- (Exam Topic 1)
A company plans to refactor a monolithic application into a modern application designed deployed or AWS. The CLCD pipeline needs to be upgraded to support the modem design for the application with the following requirements
• It should allow changes to be released several times every hour.
* It should be able to roll back the changes as quickly as possible Which design will meet these requirements?

1. A. Deploy a Cl-CD pipeline that incorporates AMIs to contain the application and their configurationsDeploy the application by replacing Amazon EC2 instances
2. B. Specify AWS Elastic Beanstak to sage in a secondary environment as the deployment target for the CI/CD pipeline of the applicatio
3. C. To deploy swap the staging and production environment URLs.
4. D. Use AWS Systems Manager to re-provision the infrastructure for each deployment Update the Amazon EC2 user data to pull the latest code art-fact from Amazon S3 and use Amazon Route 53 weighted routing to point to the new environment
5. E. Roll out At application updates as pan of an Auto Scaling event using prebuilt AMI
6. F. Use new versions of the AMIs to add instances, and phase out all instances that use the previous AMI version with the configured termination policy during a deployment event.

Correct Answer: B
It is the fastest when it comes to rollback and deploying changes every hour

- (Exam Topic 3)
An enterprise company is building an infrastructure services platform for its users. The company has the following requirements:
Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services.
Use a central account to manage the creation of infrastructure services.
Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations.
Provide the ability to enforce tags on any infrastructure that is started by users.
Which combination of actions using AWS services will meet these requirements? (Choose three.)

1. A. Develop infrastructure services using AWS Cloud Formation template
2. B. Add the templates to a central Amazon S3 bucket and add the-IAM roles or users that require access to the S3 bucket policy.
3. C. Develop infrastructure services using AWS Cloud Formation template
4. D. Upload each template as an AWS Service Catalog product to portfolios created in a central AWS accoun
5. E. Share these portfolios with the Organizations structure created for the company.
6. F. Allow user IAM roles to have AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess permission
7. G. Add an Organizations SCP at the AWS account root user level to deny all services except AWS CloudFormation and Amazon S3.
8. H. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions onl
9. I. Use an automation script to import the central portfolios to local AWS accounts, copy the TagOption assign users access and apply launch constraints.
10. J. Use the AWS Service Catalog TagOption Library to maintain a list of tags required by the company.Apply the TagOption to AWS Service Catalog products or portfolios.
11. K. Use the AWS CloudFormation Resource Tags property to enforce the application of tags to any CloudFormation templates that will be created for users.

Correct Answer: BDE

Developing infrastructure services using AWS CloudFormation templates and uploading them as AWS Service Catalog products to portfolios created in a central AWS account will enable the company to
centrally manage the creation of infrastructure services and control who can use them1. AWS Service Catalog allows you to create and manage catalogs of IT services that are approved for use on
AWS2. You can organize products into portfolios, which are collections of products along with configuration information3. You can share portfolios with other accounts in your organization using AWS Organizations4.
Allowing user IAM roles to have ServiceCatalogEndUserAccess permissions only and using an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints will enable the company to provide least privilege access to users when launching AWS infrastructure services. ServiceCatalogEndUserAccess is a managed IAM policy that grants users permission to list and view products and launch product instances. An automation script can help import the shared portfolios from the central account to the local accounts, copy the TagOption from the central account, assign users access to the portfolios, and apply launch constraints that specify which IAM role or user can provision a product.
Using the AWS Service Catalog TagOption Library to maintain a list of tags required by the company and applying the TagOption to AWS Service Catalog products or portfolios will enable the company to enforce tags on any infrastructure that is started by users. TagOptions are key-value pairs that you can use to classify your AWS Service Catalog resources. You can create a TagOption Library that contains all the tags that you want to use across your organization. You can apply TagOptions to products or portfolios, and they will be automatically applied to any provisioned product instances.
References:
Creating a product from an existing CloudFormation template
What is AWS Service Catalog?
Working with portfolios
Sharing a portfolio with AWS Organizations
[Providing least privilege access for users]
[AWS managed policies for job functions]
[Importing shared portfolios]
[Enforcing tag policies]
[Working with TagOptions]
[Creating a TagOption Library]
[Applying TagOptions]

