- (Exam Topic 3)
A research center is migrating to the AWS Cloud and has moved its on-premises 1 PB object storage to an Amazon S3 bucket. One hundred scientists are using this object storage to store their work-related documents. Each scientist has a personal folder on the object store. All the scientists are members of a single IAM user group.
The research center's compliance officer is worried that scientists will be able to access each other's work. The research center has a strict obligation to report on which scientist accesses which documents.
The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead.
Which combination of actions should a solutions architect take to meet these requirements? (Select TWO.)

1. A. Create an identity policy that grants the user read and write acces
2. B. Add a condition that specifies that the S3 paths must be prefixed with ${aws:username}. Apply the policy on the scientists' IAM user group.
3. C. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucke
4. D. Store the trail output in another S3 bucke
5. E. Use Amazon Athena to query the logs and generate reports.
6. F. Enable S3 server access loggin
7. G. Configure another S3 bucket as the target for log deliver
8. H. Use Amazon Athena to query the logs and generate reports.
9. I. Create an S3 bucket policy that grants read and write access to users in the scientists' IAM user group.
10. J. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket and write the events to Amazon CloudWatc
11. K. Use the Amazon Athena CloudWatch connector to query the logs and generate reports.

Correct Answer: AB
This option allows the solutions architect to use an identity policy that grants the user read and write access to their own personal folder on the S3 bucket1. By adding a condition that specifies that the S3
paths must be prefixed with ${aws:username}, the solutions architect can ensure that each scientist can only access their own folder2. By applying the policy on the scientists’ IAM user group, the solutions architect can simplify the management of permissions for all the scientists3. By configuring a trail with AWS CloudTrail to capture all object-level events in the S3 bucket, the solutions architect can record and store information about every action performed on the S3 objects4. By storing the trail output in another S3 bucket, the solutions architect can secure and archive the log files5. By using Amazon Athena to query the logs and generate reports, the solutions architect can use a serverless interactive query service that can analyze data in S3 using standard SQL.
References:
Identity-based policies
Policy variables
IAM groups
Object-level logging
Creating a trail that applies to all regions
[What is Amazon Athena?]

- (Exam Topic 1)
A solutions architect must analyze a company's Amazon EC2 Instances and Amazon Elastic Block Store (Amazon EBS) volumes to determine whether the company is using resources efficiently The company is running several large, high-memory EC2 instances lo host database dusters that are deployed in active/passive configurations The utilization of these EC2 instances varies by the applications that use the databases, and the company has not identified a pattern
The solutions architect must analyze the environment and take action based on the findings. Which solution meets these requirements MOST cost-effectively?

1. A. Create a dashboard by using AWS Systems Manager OpsConter Configure visualizations tor Amazon CloudWatch metrics that are associated with the EC2 instances and their EBS volumes Review thedashboard periodically and identify usage patterns Right size the EC2 instances based on the peaks in the metrics
2. B. Turn on Amazon CloudWatch detailed monitoring for the EC2 instances and their EBS volumes Create and review a dashboard that is based on the metrics Identify usage patterns Right size the FC? instances based on the peaks In the metrics
3. C. Install the Amazon CloudWatch agent on each of the EC2 Instances Turn on AWS Compute Optimizer, and let it run for at least 12 hours Review the recommendations from Compute Optimizer, and right size the EC2 instances as directed
4. D. Sign up for the AWS Enterprise Support plan Turn on AWS Trusted Advisor Wait 12 hours Review the recommendations from Trusted Advisor, and rightsize the EC2 instances as directed

Correct Answer: C
(https://aws.amazon.com/compute-optimizer/pricing/ , https://aws.amazon.com/systems-manager/pricing/ ). https://aws.amazon.com/compute-optimizer/

- (Exam Topic 1)
A team collects and routes behavioral data for an entire company The company runs a Multi-AZ VPC
environment with public subnets, private subnets, and in internet gateway Each public subnet also contains a NAT gateway Most of the company's applications read from and write to Amazon Kinesis Data Streams. Most of the workloads am in private subnets.
A solutions architect must review the infrastructure The solutions architect needs to reduce costs and maintain the function of the applications The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.
What should the solutions architect do to meet these requirements?

