A company receives food orders from multiple partners. The company has a microservices application that uses Amazon API Gateway APIs with AWS Lambda integration. Each partner sends orders by calling a customized API that is exposed through API Gateway. The API call invokes a shared Lambda function to process the orders.
Partners need to be notified after the Lambda function processes the orders. Each partner must receive updates for only the partner's own orders. The company wants to add new partners in the future with the fewest code changes possible.
Which solution will meet these requirements in the MOST scalable way?

1. A. Create a different Amazon Simple Notification Service (Amazon SNS) topic for each partne
2. B. Configure the Lambda function to publish messages for each partner to the partner's SNS topic.
3. C. Create a different Lambda function for each partne
4. D. Configure the Lambda function to notify each partner's service endpoint directly.
5. E. Create an Amazon Simple Notification Service (Amazon SNS) topi
6. F. Configure the Lambda function to publish messages with specific attributes to the SNS topi
7. G. Subscribe each partner to the SNS topi
8. H. Apply the appropriate filter policy to the topic subscriptions.
9. I. Create one Amazon Simple Notification Service (Amazon SNS) topi
10. J. Subscribe all partners to the SNS topic.

Correct Answer: C
Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables pub/sub communication between distributed systems. The developer can create an SNS topic and configure the Lambda function to publish messages with specific attributes to the topic. The developer can subscribe each partner to the SNS topic and apply the appropriate filter policy to the topic subscriptions. This way, each partner will receive updates for only their own orders based on the message attributes. This solution will meet the requirements in the most scalable way and allow adding new partners in the future with minimal code changes.
References:
✑ [Amazon Simple Notification Service (SNS)]
✑ [Filtering Messages with Attributes - Amazon Simple Notification Service]

A company is using AWS CloudFormation to deploy a two-tier application. The application will use Amazon RDS as its backend database. The company wants a solution that will randomly generate the database password during deployment. The solution also must automatically rotate the database password without requiring changes to the application.
What is the MOST operationally efficient solution that meets these requirements'?

1. A. Use an AWS Lambda function as a CloudFormation custom resource to generate and rotate the password.
2. B. Use an AWS Systems Manager Parameter Store resource with the SecureString data type to generate and rotate the password.
3. C. Use a cron daemon on the application s host to generate and rotate the password.
4. D. Use an AWS Secrets Manager resource to generate and rotate the password.

Correct Answer: D
This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can use an AWS Secrets Manager resource in AWS CloudFormation template, which enables creating and managing secrets as part of a CloudFormation stack. The developer can use an AWS::SecretsManager::Secret resource type to generate and rotate the password for accessing RDS database during deployment. The developer can also specify a RotationSchedule property for the secret resource, which defines how often to rotate the secret and which Lambda function to use for rotation logic. Option A is not optimal because it will use an AWS Lambda function as a CloudFormation custom resource, which may introduce additional complexity and overhead for creating and managing a custom resource and implementing rotation logic. Option B is not optimal because it will use an AWS Systems Manager Parameter Store resource with the SecureString data type, which does not support automatic rotation of secrets. Option C is not optimal because it will use a cron daemon on the application’s host to generate and rotate the password, which may incur more costs and require more maintenance for running and securing a host.
References: [AWS Secrets Manager], [AWS::SecretsManager::Secret]

A developer must use multi-factor authentication (MFA) to access data in an Amazon S3
bucket that is in another AWS account. Which AWS Security Token Service (AWS STS) API operation should the developer use with the MFA information to meet this requirement?

1. A. AssumeRoleWithWebidentity
2. B. GetFederationToken
3. C. AssumeRoleWithSAML
4. D. AssumeRole

Correct Answer: D
The AssumeRole API operation returns a set of temporary security credentials that can be used to access resources in another AWS account. The developer can specify the MFA device serial number and the MFA token code in the request parameters. This option enables the developer to use MFA to access data in an S3 bucket that is in another AWS account. The other options are not relevant or effective for this scenario. References
✑ AssumeRole
✑ Requesting Temporary Security Credentials

An application that runs on AWS Lambda requires access to specific highly confidential objects in an Amazon S3 bucket. In accordance with the principle of least privilege a company grants access to the S3 bucket by using only temporary credentials.
How can a developer configure access to the S3 bucket in the MOST secure way?

1. A. Hardcode the credentials that are required to access the S3 objects in the application cod
2. B. Use the credentials to access me required S3 objects.
3. C. Create a secret access key and access key ID with permission to access the S3 bucke
4. D. Store the key and key ID in AWS Secrets Manage
5. E. Configure the application to retrieve the Secrets Manager secret and use the credentials to access me S3 objects.
6. F. Create a Lambda function execution role Attach a policy to the rote that grants access to specific objects in the S3 bucket.
7. G. Create a secret access key and access key ID with permission to access the S3 bucket Store the key and key ID as environment variables m Lambd
8. H. Use the environment variables to access the required S3 objects.

Correct Answer: C
This solution will meet the requirements by creating a Lambda function execution role, which is an IAM role that grants permissions to a Lambda function to access AWS resources such as Amazon S3 objects. The developer can attach a policy to the role that grants access to specific objects in the S3 bucket that are required by the application, following the principle of least privilege. Option A is not optimal because it will hardcode the credentials that are required to access S3 objects in the application code, which is insecure and difficult to maintain. Option B is not optimal because it will create a secret access key and access key ID with permission to access the S3 bucket, which will introduce additional security risks and complexity for storing and managing credentials. Option D is not optimal because it will store the secret access key and access key ID as environment variables in Lambda, which is also insecure and difficult to maintain. References: [AWS Lambda Execution Role], [Using AWS Lambda with Amazon S3]

A company is offering APIs as a service over the internet to provide unauthenticated read access to statistical information that is updated daily. The company uses Amazon API Gateway and AWS Lambda to develop the APIs. The service has become popular, and the company wants to enhance the responsiveness of the APIs.
Which action can help the company achieve this goal?

1. A. Enable API caching in API Gateway.
2. B. Configure API Gateway to use an interface VPC endpoint.
3. C. Enable cross-origin resource sharing (CORS) for the APIs.
4. D. Configure usage plans and API keys in API Gateway.

Correct Answer: A
Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can enable API caching in API Gateway to cache responses from the backend integration point for a specified time-to- live (TTL) period. This can improve the responsiveness of the APIs by reducing the number
of calls made to the backend service. References:
✑ [What Is Amazon API Gateway? - Amazon API Gateway]
✑ [Enable API Caching to Enhance Responsiveness - Amazon API Gateway]