- (Exam Topic 1)
A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously.
A solutions architect needs to enforce the new process in the most secure way possible.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

1. A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.
2. B. Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
3. C. In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
4. D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances actio
5. E. Attach the SCP to each OU of the organization.
6. F. Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.

Correct Answer: AD
All features – The default feature set that is available to AWS Organizations. It includes all the functionality of consolidated billing, plus advanced features that give you more control over accounts in your organization. For example, when all features are enabled the management account of the organization has full control over what member accounts can do. The management account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set

- (Exam Topic 2)
A company wants to run a custom network analysis software package to inspect traffic as traffic leaves and enters a VPC. The company has deployed the solution by using AWS Cloud Formation on three Amazon EC2 instances in an Auto Scaling group. All network routing has been established to direct traffic to the EC2 instances.
Whenever the analysis software stops working, the Auto Scaling group replaces an instance. The network routes are not updated when the instance replacement occurs.
Which combination of steps will resolve this issue? {Select THREE.)

1. A. Create alarms based on EC2 status check metrics that will cause the Auto Scaling group to replace the failed instance.
2. B. Update the Cloud Formation template to install the Amazon CloudWatch agent on the EC2 instances.Configure the CloudWatch agent to send process metrics for the application.
3. C. Update the Cloud Formation template to install AWS Systems Manager Agent on the EC2 instances.Configure Systems Manager Agent to send process metrics for the application.
4. D. Create an alarm for the custom metric in Amazon CloudWatch for the failure scenario
5. E. Configure the alarm to publish a message to an Amazon Simple Notification Service {Amazon SNS) topic.
6. F. Create an AWS Lambda function that responds to the Amazon Simple Notification Service (Amazon SNS) message to take the instance out of servic
7. G. Update the network routes to point to the replacement instance.
8. H. In the Cloud Formation template, write a condition that updates the network routes when a replacement instance is launched.

Correct Answer: BDE

- (Exam Topic 3)
A company that provisions job boards for a seasonal workforce is seeing an increase in traffic and usage. The backend services run on a pair of Amazon EC2 instances behind an Application Load Balancer with Amazon DynamoDB as the datastore. Application read and write traffic is slow during peak seasons.
Which option provides a scalable application architecture to handle peak seasons with the LEAST development effort?

1. A. Migrate the backend services to AWS Lambd
2. B. Increase the read and write capacity of DynamoDB.
3. C. Migrate the backend services to AWS Lambd
4. D. Configure DynamoDB to use global tables.
5. E. Use Auto Scaling groups for the backend service
6. F. Use DynamoDB auto scaling.
7. G. Use Auto Scaling groups for the backend service
8. H. Use Amazon Simple Queue Service (Amazon SQS) and an AWS Lambda function to write to DynamoDB.

Correct Answer: C
Option C is correct because using Auto Scaling groups for the backend services allows the company to scale up or down the number of EC2 instances based on the demand and traffic. This way, the backend services can handle more requests during peak seasons without compromising performance or availability. Using DynamoDB auto scaling allows the company to adjust the provisioned read and write capacity of the table or index automatically based on the actual traffic patterns. This way, the table or index can handle sudden increases or decreases in workload without throttling or overprovisioning1.
Option A is incorrect because migrating the backend services to AWS Lambda may require significant development effort to rewrite the code and test the functionality. Moreover, increasing the read and write capacity of DynamoDB manually may not be efficient or cost-effective, as it does not account for the variability of the workload. The company may end up paying for unused capacity or experiencing throttling if the workload exceeds the provisioned capacity1.
Option B is incorrect because migrating the backend services to AWS Lambda may require significant development effort to rewrite the code and test the functionality. Moreover, configuring DynamoDB to use global tables may not be necessary or beneficial for the company, as global tables are mainly used for replicating data across multiple AWS Regions for fast local access and disaster recovery. Global tables do not automatically scale the provisioned capacity of each replica table; they still require manual or auto scaling settings2.
Option D is incorrect because using Amazon Simple Queue Service (Amazon SQS) and an AWS Lambda function to write to DynamoDB may introduce additional complexity and latency to the application architecture. Amazon SQS is a message queue service that decouples and coordinates the components of a distributed system. AWS Lambda is a serverless compute service that runs code in response to events. Using these services may require significant development effort to integrate them with the backend services and DynamoDB. Moreover, they may not improve the read performance of DynamoDB, which may also be affected by high traffic3.
References:
Auto Scaling groups
DynamoDB auto scaling
AWS Lambda
DynamoDB global tables
AWS Lambda vs EC2: Comparison of AWS Compute Resources - Simform
Managing throughput capacity automatically with DynamoDB auto scaling - Amazon DynamoDB
AWS Aurora Global Database vs. DynamoDB Global Tables
Amazon Simple Queue Service (SQS)

