- (Exam Topic 3)
A company is planning a one-time migration of an on-premises MySQL database to Amazon Aurora MySQL in the us-east-1 Region. The company's current internet connection has limited bandwidth. The on-premises MySQL database is 60 TB in size The company estimates that it will take a month to transfer the data to AWS over the current internet connection.
The company needs a migration solution that will migrate the database more quickly Which solution will migrate the database in the LEAST amount of time?

1. A. Request a 1 Gbps AWS Direct Connect connection between the on-premises data center and AWS Use AWS Database Migration Service (AWS DMS) to migrate the on-premises MySQL database to Aurora MySQL.
2. B. Use AWS DataSync with the current internet connection to accelerate the data transfer between theon-premises data center and AWS Use AWS Application Migration Service to migrate the on-premises MySQL database to Aurora MySQL.
3. C. Order an AWS Snowball Edge Device Load the data into an Amazon S3 bucket by using the S3 interface Use AWS Database Migration Service (AWS DMS) to migrate the data from Amazon S3 to Aurora MySQL
4. D. Order an AWS Snowball Device Load the data into an Amazon S3 bucket by using the S3 Adapter for Snowball Use AWS Application Migration Service to migrate the data from Amazon S3 to Aurora MySQL.

Correct Answer: C

- (Exam Topic 1)
A company has created an OU in AWS Organizations for each of its engineering teams Each OU owns multiple AWS accounts. The organization has hundreds of AWS accounts A solutions architect must design a solution so that each OU can view a breakdown of usage costs across its AWS accounts. Which solution meets these requirements?

1. A. Create an AWS Cost and Usage Report (CUR) for each OU by using AWS Resource Access Manager Allow each team to visualize the CUR through an Amazon QuickSight dashboard.
2. B. Create an AWS Cost and Usage Report (CUR) from the AWS Organizations management account- Allow each team to visualize the CUR through an Amazon QuickSight dashboard
3. C. Create an AWS Cost and Usage Report (CUR) in each AWS Organizations member account Allow each team to visualize the CUR through an Amazon QuickSight dashboard.
4. D. Create an AWS Cost and Usage Report (CUR) by using AWS Systems Manager Allow each team to visualize the CUR through Systems Manager OpsCenter dashboards

Correct Answer: B
https://docs.aws.amazon.com/cur/latest/userguide/billing-cur-limits.html

- (Exam Topic 3)
A company is deploying a third-party firewall appliance solution from AWS Marketplace to monitor and protect traffic that leaves the company's AWS environments. The company wants to deploy this appliance into a shared services VPC and route all outbound internet-bound traffic through the appliances.
A solutions architect needs to recommend a deployment method that prioritizes reliability and minimizes failover time between firewall appliances within a single AWS Region. The company has set up routing from the shared services VPC to other VPCs.
Which steps should the solutions architect recommend to meet these requirements? (Select THREE.)

1. A. Deploy two firewall appliances into the shared services VPC, each in a separate Availability Zone.
2. B. Create a new Network Load Balancer in the shared services VP
3. C. Create a new target group, and attach it to the new Network Load Balance
4. D. Add each of the firewall appliance instances to the target group.
5. E. Create a new Gateway Load Balancer in the shared services VP
6. F. Create a new target group, and attach it to the new Gateway Load Balance
7. G. Add each of the firewall appliance instances to the target group.
8. H. Create a VPC interface endpoin
9. I. Add a route to the route table in the shared services VP
10. J. Designate the new endpoint as the next hop for traffic that enters the shared services VPC from other VPCs.
11. K. Deploy two firewall appliances into the shared services VP
12. L. each in the same Availability Zone.
13. M. Create a VPC Gateway Load Balancer endpoin
14. N. Add a route to the route table in the shared services VP
15. O. Designate the new endpoint as the next hop for traffic that enters the shared services VPC from other VPCs.

