- (Topic 4)
A company has deployed a Java Spring Boot application as a pod that runs on Amazon Elastic Kubernetes Service (Amazon EKS) in private subnets. The application needs to write data to an Amazon DynamoDB table. A solutions architect must ensure that the application can interact with the DynamoDB table without exposing traffic to the internet.
Which combination of steps should the solutions architect take to accomplish this goal? (Choose two.)

1. A. Attach an IAM role that has sufficient privileges to the EKS pod.
2. B. Attach an IAM user that has sufficient privileges to the EKS pod.
3. C. Allow outbound connectivity to the DynamoDB table through the private subnets’ network ACLs.
4. D. Create a VPC endpoint for DynamoDB.
5. E. Embed the access keys in the Java Spring Boot code.

Correct Answer: AD
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc- endpoints-dynamodb.html
https://aws.amazon.com/about-aws/whats-new/2019/09/amazon-eks-adds-support-to- assign-iam-permissions-to-kubernetes-service-accounts/

- (Topic 2)
A company runs a production application on a fleet of Amazon EC2 instances. The application reads the data from an Amazon SQS queue and processes the messages in parallel. The message volume is unpredictable and often has intermittent traffic. This application should continually process messages without any downtime.
Which solution meets these requirements MOST cost-effectively?

1. A. Use Spot Instances exclusively to handle the maximum capacity required.
2. B. Use Reserved Instances exclusively to handle the maximum capacity required.
3. C. Use Reserved Instances for the baseline capacity and use Spot Instances to handle additional capacity.
4. D. Use Reserved Instances for the baseline capacity and use On-Demand Instances to handle additional capacity.

Correct Answer: D
We recommend that you use On-Demand Instances for applications with short-term, irregular workloads that cannot be interrupted. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-on-demand-instances.html

- (Topic 2)
An online retail company has more than 50 million active customers and receives more than 25,000 orders each day. The company collects purchase data for customers and stores this data in Amazon S3. Additional customer data is stored in Amazon RDS.
The company wants to make all the data available to various teams so that the teams can perform analytics. The solution must provide the ability to manage fine-grained permissions for the data and must minimize operational overhead.
Which solution will meet these requirements?

1. A. Migrate the purchase data to write directly to Amazon RD
2. B. Use RDS access controls to limit access.
3. C. Schedule an AWS Lambda function to periodically copy data from Amazon RDS to Amazon S3. Create an AWS Glue crawle
4. D. Use Amazon Athena to query the dat
5. E. Use S3 policies to limit access.
6. F. Create a data lake by using AWS Lake Formatio
7. G. Create an AWS Glue JDBC connection to Amazon RD
8. H. Register (he S3 bucket in Lake Formatio
9. I. Use Lake Formation access controls to limit access.
10. J. Create an Amazon Redshift cluste
11. K. Schedule an AWS Lambda function to periodically copy data from Amazon S3 and Amazon RDS to Amazon Redshif
12. L. Use Amazon Redshift access controls to limit access.

Correct Answer: C
To make all the data available to various teams and minimize operational overhead, the company can create a data lake by using AWS Lake Formation. This will allow the company to centralize all the data in one place and use fine-grained access controls to manage access to the data. To meet the requirements of the company, the solutions architect can create a data lake by using AWS Lake Formation, create an AWS Glue JDBC connection to Amazon RDS, and register the S3 bucket in Lake Formation. The solutions architect can then use Lake Formation access controls to limit access to the data. This solution will provide the ability to manage fine-grained permissions for the data and minimize operational overhead.

- (Topic 2)
A company produces batch data that comes from different databases. The company also produces live stream data from network sensors and application APIs. The company needs to consolidate all the data into one place for business analytics. The company needs to process the incoming data and then stage the data in different Amazon S3 buckets. Teams will later run one-time queries and import the data into a business intelligence tool to show key performance indicators (KPIs).
Which combination of steps will meet these requirements with the LEAST operational
overhead? (Choose two.)

1. A. Use Amazon Athena foe one-time queries Use Amazon QuickSight to create dashboards for KPIs
2. B. Use Amazon Kinesis Data Analytics for one-time queries Use Amazon QuickSight to create dashboards for KPIs
3. C. Create custom AWS Lambda functions to move the individual records from me databases to an Amazon Redshift duster
4. D. Use an AWS Glue extract transform, and toad (ETL) job to convert the data into JSON format Load the data into multiple Amazon OpenSearch Service (Amazon Elasticsearch Service) dusters
5. E. Use blueprints in AWS Lake Formation to identify the data that can be ingested into a data lake Use AWS Glue to crawl the source extract the data and load the data into Amazon S3 in Apache Parquet format

Correct Answer: AE
Amazon Athena is the best choice for running one-time queries on streaming data. Although Amazon Kinesis Data Analytics provides an easy and familiar standard SQL language to analyze streaming data in real-time, it is designed for continuous queries rather than one-time queries[1]. On the other hand, Amazon Athena is a serverless interactive query service that allows querying data in Amazon S3 using SQL. It is optimized for ad-hoc querying and is ideal for running one-time queries on streaming data[2].AWS Lake Formation uses as a central place to have all your data for analytics purposes (E). Athena integrate perfect with S3 and can makes queries (A).

- (Topic 4)
A global marketing company has applications that run in the ap-southeast-2 Region and the eu-west-1 Region. Applications that run in a VPC in eu-west-1 need to communicate securely with databases that run in a VPC in ap-southeast-2.
Which network design will meet these requirements?

1. A. Create a VPC peering connection between the eu-west-1 VPC and the ap-southeast-2 VP
2. B. Create an inbound rule in the eu-west-1 application security group that allows traffic from the database server IP addresses in the ap-southeast-2 security group.
3. C. Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west- 1 VP
4. D. Update the subnet route table
5. E. Create an inbound rule in the ap-southeast-2 database security group that references the security group ID of the application servers in eu-west-1.
6. F. Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west- 1 VP
7. G. Update the subnet route tables Create an inbound rule in the ap-southeast-2 database security group that allows traffic from the eu-west-1 application server IP addresses.
8. H. Create a transit gateway with a peering attachment between the eu-west-1 VPC and the ap-southeast-2 VP
9. I. After the transit gateways are properly peered and routing is configured, create an inbound rule in the database security group that references the security group ID of the application servers in eu-west-1.

Correct Answer: C
"You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC." https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html