- (Exam Topic 3)
An online retail company is migrating its legacy on-premises .NET application to AWS. The application runs on load-balanced frontend web servers, load-balanced application servers, and a Microsoft SQL Server database.
The company wants to use AWS managed services where possible and does not want to rewrite the application. A solutions architect needs to implement a solution to resolve scaling issues and minimize licensing costs as the application scales.
Which solution will meet these requirements MOST cost-effectively?

1. A. Deploy Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer for the web tier and for the application tie
2. B. Use Amazon Aurora PostgreSQL with Babelfish turned on to replatform the SOL Server database.
3. C. Create images of all the servers by using AWS Database Migration Service (AWS DMS). Deploy Amazon EC2 instances that are based on the on-premises import
4. D. Deploy the instances in an Auto Scaling group behind a Network Load Balancer for the web tier and for the application tie
5. E. Use Amazon DynamoDB as the database tier.
6. F. Containerize the web frontend tier and the application tie
7. G. Provision an Amazon Elastic Kubernetes Service (Amazon EKS) cluste
8. H. Create an Auto Scaling group behind a Network Load Balancer for the web tier and for the application tie
9. I. Use Amazon RDS for SOL Server to host the database.
10. J. Separate the application functions into AWS Lambda function
11. K. Use Amazon API Gateway for the web frontend tier and the application tie
12. L. Migrate the data to Amazon S3. Use Amazon Athena to query the data.

Correct Answer: A
The best solution is to create a tag policy that contains the allowed project tag values in the organization’s management account and create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. A tag policy is a type of policy that can help standardize tags across resources in the organization’s accounts. A tag policy can specify the allowed tag keys, values, and case treatment for compliance. A service control policy (SCP) is a type of policy that can restrict the actions that users and roles can perform in the organization’s accounts. An SCP can deny access to specific API operations unless certain conditions are met, such as having a specific tag. By creating a tag policy in the management account and attaching it to each OU, the organization can enforce consistent tagging across all accounts. By creating an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added, the organization can prevent users from creating new resources without proper tagging. This solution will meet the requirements with the least effort, as it does not involve creating additional resources or modifying existing ones. References: Tag policies - AWS Organizations, Service control policies - AWS Organizations, AW CloudFormation User Guide

- (Exam Topic 1)
A company is subject to regulatory audits of its financial information. External auditors who use a single AWS account need access to the company's AWS account. A solutions architect must provide the auditors with secure, read-only access to the company's AWS account. The solution must comply with AWS security best practices.
Which solution will meet these requirements?

1. A. In the company's AWS account, create resource policies for all resources in the account to grant access to the auditors' AWS accoun
2. B. Assign a unique external ID to the resource policy.
3. C. In the company's AWS account create an IAM role that trusts the auditors' AWS account Create an IAM policy that has the required permission
4. D. Attach the policy to the rol
5. E. Assign a unique external ID to the role's trust policy.
6. F. In the company's AWS account, create an IAM use
7. G. Attach the required IAM policies to the IAM user.Create API access keys for the IAM use
8. H. Share the access keys with the auditors.
9. I. In the company's AWS account, create an IAM group that has the required permissions Create an IAM user in the company s account for each audito
10. J. Add the IAM users to the IAM group.

Correct Answer: B
This solution will allow the external auditors to have read-only access to the company's AWS account while being compliant with AWS security best practices. By creating an IAM role, which is a secure and flexible way of granting access to AWS resources, and trusting the auditors' AWS account, the company can ensure that the auditors only have the permissions that are required for their role and nothing more. Assigning a unique external ID to the role's trust policy, it will ensure that only the auditors' AWS account can assume the role.
Reference:
AWS IAM Roles documentation: https://aws.amazon.com/iam/features/roles/ AWS IAM Best practices: https://aws.amazon.com/iam/security-best-practices/

- (Exam Topic 3)
A company is using AWS CodePipeline for the CI/CD of an application to an Amazon EC2 Auto Scaling group. All AWS resources are defined in AWS CloudFormation templates. The application artifacts are stored in an Amazon S3 bucket and deployed to the Auto Scaling group using instance user data scripts.
As the application has become more complex, recent resource changes in the CloudFormation templates have caused unplanned downtime.
How should a solutions architect improve the CI/CD pipeline to reduce the likelihood that changes in the templates will cause downtime?

