- (Exam Topic 2)
A company uses multiple AWS accounts in a single AWS Region A solutions architect is designing a solution to consolidate logs generated by Elastic Load Balancers (ELBs) in the AppDev, AppTest and AppProd accounts. The logs should be stored in an existing Amazon S3 bucket named s3-eib-logs in the central AWS account. The central account is used for log consolidation only and does not have ELBs deployed ELB logs must be encrypted at rest
Which combination of steps should the solutions architect take to build the solution'' (Select TWO )

1. A. Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3 PutBucketLogging action for the central AWS account ID
2. B. Update the S3 bucket policy for the s3-eib-logs bucket to allow the s3 PutObject and s3 DeleteObject actions for the AppDev AppTest and AppProd account IDs
3. C. Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3 PutObject action for the AppDev AppTest and AppProd account IDs
4. D. Enable access logging for the ELB
5. E. Set the S3 location to the s3-elb-logs bucket
6. F. Enable Amazon S3 default encryption using server-side encryption with S3 managed encryption keys (SSE-S3) for the s3-elb-logs S3 bucket

Correct Answer: AE

- (Exam Topic 1)
A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security:
The database must use strong, randomly generated passwords stored in a secure AWS managed service.
The application resources must be deployed through AWS CloudFormation.
The application must rotate credentials for the database every 90 days.
A solutions architect will generate a CloudFormation template to deploy the application.
Which resources specified in the CloudFormation template will meet the security engineer's requirements with the LEAST amount of operational overhead?

1. A. Generate the database password as a secret resource using AWS Secrets Manage
2. B. Create an AWS Lambda function resource to rotate the database passwor
3. C. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
4. D. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Stor
5. E. Create an AWS Lambda function resource to rotate the database passwor
6. F. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.
7. G. Generate the database password as a secret resource using AWS Secrets Manage
8. H. Create an AWS Lambda function resource to rotate the database passwor
9. I. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
10. J. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Stor
11. K. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.

Correct Answer: A
https://aws.amazon.com/blogs/security/how-to-securely-provide-database-credentials-to-lambda-functions-by-us https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_cloudformation.html

- (Exam Topic 1)
A solutions architect is responsible (or redesigning a legacy Java application to improve its availability, data durability, and scalability. Currently, the application runs on a single high-memory Amazon EC2 instance. It accepts HTTP requests from upstream clients, adds them to an in-memory queue, and responds with a 200 status. A separate application thread reads items from the queue, processes them, and persists the results to an Amazon RDS MySQL instance. The processing time for each item takes 90 seconds on average, most of which is spent waiting on external service calls, but the application is written to process multiple items in parallel.
Traffic to this service is unpredictable. During periods of high load, items may sit in the internal queue for over an hour while the application processes the backlog. In addition, the current system has issues with availability and data loss if the single application node fails.
Clients that access this service cannot be modified. They expect to receive a response to each HTTP request they send within 10 seconds before they will time out and retry the request.
Which approach would improve the availability and durability of (he system while decreasing the processing latency and minimizing costs?

1. A. Create an Amazon API Gateway REST API that uses Lambda proxy integration to pass requests to an AWS Lambda functio
2. B. Migrate the core processing code to a Lambda function and write a wrapper class that provides a handler method that converts the proxy events to the internal application data model and invokes the processing module.
3. C. Create an Amazon API Gateway REST API that uses a service proxy to put items in an Amazon SOS queu
4. D. Extract the core processing code from the existing application and update it to pull items from Amazon SOS instead of an in-memory queu
5. E. Deploy the new processing application to smaller EC2 instances within an Auto Scaling group that scales dynamically based on the approximate number of messages in the Amazon SOS queue.
6. F. Modify the application to use Amazon DynamoDB instead of Amazon RD
7. G. Configure Auto Scaling for the DynamoDB tabl
8. H. Deploy the application within an Auto Scaling group with a scaling policy based on CPU utilizatio
9. I. Back the in-memory queue with a memory-mapped file to an instance store volume and periodically write that file to Amazon S3.
10. J. Update the application to use a Redis task queue instead of the in-memory queu
11. K. 8uild a Docker container image for the applicatio
12. L. Create an Amazon ECS task definition that includes the application container and a separate container to host Redi
13. M. Deploy the new task definition as an ECS service using AWS Fargate, and enable Auto Scaling.

Correct Answer: B
The obvious challenges here are long workloads, scalability based on queue load, and reliability. Almost always the defacto answer to queue related workload is SQS. Since the workloads are very long (90 minutes) Lambdas cannot be used (15 mins max timeout). So, autoscaled smaller EC2 nodes that wait on external services to complete the task makes more sense. If the task fails, the message is returned to the queue and retried.

- (Exam Topic 2)
A company has migrated an application from on premises to AWS. The application frontend is a static website that runs on two Amazon EC2 instances behind an Application Load Balancer (ALB). The application backend is a Python application that runs on three EC2 instances behind another ALB. The EC2 instances are large, general purpose On-Demand Instances that were sized to meet the on-premises specifications for peak usage of the application.
The application averages hundreds of thousands of requests each month. However, the application is used mainly during lunchtime and receives minimal traffic during the rest of the day.
A solutions architect needs to optimize the infrastructure cost of the application without negatively affecting the application availability.
Which combination of steps will meet these requirements? (Choose two.)

1. A. Change all the EC2 instances to compute optimized instances that have the same number of cores as the existing EC2 instances.
2. B. Move the application frontend to a static website that is hosted on Amazon S3.
3. C. Deploy the application frontend by using AWS Elastic Beanstal
4. D. Use the same instance type for the nodes.
5. E. Change all the backend EC2 instances to Spot Instances.
6. F. Deploy the backend Python application to general purpose burstable EC2 instances that have the same number of cores as the existing EC2 instances.

Correct Answer: BE

- (Exam Topic 1)
A company with global offices has a single 1 Gbps AWS Direct Connect connection to a single AWS Region. The company's on-premises network uses the connection to communicate with the company's resources in the AWS Cloud. The connection has a single private virtual interface that connects to a single VPC.
A solutions architect must implement a solution that adds a redundant Direct Connect connection in the same Region. The solution also must provide connectivity to other Regions through the same pair of Direct Connect connections as the company expands into other Regions.
Which solution meets these requirements?

1. A. Provision a Direct Connect gatewa
2. B. Delete the existing private virtual interface from the existing connectio
3. C. Create the second Direct Connect connectio
4. D. Create a new private virtual interlace on each connection, and connect both private victual interfaces to the Direct Connect gatewa
5. E. Connect the Direct Connect gateway to the single VPC.
6. F. Keep the existing private virtual interfac
7. G. Create the second Direct Connect connectio
8. H. Create a new private virtual interface on the new connection, and connect the new private virtual interface to the single VPC.
9. I. Keep the existing private virtual interfac
10. J. Create the second Direct Connect connectio
11. K. Create a new public virtual interface on the new connection, and connect the new public virtual interface to the single VPC.
12. L. Provision a transit gatewa
13. M. Delete the existing private virtual interface from the existing connection.Create the second Direct Connect connectio
14. N. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the transit gatewa
15. O. Associate the transit gateway with the single VPC.

Correct Answer: A
A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any Region and access it from all other Regions. The following describe scenarios where you can use a Direct Connect gateway.
https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html