- (Exam Topic 3)
A company is collecting a large amount of data from a fleet of loT devices Data is stored as Optimized Row Columnar (ORC) files in the Hadoop Distributed File System (HDFS) on a persistent Amazon EMR cluster. The company's data analytics team queries the data by using SQL in Apache Presto deployed on the same EMR cluster Queries scan large amounts of data, always run for less than 15 minutes, and run only between 5 PM and 10 PM.
The company is concerned about the high cost associated with the current solution A solutions architect must propose the most cost-effective solution that will allow SQL data queries
Which solution will meet these requirements?

1. A. Store data in Amazon S3 Use Amazon Redshift Spectrum to query data.
2. B. Store data in Amazon S3 Use the AWS Glue Data Catalog and Amazon Athena to query data
3. C. Store data in EMR File System (EMRFS) Use Presto in Amazon EMR to query data
4. D. Store data in Amazon Redshif
5. E. Use Amazon Redshift to query data.

Correct Answer: B
(https://stackoverflow.com/questions/50250114/athena-vs-redshift-spectrum)

- (Exam Topic 1)
A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables are providing the database credentials to the Lambda function.
The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). The data must not travel across the internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise.
What should the solutions architect recommend to meet these requirements?

1. A. Enable IAM database authentication on the Aurora DB cluste
2. B. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authenticatio
3. C. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
4. D. Enable IAM database authentication on the Aurora DB cluste
5. E. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authenticatio
6. F. Enforce HTTPS on the connection to Amazon S3 during data transfers.
7. G. Save the database credentials in AWS Systems Manager Parameter Stor
8. H. Set up password rotation on the credentials in Parameter Stor
9. I. Change the IAM role for the Lambda function to allow the function to access Parameter Stor
10. J. Modify the Lambda function to retrieve the credentials from Parameter Stor
11. K. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
12. L. Save the database credentials in AWS Secrets Manage
13. M. Set up password rotation on the credentials in Secrets Manage
14. N. Change the IAM role for the Lambda function to allow the function to access Secrets Manage
15. O. Modify the Lambda function to retrieve the credentials Om Secrets Manage
16. P. Enforce HTTPS on the connection to Amazon S3 during data transfers.

Correct Answer: A
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

- (Exam Topic 2)
A company is using an organization in AWS Organizations to manage hundreds of AWS accounts. A solutions architect is working on a solution to provide baseline protection for the Open Web Application Security Project (OWASP) top 10 web application vulnerabilities. The solutions architect is using AWS WAF for all existing and new Amazon CloudFront distributions that are deployed within the organization.
Which combination of steps should the solutions architect take to provide the baseline protection? (Select THREE.)

1. A. Enable AWS Config in all accounts.
2. B. Enable Amazon GuardDuty in all accounts.
3. C. Enable all features for the organization.
4. D. Use AWS Firewall Manager to deploy AWS WAF rules in all accounts for all CloudFront distributions.
5. E. Use AWS Shield Advanced to deploy AWS WAF rules in all accounts for all CloudFront distributions.
6. F. Use AWS Security Hub to deploy AWS WAF rules in all accounts for all CloudFront distributions.

Correct Answer: CDE
Enabling all features for the organization will enable using AWS Firewall Manager to centrally configure and manage firewall rules across multiple AWS accounts1. Using AWS Firewall Manager to deploy AWS WAF rules in all accounts for all CloudFront distributions will enable providing baseline protection for the OWASP top 10 web application vulnerabilities2. AWS Firewall Manager supports AWS WAF rules that can help protect against common web exploits such as SQL injection and cross-site scripting3. Configuring redirection of HTTP requests to HTTPS requests in CloudFront will enable encrypting the data in transit using SSL/TLS.

- (Exam Topic 3)
A company needs to aggregate Amazon CloudWatch logs from its AWS accounts into one central logging account. The collected logs must remain in the AWS Region of
creation. The central logging account will then process the logs, normalize the logs into standard output format, and stream the output logs to a security tool for more processing.
A solutions architect must design a solution that can handle a large volume of logging data that needs to be ingested. Less logging will occur outside normal business hours than during normal business hours. The logging solution must scale with the anticipated load. The solutions architect has decided to use an AWS Control Tower design to handle the multi-account logging process.
Which combination of steps should the solutions architect take to meet the requirements? (Select THREE.)

1. A. Create a destination Amazon Kinesis data stream in the central logging account.
2. B. Create a destination Amazon Simple Queue Service (Amazon SQS) queue in the central logging account.
3. C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data strea
4. D. Create a trust polic
5. E. Specify the trust policy in the IAM rol
6. F. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.
7. G. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Simple Queue Service (Amazon SQS) queu
8. H. Create a trust polic
9. I. Specify the trust policy in the IAM rol
10. J. In each member account, create a single subscription filter for all log groups to send data to the SQS queue.
11. K. Create an AWS Lambda functio
12. L. Program the Lambda function to normalize the logs in the central logging account and to write the logs to the security tool.
13. M. Create an AWS Lambda functio
14. N. Program the Lambda function to normalize the logs in the member accounts and to write the logs to the security tool.

Correct Answer: ACE

- (Exam Topic 1)
A company is planning to host a web application on AWS and works to load balance the traffic across a group of Amazon EC2 instances. One of the security requirements is to enable end-to-end encryption in transit between the client and the web server.
Which solution will meet this requirement?

1. A. Place the EC2 instances behind an Application Load Balancer (ALB) Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the AL
2. B. Export the SSL certificate and install it on each EC2 instanc
3. C. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
4. D. Associate the EC2 instances with a target grou
5. E. Provision an SSL certificate using AWS Certificate Manager (ACM). Create an Amazon CloudFront distribution and configure It to use the SSL certificat
6. F. Set CloudFront to use the target group as the origin server
7. G. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the AL
8. H. Provision athird-party SSL certificate and install it on each EC2 instanc
9. I. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
10. J. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instanc
11. K. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.

Correct Answer: A
Option A is correct because placing the EC2 instances behind an Application Load Balancer (ALB) and associating an SSL certificate from AWS Certificate Manager (ACM) with the ALB enables encryption in transit between the client and the ALB. Exporting the SSL certificate and installing it on each EC2 instance enables encryption in transit between the ALB and the web server. Configuring the ALB to listen on port 443 and to forward traffic to port 443 on the instances ensures that HTTPS is used for both connections. This solution achieves end-to-end encryption in transit for the web applicatio1n2
References: 1: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html 2:
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html 3: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html : https://aws.amazon.com/certificate-manager/faqs/ : https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html