- (Exam Topic 2)
A company is updating an application that customers use to make online orders. The number of attacks on the application by bad actors has increased recently.
The company will host the updated application on an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use Amazon DynamoDB to store application data. A public Application Load Balancer (ALB) will provide end users with access to the application. The company must prevent prevent attacks and ensure business continuity with minimal service interruptions during an ongoing attack.
Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

1. A. Create an Amazon CloudFront distribution with the ALB as the origi
2. B. Add a custom header and random value on the CloudFront domai
3. C. Configure the ALB to conditionally forward traffic if the header and value match.
4. D. Deploy the application in two AWS Region
5. E. Configure Amazon Route 53 to route to both Regions with equal weight.
6. F. Configure auto scaling for Amazon ECS task
7. G. Create a DynamoDB Accelerator (DAX) cluster.
8. H. Configure Amazon ElastiCache to reduce overhead on DynamoDB.
9. I. Deploy an AWS WAF web ACL that includes an appropriate rule grou
10. J. Associate the web ACL with the Amazon CloudFront distribution.

Correct Answer: AE
The company should create an Amazon CloudFront distribution with the ALB as the origin. The company should add a custom header and random value on the CloudFront domain. The company should configure the ALB to conditionally forward traffic if the header and value match. The company should also deploy an AWS WAF web ACL that includes an appropriate rule group. The company should associate the web ACL with the Amazon CloudFront distribution. This solution will meet the requirements most cost-effectively because Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a
developer-friendly environment1. By creating an Amazon CloudFront distribution with the ALB as the origin, the company can improve the performance and availability of its application by caching static content at edge locations closer to end users. By adding a custom header and random value on the CloudFront domain, the company can prevent direct access to the ALB and ensure that only requests from CloudFront are forwarded to the ECS tasks. By configuring the ALB to conditionally forward traffic if the header and value match, the company can implement origin access identity (OAI) for its ALB origin. OAI is a feature that enables you to restrict access to your content by requiring users to access your content through CloudFront URLs2. By deploying an AWS WAF web ACL that includes an appropriate rule group, the company can prevent attacks and ensure business continuity with minimal service interruptions during an ongoing attack. AWS WAF is a web application firewall that lets you monitor and control web requests that are forwarded to your web applications. You can use AWS WAF to define customizable web security rules that control which traffic can access your web applications and which traffic should be blocked3. By associating the web ACL with the Amazon CloudFront distribution, the company can apply the web security rules to all requests that are forwarded by CloudFront.
The other options are not correct because:
Deploying the application in two AWS Regions and configuring Amazon Route 53 to route to both Regions with equal weight would not prevent attacks or ensure business continuity. Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service that routes end users to Internet applications by translating names like www.example.com into numeric IP addresses4. However, routing traffic to multiple Regions would not protect against attacks or provide failover in case of an outage. It would also increase operational complexity and costs compared to using CloudFront and
AWS WAF.
Configuring auto scaling for Amazon ECS tasks and creating a DynamoDB Accelerator (DAX) cluster would not prevent attacks or ensure business continuity. Auto scaling is a feature that enables you to automatically adjust your ECS tasks based on demand or a schedule. DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement. However, these features would not protect against attacks or provide failover in case of an outage. They would also increase operational complexity and costs compared to using CloudFront and AWS WAF.
Configuring Amazon ElastiCache to reduce overhead on DynamoDB would not prevent attacks or ensure business continuity. Amazon ElastiCache is a fully managed in-memory data store service that makes it easy to deploy, operate, and scale popular open-source compatible in-memory data stores. However, this service would not protect against attacks or provide failover in case of an outage. It would also increase operational complexity and costs compared to using CloudFront and AWS WAF.
References:
https://aws.amazon.com/cloudfront/
https://aws.amazon.com/waf/
https://aws.amazon.com/route53/
https://aws.amazon.com/dynamodb/dax/
https://aws.amazon.com/elasticache/

- (Exam Topic 1)
A company is hosting a monolithic REST-based API for a mobile app on five Amazon EC2 instances in public subnets of a VPC. Mobile clients connect to the API by using a domain name that is hosted on Amazon Route 53. The company has created a Route 53 multivalue answer routing policy with the IP addresses of all the EC2 instances. Recently, the app has been overwhelmed by large and sudden increases to traffic. The app has not been able to keep up with the traffic.
A solutions architect needs to implement a solution so that the app can handle the new and varying load. Which solution will meet these requirements with the LEAST operational overhead?

1. A. Separate the API into individual AWS Lambda function
2. B. Configure an Amazon API Gateway REST API with Lambda integration for the backen
3. C. Update the Route 53 record to point to the API Gateway API.
4. D. Containerize the API logi
5. E. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluste
6. F. Run the containers in the cluster by using Amazon EC2. Create a Kubernetes ingres
7. G. Update the Route 53 record to point to the Kubernetes ingress.
8. H. Create an Auto Scaling grou
9. I. Place all the EC2 instances in the Auto Scaling grou
10. J. Configure the Auto Scaling group to perform scaling actions that are based on CPU utilizatio
11. K. Create an AWS Lambda function that reacts to Auto Scaling group changes and updates the Route 53 record.
12. L. Create an Application Load Balancer (ALB) in front of the AP
13. M. Move the EC2 instances to private subnets in the VP
14. N. Add the EC2 instances as targets for the AL
15. O. Update the Route 53 record to point to the ALB.

