- (Topic 3)
An ecommerce company needs to run a scheduled daily job to aggregate and filler sales records for analytics. The company stores the sales records in an Amazon S3 bucket. Each object can be up to 10 G6 in size Based on the number of sales events, the job can take up to an hour to complete. The CPU and memory usage of the fob are constant and are known in advance.
A solutions architect needs to minimize the amount of operational effort that is needed for the job to run. Which solution meets these requirements?

1. A. Create an AWS Lambda function that has an Amazon EventBridge notification Schedule the EventBridge event to run once a day
2. B. Create an AWS Lambda function Create an Amazon API Gateway HTTP API, and integrate the API with the function Create an Amazon EventBridge scheduled avert that calls the API and invokes the function.
3. C. Create an Amazon Elastic Container Service (Amazon ECS) duster with an AWS Fargate launch typ
4. D. Create an Amazon EventBridge scheduled event that launches an ECS task on the cluster to run the job.
5. E. Create an Amazon Elastic Container Service (Amazon ECS) duster with an Amazon EC2 launch type and an Auto Scaling group with at least one EC2 instanc
6. F. Create an Amazon EventBridge scheduled event that launches an ECS task on the duster to run the job.

Correct Answer: C
The solution that meets the requirements with the least operational overhead is to create a
**Regional AWS WAF web ACL with a rate-based rule** and associate the web ACL with the API Gateway stage. This solution will protect the application from HTTP flood attacks by monitoring incoming requests and blocking requests from IP addresses that exceed the predefined rate. Amazon CloudFront distribution with Lambda@Edge in front of the API Gateway Regional API endpoint is also a good solution but it requires more operational overhead than the previous solution. Using Amazon CloudWatch metrics to monitor the Count metric and alerting the security team when the predefined rate is reached is not a solution that can protect against HTTP flood attacks. Creating an Amazon CloudFront distribution in front of the API Gateway Regional API endpoint with a maximum TTL of 24 hours is not a solution that can protect against HTTP flood attacks.

- (Topic 2)
A company runs a high performance computing (HPC) workload on AWS. The workload required low-latency network performance and high network throughput with tightly coupled node-to-node communication. The Amazon EC2 instances are properly sized for compute and storage capacity, and are launched using default options.
What should a solutions architect propose to improve the performance of the workload?

1. A. Choose a cluster placement group while launching Amazon EC2 instances.
2. B. Choose dedicated instance tenancy while launching Amazon EC2 instances.
3. C. Choose an Elastic Inference accelerator while launching Amazon EC2 instances.
4. D. Choose the required capacity reservation while launching Amazon EC2 instances.

Correct Answer: A
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-placementgroup.html
"A cluster placement group is a logical grouping of instances within a single Availability Zone that benefit from low network latency, high network throughput"

- (Topic 4)
A company has a web application hosted over 10 Amazon EC2 instances with traffic directed by Amazon Route 53. The company occasionally experiences a timeout error when attempting to browse the application. The networking team finds that some DNS queries return IP addresses of unhealthy instances, resulting in the timeout error.
What should a solutions architect implement to overcome these timeout errors?

1. A. Create a Route 53 simple routing policy record for each EC2 instanc
2. B. Associate a health check with each record.
3. C. Create a Route 53 failover routing policy record for each EC2 instanc
4. D. Associate a health check with each record.
5. E. Create an Amazon CloudFront distribution with EC2 instances as its origi
6. F. Associate a health check with the EC2 instances.
7. G. Create an Application Load Balancer (ALB) with a health check in front of the EC2 instance
8. H. Route to the ALB from Route 53.

Correct Answer: D
An Application Load Balancer (ALB) allows you to distribute incoming traffic across multiple backend instances, and can automatically route traffic to healthy instances while removing traffic from unhealthy instances. By using an ALB in front of the EC2 instances and routing traffic to it from Route 53, the load balancer can perform health checks on the instances and only route traffic to healthy instances, which should help to reduce or eliminate timeout errors caused by unhealthy instances.

- (Topic 2)
A company has a dynamic web application hosted on two Amazon EC2 instances. The company has its own SSL certificate, which is on each instance to perform SSL termination.
There has been an increase in traffic recently, and the operations team determined that SSL encryption and decryption is causing the compute capacity of the web servers to reach their maximum limit.
What should a solutions architect do to increase the application's performance?

1. A. Create a new SSL certificate using AWS Certificate Manager (ACM) install the ACM certificate on each instance
2. B. Create an Amazon S3 bucket Migrate the SSL certificate to the S3 bucket Configure the EC2 instances to reference the bucket for SSL termination
3. C. Create another EC2 instance as a proxy server Migrate the SSL certificate to the new instance and configure it to direct connections to the existing EC2 instances
4. D. Import the SSL certificate into AWS Certificate Manager (ACM) Create an Application Load Balancer with an HTTPS listener that uses the SSL certificate from ACM

Correct Answer: D
https://aws.amazon.com/certificate-manager/:
"With AWS Certificate Manager, you can quickly request a certificate, deploy it on ACM- integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and let AWS Certificate Manager handle certificate renewals. It also enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally."

- (Topic 3)
A solutions architect must secure a VPC network that hosts Amazon EC2 instances The EC2 ^stances contain highly sensitive data and tun n a private subnet According to company policy the EC2 instances mat run m the VPC can access only approved third- party software repositories on the internet for software product updates that use the third party's URL Other internet traffic must be blocked.
Which solution meets these requirements?

1. A. Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewal
2. B. Configure domain list rule groups
3. C. Set up an AWS WAF web AC
4. D. Create a custom set of rules that filter traffic requests based on source and destination IP address range sets.
5. E. Implement strict inbound security group roles Configure an outbound rule that allows traffic only to the authorized software repositories on the internet by specifying the URLs
6. F. Configure an Application Load Balancer (ALB) in front of the EC2 instance
7. G. Direct an outbound traffic to the ALB Use a URL-based rule listener in the ALB's target group for outbound access to the internet

Correct Answer: A
Send the outbound connection from EC2 to Network Firewall. In Network Firewall, create stateful outbound rules to allow certain domains for software patch download and deny all other domains. https://docs.aws.amazon.com/network-
firewall/latest/developerguide/suricata-examples.html#suricata-example-domain-filtering