- (Exam Topic 1)
A company that uses AWS Organizations allows developers to experiment on AWS. As part of the landing zone that the company has deployed, developers use their company email address to request an account. The company wants to ensure that developers are not launching costly services or running services unnecessarily. The company must give developers a fixed monthly budget to limit their AWS costs.
Which combination of steps will meet these requirements? (Choose three.)

1. A. Create an SCP to set a fixed monthly account usage limi
2. B. Apply the SCP to the developer accounts.
3. C. Use AWS Budgets to create a fixed monthly budget for each developer's account as part of the account creation process.
4. D. Create an SCP to deny access to costly services and component
5. E. Apply the SCP to the developer accounts.
6. F. Create an IAM policy to deny access to costly services and component
7. G. Apply the IAM policy to the developer accounts.
8. H. Create an AWS Budgets alert action to terminate services when the budgeted amount is reached.Configure the action to terminate all services.
9. I. Create an AWS Budgets alert action to send an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount is reache
10. J. Invoke an AWS Lambda function to terminate all services.

Correct Answer: BCF
Option A is incorrect because creating an SCP to set a fixed monthly account usage limit is not possible.
SCPs are policies that specify the services and actions that users and roles can use in the member accounts of an AWS Organization. SCPs cannot enforce budget limits or prevent users from launching
costly services or running services unnecessarily1
Option B is correct because using AWS Budgets to create a fixed monthly budget for each developer’s account as part of the account creation process meets the requirement of giving developers a fixed monthly budget to limit their AWS costs. AWS Budgets allows you to plan your service usage, service costs, and instance reservations. You can create budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount2
Option C is correct because creating an SCP to deny access to costly services and components meets the requirement of ensuring that developers are not launching costly services or running services
unnecessarily. SCPs can restrict access to certain AWS services or actions based on conditions such as region, resource tags, or request time. For example, an SCP can deny access to Amazon Redshift clusters or Amazon EC2 instances with certain instance types1
Option D is incorrect because creating an IAM policy to deny access to costly services and components is not sufficient to meet the requirement of ensuring that developers are not launching costly services or running services unnecessarily. IAM policies can only control access to resources within a single AWS account. If developers have multiple accounts or can create new accounts, they can bypass the IAM policy restrictions. SCPs can apply across multiple accounts within an AWS Organization and prevent users from creating new accounts that do not comply with the SCP rules3
Option E is incorrect because creating an AWS Budgets alert action to terminate services when the budgeted amount is reached is not possible. AWS Budgets alert actions can only perform one of the following actions: apply an IAM policy, apply an SCP, or send a notification through Amazon SNS. AWS Budgets alert actions cannot terminate services directly.
Option F is correct because creating an AWS Budgets alert action to send an Amazon SNS notification when the budgeted amount is reached and invoking an AWS Lambda function to terminate all services meets the requirement of giving developers a fixed monthly budget to limit their AWS costs. AWS Budgets alert actions can send notifications through Amazon SNS when a budget threshold is breached. Amazon SNS can trigger an AWS Lambda function that can perform custom logic such as terminating all services in the developer’s account. This way, developers cannot exceed their budget limit and incur additional costs.
References: 1: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html 2
: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-create.html 3: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html : https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-actions.html : https://docs.aws.amazon.com/sns/latest/dg/sns-lambda.html : https://docs.aws.amazon.com/lambda/latest/dg/welcome.html

- (Exam Topic 3)
A company is deploying AWS Lambda functions that access an Amazon RDS for PostgreSQL database. The company needs to launch the Lambda functions in a QA environment and in a production environment.
The company must not expose credentials within application code and must rotate passwords automatically. Which solution will meet these requirements?

1. A. Store the database credentials for both environments in AWS Systems Manager Parameter Store.Encrypt the credentials by using an AWS Key Management Service (AWS KMS) ke
2. B. Within the application code of the Lambda functions, pull the credentials from the Parameter Store parameter by using the AWS SDK for Python (Bot03). Add a role to the Lambda functions to provide access to the Parameter Store parameter.
3. C. Store the database credentials for both environments in AWS Secrets Manager with distinct key entry for the QA environment and the production environmen
4. D. Turn on rotatio
5. E. Provide a reference to the Secrets Manager key as an environment variable for the Lambda functions.
6. F. Store the database credentials for both environments in AWS Key Management Service (AWS KMS).Turn on rotatio
7. G. Provide a reference to the credentials that are stored in AWS KMS as an environment variable for the Lambda functions.
8. H. Create separate S3 buckets for the QA environment and the production environmen
9. I. Turn on server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket
10. J. Use an object namingpattern that gives each Lambda function's application code the ability to pull the correct credentials for the function's corresponding environmen
11. K. Grant each Lambda function's execution role access to Amazon S3.