1. A. Enable VPC Flow Log
2. B. Use Amazon Athena to analyze the logs for traffic that can be remove
3. C. Ensure that security groups are Mocking traffic that is responsible for high costs.
4. D. Add an interface VPC endpoint for Kinesis Data Streams to the VP
5. E. Ensure that applications have the correct IAM permissions to use the interface VPC endpoint.
6. F. Enable VPC Flow Logs and Amazon Detective Review Detective findings for traffic that is not related to Kinesis Data Streams Configure security groups to block that traffic
7. G. Add an interface VPC endpoint for Kinesis Data Streams to the VP
8. H. Ensure that the VPC endpoint policy allows traffic from the applications.

Correct Answer: D
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html https://aws.amazon.com/premiumsupport/knowledge-center/vpc-reduce-nat-gateway-transfer-costs/
VPC endpoint policies enable you to control access by either attaching a policy to a VPC endpoint or by using additional fields in a policy that is attached to an IAM user, group, or role to restrict access to only occur via the specified VPC endpoint

- (Exam Topic 1)
A company is building a software-as-a-service (SaaS) solution on AWS. The company has deployed an Amazon API Gateway REST API with AWS Lambda integration in multiple AWS Regions and in the same production account.
The company offers tiered pricing that gives customers the ability to pay for the capacity to make a certain number of API calls per second. The premium tier offers up to 3,000 calls per second, and customers are identified by a unique API key. Several premium tier customers in various Regions report that they receive error responses of 429 Too Many Requests from multiple API methods during peak usage hours. Logs indicate that the Lambda function is never invoked.
What could be the cause of the error messages for these customers?

1. A. The Lambda function reached its concurrency limit.
2. B. The Lambda function its Region limit for concurrency.
3. C. The company reached its API Gateway account limit for calls per second.
4. D. The company reached its API Gateway default per-method limit for calls per second.

Correct Answer: C
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html#apig-reques

- (Exam Topic 1)
A company runs a Python script on an Amazon EC2 instance to process data. The script runs every
10 minutes. The script ingests files from an Amazon S3 bucket and processes the files. On average, the script takes approximately 5 minutes to process each file The script will not reprocess a file that the script has already processed.
The company reviewed Amazon CloudWatch metrics and noticed that the EC2 instance is idle for approximately 40% of the time because of the file processing speed. The company wants to make the workload highly available and scalable. The company also wants to reduce long-term management overhead.
Which solution will meet these requirements MOST cost-effectively?

1. A. Migrate the data processing script to an AWS Lambda functio
2. B. Use an S3 event notification to invoke the Lambda function to process the objects when the company uploads the objects.
3. C. Create an Amazon Simple Queue Service (Amazon SQS) queu
4. D. Configure Amazon S3 to send event notifications to the SQS queu
5. E. Create an EC2 Auto Scaling group with a minimum size of one instanc
6. F. Update the data processing script to poll the SQS queu
7. G. Process the S3 objects that the SQS message identifies.
8. H. Migrate the data processing script to a container imag
9. I. Run the data processing container on an EC2 instanc
10. J. Configure the container to poll the S3 bucket for new objects and to process the resulting objects.
11. K. Migrate the data processing script to a container image that runs on Amazon Elastic Container Service (Amazon ECS) on AWS Fargat
12. L. Create an AWS Lambda function that calls the Fargate RunTaskAPI operation when the container processes the fil
13. M. Use an S3 event notification to invoke the Lambda function.

Correct Answer: D
migrating the data processing script to an AWS Lambda function and using an S3 event notification to invoke the Lambda function to process the objects when the company uploads the objects. This solution meets the company's requirements of high availability and scalability, as well as reducing long-term management overhead, and is likely to be the most cost-effective option.