- (Topic 3)
A company wants to verify if multi-factor authentication (MFA) is enabled for all users within its AWS accounts.
Which AWS service or resource will meet this requirement?

1. A. AWS Cost and Usage Report
2. B. IAM credential reports
3. C. AWS Artifact
4. D. Amazon CloudFront reports

Correct Answer: B
The AWS service or resource that will meet the requirement of verifying if multi-factor authentication (MFA) is enabled for all users within its AWS accounts is IAM credential reports. IAM credential reports are downloadable reports that list all the users in an AWS account and the status of their various credentials, including passwords, access keys, and MFA devices. Users can use IAM credential reports to audit the security status of their AWS accounts and identify any issues or risks4. AWS Cost and Usage Report, AWS Artifact, and Amazon CloudFront reports are other AWS services or resources that provide different types of information, such as billing, compliance, and content delivery, but they do not show the MFA status of the users.

- (Topic 2)
A company is reviewing the design of an application that will be migrated from on premises to a single Amazon EC2 instance.
What should the company do to make the application highly available?

1. A. Provision additional EC2 instances in other Availability Zones.
2. B. Configure an Application Load Balancer (ALB). Assign the EC2 instance as the ALB's target.
3. C. Use an Amazon Machine Image (AMI) to create the EC2 instance.
4. D. Provision the application by using an EC2 Spot Instance.

Correct Answer: A
Provisioning additional EC2 instances in other Availability Zones is a way to make the application highly available, as it reduces the impact of failures and increases fault tolerance. Configuring an Application Load Balancer and assigning the EC2 instance as the ALB’s target is a way to distribute traffic among multiple instances, but it does not make the application highly available if there is only one instance. Using an Amazon Machine Image to create the EC2 instance is a way to launch a virtual server with a preconfigured operating system and software, but it does not make the application highly available by itself. Provisioning the application by using an EC2 Spot Instance is a way to use spare EC2 capacity at up to 90% off the On-Demand price, but it does not make the application highly available, as Spot Instances can be interrupted by EC2 with a two-minute notification.

- (Topic 3)
A company is looking for a managed machine learning (ML) service that can recommend products based on a customer's previous behaviors.
Which AWS service meets this requirement?

1. A. Amazon Personalize
2. B. Amazon SageMaker
3. C. Amazon Pinpoint
4. D. Amazon Comprehend

Correct Answer: A
The AWS service that meets the requirement of providing a managed machine learning (ML) service that can recommend products based on a customer’s previous behaviors is Amazon Personalize. Amazon Personalize is a fully managed service that enables developers to create personalized recommendations for customers using their own data. Amazon Personalize can automatically process and examine the data, identify what is meaningful, select the right algorithms, and train and optimize a personalized recommendation model2. Amazon SageMaker, Amazon Pinpoint, and Amazon Comprehend are other AWS services related to machine learning, but they do not provide the specific functionality of product recommendation.

- (Topic 3)
A development team wants to deploy multiple test environments for an application in a fast repeatable manner.
Which AWS service should the team use?

1. A. Amazon EC2
2. B. AWS CloudFormation
3. C. Amazon QuickSight
4. D. Amazon Elastic Container Service (Amazon ECS)

Correct Answer: B
AWS CloudFormation is a service that allows you to model and provision your AWS resources using templates. You can define your infrastructure as code and automate the creation and update of your resources. AWS CloudFormation also supports nested stacks, change sets, and rollback features to help you manage complex and dynamic environments34. References:
✑ AWS CloudFormation
✑ AWS Certified Cloud Practitioner Exam Guide

- (Topic 2)
Which AWS services or tools are designed to protect a workload from SQL injections, cross-site scripting, and DDoS attacks? (Select TWO.)

1. A. VPC endpoint
2. B. Virtual private gateway Q
3. C. AWS Shield Standard
4. D. AWS Config
5. E. AWS WAF

Correct Answer: C
AWS Shield Standard and AWS WAF are the AWS services or tools that are designed to protect a workload from SQL injections, cross-site scripting, and DDoS attacks.
According to the AWS Shield Developer Guide, "AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection."5 According to the AWS WAF Developer Guide, “AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.” VPC endpoint, virtual private gateway, and AWS Config are not designed to protect a workload from these types of attacks.