- (Exam Topic 3)
A company plans to deploy a new private intranet service on Amazon EC2 instances inside a VPC. An AWS Site-to-Site VPN connects the VPC to the company's on-premises network. The new service must communicate with existing on-premises services The on-premises services are accessible through the use of hostnames that reside in the company example DNS zone This DNS zone is wholly hosted on premises and is available only on the company's private network.
A solutions architect must ensure that the new service can resolve hostnames on the company example domain to integrate with existing services.
Which solution meets these requirements?

1. A. Create an empty private zone in Amazon Route 53 for company example Add an additional NS record to the company's on-premises company example zone that points to the authoritative name servers for the new private zone in Route 53
2. B. Turn on DNS hostnames for the VPC Configure a new outbound endpoint with Amazon Route 53 Resolve
3. C. Create a Resolver rule to forward requests for company example to the on-premises name servers
4. D. Turn on DNS hostnames for the VPC Configure a new inbound resolver endpoint with Amazon Route 53 Resolve
5. E. Configure the on-premises DNS server to forward requests for company example to the new resolver.
6. F. Use AWS Systems Manager to configure a run document that will install a hosts file that contains any required hostname
7. G. Use an Amazon EventBndge rule to run the document when an instance is entering the running state.

Correct Answer: B
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

- (Exam Topic 1)
A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts.
In an AWS application account, the company's application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company's database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed in the application account.
The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets.
Which solution will meet these requirements?

1. A. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA accoun
2. B. In the DBA account, create an IAM role that is named DBA-Admi
3. C. Grant the role the required permissions to access the shared secret
4. D. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
5. E. In the application account, create an IAM role that is named DBA-Secre
6. F. Grant the role the required permissions to access the secret
7. G. In the DBA account, create an IAM role that is named DBA-Admi
8. H. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application accoun
9. I. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
10. J. In the DBA account, create an IAM role that is named DBA-Admi
11. K. Grant the role the required permissions to access the secrets and the default AWS managed key in the application accoun
12. L. In the application account, attach resource-based policies to the key to allow access from the DBA accoun
13. M. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
14. N. In the DBA account, create an IAM role that is named DBA-Admi
15. O. Grant the role the required permissions to access the secrets in the application accoun
16. P. Attach an SCP to the application account to allow access to the secrets from the DBA accoun
17. Q. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.

Correct Answer: B
Option B is correct because creating an IAM role in the application account that has permissions to access the secrets and creating an IAM role in the DBA account that has permissions to assume the role in the application account eliminates the need to manually share the secrets. This approach uses
cross-account IAM roles to grant access to the secrets in the application account. The database administrators can assume the role in the application account from their EC2 instance in the DBA
account and retrieve the secrets without having to store them locally or share them manually2
References: 1: https://docs.aws.amazon.com/ram/latest/userguide/what-is.html 2:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html 3: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html : https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html : https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

- (Exam Topic 3)
A company wants to migrate its on-premises application to AWS. The database for the application stores structured product data and temporary user session data. The company needs to decouple the product data from the user session data. The company also needs to implement replication in another AWS Region for disaster recovery.
Which solution will meet these requirements with the HIGHEST performance?

1. A. Create an Amazon RDS DB instance with separate schemas to host the product data and the user session dat
2. B. Configure a read replica for the DB instance in another Region.
3. C. Create an Amazon RDS DB instance to host the product dat
4. D. Configure a read replica for the DB instance in another Regio
5. E. Create a global datastore in Amazon ElastiCache for Memcached to host the user session data.
6. F. Create two Amazon DynamoDB global table
7. G. Use one global table to host the product data Use the other global table to host the user session dat
8. H. Use DynamoDB Accelerator (DAX) for caching.
9. I. Create an Amazon RDS DB instance to host the product dat
10. J. Configure a read replica for the DB instance in another Regio
11. K. Create an Amazon DynamoDB global table to host the user session data

Correct Answer: B

- (Exam Topic 1)
An AWS customer has a web application that runs on premises. The web application fetches data from a third-party API that is behind a firewall. The third party accepts only one public CIDR block in each client's allow list.
The customer wants to migrate their web application to the AWS Cloud. The application will be hosted on a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The ALB is located in public subnets. The EC2 instances are located in private subnets. NAT gateways provide internet access to the private subnets.
How should a solutions architect ensure that the web application can continue to call the third-parly API after the migration?

