- (Topic 4)
An ecommerce company runs applications in AWS accounts that are part of an organization in AWS Organizations The applications run on Amazon Aurora PostgreSQL databases across all the accounts The company needs to prevent malicious activity and must identify abnormal failed and incomplete login attempts to the databases
Which solution will meet these requirements in the MOST operationally efficient way?

1. A. Attach service control policies (SCPs) to the root of the organization to identify the failed login attempts
2. B. Enable the Amazon RDS Protection feature in Amazon GuardDuty for the member accounts of the organization
3. C. Publish the Aurora general logs to a log group in Amazon CloudWatch Logs Export the log data to a central Amazon S3 bucket
4. D. Publish all the Aurora PostgreSQL database events in AWS CloudTrail to a central Amazon S3 bucket

Correct Answer: C
This option is the most operationally efficient way to meet the requirements because it allows the company to monitor and analyze the database login activity across all the accounts in the organization. By publishing the Aurora general logs to a log group in Amazon CloudWatch Logs, the company can enable the logging of the database connections, disconnections, and failed authentication attempts. By exporting the log data to a central Amazon S3 bucket, the company can store the log data in a durable and cost- effective way and use other AWS services or tools to perform further analysis or alerting on the log data. For example, the company can use Amazon Athena to query the log data in Amazon S3, or use Amazon SNS to send notifications based on the log data.
* A. Attach service control policies (SCPs) to the root of the organization to identify the failed login attempts. This option is not effective because SCPs are not designed to identify the failed login attempts, but to restrict the actions that the users and roles can perform in the member accounts of the organization. SCPs are applied to the AWS API calls, not to the database login attempts. Moreover, SCPs do not provide any logging or analysis capabilities for the database activity.
* B. Enable the Amazon RDS Protection feature in Amazon GuardDuty for the member accounts of the organization. This option is not optimal because the Amazon RDS Protection feature in Amazon GuardDuty is not available for Aurora PostgreSQL databases, but only for Amazon RDS for MySQL and Amazon RDS for MariaDB databases. Moreover, the Amazon RDS Protection feature does not monitor the database login attempts, but the network and API activity related to the RDS instances.
* D. Publish all the Aurora PostgreSQL database events in AWS CloudTrail to a central Amazon S3 bucket. This option is not sufficient because AWS CloudTrail does not capture the database login attempts, but only the AWS API calls made by or on behalf of the Aurora PostgreSQL database. For example, AWS CloudTrail can record the events such as creating, modifying, or deleting the database instances, clusters, or snapshots, but not the events such as connecting, disconnecting, or failing to authenticate to the database. References:
✑ 1 Working with Amazon Aurora PostgreSQL - Amazon Aurora
✑ 2 Working with log groups and log streams - Amazon CloudWatch Logs
✑ 3 Exporting Log Data to Amazon S3 - Amazon CloudWatch Logs
✑ [4] Amazon GuardDuty FAQs
✑ [5] Logging Amazon RDS API Calls with AWS CloudTrail - Amazon Relational Database Service

- (Topic 2)
A company is building a containerized application on premises and decides to move the application to AWS. The application will have thousands of users soon after li is deployed. The company Is unsure how to manage the deployment of containers at scale. The company needs to deploy the containerized application in a highly available architecture that minimizes operational overhead.
Which solution will meet these requirements?

1. A. Store container images In an Amazon Elastic Container Registry (Amazon ECR) repositor
2. B. Use an Amazon Elastic Container Service (Amazon ECS) cluster with the AWS Fargate launch type to run the container
3. C. Use target tracking to scale automatically based on demand.
4. D. Store container images in an Amazon Elastic Container Registry (Amazon ECR) repositor
5. E. Use an Amazon Elastic Container Service (Amazon ECS) cluster with the Amazon EC2 launch type to run the container
6. F. Use target tracking to scale automatically based on demand.
7. G. Store container images in a repository that runs on an Amazon EC2 instanc
8. H. Run the containers on EC2 instances that are spread across multiple Availability Zone
9. I. Monitor the average CPU utilization in Amazon CloudWatc
10. J. Launch new EC2 instances as needed
11. K. Create an Amazon EC2 Amazon Machine Image (AMI) that contains the container image Launch EC2 Instances in an Auto Scaling group across multiple Availability Zone
12. L. Use an Amazon CloudWatch alarm to scale out EC2 instances when the average CPU utilization threshold is breached.

