- (Topic 4)
A company uses multiple vendors to distribute digital assets that are stored in Amazon S3
buckets The company wants to ensure that its vendor AWS accounts have the minimum access that is needed to download objects in these S3 buckets
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Design a bucket policy that has anonymous read permissions and permissions to list ail buckets.
2. B. Design a bucket policy that gives read-only access to user
3. C. Specify 1AM entities as principals
4. D. Create a cross-account 1AM role that has a read-only access policy specified for the 1AM role.
5. E. Create a user policy and vendor user groups that give read-only access to vendor users

Correct Answer: C
A cross-account IAM role is a way to grant users from one AWS account access to resources in another AWS account. The cross-account IAM role can have a read-only access policy attached to it, which allows the users to download objects from the S3 buckets without modifying or deleting them. The cross-account IAM role also reduces the operational overhead of managing multiple IAM users and policies in each account. The cross-account IAM role meets all the requirements of the question, while the other options do not. References:
✑ https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-
managing-access-example2.html
✑ https://aws.amazon.com/blogs/storage/setting-up-cross-account-amazon-s3- access-with-s3-access-points/
✑ https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for- user_externalid.html

- (Topic 1)
A company is building an ecommerce web application on AWS. The application sends information about new orders to an Amazon API Gateway REST API to process. The company wants to ensure that orders are processed in the order that they are received.
Which solution will meet these requirements?

1. A. Use an API Gateway integration to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when the application receives an orde
2. B. Subscribe an AWS Lambda function to the topic to perform processing.
3. C. Use an API Gateway integration to send a message to an Amazon Simple Queue Service (Amazon SQS) FIFO queue when the application receives an orde
4. D. Configure the SQS FIFO queue to invoke an AWS Lambda function for processing.
5. E. Use an API Gateway authorizer to block any requests while the application processes an order.
6. F. Use an API Gateway integration to send a message to an Amazon Simple Queue Service (Amazon SQS) standard queue when the application receives an orde
7. G. Configure the SQS standard queue to invoke an AWS Lambda function for processing.

Correct Answer: B
To ensure that orders are processed in the order that they are received, the best solution is to use an Amazon SQS FIFO (First-In-First-Out) queue. This type of queue maintains the exact order in which messages are sent and received. In this case, the application can send information about new orders to an Amazon API Gateway REST API, which can then use an API Gateway integration to send a message to an Amazon SQS FIFO queue for processing. The queue can then be configured to invoke an AWS Lambda function to perform the necessary processing on each order. This ensures that orders are processed in the exact order in which they are received.

- (Topic 4)
A solutions architect has created a new AWS account and must secure AWS account root user access.
Which combination of actions will accomplish this? (Choose two.)

1. A. Ensure the root user uses a strong password.
2. B. Enable multi-factor authentication to the root user.
3. C. Store root user access keys in an encrypted Amazon S3 bucket.
4. D. Add the root user to a group containing administrative permissions.
5. E. Apply the required permissions to the root user with an inline policy document.

Correct Answer: AB
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html * Enable AWS multi-factor authentication (MFA) on your AWS account root user. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide. * Never share your AWS account root user password or access keys with anyone. * Use a strong password to help protect access to the AWS Management Console. For information about managing your AWS account root user password, see Changing the password for the root user.

- (Topic 2)
A global company is using Amazon API Gateway to design REST APIs for its loyalty club
users in the us-east-1 Region and the ap-southeast-2 Region. A solutions architect must design a solution to protect these API Gateway managed REST APIs across multiple accounts from SQL injection and cross-site scripting attacks.
Which solution will meet these requirements with the LEAST amount of administrative effort?

1. A. Set up AWS WAF in both Region
2. B. Associate Regional web ACLs with an API stage.
3. C. Set up AWS Firewall Manager in both Region
4. D. Centrally configure AWS WAF rules.
5. E. Set up AWS Shield in bath Region
6. F. Associate Regional web ACLs with an API stage.
7. G. Set up AWS Shield in one of the Region
8. H. Associate Regional web ACLs with an API stage.

Correct Answer: A
Using AWS WAF has several benefits. Additional protection against web attacks using criteria that you specify. You can define criteria using characteristics of web requests such as the following: Presence of SQL code that is likely to be malicious (known as SQL injection). Presence of a script that is likely to be malicious (known as cross-site scripting). AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections. https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

- (Topic 4)
A company is concerned that two NAT instances in use will no longer be able to support the traffic needed for the company’s application. A solutions architect wants to implement a solution that is highly available, fault tolerant, and automatically scalable.
What should the solutions architect recommend?

1. A. Remove the two NAT instances and replace them with two NAT gateways in the same Availability Zone.
2. B. Use Auto Scaling groups with Network Load Balancers for the NAT instances in differentAvailability Zones.
3. C. Remove the two NAT instances and replace them with two NAT gateways in different Availability Zones.
4. D. Replace the two NAT instances with Spot Instances in different Availability Zones and deploy a Network Load Balancer.

Correct Answer: C
If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway- basics