- (Exam Topic 2)
A company is planning a large event where a promotional offer will be introduced The company's website is hosted on AWS and backed by an Amazon RDS for PostgreSQL DB instance The website explains the promotion and includes a sign-up page that collects user information and preferences Management expects large and unpredictable volumes of traffic periodically which will create many database writes A solutions architect needs to build a solution that does not change the underlying data model and ensures that submissions are not dropped before they are committed to the database
Which solutions meets these requirements'?

1. A. Immediately before the event, scale up the existing DB instance to meet the anticipated deman
2. B. Then scale down after the event
3. C. Use Amazon SQS to decouple the application and database layers Configure an AWS Lambda function to write items from the queue into the database
4. D. Migrate to Amazon DynamoDB and manage throughput capacity with automatic scaling
5. E. Use Amazon ElastiCache for Memcached to increase write capacity to the DB instance

Correct Answer: B

- (Exam Topic 1)
A company has an application that generates reports and stores them in an Amazon S3 bucket. When a user accesses their report, the application generates a signed URL to allow the user to download the report. The company's security team has discovered that the files are public and that anyone can download them without authentication. The company has suspended the generation of new reports until the problem is resolved.
Which set of actions will immediately remediate the security issue without impacting the application's normal workflow?

1. A. Create an AWS Lambda function that applies a deny all policy for users who are not authenticated.Create a scheduled event to invoke the Lambda function.
2. B. Review the AWS Trusted Advisor bucket permissions check and implement the recommended actions.
3. C. Run a script that puts a private ACL on all of the objects in the bucket.
4. D. Use the Block Public Access feature in Amazon S3 to set the IgnorePublicAcls option to TRUE on the bucket.

Correct Answer: D
The S3 bucket is allowing public access and this must be immediately disabled. Setting the IgnorePublicAcls option
to TRUE causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains. The other settings you can configure with the Block Public Access Feature are:
o BlockPublicAcls – PUT bucket ACL and PUT objects requests are blocked if granting public access. o BlockPublicPolicy – Rejects requests to PUT a bucket policy if granting public access.
o RestrictPublicBuckets – Restricts access to principles in the bucket owners’ AWS account. https://aws.amazon.com/s3/features/block-public-access/

- (Exam Topic 2)
A company is using Amazon OpenSearch Service to analyze data. The company loads data into an OpenSearch Service cluster with 10 data nodes from an Amazon S3 bucket that uses S3 Standard storage. The data resides in the cluster for 1 month for read-only analysis. After 1 month, the company deletes the index that contains the data from the cluster. For compliance purposes, the company must retain a copy of all input data.
The company is concerned about ongoing costs and asks a solutions architect to recommend a new solution.
Which solution will meet these requirements MOST cost-effectively?

1. A. Replace all the data nodes with UltraWarm nodes to handle the expected capacit
2. B. Transition the input data from S3 Standard to S3 Glacier Deep Archive when the company loads the data into the cluster.
3. C. Reduce the number of data nodes in the cluster to 2 Add UltraWarm nodes to handle the expected capacit
4. D. Configure the indexes to transition to UltraWarm when OpenSearch Service ingests the dat
5. E. Transition the input data to S3 Glacier Deep Archive after 1 month by using an S3 Lifecycle policy.
6. F. Reduce the number of data nodes in the cluster to 2. Add UltraWarm nodes to handle the expected capacit
7. G. Configure the indexes to transition to UltraWarm when OpenSearch Service ingests the dat
8. H. Add cold storage nodes to the cluster Transition the indexes from UltraWarm to cold storag
9. I. Delete the input data from the S3 bucket after 1 month by using an S3 Lifecycle policy.
10. J. Reduce the number of data nodes in the cluster to 2. Add instance-backed data nodes to handle the expected capacit
11. K. Transition the input data from S3 Standard to S3 Glacier Deep Archive when the company loads the data into the cluster.

Correct Answer: B

- (Exam Topic 1)
A company has a policy that all Amazon EC2 instances that are running a database must exist within the same subnets in a shared VPC Administrators must follow security compliance requirements and are not allowed to directly log in to the shared account All company accounts are members of the same organization in AWS Organizations. The number of accounts will rapidly increase as the company grows.
A solutions architect uses AWS Resource Access Manager to create a resource share in the shared account What is the MOST operationally efficient configuration to meet these requirements?

1. A. Add the VPC to the resource shar
2. B. Add the account IDs as principals
3. C. Add all subnets within the VPC to the resource shar
4. D. Add the account IDs as principals
5. E. Add all subnets within the VPC to the resource shar
6. F. Add the organization as a principal.
7. G. Add the VPC to the resource shar
8. H. Add the organization as a principal

Correct Answer: C
https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-create To restrict resource sharing to only principals in your organization, choose Allow sharing with principals in your organization only.
https://docs.aws.amazon.com/ram/latest/userguide/ram-ug.pdf

- (Exam Topic 2)
A solutions architect has implemented a SAML 2.0 federated identity solution with their company's
on-premises identity provider (IdP) to authenticate users' access to the AWS environment. When the solutions architect tests authentication through the federated identity web portal access to the AWS environment is granted However, when test users attempt to authenticate through the federated identity web portal, they are not able to access the AWS environment.
Which items should the solutions architect check to ensure identity federation is property configured? (Select THREE j

1. A. The IAM user's permissions pokey has allowed the use of SAML federation for that user
2. B. The IAM roles created for the federated users' or federated groups' trust policy have set the SAML provider as the principle.
3. C. Test users are not in the AWSFederatedUsers group in the company's IdP
4. D. The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML provider the ARN of the IAM role, and the SAML assertion from IdP
5. E. The on-premises IdP's DNS hostname is reachable from the AWS environment VPCs.
6. F. The company's IdP defines SAML assertions that property map users or groups m the company to IAM roles with appropriate permissions

Correct Answer: BCF