- (Topic 4)
A company has a popular gaming platform running on AWS. The application is sensitive to latency because latency can impact the user experience and introduce unfair advantages to some players. The application is deployed in every AWS Region. It runs on Amazon EC2 instances that are part of Auto Scaling groups configured behind Application Load Balancers (ALBs). A solutions architect needs to implement a mechanism to monitor the health of the application and redirect traffic to healthy endpoints.
Which solution meets these requirements?

1. A. Configure an accelerator in AWS Global Accelerato
2. B. Add a listener for the port that the application listens on, and attach it to a Regional endpoint in each Regio
3. C. Add the ALB as the endpoint.
4. D. Create an Amazon CloudFront distribution and specify the ALB as the origin serve
5. E. Configure the cache behavior to use origin cache header
6. F. Use AWS Lambda functions to optimize the traffic.
7. G. Create an Amazon CloudFront distribution and specify Amazon S3 as the origin serve
8. H. Configure the cache behavior to use origin cache header
9. I. Use AWS Lambda functions to optimize the traffic.
10. J. Configure an Amazon DynamoDB database to serve as the data store for the applicatio
11. K. Create a DynamoDB Accelerator (DAX) cluster to act as the in-memory cache for DynamoDB hosting the application data.

Correct Answer: A
AWS Global Accelerator directs traffic to the optimal healthy endpoint based on health checks, it can also route traffic to the closest healthy endpoint based on geographic location of the client. By configuring an accelerator and attaching it to a Regional endpoint
in each Region, and adding the ALB as the endpoint, the solution will redirect traffic to healthy endpoints, improving the user experience by reducing latency and ensuring that the application is running optimally. This solution will ensure that traffic is directed to the closest healthy endpoint and will help to improve the overall user experience.

- (Topic 2)
A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.
What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

1. A. Encrypt a copy of the latest DB snapsho
2. B. Replace existing DB instance by restoring the encrypted snapshot
3. C. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it Enable encryption on the DB instance
4. D. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS) Restore encrypted snapshot to an existing DB instance
5. E. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS)

Correct Answer: A
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapsho t.html#USER_RestoreFromSnapshot.CON
Under "Encrypt unencrypted resources" - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

- (Topic 1)
A company is deploying a new public web application to AWS. The application will run behind an Application Load Balancer (ALB). The application needs to be encrypted at the edge with an SSL/TLS certificate that is issued by an external certificate authority (CA). The certificate must be rotated each year before the certificate expires.
What should a solutions architect do to meet these requirements?

1. A. Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificat
2. B. Apply the certificate to the AL
3. C. Use the managed renewal feature to automatically rotate the certificate.
4. D. Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificat
5. E. Import the key material from the certificat
6. F. Apply the certificate to the AL
7. G. Use the managed renewal feature to automatically rotate the certificate.
8. H. Use AWS Certificate Manager (ACM) Private Certificate Authority to issue an SSL/TLS certificate from the root C
9. I. Apply the certificate to the AL
10. J. Use the managed renewal feature to automatically rotate the certificate.
11. K. Use AWS Certificate Manager (ACM) to import an SSL/TLS certificat
12. L. Apply the certificate to the AL
13. M. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiratio
14. N. Rotate the certificate manually.

Correct Answer: D
https://www.amazonaws.cn/en/certificate-manager/faqs/#Managed_renewal_and_deployment

- (Topic 4)
A company runs a microservice-based serverless web application. The application must be able to retrieve data from multiple Amazon DynamoDB tables. A solutions architect needs to give the application the ability to retrieve the data with no impact on the baseline performance of the application.
Which solution will meet these requirements in the MOST operationally efficient way?

1. A. AWSAppSync pipeline resolvers
2. B. Amazon CloudFront with Lambda@Edge functions
3. C. Edge-optimized Amazon API Gateway with AWS Lambda functions
4. D. Amazon Athena Federated Query with a DynamoDB connector

Correct Answer: C
An edge-optimized API Gateway is a way to create RESTful APIs that can access multiple DynamoDB tables through AWS Lambda functions. The edge-optimized API Gateway provides low latency and high performance by caching API responses at CloudFront edge locations. The AWS Lambda functions can use the AWS SDK to query or scan the DynamoDB tables and return the data to the API Gateway. This solution meets all the requirements of the question, while the other options do not. References:
✑ https://aws.amazon.com/blogs/compute/understanding-database-options-for-your-
serverless-web-applications/
✑ https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app- lambda-apigateway-s3-dynamodb-cognito/module-3/
✑ https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/best- practices.html

- (Topic 1)
A company needs to store its accounting records in Amazon S3. The records must be immediately accessible for 1 year and then must be archived for an additional 9 years. No one at the company, including administrative users and root users, can be able to delete the records during the entire 10-year period. The records must be stored with maximum resiliency.
Which solution will meet these requirements?

1. A. Store the records in S3 Glacier for the entire 10-year perio
2. B. Use an access control policy to deny deletion of the records for a period of 10 years.
3. C. Store the records by using S3 Intelligent-Tierin
4. D. Use an IAM policy to deny deletion of the record
5. E. After 10 years, change the IAM policy to allow deletion.
6. F. Use an S3 Lifecycle policy to transition the records from S3 Standard to S3 Glacier Deep Archive after 1 yea
7. G. Use S3 Object Lock in compliance mode for a period of 10 years.
8. H. Use an S3 Lifecycle policy to transition the records from S3 Standard to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 1 yea
9. I. Use S3 Object Lock in governance mode for a period of 10 years.

Correct Answer: C
To meet the requirements of immediately accessible records for 1 year and then archived for an additional 9 years with maximum resiliency, we can use S3 Lifecycle policy to transition records from S3 Standard to S3 Glacier Deep Archive after 1 year. And to ensure that the records cannot be deleted by anyone, including administrative and root users, we can use S3 Object Lock in compliance mode for a period of 10 years. Therefore, the correct answer is option C.
Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html