1. A. Associate a block of customer-owned public IP addresses to the VP
2. B. Enable public IP addressing for public subnets in the VPC.
3. C. Register a block of customer-owned public IP addresses in the AWS accoun
4. D. Create Elastic IP addresses from the address block and assign them lo the NAT gateways in the VPC.
5. E. Create Elastic IP addresses from the block of customer-owned IP addresse
6. F. Assign the static Elastic IP addresses to the ALB.
7. G. Register a block of customer-owned public IP addresses in the AWS accoun
8. H. Set up AWS Global Accelerator to use Elastic IP addresses from the address bloc
9. I. Set the ALB as the accelerator endpoint.

Correct Answer: B
When EC2 instances reach third-party API through internet, their privates IP addresses will be masked by NAT Gateway public IP address.
https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-bring-your-own-ip-byoip-for-amaz

- (Exam Topic 2)
A solutions architect needs to assess a newly acquired company’s portfolio of applications and databases. The solutions architect must create a business case to migrate the portfolio to AWS. The newly acquired company runs applications in an on-premises data center. The data center is not well documented. The solutions architect cannot immediately determine how many applications and databases exist. Traffic for the applications is variable. Some applications are batch processes that run at the end of each month.
The solutions architect must gain a better understanding of the portfolio before a migration to AWS can begin. Which solution will meet these requirements?

1. A. Use AWS Server Migration Service (AWS SMS) and AWS Database Migration Service (AWS DMS) to evaluate migratio
2. B. Use AWS Service Catalog to understand application and database dependencies.
3. C. Use AWS Application Migration Servic
4. D. Run agents on the on-premises infrastructur
5. E. Manage the agents by using AWS Migration Hu
6. F. Use AWS Storage Gateway to assess local storage needs and database dependencies.
7. G. Use Migration Evaluator to generate a list of server
8. H. Build a report for a business cas
9. I. Use AWS Migration Hub to view the portfoli
10. J. Use AWS Application Discovery Service to gain an understanding of application dependencies.
11. K. Use AWS Control Tower in the destination account to generate an application portfoli
12. L. Use AWS Server Migration Service (AWS SMS) to generate deeper reports and a business cas
13. M. Use a landing zone for core accounts and resources.

Correct Answer: C
The company should use Migration Evaluator to generate a list of servers and build a report for a business case. The company should use AWS Migration Hub to view the portfolio and use AWS Application Discovery Service to gain an understanding of application dependencies. This solution will meet the requirements because Migration Evaluator is a migration assessment service that helps create a data-driven business case for AWS cloud planning and migration. Migration Evaluator provides a clear baseline of what the company is running today and projects AWS costs based on measured on-premises provisioning and utilization1. Migration Evaluator can use an agentless collector to conduct broad-based discovery or securely upload exports from existing inventory tools2. Migration Evaluator integrates with AWS Migration Hub, which is a service that provides a single location to track the progress of application migrations across multiple AWS and partner solutions3. Migration Hub also supports AWS Application Discovery Service, which is a service that helps systems integrators quickly and reliably plan application migration projects by automatically identifying applications running in on-premises data centers, their associated dependencies, and their performance profile4.
https://aws.amazon.com/migration-evaluator/
https://docs.aws.amazon.com/migration-evaluator/latest/userguide/what-is.html
https://aws.amazon.com/migration-hub/
https://aws.amazon.com/application-discovery/
https://aws.amazon.com/server-migration-service/
https://aws.amazon.com/dms/
https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
https://aws.amazon.com/application-migration-service/
https://aws.amazon.com/storagegateway/