- (Exam Topic 3)
A solutions architect has an operational workload deployed on Amazon EC2 instances in an Auto Scaling Group The VPC architecture spans two Availability Zones (AZ) with a subnet in each that the Auto Scaling group is targeting. The VPC is connected to an on-premises environment and connectivity cannot be interrupted The maximum size of the Auto Scaling group is 20 instances in service. The VPC IPv4 addressing is as follows:
VPCCIDR 10 0 0 0/23
AZ1 subnet CIDR: 10 0 0 0724
AZ2 subnet CIDR: 10.0.1 0724
Since deployment, a third AZ has become available in the Region The solutions architect wants to adopt the new AZ without adding additional IPv4 address space and without service downtime. Which solution will meet these requirements?

1. A. Update the Auto Scaling group to use the AZ2 subnet only Delete and re-create the AZ1 subnet using half the previous address space Adjust the Auto Scaling group to also use the new AZI subnet When the instances are healthy, adjust the Auto Scaling group to use the AZ1 subnet only Remove the currentAZ2 subnet Create a new AZ2 subnet using the second half of the address space from the original AZ1 subnet Create a new AZ3 subnet using half the original AZ2 subnet address space, then update the Auto Scaling group to target all three new subnets.
2. B. Terminate the EC2 instances in the AZ1 subnet Delete and re-create the AZ1 subnet using hall the address spac
3. C. Update the Auto Scaling group to use this new subne
4. D. Repeat this for the second A
5. E. Define a new subnet in AZ3: then update the Auto Scaling group to target all three new subnets
6. F. Create a new VPC with the same IPv4 address space and define three subnets, with one for each AZ Update the existing Auto Scaling group to target the new subnets in the new VPC
7. G. Update the Auto Scaling group to use the AZ2 subnet only Update the AZ1 subnet to have halt the previous address space Adjust the Auto Scaling group to also use the AZ1 subnet agai
8. H. When the instances are healthy, adjust the Auto Seating group to use the AZ1 subnet onl
9. I. Update the current AZ2 subnet and assign the second half of the address space from the original AZ1 subnet Create a new AZ3 subnet using half the original AZ2 subnet address space, then update the Auto Scaling group to target all three new subnets

Correct Answer: A
https://repost.aws/knowledge-center/vpc-ip-address-range

- (Exam Topic 3)
A research company is running daily simul-ations in the AWS Cloud to meet high demand. The simu-lations run on several hundred Amazon EC2 instances that are based on Amazon Linux 2. Occasionally, a simu-lation gets stuck and requires a cloud operations engineer to solve the problem by connecting to an EC2 instance through SSH.
Company policy states that no EC2 instance can use the same SSH key and that all connections must be logged in AWS CloudTrail.
How can a solutions architect meet these requirements?

1. A. Launch new EC2 instances, and generate an individual SSH key for each instanc
2. B. Store the SSH key in AWS Secrets Manage
3. C. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement for the GetSecretValue actio
4. D. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
5. E. Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH ke
6. F. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement to run Systems Manager document
7. G. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.
8. H. Launch new EC2 instances without setting up any SSH key for the instance
9. I. Set up EC2 Instance Connect on each instanc
10. J. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement for the SendSSHPublicKey actio
11. K. Instruct the engineers to connect to the instance by using a browser-based SSH client from the EC2 console.
12. L. Set up AWS Secrets Manager to store the EC2 SSH ke
13. M. Create a new AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2instanc
14. N. Configure Secrets Manager to use the Lambda function for automatic rotation once dail
15. O. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.

Correct Answer: C

- (Exam Topic 1)
A finance company hosts a data lake in Amazon S3. The company receives financial data records over SFTP each night from several third parties. The company runs its own SFTP server on an Amazon EC2 instance in a public subnet of a VPC. After the files ate uploaded, they are moved to the data lake by a cron job that runs on the same instance. The SFTP server is reachable on DNS sftp.examWe.com through the use of Amazon Route 53.
What should a solutions architect do to improve the reliability and scalability of the SFTP solution?

1. A. Move the EC2 instance into an Auto Scaling grou
2. B. Place the EC2 instance behind an Application Load Balancer (ALB). Update the DNS record sftp.example.com in Route 53 to point to the ALB.
3. C. Migrate the SFTP server to AWS Transfer for SFT
4. D. Update the DNS record sftp.example.com in Route 53 to point to the server endpoint hostname.
5. E. Migrate the SFTP server to a file gateway in AWS Storage Gatewa
6. F. Update the DNS record sflp.example.com in Route 53 to point to the file gateway endpoint.
7. G. Place the EC2 instance behind a Network Load Balancer (NLB). Update the DNS record sftp.example.com in Route 53 to point to the NLB.

Correct Answer: B
https://aws.amazon.com/aws-transfer-family/faqs/ https://docs.aws.amazon.com/transfer/latest/userguide/what-is-aws-transfer-family.html
https://aws.amazon.com/about-aws/whats-new/2018/11/aws-transfer-for-sftp-fully-managed-sftp-for-s3/?nc1=h_

- (Exam Topic 1)
A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN The company Is hosting Internal applications with VPCs in multiple AWS accounts Currently the applications are accessible from the company's on-premises office network through an AWS Site-to-Site VPN connection The VPC in the company's main AWS account has peering connections established with VPCs in other AWS accounts.
A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home
What is the MOST cost-effective solution that meets these requirements?

1. A. Create a Client VPN endpoint in each AWS account Configure required routing that allows access to internal applications
2. B. Create a Client VPN endpoint in the mam AWS account Configure required routing that allows access to internal applications
3. C. Create a Client VPN endpoint in the main AWS account Provision a transit gateway that is connected to each AWS account Configure required routing that allows access to internal applications
4. D. Create a Client VPN endpoint in the mam AWS account Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN

Correct Answer: C
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-peered.html

- (Exam Topic 3)
A team of data scientists is using Amazon SageMaker instances and SageMaker APIs to train machine learning (ML) models. The SageMaker instances are deployed in a VPC that does not have access to or from the internet. Datasets for ML model training are stored in an Amazon S3 bucket. Interface VPC endpoints provide access to Amazon S3 and the SageMaker APIs.
Occasionally, the data scientists require access to the Python Package Index (PyPl) repository to update Python packages that they use as part of their workflow. A solutions architect must provide access to the PyPI repository while ensuring that the SageMaker instances remain isolated from the internet.
Which solution will meet these requirements?

1. A. Create an AWS CodeCommit repository for each package that the data scientists need to access.Configure code synchronization between the PyPl repository and the CodeCommit repositor
2. B. Create a VPC endpoint for CodeCommit.
3. C. Create a NAT gateway in the VP
4. D. Configure VPC routes to allow access to the internet with a network ACL that allows access to only the PyPl repository endpoint.
5. E. Create a NAT instance in the VP
6. F. Configure VPC routes to allow access to the interne
7. G. Configure SageMaker notebook instance firewall rules that allow access to only the PyPI repository endpoint.
8. H. Create an AWS CodeArtifact domain and repositor
9. I. Add an external connection for public:pypi to the CodeArtifact repositor
10. J. Configure the Python client to use the CodeArtifact repositor
11. K. Create a VPC endpoint for CodeArtifact.

Correct Answer: D