Correct Answer: ACF
The best solution is to deploy two firewall appliances into the shared services VPC, each in a separate Availability Zone, and create a new Gateway Load Balancer to distribute traffic to them. A Gateway Load Balancer is designed for high performance and high availability scenarios with third-party network virtual appliances, such as firewalls. It operates at the network layer and maintains flow stickiness and symmetry to a specific appliance instance. It also uses the GENEVE protocol to encapsulate traffic between the load balancer and the appliances. To route traffic from other VPCs to the Gateway Load Balancer, a VPC Gateway Load Balancer endpoint is needed. This is a VPC endpoint that provides private connectivity between the appliances in the shared services VPC and the application servers in other VPCs. The endpoint must be added as the next hop in the route table for the shared services VPC. This solution ensures reliability and minimizes failover time between firewall appliances within a single AWS Region. References: What is a Gateway Load Balancer?, Gateway load balancer - Azure Load Balancer, Introducing Azure Gateway Load Balancer: Depl and scale network …

- (Exam Topic 1)
A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously.
A solutions architect needs to enforce the new process in the most secure way possible.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

1. A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.
2. B. Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
3. C. In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
4. D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances actio
5. E. Attach the SCP to each OU of the organization.
6. F. Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.

Correct Answer: AD
All features – The default feature set that is available to AWS Organizations. It includes all the functionality of consolidated billing, plus advanced features that give you more control over accounts in your organization. For example, when all features are enabled the management account of the organization has full control over what member accounts can do. The management account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set

- (Exam Topic 3)
A financial services company sells its software-as-a-service (SaaS) platform for application compliance to
large global banks. The SaaS platform runs on AWS and uses multiple AWS accounts that are managed in an organization in AWS Organizations. The SaaS platform uses many AWS resources globally.
For regulatory compliance, all API calls to AWS resources must be audited, tracked for changes, and stored in a durable and secure data store.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Create a new AWS CloudTrail trai
2. B. Use an existing Amazon S3 bucket in the organization's management account to store the log
3. C. Deploy the trail to all AWS Region
4. D. Enable MFA delete and encryption on the S3 bucket.
5. E. Create a new AWS CloudTrail trail in each member account of the organizatio
6. F. Create new Amazon S3 buckets to store the log
7. G. Deploy the trail to all AWS Region
8. H. Enable MFA delete and encryption on the S3 buckets.
9. I. Create a new AWS CloudTrail trail in the organization's management accoun
10. J. Create a new Amazon S3 bucket with versioning turned on to store the log
11. K. Deploy the trail for all accounts in the organizatio
12. L. Enable MFA delete and encryption on the S3 bucket.
13. M. Create a new AWS CloudTrail trail in the organization's management accoun
14. N. Create a new Amazon S3 bucket to store the log
15. O. Configure Amazon Simple Notification Service (Amazon SNS) to send log-file delivery notifications to an external management system that will track the log
16. P. Enable MFA delete and encryption on the S3 bucket.

Correct Answer: C
The correct answer is C. This option uses AWS CloudTrail to create a trail in the organization’s management account that applies to all accounts in the organization. This way, the company can centrally manage and audit all API calls to AWS resources across multiple accounts and regions. The company also needs to create a new Amazon S3 bucket with versioning turned on to store the logs. Versioning helps protect against accidental or malicious deletion of log files by keeping multiple versions of each object in the bucket. The company also needs to enable MFA delete and encryption on the S3 bucket to further enhance the security and durability of the data store.
Option A is incorrect because it uses an existing S3 bucket in the organization’s management account to store the logs. This may not be optimal for regulatory compliance, as the existing bucket may have different permissions, encryption settings, or lifecycle policies than a dedicated bucket for CloudTrail logs.
Option B is incorrect because it requires creating a new CloudTrail trail in each member account of the organization. This adds operational overhead and complexity, as the company would need to manage multiple trails and S3 buckets across multiple accounts and regions.
Option D is incorrect because it requires configuring Amazon SNS to send log-file delivery notifications to an external management system that will track the logs. This adds unnecessary complexity and cost, as CloudTrail already provides log-file integrity validation and log-file digest delivery features that can help verify the authenticity and integrity of log files.
Reference: Creating a Trail for an Organization