1. A. Adapt the deployment scripts to detect and report CloudFormation error conditions when performing deployment
2. B. Write test plans for a testing team to execute in a non-production environment before approving the change for production.
3. C. Implement automated testing using AWS CodeBuild in a test environmen
4. D. Use CloudFormation change sets to evaluate changes before deploymen
5. E. Use AWS CodeDeploy to leverage blue/green deployment patterns to allow evaluations and the ability to revert changes, if needed.
6. F. Use plugins for the integrated development environment (IDE) to check the templates for errors, and usethe AWS CLI to validate that the templates are correc
7. G. Adapt the deployment code to check for error conditions and generate notifications on error
8. H. Deploy to a test environment and execute a manual test plan before approving the change for production.
9. I. Use AWS CodeDeploy and a blue/green deployment pattern with CloudFormation to replace the user data deployment script
10. J. Have the operators log in to running instances and go through a manual test plan to verify the application is running as expected.

Correct Answer: B

- (Exam Topic 2)
A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts. The company's information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function.
To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application.
Which combination of steps should the solutions architect take to implement this solution? (Select TWO.)

1. A. Create an S3 access point for each application in the AWS account that owns the S3 bucke
2. B. Configureeach access point to be accessible only from the application's VP
3. C. Update the bucket policy to require access from an access point.
4. D. Create an interface endpoint for Amazon S3 in each application's VP
5. E. Configure the endpoint policy to allow access to an S3 access poin
6. F. Create a VPC gateway attachment for the S3 endpoint.
7. G. Create a gateway endpoint for Amazon S3 in each application's VP
8. H. Configure the endpoint policy to allow access to an S3 access poin
9. I. Specify the route table that is used to access the access point.
10. J. Create an S3 access point for each application in each AWS account and attach the access points to the S3 bucke
11. K. Configure each access point to be accessible only from the application's VP
12. L. Update the bucket policy to require access from an access point.
13. M. Create a gateway endpoint for Amazon S3 in the data lake's VP
14. N. Attach an endpoint policy to allow access to the S3 bucke
15. O. Specify the route table that is used to access the bucket.

Correct Answer: AC
https://joe.blog.freemansoft.com/2020/04/protect-data-in-cloud-with-s3-access.html

- (Exam Topic 1)
An international delivery company hosts a delivery management system on AWS. Drivers use the system to upload confirmation of delivery. Confirmation includes the recipient's signature or a photo of the package with the recipient. The driver's handheld device uploads signatures and photos through FTP to a single Amazon EC2 instance. Each handheld device saves a file in a directory based on the signed-in user, and the file name matches the delivery number. The EC2 instance then adds metadata to the file after querying a central database to pull delivery information. The file is then placed in Amazon S3 for archiving.
As the company expands, drivers report that the system is rejecting connections. The FTP server is having problems because of dropped connections and memory issues. In response to these problems, a system engineer schedules a cron task to reboot the EC2 instance every 30 minutes. The billing team reports that files are not always in the archive and that the central system is not always updated.
A solutions architect needs to design a solution that maximizes scalability to ensure that the archive always receives the files and that systems are always updated. The handheld devices cannot be modified, so the company cannot deploy a new application.
Which solution will meet these requirements?

1. A. Create an AMI of the existing EC2 instanc
2. B. Create an Auto Scaling group of EC2 instances behind an Application Load Balance
3. C. Configure the Auto Scaling group to have a minimum of three instances.
4. D. Use AWS Transfer Family to create an FTP server that places the files in Amazon Elastic File System (Amazon EFS). Mount the EFS volume to the existing EC2 instanc
5. E. Point the EC2 instance to the new path for file processing.
6. F. Use AWS Transfer Family to create an FTP server that places the files in Amazon S3. Use an S3 event notification through Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda functio
7. G. Configure the Lambda function to add the metadata and update the delivery system.
8. H. Update the handheld devices to place the files directly in Amazon S3. Use an S3 event notification through Amazon Simple Queue Service (Amazon SQS) to invoke an AWS Lambda functio
9. I. Configure the Lambda function to add the metadata and update the delivery system.

Correct Answer: C
Using AWS Transfer Family to create an FTP server that places the files in Amazon S3 and using S3 event notifications through Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function will ensure that the archive always receives the files and that the central system is always updated. This solution maximizes scalability and eliminates the need for manual intervention, such as rebooting the EC2 instance.