- (Exam Topic 2)
A solutions architect is designing a multi-account structure that has 10 existing accounts. The design must meet the following requirements
• Consolidate all accounts into one organization
• Allow full access to the Amazon EC2 service from the management account and the secondary accounts
• Minimize the effort required to add additional secondary accounts
Which combination of steps should be included in the solution? (Select TWO )

1. A. Create an organization from the management account Send invitations to the secondary accounts from the management account Accept the invitations and create an OU
2. B. Create an organization from the management accoun
3. C. Send a join request to the management account from each secondary account Accept the requests and create an OU
4. D. Create a VPC peering connection between the management account and the secondary accounts Accept the request for the VPC peering connection
5. E. Create a service control policy (SCP) that enables full EC2 access, and attach the policy to the OU
6. F. Create a full EC2 access policy and map the policy to a role in each account Trust every other account to assume the role

Correct Answer: AE

- (Exam Topic 1)
A company provides a centralized Amazon EC2 application hosted in a single shared VPC. The centralized application must be accessible from client applications running in the VPCs of other business units. The centralized application front end is configured with a Network Load Balancer (NLB) for scalability.
Up to 10 business unit VPCs will need to be connected to the shared VPC. Some of the business unit VPC CIDR blocks overlap with the shared VPC. and some overlap with each other. Network connectivity to the centralized application in the shared VPC should be allowed from authorized business unit VPCs only.
Which network configuration should a solutions architect use to provide connectivity from the client applications in the business unit VPCs to the centralized application in the shared VPC?

1. A. Create an AW5 Transit Gatewa
2. B. Attach the shared VPC and the authorized business unit VPCs to the transit gatewa
3. C. Create a single transit gateway route table and associate it with all of the attached VPC
4. D. Allow automatic propagation of routes from the attachments into the route tabl
5. E. Configure VPC routing tables to send traffic to the transit gateway.
6. F. Create a VPC endpoint service using the centralized application NLB and enable (he option to require endpoint acceptanc
7. G. Create a VPC endpoint in each of the business unit VPCs using the service name of the endpoint servic
8. H. Accept authorized endpoint requests from the endpoint service console.
9. I. Create a VPC peering connection from each business unit VPC to Ihe shared VP
10. J. Accept the VPC peering connections from the shared VPC consol
11. K. Configure VPC routing tables to send traffic to the VPC peering connection.
12. L. Configure a virtual private gateway for the shared VPC and create customer gateways for each of theauthorized business unit VPC
13. M. Establish a Sile-to-Site VPN connection from the business unit VPCs to the shared VP
14. N. Configure VPC routing tables to send traffic to the VPN connection.

Correct Answer: B
Amazon Transit Gateway doesn’t support routing between Amazon VPCs with overlapping CIDRs. If you attach a new Amazon VPC that has a CIDR which overlaps with an already attached Amazon VPC, Amazon Transit Gateway will not propagate the new Amazon VPC route into the Amazon Transit Gateway route table.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-pre

- (Exam Topic 2)
A large company has many business units Each business unit has multiple AWS accounts for different purposes. The CIO of the company sees that each business unit has data that would be useful to share with other parts of the company in total there are about 10 PB of data that needs to be shared with users in 1.000 AWS accounts. The data is proprietary so some of it should only be available to users with specific job types Some of the data is used for throughput of intensive workloads such as simulations. The number of accounts changes frequently because of new initiatives acquisitions and divestitures
A solutions architect has been asked to design a system that will allow for sharing data for use in AWS with all of the employees in the company
Which approach will allow for secure data sharing in scalable way?

1. A. Store the data in a single Amazon S3 bucket Create an IAM role for every combination of job type and business unit that allows for appropriate read/write access based on object prefixes in the S3 bucket The roles should have trust policies that allow the business unit's AWS accounts to assume their roles UseIAM in each business unit's AWS account to prevent them from assuming roles for a different job type Users get credentials to access the data by using AssumeRole from their business unit's AWS account Users can then use those credentials with an S3 client
2. B. Store the data in a single Amazon S3 bucket Write a bucket policy that uses conditions to grant read and write access where appropriate based on each user's business unit and job typ
3. C. Determine the business unit with the AWS account accessing the bucket and the job type with a prefix in the IAM user's name Users can access data by using IAM credentials from their business unit's AWS account with an S3 client
4. D. Store the data in a series of Amazon S3 buckets Create an application running m Amazon EC2 that is integrated with the company's identity provider (IdP) thatauthenticates users and allows them to download or upload data through the application The application uses the business unit and job type information in the IdP to control what users can upload and download through the application The users can access the data through the application's API
5. E. Store the data in a series of Amazon S3 buckets Create an AWS STS token vending machine that is integrated with the company's identity provider (IdP) When a user logs in: have the token vending machine attach an IAM policy that assumes the role that limits the user's access and/or upload only the data the user is authorized to access Users can get credentials by authenticating to the token vending machine's website or API and then use those credentials with an S3 client
6. F. D

Correct Answer: E

- (Exam Topic 1)
A company maintains a restaurant review website. The website is a single-page application where files are stored in Amazon S3 and delivered using Amazon CloudFront. The company receives several fake postings every day that are manually removed.
The security team has identified that most of the fake posts are from bots with IP addresses that have a bad reputation within the same global region. The team needs to create a solution to help restrict the bots from accessing the website.
Which strategy should a solutions architect use?

1. A. Use AWS Firewall Manager to control the CloudFront distribution security setting
2. B. Create a geographical block rule and associate it with Firewall Manager.
3. C. Associate an AWS WAF web ACL with the CloudFront distributio
4. D. Select the managed Amazon IP reputation rule group for the web ACL with a deny action.
5. E. Use AWS Firewall Manager to control the CloudFront distribution security setting
6. F. Select the managed Amazon IP reputation rule group and associate it with Firewall Manager with a deny action.
7. G. Associate an AWS WAF web ACL with the CloudFront distributio
8. H. Create a rule group for the web ACL with a geographical match statement with a deny action.

Correct Answer: B
IP reputation rule groups allow you to block requests based on their source. Choose one or more of these rule groups if you want to reduce your exposure to BOTS!!!! traffic or exploitation attempts
The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. This is useful if you would like to block IP addresses typically associated with bots or other threats. Inspects for a list of IP addresses that have been identified as bots by Amazon threat intelligence.

- (Exam Topic 2)
A video streaming company recently launched a mobile app for video sharing. The app uploads various files to an Amazon S3 bucket in the us-east-1 Region. The files range in size from 1 GB to 1 0 GB.
Users who access the app from Australia have experienced uploads that take long periods of time Sometimes the files fail to completely upload for these users . A solutions architect must improve the app' performance for these uploads
Which solutions will meet these requirements? (Select TWO.)

1. A. Enable S3 Transfer Acceleration on the S3 bucket Configure the app to use the Transfer Acceleration endpoint for uploads
2. B. Configure an S3 bucket in each Region to receive the upload
3. C. Use S3 Cross-Region Replication to copy the files to the distribution S3 bucket.
4. D. Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3 bucket Region.
5. E. Configure the app to break the video files into chunks Use a multipart upload to transfer files to Amazon S3.
6. F. Modify the app to add random prefixes to the files before uploading

Correct Answer: AE