Correct Answer: B
The best solution is to store the database credentials for both environments in AWS Secrets Manager with distinct key entry for the QA environment and the production environment. AWS Secrets Manager is a web service that can securely store, manage, and retrieve secrets, such as database credentials. AWS Secrets Manager also supports automatic rotation of secrets by using Lambda functions or built-in rotation templates. By storing the database credentials for both environments in AWS Secrets Manager, the company can avoid exposing credentials within application code and rotate passwords automatically. By providing a reference to the Secrets Manager key as an environment variable for the Lambda functions, the company can easily access the credentials from the code by using the AWS SDK. This solution meets all the requirements of the company.
References: AWS Secrets Manager Documentation, Using AWS Lambda with AWS Secrets Manager, Usi environment variables - AWS Lambda

- (Exam Topic 3)
A company is migrating its infrastructure to the AWS Cloud. The company must comply with a variety of regulatory standards for different projects. The company needs a multi-account environment.
A solutions architect needs to prepare the baseline infrastructure. The solution must provide a consistent baseline of management and security, but it must allow flexibility for different compliance requirements within various AWS accounts. The solution also needs to integrate with the existing on-premises Active Directory Federation Services (AD FS) server.
Which solution meets these requirements with the LEAST amount of operational overhead?

1. A. Create an organization in AWS Organization
2. B. Create a single SCP for least privilege access across all account
3. C. Create a single OU for all account
4. D. Configure an IAM identity provider for federation with the on-premises AD FS serve
5. E. Configure a central logging account with a defined process for log generating services to send log events to the central accoun
6. F. Enable AWS Config in the central account with conformance packs for all accounts.
7. G. Create an organization in AWS Organization
8. H. Enable AWS Control Tower on the organizatio
9. I. Review included controls (guardrails) for SCP
10. J. Check AWS Config for areas that require addition
11. K. Add OUS as necessar
12. L. Connect AWS IAM Identity Center (AWS Single Sign-On) to the on-premises AD FS server.
13. M. Create an organization in AWS Organization
14. N. Create SCPs for least privilege acces
15. O. Create an OU structure, and use it to group AWS account
16. P. Connect AWS IAM Identity Center (AWS SingleSign-On) to the on-premises AD FS serve
17. Q. Configure a central logging account with a defined process for log generating services to send log events to the central accoun
18. R. Enable AWS Config in the central account with aggregators and conformance packs.
19. S. Create an organization in AWS Organization
20. T. Enable AWS Control Tower on the organizatio
21. . Review included controls (guardrails) for SCP
22. . Check AWS Config for areas that require addition
23. . Configure an IAM identity provider for federation with the on-premises AD FS server.

Correct Answer: B

- (Exam Topic 1)
A company built an application based on AWS Lambda deployed in an AWS CloudFormation stack. The last production release of the web application introduced an issue that resulted in an outage lasting several minutes. A solutions architect must adjust the deployment process to support a canary release.
Which solution will meet these requirements?

1. A. Create an alias for every new deployed version of the Lambda functio
2. B. Use the AWS CLI update-alias command with the routing-config parameter to distribute the load.
3. C. Deploy the application into a new CloudFormation stac
4. D. Use an Amazon Route 53 weighted routing policy to distribute the load.
5. E. Create a version for every new deployed Lambda functio
6. F. Use the AWS CLIupdate-function-configuration command with the routing-config parameter to distribute the load.
7. G. Configure AWS CodeDeploy and use CodeDeployDefault.OneAtATime in the Deployment configuration to distribute the load.

Correct Answer: A
https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias- https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

- (Exam Topic 3)
A company has AWS accounts that are in an organization in AWS Organizations. The company wants to track Amazon EC2 usage as a metric. The company's architecture team must receive a daily alert if the EC2 usage is more than 10% higher than the average EC2 usage from the last 30 days.
Which solution will meet these requirements?

1. A. Configure AWS Budgets in the organization's management accoun
2. B. Specify a usage type of EC2 running hour
3. C. Specify a daily perio
4. D. Set the budget amount to be 10% more than the reported average usage for the last 30 days from AWS Cost Explore
5. E. Configure an alert to notify the architecture team if the usage threshold is met.
6. F. Configure AWS Cost Anomaly Detection in the organization's management accoun
7. G. Configure a monitor type of AWS Servic
8. H. Apply a filter of Amazon EC2. Configure an alert subscription to notify the architecture team if the usage is 10% more than the average usage for the last 30 days.
9. I. Enable AWS Trusted Advisor in the organization's management accoun
10. J. Configure a cost optimization advisory alert to notify the architecture team if the EC2 usage is 10% more than the reported average usage for the last 30 days.
11. K. Configure Amazon Detective in the organization's management accoun
12. L. Configure an EC2 usage anomaly alert to notify the architecture team if Detective identifies a usage anomaly of more than 10%.

Correct Answer: B
AWS Cost Anomaly Detection is a feature of the AWS Cost Management suite that leverages machine learning to enable continuous monitoring of your AWS costs and usage, allowing you to identify unexpected
and abnormal spending1. You can create cost monitors that evaluate specific AWS services, member accounts cost allocation tags, or cost categories based on your AWS account structure2. You can also configure alert subscriptions that notify you when a cost monitor detects an anomaly that meets your threshold2. In this case, you can create a cost monitor with a monitor type of AWS Service and apply a filter of Amazon EC2 to track the EC2 usage as a metric. You can then configure an alert subscription to notify the architecture team if the usage is 10% more than the average usage for the last 30 days, which is the anomaly detection period used by AWS Cost Anomaly Detection3.