- (Exam Topic 2)
A company is using AWS Organizations to manage multiple AWS accounts. For security purposes, the company requires the creation of an Amazon Simple Notification Service (Amazon SNS) topic that enables integration with a third-party alerting system in all the Organizations member accounts.
A solutions architect used an AWS CloudFormation template to create the SNS topic and stack sets to automate the deployment of Cloud Formation stacks. Trusted access has been enabled in Organizations.
What should the solutions architect do to deploy the CloudFormation StackSets in all AWS accounts?

1. A. Create a stack set in the Organizations member account
2. B. Use service-managed permission
3. C. Set deployment options to deploy to an organizatio
4. D. Use CloudFormation StackSets drift detection.
5. E. Create stacks in the Organizations member account
6. F. Use self-service permission
7. G. Set deploymentoptions to deploy to an organizatio
8. H. Enable the CloudFormation StackSets automatic deployment.
9. I. Create a stack set in the Organizations management accoun
10. J. Use service-managed permission
11. K. Set deployment options to deploy to the organizatio
12. L. Enable CloudFormation StackSets automatic deployment.
13. M. Create stacks in the Organizations management accoun
14. N. Use service-managed permission
15. O. Set deployment options to deploy to the organizatio
16. P. Enable CloudFormation StackSets drift detection.

Correct Answer: C
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.h

- (Exam Topic 2)
A company is creating a REST API to share information with six of its partners based in the United States. The company has created an Amazon API Gateway Regional endpoint. Each of the six partners will access the API once per day to post daily sales figures.
After initial deployment, the company observes 1.000 requests per second originating from 500 different IP addresses around the world. The company believes this traffic is originating from a botnet and wants to secure its API while minimizing cost.
Which approach should the company take to secure its API?

1. A. Create an Amazon CloudFront distribution with the API as the origi
2. B. Create an AWS WAF web ACL with a rule lo block clients thai submit more than fiverequests per da
3. C. Associate the web ACL with the CloudFront distnbutio
4. D. Configure CloudFront with an origin access identity (OAI) and associate it with the distributio
5. E. Configure API Gateway to ensure only the OAI can run the POST method.
6. F. Create an Amazon CloudFront distribution with the API as the origi
7. G. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per da
8. H. Associate the web ACL with the CloudFront distnbutio
9. I. Add a custom header to the CloudFront distribution populated with an API ke
10. J. Configure the API to require an API key on the POST method.
11. K. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners.Associate the web ACL with the AP
12. L. Create a resource policy with a request limit and associate it with the AP
13. M. Configure the API to require an API key on the POST method.
14. N. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners.Associate the web ACL with the AP
15. O. Create a usage plan with a request limit and associate it with the AP
16. P. Create an API key and add it to the usage plan.

Correct Answer: D
"A usage plan specifies who can access one or more deployed API stages and methods—and also how much and how fast they can access them. The plan uses API keys to identify API clients and meters access to the associated API stages for each key. It also lets you configure throttling limits and quota limits that are enforced on individual client API keys."
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html
A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span...... The following caveats apply to AWS WAF rate-based rules: The minimum rate that you can set is 100. AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior five minutes each time. Because of this, it's possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it. AWS WAF can block up to 10,000 IP addresses. If more than 10,000 IP addresses send high rates of requests at the same time, AWS WAF will only block 10,000 of them. " https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html