- (Topic 1)
A solutions architect is developing a multiple-subnet VPC architecture. The solution will consist of six subnets in two Availability Zones. The subnets are defined as public, private and dedicated for databases. Only the Amazon EC2 instances running in the private subnets should be able to access a database.
Which solution meets these requirements?

1. A. Create a now route table that excludes the route to the public subnets' CIDR block
2. B. Associate the route table to the database subnets.
3. C. Create a security group that denies ingress from the security group used by instances in the public subnet
4. D. Attach the security group to an Amazon RDS DB instance.
5. E. Create a security group that allows ingress from the security group used by instances in the private subnet
6. F. Attach the security group to an Amazon RDS DB instance.
7. G. Create a new peering connection between the public subnets and the private subnet
8. H. Create a different peering connection between the private subnets and the databasesubnets.

Correct Answer: C
Security groups are stateful. All inbound traffic is blocked by default. If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again. You cannot block specific IP address using Security groups (instead use Network Access Control Lists).
"You can specify allow rules, but not deny rules." "When you first create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group." Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#VPCSecurit yGroups

- (Topic 3)
A company wants to implement a disaster recovery plan for its primary on-premises file storage volume. The file storage volume is mounted from an Internet Small Computer Systems Interface (iSCSI) device on a local storage server. The file storage volume holds hundreds of terabytes (TB) of data.
The company wants to ensure that end users retain immediate access to all file types from the on-premises systems without experiencing latency.
Which solution will meet these requirements with the LEAST amount of change to the company's existing infrastructure?

1. A. Provision an Amazon S3 File Gateway as a virtual machine (VM) that is hosted on premise
2. B. Set the local cache to 10 T
3. C. Modify existing applications to access the files through the NFS protoco
4. D. To recover from a disaster, provision an Amazon EC2 instance and mount the S3 bucket that contains the files.
5. E. Provision an AWS Storage Gateway tape gatewa
6. F. Use a data backup solution to back up all existing data to a virtual tape librar
7. G. Configure the data backup solution to run nightly after the initial backup is complet
8. H. To recover from a disaster, provision an Amazon EC2 instance and restore the data to an Amazon Elastic Block Store (Amazon EBS) volume from the volumes in the virtual tape library.
9. I. Provision an AWS Storage Gateway Volume Gateway cached volum
10. J. Set the local cache to 10 T
11. K. Mount the Volume Gateway cached volume to the existing file server by using iSCS
12. L. and copy all files to the storage volum
13. M. Configure scheduled snapshots of the storage volum
14. N. To recover from a disaster, restore a snapshot to an Amazon Elastic Block Store (Amazon EBS) volume and attach the EBS volume to an Amazon EC2 instance.
15. O. Provision an AWS Storage Gateway Volume Gateway stored volume with the same amount of disk space as the existing file storage volum
16. P. Mount the Volume Gateway stored volume to the existing file server by using iSCSI, and copy all files to the storage volum
17. Q. Configure scheduled snapshots of the storage volum
18. R. To recover from a disaster, restore a snapshot to an Amazon Elastic Block Store (Amazon EBS) volume and attach the EBS volume to an Amazon EC2 instance.

Correct Answer: D
"The company wants to ensure that end users retain immediate access to all file types from the on-premises systems " - Cached volumes: low latency access to most recent data - Stored volumes: entire dataset is on premise, scheduled backups to S3 Hence Volume Gateway stored volume is the apt choice.

- (Topic 4)
A hospital needs to store patient records in an Amazon S3 bucket. The hospital's compliance team must ensure that all protected health information (PHI) is encrypted in transit and at rest. The compliance team must administer the encryption key for data at rest.
Which solution will meet these requirements?

1. A. Create a public SSL/TLS certificate in AWS Certificate Manager (ACM). Associate the certificate with Amazon S3. Configure default encryption for each S3 bucket to use server- side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
2. B. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with S3 managed encryption keys (SSE-S3). Assign the compliance team to manage the SSE-S3 keys.
3. C. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
4. D. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Use Amazon Macie to protect the sensitive data that is stored in Amazon S3. Assign the compliance team to manage Macie.

Correct Answer: C
it allows the compliance team to manage the KMS keys used for server-side encryption, thereby providing the necessary control over the encryption keys. Additionally, the use of the "aws:SecureTransport" condition on the bucket policy ensures that all connections to the S3 bucket are encrypted in transit.

- (Topic 4)
A company wants to run its experimental workloads in the AWS Cloud. The company has a budget for cloud spending. The company's CFO is concerned about cloud spending accountability for each department. The CFO wants to receive notification when the spending threshold reaches 60% of the budget.
Which solution will meet these requirements?

1. A. Use cost allocation tags on AWS resources to label owner
2. B. Create usage budgets in AWS Budget
3. C. Add an alert threshold to receive notification when spending exceeds 60% of the budget.
4. D. Use AWS Cost Explorer forecasts to determine resource owner
5. E. Use AWS Cost Anomaly Detection to create alert threshold notifications when spending exceeds 60% of the budget.
6. F. Use cost allocation tags on AWS resources to label owner
7. G. Use AWS Support API on AWS Trusted Advisor to create alert threshold notifications when spending exceeds 60% of the budget
8. H. Use AWS Cost Explorer forecasts to determine resource owner
9. I. Create usage budgets in AWS Budget
10. J. Add an alert threshold to receive notification when spending exceeds 60% of the budget.

Correct Answer: A
This solution meets the requirements because it allows the company to track and manage its cloud spending by using cost allocation tags to assign costs to different departments, creating usage budgets to set spending limits, and adding alert thresholds to receive notifications when the spending reaches a certain percentage of the budget. This way, the company can monitor its experimental workloads and avoid overspending on the cloud.
References:
✑ Using Cost Allocation Tags
✑ Creating an AWS Budget
✑ Creating an Alert for an AWS Budget

- (Topic 4)
A company wants to use an AWS CloudFormatlon stack for its application in a test environment. The company stores the CloudFormation template in an Amazon S3 bucket that blocks public access. The company wants to grant CloudFormation access to the template in the S3 bucket based on specific user requests to create the test environment The solution must follow security best practices.
Which solution will meet these requirements?

1. A. Create a gateway VPC endpoint for Amazon S3. Configure the CloudFormation stack to use the S3 object URL
2. B. Create an Amazon API Gateway REST API that has the S3 bucket as the targe
3. C. Configure the CloudFormat10n stack to use the API Gateway URL _
4. D. Create a presigned URL for the template object_ Configure the CloudFormation stack to use the presigned URL.
5. E. Allow public access to the template object in the S3 bucke
6. F. Block the public access after the test environment is created

Correct Answer: C
it allows CloudFormation to access the template in the S3 bucket without granting public access or creating additional resources. A presigned URL is a URL that is
signed with the access key of an IAM user or role that has permission to access the object. The presigned URL can be used by anyone who receives it, but it expires after a specified time. By creating a presigned URL for the template object and configuring the CloudFormation stack to use it, the company can grant CloudFormation access to the template based on specific user requests and follow security best practices. References:
✑ Using Amazon S3 Presigned URLs
✑ Using Amazon S3 Buckets