- (Exam Topic 1)
An AWS customer has a web application that runs on premises. The web application fetches data from a third-party API that is behind a firewall. The third party accepts only one public CIDR block in each client's allow list.
The customer wants to migrate their web application to the AWS Cloud. The application will be hosted on a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The ALB is located in public subnets. The EC2 instances are located in private subnets. NAT gateways provide internet access to the private subnets.
How should a solutions architect ensure that the web application can continue to call the third-parly API after the migration?

1. A. Associate a block of customer-owned public IP addresses to the VP
2. B. Enable public IP addressing for public subnets in the VPC.
3. C. Register a block of customer-owned public IP addresses in the AWS accoun
4. D. Create Elastic IP addresses from the address block and assign them lo the NAT gateways in the VPC.
5. E. Create Elastic IP addresses from the block of customer-owned IP addresse
6. F. Assign the static Elastic IP addresses to the ALB.
7. G. Register a block of customer-owned public IP addresses in the AWS accoun
8. H. Set up AWS Global Accelerator to use Elastic IP addresses from the address bloc
9. I. Set the ALB as the accelerator endpoint.

Correct Answer: B
When EC2 instances reach third-party API through internet, their privates IP addresses will be masked by NAT Gateway public IP address.
https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-bring-your-own-ip-byoip-for-amaz

- (Exam Topic 3)
A company is migrating to the cloud. It wants to evaluate the configurations of virtual machines in its existing data center environment to ensure that it can size new Amazon EC2 instances accurately. The company wants to collect metrics, such as CPU. memory, and disk utilization, and it needs an inventory of what processes are running on each instance. The company would also like to monitor network connections to map communications between servers.
Which would enable the collection of this data MOST cost effectively?

1. A. Use AWS Application Discovery Service and deploy the data collection agent to each virtual machine in the data center.
2. B. Configure the Amazon CloudWatch agent on all servers within the local environment and publish metrics to Amazon CloudWatch Logs.
3. C. Use AWS Application Discovery Service and enable agentless discovery in the existing visualization environment.
4. D. Enable AWS Application Discovery Service in the AWS Management Console and configure thecorporate firewall to allow scans over a VPN.

Correct Answer: A
The AWS Application Discovery Service can help plan migration projects by collecting data about
on-premises servers, such as configuration, performance, and network connections. The data collection agent is a lightweight software that can be installed on each server to gather this information. This option is more cost-effective than agentless discovery, which requires deploying a virtual appliance in the VMware environment, or using CloudWatch agent, which incurs additional charges for CloudWatch Logs. Scanning the servers over a VPN is not a valid option for AWS Application Discovery Service. References: What is AWS Application Discovery Service?, Data collection methods

- (Exam Topic 1)
A company that uses AWS Organizations allows developers to experiment on AWS. As part of the landing zone that the company has deployed, developers use their company email address to request an account. The company wants to ensure that developers are not launching costly services or running services unnecessarily. The company must give developers a fixed monthly budget to limit their AWS costs.
Which combination of steps will meet these requirements? (Choose three.)

1. A. Create an SCP to set a fixed monthly account usage limi
2. B. Apply the SCP to the developer accounts.
3. C. Use AWS Budgets to create a fixed monthly budget for each developer's account as part of the account creation process.
4. D. Create an SCP to deny access to costly services and component
5. E. Apply the SCP to the developer accounts.
6. F. Create an IAM policy to deny access to costly services and component
7. G. Apply the IAM policy to the developer accounts.
8. H. Create an AWS Budgets alert action to terminate services when the budgeted amount is reached.Configure the action to terminate all services.
9. I. Create an AWS Budgets alert action to send an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount is reache
10. J. Invoke an AWS Lambda function to terminate all services.