- (Exam Topic 3)
A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances.
A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

1. A. Create an organization in AWS Organization
2. B. Set up AWS Control Tower, and turn on the strongly recommended guardrail
3. C. Join all accounts to the organizatio
4. D. Categorize the AWS accounts into OUs.
5. E. Use the AWS CLI to list all the unencrypted volumes in all the AWS account
6. F. Run a script to encrypt all the unencrypted volumes in place.
7. G. Create a snapshot of each unencrypted volum
8. H. Create a new encrypted volume from the unencrypted snapsho
9. I. Detach the existing volume, and replace it with the encrypted volume.
10. J. Create an organization in AWS Organization
11. K. Set up AWS Control Tower, and turn on the mandatory guardrail
12. L. Join all accounts to the organizatio
13. M. Categorize the AWS accounts into OUs.
14. N. Turn on AWS CloudTrai
15. O. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to detect and automatically encrypt unencrypted volumes.

Correct Answer: AC
(https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html)

- (Exam Topic 2)
A solutions architect needs to improve an application that is hosted in the AWS Cloud. The application uses an Amazon Aurora MySQL DB instance that is experiencing overloaded connections. Most of the application's operations insert records into the database. The application currently stores credentials in a text-based configuration file.
The solutions architect needs to implement a solution so that the application can handle the current connection load. The solution must keep the credentials secure and must provide the ability to rotate the credentials automatically on a regular basis.
Which solution will meet these requirements?

1. A. Deploy an Amazon RDS Proxy layer in front of the DB instanc
2. B. Store the connection credentials as a secret in AWS Secrets Manager.
3. C. Deploy an Amazon RDS Proxy layer in front of the DB instanc
4. D. Store the connection credentials in AWS Systems Manager Parameter Store.
5. E. Create an Aurora Replic
6. F. Store the connection credentials as a secret in AWS Secrets Manager.
7. G. Create an Aurora Replic
8. H. Store the connection credentials in AWS Systems Manager Parameter Store.

Correct Answer: A
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html

- (Exam Topic 2)
A company uses an AWS CodeCommit repository The company must store a backup copy of the data that is in the repository in a second AWS Region
Which solution will meet these requirements?

1. A. Configure AWS Elastic Disaster Recovery to replicate the CodeCommit repository data to the second Region
2. B. Use AWS Backup to back up the CodeCommit repository on an hourly schedule Create a cross-Region copy in the second Region
3. C. Create an Amazon EventBridge rule to invoke AWS CodeBuild when the company pushes code to the repository Use CodeBuild to clone the repository Create a zip file of the content Copy the file to an S3 bucket in the second Region
4. D. Create an AWS Step Functions workflow on an hourly schedule to take a snapshot of the CodeCommit repository Configure the workflow to copy the snapshot to an S3 bucket in the second Region

Correct Answer: B
AWS Backup is a fully managed service that makes it easy to centralize and automate the creation, retention, and restoration of backups across AWS services. It provides a way to schedule automatic backups for CodeCommit repositories on an hourly basis. Additionally, it also supports cross-Region replication, which allows you to copy the backups to a second Region for disaster recovery.
By using AWS Backup, the company can set up an automatic and regular backup schedule for the CodeCommit repository, ensuring that the data is regularly backed up and stored in a second Region. This can provide a way to recover quickly from any disaster event that might occur.
Reference:
AWS Backup documentation: https://aws.amazon.com/backup/ AWS Backup for AWS CodeCommit documentation:
https://aws.amazon.com/about-aws/whats-new/2020/07/aws-backup-now-supports-aws-codecommit-repositorie