- (Topic 4)
A solutions architect needs to review a company's Amazon S3 buckets to discover personally identifiable information (Pll). The company stores the Pll data in the us-east-I Region and us-west-2 Region.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Configure Amazon Macie in each Regio
2. B. Create a job to analyze the data that is in Amazon S3_
3. C. Configure AWS Security Hub for all Region
4. D. Create an AWS Config rule to analyze the data that is in Amazon S3_
5. E. Configure Amazon Inspector to analyze the data that IS in Amazon S3.
6. F. Configure Amazon GuardDuty to analyze the data that is in Amazon S3.

Correct Answer: A
it allows the solutions architect to review the S3 buckets to discover personally identifiable information (Pll) with the least operational overhead. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS. Amazon Macie can analyze data in S3 buckets across multiple regions and provide insights into the type, location, and level of sensitivity of the data. References:
✑ Amazon Macie
✑ Analyzing data with Amazon Macie

- (Topic 3)
A company hosts its application on AWS The company uses Amazon Cognito to manage users When users log in to the application the application fetches required data from Amazon DynamoDB by using a REST API that is hosted in Amazon API Gateway. The company wants an AWS managed solution that will control access to the REST API to reduce development efforts
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Configure an AWS Lambda function to be an authorize! in API Gateway to validate which user made the request
2. B. For each user, create and assign an API key that must be sent with each request Validate the key by using an AWS Lambda function
3. C. Send the user's email address in the header with every request Invoke an AWS Lambda function to validate that the user with that email address has proper access
4. D. Configure an Amazon Cognito user pool authorizer in API Gateway to allow Amazon Cognito to validate each request

Correct Answer: D
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
To control access to the REST API and reduce development efforts, the company can use an Amazon Cognito user pool authorizer in API Gateway. This will allow Amazon Cognito to validate each request and ensure that only authenticated users can access the API. This
solution has the LEAST operational overhead, as it does not require the company to develop and maintain any additional infrastructure or code.

- (Topic 2)
A company is running a multi-tier web application on premises. The web application is containerized and runs on a number of Linux hosts connected to a PostgreSQL database that contains user records. The operational overhead of maintaining the infrastructure and capacity planning is limiting the company's growth. A solutions architect must improve the application's infrastructure.
Which combination of actions should the solutions architect take to accomplish this? (Choose two.)

1. A. Migrate the PostgreSQL database to Amazon Aurora
2. B. Migrate the web application to be hosted on Amazon EC2 instances.
3. C. Set up an Amazon CloudFront distribution for the web application content.
4. D. Set up Amazon ElastiCache between the web application and the PostgreSQL database.
5. E. Migrate the web application to be hosted on AWS Fargate with Amazon Elastic Container Service (Amazon ECS).

Correct Answer: AE
Amazon Aurora is a fully managed, scalable, and highly available relational database service that is compatible with PostgreSQL. Migrating the database to Amazon Aurora would reduce the operational overhead of maintaining the database infrastructure and allow the company to focus on building and scaling the application. AWS Fargate is a fully managed container orchestration service that enables users to run containers without the need to manage the underlying EC2 instances. By using AWS Fargate with Amazon Elastic Container Service (Amazon ECS), the solutions architect can improve the scalability and efficiency of the web application and reduce the operational overhead of maintaining the underlying infrastructure.

- (Topic 3)
A company is migrating its on-premises workload to the AWS Cloud. The company already uses several Amazon EC2 instances and Amazon RDS DB instances. The company wants a solution that automatically starts and stops the EC2 instances and D6 instances outside of business hours. The solution must minimize cost and infrastructure maintenance.
Which solution will meet these requirement?

1. A. Scale the EC2 instances by using elastic resize Scale the DB instances to zero outside of business hours
2. B. Explore AWS Marketplace for partner solutions that will automatically start and stop theEC2 Instances and OB instances on a schedule
3. C. Launch another EC2 instanc
4. D. Configure a crontab schedule to run shell scripts that will start and stop the existing EC2 instances and DB instances on a schedule.
5. E. Create an AWS Lambda function that will start and stop the EC2 instances and DB instances Configure Amazon EventBridge to invoke the Lambda function on a schedule

Correct Answer: D
The most efficient solution for automatically starting and stopping EC2 instances and DB instances on a schedule while minimizing cost and infrastructure maintenance is to create an AWS Lambda function and configure Amazon EventBridge to invoke the function on a schedule.
Option A, scaling EC2 instances by using elastic resize and scaling DB instances to zero outside of business hours, is not feasible as DB instances cannot be scaled to zero.
Option B, exploring AWS Marketplace for partner solutions, may be an option, but it may not be the most efficient solution and could potentially add additional costs.
Option C, launching another EC2 instance and configuring a crontab schedule to run shell scripts that will start and stop the existing EC2 instances and DB instances on a schedule, adds unnecessary infrastructure and maintenance.

- (Topic 4)
A company's developers want a secure way to gain SSH access on the company's Amazon EC2 instances that run the latest version of Amazon Linux. The developers work remotely and in the corporate office.
The company wants to use AWS services as a part of the solution. The EC2 instances are hosted in a VPC private subnet and access the internet through a NAT gateway that is deployed in a public subnet.
What should a solutions architect do to meet these requirements MOST cost-effectively?

1. A. Create a bastion host in the same subnet as the EC2 instance
2. B. Grant the ec2:CreateVpnConnection 1AM permission to the developer
3. C. Install EC2 Instance Connect so that the developers can connect to the EC2 instances.
4. D. Create an AWS Site-to-Site VPN connection between the corporate network and the VP
5. E. Instruct the developers to use the Site-to-Site VPN connection to access the EC2 instances when the developers are on the corporate networ
6. F. Instruct the developers to set up another VPN connection for access when they work remotely.
7. G. Create a bastion host in the public subnet of the VP
8. H. Configure the security groups and SSH keys of the bastion host to only allow connections and SSH authentication from the developers' corporate and remote network
9. I. Instruct the developers to connect through the bastion host by using SSH to reach the EC2 instances.
10. J. Attach the AmazonSSMManagedlnstanceCore 1AM policy to an 1AM role that is associated with the EC2 instance
11. K. Instruct the developers to use AWS Systems Manager Session Manager to access the EC2 instances.

Correct Answer: D
AWS Systems Manager Session Manager is a service that enables you to securely connect to your EC2 instances without using SSH keys or bastion hosts. You can use Session Manager to access your instances through the AWS Management Console, the AWS CLI, or the AWS SDKs. Session Manager uses IAM policies and roles to control who can access which instances. By attaching the AmazonSSMManagedlnstanceCore IAM policy to an IAM role that is associated with the EC2 instances, you grant the Session Manager service the necessary permissions to perform actions on your instances. You also need to attach another IAM policy to the developers’ IAM users or roles that allows them to start sessions to the instances. Session Manager uses the AWS Systems Manager Agent (SSM Agent) that is installed by default on Amazon Linux 2 and other supported Linux distributions. Session Manager also encrypts all session data between your client and your instances, and streams session logs to Amazon S3, Amazon CloudWatch Logs, or both for auditing purposes. This solution is the most cost-effective, as it does not require any additional resources or services, such as bastion hosts, VPN connections, or NAT gateways. It also simplifies the security and management of SSH access, as it eliminates the need for SSH keys, port opening, or firewall rules. References:
✑ What is AWS Systems Manager?
✑ Setting up Session Manager
✑ Getting started with Session Manager
✑ Controlling access to Session Manager
✑ Logging Session Manager activity