- (Exam Topic 2)
A company has multiple business units that each have separate accounts on AWS. Each business unit manages its own network with several VPCs that have CIDR ranges that overlap. The company’s marketing team has created a new internal application and wants to make the application accessible to all the other business units. The solution must use private IP addresses only.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Instruct each business unit to add a unique secondary CIDR range to the business unit's VP
2. B. Peer the VPCs and use a private NAT gateway in the secondary range to route traffic to the marketing team.
3. C. Create an Amazon EC2 instance to serve as a virtual appliance in the marketing account's VP
4. D. Create an AWS Site-to-Site VPN connection between the marketing team and each business unit's VP
5. E. Perform NAT where necessary.
6. F. Create an AWS PrivateLink endpoint service to share the marketing applicatio
7. G. Grant permission to specific AWS accounts to connect to the servic
8. H. Create interface VPC endpoints in other accounts to access the application by using private IP addresses.
9. I. Create a Network Load Balancer (NLB) in front of the marketing application in a private subne
10. J. Create an API Gateway AP
11. K. Use the Amazon API Gateway private integration to connect the API to the NL
12. L. Activate IAM authorization for the AP
13. M. Grant access to the accounts of the other business units.

Correct Answer: C
With AWS PrivateLink, the marketing team can create an endpoint service to share their internal application with other accounts securely using private IP addresses. They can grant permission to specific AWS accounts to connect to the service and create interface VPC endpoints in the other accounts to access the application by using private IP addresses. This option does not require any changes to the network of the other business units, and it does not require peering or NATing. This solution is both scalable and secure.
https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-range

- (Exam Topic 1)
A solutions architect is designing the data storage and retrieval architecture for a new application that a company will be launching soon. The application is designed to ingest millions of small records per minute from devices all around the world. Each record is less than 4 KB in size and needs to be stored in a durable location where it can be retrieved with low latency. The data is ephemeral and the company is required to store the data for 120 days only, after which the data can be deleted.
The solutions architect calculates that, during the course of a year, the storage requirements would be about 10-15 TB.
Which storage strategy is the MOST cost-effective and meets the design requirements?

1. A. Design the application to store each incoming record as a single .csv file in an Amazon S3 bucket to allow for indexed retrieva
2. B. Configure a lifecycle policy to delete data older than 120 days.
3. C. Design the application to store each incoming record in an Amazon DynamoDB table properly configured for the scal
4. D. Configure the DynamoOB Time to Live (TTL) feature to delete records older than 120 days.
5. E. Design the application to store each incoming record in a single table in an Amazon RDS MySQL databas
6. F. Run a nightly cron job that executes a query to delete any records older than 120 days.
7. G. Design the application to batch incoming records before writing them to an Amazon S3 bucke
8. H. Updatethe metadata for the object to contain the list of records in the batch and use the Amazon S3 metadata search feature to retrieve the dat
9. I. Configure a lifecycle policy to delete the data after 120 days.

Correct Answer: B
DynamoDB with TTL, cheaper for sustained throughput of small items + suited for fast retrievals. S3 cheaper for storage only, much higher costs with writes. RDS not designed for this use case.

- (Exam Topic 3)
A company needs to create and manage multiple AWS accounts for a number of departments from a central location. The security team requires read-only access to all accounts from its own AWS account. The company is using AWS Organizations and created an account for the security team.
How should a solutions architect meet these requirements?

1. A. Use the OrganizationAccountAccessRole IAM role to create a new IAM policy with read-only access in each member accoun
2. B. Establish a trust relationship between the IAM policy in each member account and the security accoun
3. C. Ask the security team to use the IAM policy to gain access.
4. D. Use the Organization AccountAccessRole IAM role to create a new IAM role with read-only access in each member accoun
5. E. Establish a trust relationship between the IAM role in each member account and the security accoun
6. F. Ask the security team to use the IAM role to gain access.
7. G. Ask the security team to use AWS Security Token Service (AWS STS) lo call the AssumeRole API tor the Organization AccountAccessRole IAM role in the management account from the security accoun
8. H. Use the generated temporary credentials to gain access.
9. I. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the Organization AccountAccessRole IAM role in the member account from the security accoun
10. J. Use the generated temporary credentials to gain access.

Correct Answer: B
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_ "When you create a member account using the AWS Organizations console, AWS Organizations
automatically creates an IAM role named OrganizationAccountAccessRole in the account" you need
OrganizationAccountAccessRole in member account to create an read-only role and use role from security team to assume this read-only role.

- (Exam Topic 2)
A company is using AWS Organizations to manage multiple AWS accounts. For security purposes, the company requires the creation of an Amazon Simple Notification Service (Amazon SNS) topic that enables integration with a third-party alerting system in all the Organizations member accounts.
A solutions architect used an AWS CloudFormation template to create the SNS topic and stack sets to automate the deployment of Cloud Formation stacks. Trusted access has been enabled in Organizations.
What should the solutions architect do to deploy the CloudFormation StackSets in all AWS accounts?

1. A. Create a stack set in the Organizations member account
2. B. Use service-managed permission
3. C. Set deployment options to deploy to an organizatio
4. D. Use CloudFormation StackSets drift detection.
5. E. Create stacks in the Organizations member account
6. F. Use self-service permission
7. G. Set deploymentoptions to deploy to an organizatio
8. H. Enable the CloudFormation StackSets automatic deployment.
9. I. Create a stack set in the Organizations management accoun
10. J. Use service-managed permission
11. K. Set deployment options to deploy to the organizatio
12. L. Enable CloudFormation StackSets automatic deployment.
13. M. Create stacks in the Organizations management accoun
14. N. Use service-managed permission
15. O. Set deployment options to deploy to the organizatio
16. P. Enable CloudFormation StackSets drift detection.

Correct Answer: C
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.h

- (Exam Topic 1)
A company has a latency-sensitive trading platform that uses Amazon DynamoDB as a storage backend. The company configured the DynamoDB table to use on-demand capacity mode. A solutions architect needs to design a solution to improve the performance of the trading platform. The new solution must ensure high availability for the trading platform.
Which solution will meet these requirements with the LEAST latency?

1. A. Create a two-node DynamoDB Accelerator (DAX) cluster Configure an application to read and write data by using DAX.
2. B. Create a three-node DynamoDB Accelerator (DAX) cluste
3. C. Configure an application to read data by using DAX and to write data directly to the DynamoDB table.
4. D. Create a three-node DynamoDB Accelerator (DAX) cluste
5. E. Configure an application to read data directly from the DynamoDB table and to write data by using DAX.
6. F. Create a single-node DynamoD8 Accelerator (DAX) cluste
7. G. Configure an application to read data by using DAX and to write data directly to the DynamoD8 table.

Correct Answer: B
A DAX cluster can be deployed with one or two nodes for development or test workloads. One- and two-node clusters are not fault-tolerant, and we don't recommend using fewer than three nodes for production use. If a one- or two-node cluster encounters software or hardware errors, the cluster can become unavailable or lose cached data.A DAX cluster can be deployed with one or two nodes for development or test workloads. One and two-node clusters are not fault-tolerant, and we don't recommend using fewer than three nodes for production use. If a one- or two-node cluster encounters software or hardware errors, the cluster can become unavailable or lose cached data.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.concepts.cluster.html