- (Exam Topic 1)
A company has a latency-sensitive trading platform that uses Amazon DynamoDB as a storage backend. The company configured the DynamoDB table to use on-demand capacity mode. A solutions architect needs to design a solution to improve the performance of the trading platform. The new solution must ensure high availability for the trading platform.
Which solution will meet these requirements with the LEAST latency?

1. A. Create a two-node DynamoDB Accelerator (DAX) cluster Configure an application to read and write data by using DAX.
2. B. Create a three-node DynamoDB Accelerator (DAX) cluste
3. C. Configure an application to read data by using DAX and to write data directly to the DynamoDB table.
4. D. Create a three-node DynamoDB Accelerator (DAX) cluste
5. E. Configure an application to read data directly from the DynamoDB table and to write data by using DAX.
6. F. Create a single-node DynamoD8 Accelerator (DAX) cluste
7. G. Configure an application to read data by using DAX and to write data directly to the DynamoD8 table.

Correct Answer: B
A DAX cluster can be deployed with one or two nodes for development or test workloads. One- and two-node clusters are not fault-tolerant, and we don't recommend using fewer than three nodes for production use. If a one- or two-node cluster encounters software or hardware errors, the cluster can become unavailable or lose cached data.A DAX cluster can be deployed with one or two nodes for development or test workloads. One and two-node clusters are not fault-tolerant, and we don't recommend using fewer than three nodes for production use. If a one- or two-node cluster encounters software or hardware errors, the cluster can become unavailable or lose cached data.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.concepts.cluster.html

- (Exam Topic 1)
A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company's AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company's AWS accounts.
The company's security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location.
Which solution will meet these requirements?

1. A. Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0.Enable automatic provisioning by using the System for Cross- domain Identity Management (SCIM) v2.0 protoco
2. B. Grant access to the AWS accounts by using attribute-based access controls (ABACs).
3. C. Configure AWS Single Sign-On (AWS SSO) by using AWS SSO as an identity sourc
4. D. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protoco
5. E. Grant access to the AWS accounts by using AWS SSO permission sets.
6. F. In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provide
7. G. Provision IAM users that are mapped to the federated user
8. H. Grant access that corresponds to appropriate groups in Active Director
9. I. Grant access to the required AWS accounts by using cross-account IAM users.
10. J. In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provide
11. K. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Director
12. L. Grant access to the required AWS accounts by using cross-account IAM roles.

Correct Answer: D
https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/

- (Exam Topic 3)
A company has developed a mobile game. The backend for the game runs on several virtual machines located in an on-premises data center. The business logic is exposed using a REST API with multiple functions. Player session data is stored in central file storage. Backend services use different API keys for throttling and to distinguish between live and test traffic.
The load on the game backend varies throughout the day. During peak hours, the server capacity is not sufficient. There are also latency issues when fetching player session data. Management has asked a solutions architect to present a cloud architecture that can handle the game's varying load and provide low-latency data access. The API model should not be changed.
Which solution meets these requirements?

1. A. Implement the REST API using a Network Load Balancer (NLB). Run the business logic on an Amazon EC2 instance behind the NL
2. B. Store player session data in Amazon Aurora Serverless.
3. C. Implement the REST API using an Application Load Balancer (ALB). Run the business logic in AWS Lambd
4. D. Store player session data in Amazon DynamoDB with on-demand capacity.
5. E. Implement the REST API using Amazon API Gatewa
6. F. Run the business logic in AWS Lambd
7. G. Store player session data in Amazon DynamoDB with on- demand capacity.
8. H. Implement the REST API using AWS AppSyn
9. I. Run the business logic in AWS Lambd
10. J. Store player session data in Amazon Aurora Serverless.

Correct Answer: C

- (Exam Topic 3)
A company has automated the nightly retraining of its machine learning models by using AWS Step Functions. The workflow consists of multiple steps that use AWS Lambda Each step can fail for various reasons and any failure causes a failure of the overall workflow
A review reveals that the retraining has failed multiple nights in a row without the company noticing the failure A solutions architect needs to improve the workflow so that notifications are sent for all types of failures in the retraining process
Which combination of steps should the solutions architect take to meet these requirements? (Select THREE)

1. A. Create an Amazon Simple Notification Service (Amazon SNS) topic with a subscription of type "Email" that targets the team's mailing list.
2. B. Create a task named "Email" that forwards the input arguments to the SNS topic
3. C. Add a Catch field all Task Ma
4. D. and Parallel states that have a statement of "Error Equals": [ “States.ALL”] and "Next": "Email".
5. E. Add a new email address to Amazon Simple Email Service (Amazon SES). Verify the email address.
6. F. Create a task named "Email" that forwards the input arguments to the SES email address
7. G. Add a Catch field to all Task Map, and Parallel states that have a statement of "Error Equals": [ "states.Runtime”] and "Next": "Email".

Correct Answer: ABC
Create an Amazon Simple Notification Service (Amazon SNS) topic with a subscription of type "Email" that targets the team's mailing list. This will create a topic for sending notifications and add a subscription for the team's email list to that topic. C. Add a Catch field to all Task, Map, and Parallel states that have a statement of "ErrorEquals": [ "States.ALL" ] and "Next": "Email". This will ensure that any errors that occur in any of the steps in the workflow will trigger the "Email" task, which will forward the input arguments to the SNS topic created in step A. B. Create a task named "Email" that forwards the input arguments to the SNS topic. This will allow the company to send email notifications to the team's mailing list in case of any errors occurred in any step in the workflow.

- (Exam Topic 1)
An AWS partner company is building a service in AWS Organizations using Its organization named org. This service requires the partner company to have access to AWS resources in a customer account, which is in a separate organization named org2 The company must establish least privilege security access using an API or command line tool to the customer account
What is the MOST secure way to allow org1 to access resources h org2?

1. A. The customer should provide the partner company with their AWS account access keys to log in and perform the required tasks
2. B. The customer should create an IAM user and assign the required permissions to the IAM user The customer should then provide the credentials to the partner company to log In and perform the required tasks.
3. C. The customer should create an IAM role and assign the required permissions to the IAM rol
4. D. The partner company should then use the IAM rote's Amazon Resource Name (ARN) when requesting access to perform the required tasks
5. E. The customer should create an IAM rote and assign the required permissions to the IAM rot
6. F. The partner company should then use the IAM rote's Amazon Resource Name (ARN). Including the external ID in the IAM role's trust pokey, when requesting access to perform the required tasks

Correct Answer: C
https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
This is the most secure way to allow org1 to access resources in org2 because it allows for least privilege security access. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN) and include the external ID in the IAM role’s trust policy when requesting access to perform the required tasks. This ensures that the partner company can only access the resources that it needs and only from the specific customer account.