- (Topic 4)
A company hosts a multi-tier web application on Amazon Linux Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The company observes that the Auto Scaling group launches more On-Demand Instances when the application's end users access high volumes of static web content. The company wants to optimize cost.
What should a solutions architect do to redesign the application MOST cost-effectively?

1. A. Update the Auto Scaling group to use Reserved Instances instead of On-Demand Instances.
2. B. Update the Auto Scaling group to scale by launching Spot Instances instead of On- Demand Instances.
3. C. Create an Amazon CloudFront distribution to host the static web contents from an Amazon S3 bucket.
4. D. Create an AWS Lambda function behind an Amazon API Gateway API to host the static website contents.

Correct Answer: C
This answer is correct because it meets the requirements of optimizing cost and reducing the workload on the database. Amazon CloudFront is a content delivery network (CDN) service that speeds up distribution of your static and dynamic web content, such as .html,.css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance. You can create an Amazon CloudFront distribution to host the static web contents from an Amazon S3 bucket, which is an origin that you define for CloudFront. This way, you can offload the requests for static web content from your EC2 instances to CloudFront, which can improve the performance and availability of your website, and reduce the cost of running your EC2 instances.
References:
✑ https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introducti on.html
✑ https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteHosting.html

- (Topic 3)
A hospital is designing a new application that gathers symptoms from patients. The hospital has decided to use Amazon Simple Queue Service (Amazon SOS) and Amazon Simple Notification Service (Amazon SNS) in the architecture.
A solutions architect is reviewing the infrastructure design Data must be encrypted at test and in transit. Only authorized personnel of the hospital should be able to access the data.
Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)

1. A. Turn on server-side encryption on the SQS components Update tie default key policy to restrict key usage to a set of authorized principals.
2. B. Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key Apply a key policy to restrict key usage to a set of authorized principals.
3. C. Turn on encryption on the SNS components Update the default key policy to restrict key usage to a set of authorized principal
4. D. Set a condition in the topic pokey to allow only encrypted connections over TLS.
5. E. Turn on server-side encryption on the SOS components by using an AWS Key Management Service (AWS KMS) customer managed key Apply a key pokey to restrict key usage to a set of authorized principal
6. F. Set a condition in the queue pokey to allow only encrypted connections over TLS.
7. G. Turn on server-side encryption on the SOS components by using an AWS Key Management Service (AWS KMS) customer managed ke
8. H. Apply an IAM pokey to restrict key usage to a set of authorized principal
9. I. Set a condition in the queue pokey to allow only encrypted connections over TLS

Correct Answer: BD
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html

- (Topic 3)
An image-hosting company stores its objects in Amazon S3 buckets. The company wants to avoid accidental exposure of the objects in the S3 buckets to the public. All S3 objects in the entire AWS account need to remain private
Which solution will meal these requirements?

1. A. Use Amazon GuardDuty to monitor S3 bucket policies Create an automatic remediation action rule that uses an AWS Lambda function to remediate any change that makes the objects public
2. B. Use AWS Trusted Advisor to find publicly accessible S3 Dockets Configure email notifications In Trusted Advisor when a change is detected manually change the S3 bucket policy if it allows public access
3. C. Use AWS Resource Access Manager to find publicly accessible S3 buckets Use Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function when a change it detecte
4. D. Deploy a Lambda function that programmatically remediates the change.
5. E. Use the S3 Block Public Access feature on the account leve
6. F. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting Apply tie SCP to tie account

Correct Answer: D
The S3 Block Public Access feature allows you to restrict public access to S3 buckets and objects within the account. You can enable this feature at the account level to prevent any S3 bucket from being made public, regardless of the bucket policy settings. AWS Organizations can be used to apply a Service Control Policy (SCP) to the account to prevent IAM users from changing this setting, ensuring that all S3 objects remain private. This is a straightforward and effective solution that requires minimal operational overhead.

- (Topic 1)
A company that hosts its web application on AWS wants to ensure all Amazon EC2 instances. Amazon RDS DB instances. and Amazon Redshift clusters are configured with tags. The company wants to minimize the effort of configuring and operating this check.
What should a solutions architect do to accomplish this?

1. A. Use AWS Config rules to define and detect resources that are not properly tagged.
2. B. Use Cost Explorer to display resources that are not properly tagge
3. C. Tag those resources manually.
4. D. Write API calls to check all resources for proper tag allocatio
5. E. Periodically run the code on an EC2 instance.
6. F. Write API calls to check all resources for proper tag allocatio
7. G. Schedule an AWS Lambda function through Amazon CloudWatch to periodically run the code.

Correct Answer: A
To ensure all Amazon EC2 instances, Amazon RDS DB instances, and Amazon Redshift clusters are configured with tags, a solutions architect should use AWS Config rules to define and detect resources that are not properly tagged. AWS Config rules are a set of customizable rules that AWS Config uses to evaluate AWS resource configurations for compliance with best practices and company policies. Using AWS Config rules can minimize the effort of configuring and operating this check because it automates the process of identifying non-compliant resources and notifying the responsible teams. Reference:
AWS Config Developer Guide: AWS Config Rules (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed- rules.html)

- (Topic 4)
A company runs a microservice-based serverless web application. The application must be able to retrieve data from multiple Amazon DynamoDB tables. A solutions architect needs to give the application the ability to retrieve the data with no impact on the baseline performance of the application.
Which solution will meet these requirements in the MOST operationally efficient way?

1. A. AWSAppSync pipeline resolvers
2. B. Amazon CloudFront with Lambda@Edge functions
3. C. Edge-optimized Amazon API Gateway with AWS Lambda functions
4. D. Amazon Athena Federated Query with a DynamoDB connector

Correct Answer: C
An edge-optimized API Gateway is a way to create RESTful APIs that can access multiple DynamoDB tables through AWS Lambda functions. The edge-optimized API Gateway provides low latency and high performance by caching API responses at CloudFront edge locations. The AWS Lambda functions can use the AWS SDK to query or scan the DynamoDB tables and return the data to the API Gateway. This solution meets all the requirements of the question, while the other options do not. References:
✑ https://aws.amazon.com/blogs/compute/understanding-database-options-for-your-
serverless-web-applications/
✑ https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app- lambda-apigateway-s3-dynamodb-cognito/module-3/
✑ https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/best- practices.html