Correct Answer: BCF
Option A is incorrect because creating an SCP to set a fixed monthly account usage limit is not possible.
SCPs are policies that specify the services and actions that users and roles can use in the member accounts of an AWS Organization. SCPs cannot enforce budget limits or prevent users from launching
costly services or running services unnecessarily1
Option B is correct because using AWS Budgets to create a fixed monthly budget for each developer’s account as part of the account creation process meets the requirement of giving developers a fixed monthly budget to limit their AWS costs. AWS Budgets allows you to plan your service usage, service costs, and instance reservations. You can create budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount2
Option C is correct because creating an SCP to deny access to costly services and components meets the requirement of ensuring that developers are not launching costly services or running services
unnecessarily. SCPs can restrict access to certain AWS services or actions based on conditions such as region, resource tags, or request time. For example, an SCP can deny access to Amazon Redshift clusters or Amazon EC2 instances with certain instance types1
Option D is incorrect because creating an IAM policy to deny access to costly services and components is not sufficient to meet the requirement of ensuring that developers are not launching costly services or running services unnecessarily. IAM policies can only control access to resources within a single AWS account. If developers have multiple accounts or can create new accounts, they can bypass the IAM policy restrictions. SCPs can apply across multiple accounts within an AWS Organization and prevent users from creating new accounts that do not comply with the SCP rules3
Option E is incorrect because creating an AWS Budgets alert action to terminate services when the budgeted amount is reached is not possible. AWS Budgets alert actions can only perform one of the following actions: apply an IAM policy, apply an SCP, or send a notification through Amazon SNS. AWS Budgets alert actions cannot terminate services directly.
Option F is correct because creating an AWS Budgets alert action to send an Amazon SNS notification when the budgeted amount is reached and invoking an AWS Lambda function to terminate all services meets the requirement of giving developers a fixed monthly budget to limit their AWS costs. AWS Budgets alert actions can send notifications through Amazon SNS when a budget threshold is breached. Amazon SNS can trigger an AWS Lambda function that can perform custom logic such as terminating all services in the developer’s account. This way, developers cannot exceed their budget limit and incur additional costs.
References: 1: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html 2
: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-create.html 3: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html : https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-actions.html : https://docs.aws.amazon.com/sns/latest/dg/sns-lambda.html : https://docs.aws.amazon.com/lambda/latest/dg/welcome.html

- (Exam Topic 3)
A company runs an unauthenticated static website (www.example.com) that includes a registration form for users. The website uses Amazon S3 for hosting and uses Amazon CloudFront as the content delivery network with AWS WAF configured. When the registration form is submitted, the website calls an Amazon API Gateway API endpoint that invokes an AWS Lambda function to process the payload and forward the payload to an external API call.
During testing, a solutions architect encounters a cross-origin resource sharing (CORS) error. The solutions architect confirms that the CloudFront distribution origin has the Access-Control-Allow-Origin header set to www.example.com.
What should the solutions architect do to resolve the error?

1. A. Change the CORS configuration on the S3 bucke
2. B. Add rules for CORS to the Allowed Origin element for www.example.com.
3. C. Enable the CORS setting in AWS WA
4. D. Create a web ACL rule in which the Access-Control-Allow-Origin header is set to www.example.com.
5. E. Enable the CORS setting on the API Gateway API endpoin
6. F. Ensure that the API endpoint is configured to return all responses that have the Access-Control -Allow-Origin header set to www.example.com.
7. G. Enable the CORS setting on the Lambda functio
8. H. Ensure that the return code of the function has the Access-Control-Allow-Origin header set to www.example.com.

Correct Answer: C
CORS errors occur when a web page hosted on one domain tries to make a request to a server hosted on another domain. In this scenario, the registration form hosted on the static website is trying to make a request to the API Gateway API endpoint hosted on a different domain, which is causing the error. To resolve this error, the Access-Control-Allow-Origin header needs to be set to the domain from which the request is being made. In this case, the header is already set to www.example.com on the CloudFront distribution origin. Therefore, the solutions architect should enable the CORS setting on the API Gateway API endpoint and ensure that the API endpoint is configured to return all responses that have the Access-Control-Allow-Origin header set to www.example.com. This will allow the API endpoint to respond to requests from the static website without a CORS error.
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cors-errors/

- (Exam Topic 3)
A company has a project that is launching Amazon EC2 instances that are larger than required. The project's account cannot be part of the company's organization in AWS Organizations due to policy restrictions to keep this activity outside of corporate IT. The company wants to allow only the launch of t3.small EC2 instances by developers in the project's account. These EC2 instances must be restricted to the us-east-2 Region.
What should a solutions architect do to meet these requirements?

1. A. Create a new developer accoun
2. B. Move all EC2 instances, users, and assets into us-east-2. Add the account to the company's organization in AWS Organization
3. C. Enforce a tagging policy that denotes Region affinity.
4. D. Create an SCP that denies the launch of all EC2 instances except t3.small EC2 instances in us-east-2.Attach the SCP to the project's account.
5. E. Create and purchase a t3.small EC2 Reserved Instance for each developer in us-east-2. Assign each developer a specific EC2 instance with their name as the tag.
6. F. Create an IAM policy than allows the launch of only t3.small EC2 instances in us-east-2. Attach the policy to the roles and groups that the developers use in the project's account.

Correct Answer: D