Correct Answer: D
By breaking down the monolithic API into individual Lambda functions and using API Gateway to handle the incoming requests, the solution can automatically scale to handle the new and varying load without the need for manual scaling actions. Additionally, this option will automatically handle the traffic without the need of having EC2 instances running all the time and only pay for the number of requests and the duration of the execution of the Lambda function.
By updating the Route 53 record to point to the API Gateway, the solution can handle the traffic and also it will direct the traffic to the correct endpoint.

- (Exam Topic 1)
A software company has deployed an application that consumes a REST API by using Amazon API Gateway. AWS Lambda functions, and an Amazon DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a small number of clients that are authenticated with specific API keys.
A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API's reputation.
What should the solutions architect recommend to improve the customer experience?

1. A. Implement retry logic with exponential backoff and irregular variation in the client applicatio
2. B. Ensure that the errors are caught and handled with descriptive error messages.
3. C. Implement API throttling through a usage plan at the API Gateway leve
4. D. Ensure that the client application handles code 429 replies without error.
5. E. Turn on API caching to enhance responsiveness for the production stag
6. F. Run 10-minute load tests.Verify that the cache capacity is appropriate for the workload.
7. G. Implement reserved concurrency at the Lambda function level to provide the resources that are needed during sudden increases in traffic.

Correct Answer: B
https://aws.amazon.com/premiumsupport/knowledge-center/aws-batch-requests-error/ https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-429-limit/

- (Exam Topic 3)
A company has mounted sensors to collect information about environmental parameters such as humidity and light throughout all the company's factories. The company needs to stream and analyze the data in the AWS Cloud in real time. If any of the parameters fall out of acceptable ranges, the factory operations team must receive a notification immediately.
Which solution will meet these requirements?

1. A. Stream the data to an Amazon Kinesis Data Firehose delivery strea
2. B. Use AWS Step Functions toconsume and analyze the data in the Kinesis Data Firehose delivery strea
3. C. use Amazon Simple Notification Service (Amazon SNS) to notify the operations team.
4. D. Stream the data to an Amazon Managed Streaming for Apache Kafka (Amazon MSK) cluste
5. E. Set up a trigger in Amazon MSK to invoke an AWS Fargate task to analyze the dat
6. F. Use Amazon Simple Email Service (Amazon SES) to notify the operations team.
7. G. Stream the data to an Amazon Kinesis data strea
8. H. Create an AWS Lambda function to consume the Kinesis data stream and to analyze the dat
9. I. Use Amazon Simple Notification Service (Amazon SNS) to notify the operations team.
10. J. Stream the data to an Amazon Kinesis Data Analytics applicatio
11. K. I-Jse an automatically scaled and containerized service in Amazon Elastic Container Service (Amazon ECS) to consume and analyze the dat
12. L. use Amazon Simple Email Service (Amazon SES) to notify the operations team.

Correct Answer: C
The best solution is to stream the data to an Amazon Kinesis data stream and create an AWS Lambda function to consume the Kinesis data stream and to analyze the data. Amazon Kinesis is a web service that can collect, process, and analyze real-time streaming data from various sources, such as sensors. AWS Lambda is a serverless computing service that can run code in response to events, such as incoming data from a Kinesis data stream. By using AWS Lambda, the company can avoid provisioning or managing servers and scale automatically based on the demand. Amazon Simple Notification Service (Amazon SNS) is a web service that enables applications to send and receive notifications from the cloud. By using Amazon SNS, the company can notify the operations team immediately if any of the parameters fall out of acceptable ranges. This solution meets all the requirements of the company.
References: Amazon Kinesis Documentation, AWS Lambda Documentation, Amazon Simple Notification Service Documentation

- (Exam Topic 1)
An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by procurement managers. The procurement team's policy indicates that developers should be able to obtain third-party software from an approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement . The procurement team wants administration of Private Marketplace to be restricted to a role named
procurement-manager-role, which could be assumed by procurement managers Other IAM users groups, roles, and account administrators in the company should be denied Private Marketplace administrative access
What is the MOST efficient way to design an architecture to meet these requirements?

1. A. Create an IAM role named procurement-manager-role in all AWS accounts in the organization Add the PowerUserAccess managed policy to the role Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
2. B. Create an IAM role named procurement-manager-role in all AWS accounts in the organization Add the AdministratorAccess managed policy to the role Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.
3. C. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone exceptthe role named procurement-manager-role Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
4. D. Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developer
5. E. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the rol
6. F. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-rol
7. G. Apply the SCP to all the shared services accounts in the organization.

Correct Answer: C
SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role.
https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-usi
This approach allows the procurement managers to assume the procurement-manager-role in shared services accounts, which have the AWSPrivateMarketplaceAdminFullAccess managed policy attached to it and can then manage the Private Marketplace. The organization root-level SCP denies the permission to administer Private Marketplace to everyone except the role named procurement-manager-role and another SCP denies the permission to create an IAM role named procurement-manager-role to everyone in the organization, ensuring that only the procurement team can assume the role and manage the Private Marketplace. This approach provides a centralized way to manage and restrict access to Private Marketplace while maintaining a high level of security.