Correct Answer: A
AWS Fargate is a serverless experience for user applications, allowing the user to concentrate on building applications instead of configuring and managing servers. Fargate also automates resource management, allowing users to easily scale their applications in response to demand.

- (Topic 2)
A company has an ecommerce checkout workflow that writes an order to a database and calls a service to process the payment. Users are experiencing timeouts during the checkout process. When users resubmit the checkout form, multiple unique orders are created for the same desired transaction.
How should a solutions architect refactor this workflow to prevent the creation of multiple orders?

1. A. Configure the web application to send an order message to Amazon Kinesis Data Firehos
2. B. Set the payment service to retrieve the message from Kinesis Data Firehose and process the order.
3. C. Create a rule in AWS CloudTrail to invoke an AWS Lambda function based on the logged application path request Use Lambda to query the database, call the payment service, and pass in the order information.
4. D. Store the order in the databas
5. E. Send a message that includes the order number to Amazon Simple Notification Service (Amazon SNS). Set the payment service to pollAmazon SN
6. F. retrieve the message, and process the order.
7. G. Store the order in the databas
8. H. Send a message that includes the order number to an Amazon Simple Queue Service (Amazon SQS) FIFO queu
9. I. Set the payment service to retrieve the message and process the orde
10. J. Delete the message from the queue.

Correct Answer: D
This approach ensures that the order creation and payment processing steps are separate and atomic. By sending the order information to an SQS FIFO queue, the payment service can process the order one at a time and in the order they were received. If the payment service is unable to process an order, it can be retried later, preventing the creation of multiple orders. The deletion of the message from the queue after it is processed will prevent the same message from being processed multiple times.

- (Topic 3)
A solutions architect must secure a VPC network that hosts Amazon EC2 instances The EC2 ^stances contain highly sensitive data and tun n a private subnet According to company policy the EC2 instances mat run m the VPC can access only approved third- party software repositories on the internet for software product updates that use the third party's URL Other internet traffic must be blocked.
Which solution meets these requirements?

1. A. Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewal
2. B. Configure domain list rule groups
3. C. Set up an AWS WAF web AC
4. D. Create a custom set of rules that filter traffic requests based on source and destination IP address range sets.
5. E. Implement strict inbound security group roles Configure an outbound rule that allows traffic only to the authorized software repositories on the internet by specifying the URLs
6. F. Configure an Application Load Balancer (ALB) in front of the EC2 instance
7. G. Direct an outbound traffic to the ALB Use a URL-based rule listener in the ALB's target group for outbound access to the internet

Correct Answer: A
Send the outbound connection from EC2 to Network Firewall. In Network Firewall, create stateful outbound rules to allow certain domains for software patch download and deny all other domains. https://docs.aws.amazon.com/network-
firewall/latest/developerguide/suricata-examples.html#suricata-example-domain-filtering

- (Topic 3)
A company recently deployed a new auditing system to centralize information about operating system versions patching and installed software for Amazon EC2 instances. A solutions architect must ensure all instances provisioned through EC2 Auto Scaling groups successfully send reports to the auditing system as soon as they are launched and terminated
Which solution achieves these goals MOST efficiently?

1. A. Use a scheduled AWS Lambda function and run a script remotely on all EC2 instances to send data to the audit system.
2. B. Use EC2 Auto Scaling lifecycle hooks to run a custom script to send data to the audit system when instances are launched and terminated
3. C. Use an EC2 Auto Scaling launch configuration to run a custom script through user data to send data to the audit system when instances are launched and terminated
4. D. Run a custom script on the instance operating system to send data to the audit system Configure the script to be invoked by the EC2 Auto Scaling group when the instance starts and is terminated

Correct Answer: B
Amazon EC2 Auto Scaling offers the ability to add lifecycle hooks to your Auto Scaling groups. These hooks let you create solutions that are aware of events in the Auto Scaling instance lifecycle, and then perform a custom action on instances when the corresponding lifecycle event occurs. (https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html)