- (Exam Topic 2)
A company's solutions architect is analyzing costs of a multi-application environment. The environment is deployed across multiple Availability Zones in a single AWS Region. After a recent acquisition, the company manages two organizations in AWS Organizations. The company has created multiple service provider applications as AWS PrivateLink-powered VPC endpoint services in one organization. The company has created multiple service consumer applications in the other organization.
Data transfer charges are much higher than the company expected, and the solutions architect needs to reduce the costs. The solutions architect must recommend guidelines for developers to follow when they deploy services. These guidelines must minimize data transfer charges for the whole environment.
Which guidelines meet these requirements? (Select TWO.)

1. A. Use AWS Resource Access Manager to share the subnets that host the service provider applications with other accounts in the organization.
2. B. Place the service provider applications and the service consumer applications in AWS accounts in the same organization.
3. C. Turn off cross-zone load balancing for the Network Load Balancer in all service provider application deployments.
4. D. Ensure that service consumer compute resources use the Availability Zone-specific endpoint service by using the endpoint's local DNS name.
5. E. Create a Savings Plan that provides adequate coverage for the organization's planned inter-Availability Zone data transfer usage.

Correct Answer: CD
Cross-zone load balancing enables traffic to be distributed evenly across all registered instances in all enabled Availability Zones. However, this also increases data transfer charges between Availability Zones. By turning off cross-zone load balancing, the service provider applications can reduce inter-Availability Zone data transfer costs. Similarly, by using the Availability Zone-specific endpoint service, the service consumer applications can ensure that they connect to the nearest service provider application in the same Availability Zone, avoiding cross-Availability Zone data transfer charges. References:
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-dns

- (Exam Topic 1)
A company has 10 accounts that are part of an organization in AWS Organizations AWS Config is configured in each account All accounts belong to either the Prod OU or the NonProd OU
The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source The company's security team is subscribed to the SNS topic
For all accounts in the NonProd OU the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source
Which solution will meet this requirement with the LEAST operational overhead?

1. A. Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic Deploy the updated rule to the NonProd OU
2. B. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU
3. C. Configure an SCP to allow the ec2 AulhonzeSecurityGrouplngress action when the value of the aws Sourcelp condition key is not 0.0.0.0/0 Apply the SCP to the NonProd OU
4. D. Configure an SCP to deny the ec2 AuthorizeSecurityGrouplngress action when the value of the aws Sourcelp condition key is 0.0.0.0/0 Apply the SCP to the NonProd OU

Correct Answer: D
This solution will meet the requirement with the least operational overhead because it directly denies the creation of the security group inbound rule with 0.0.0.0/0 as the source, which is the exact requirement. Additionally, it does not require any additional steps or resources such as invoking a Lambda function or adding a Config rule.
An SCP (Service Control Policy) is a policy that you can use to set fine-grained permissions for your AWS
accounts within your organization. You can use SCPs to set permissions for the root user of an account and to delegate permissions to IAM users and roles in the accounts. You can use SCPs to set permissions that allow or deny access to specific services, actions, and resources.
To implement this solution, you would need to create an SCP that denies the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. This SCP would then be applied to the NonProd OU. This would ensure that any security group inbound rule that includes 0.0.0.0/0 as the source will be denied, thus meeting the requirement.
Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_condition-keys.html

- (Exam Topic 3)
A scientific company needs to process text and image data from an Amazon S3 bucket. The data is collected from several radar stations during a live, time-critical phase of a deep space mission. The radar stations upload the data to the source S3 bucket. The data is prefixed by radar station identification number.
The company created a destination S3 bucket in a second account. Data must be copied from the source S3 bucket to the destination S3 bucket to meet a compliance objective. The replication occurs through the use of an S3 replication rule to cover all objects in the source S3 bucket.
One specific radar station is identified as having the most accurate data. Data replication at this radar station must be monitored for completion within 30 minutes after the radar station uploads the objects to the source S3 bucket.
What should a solutions architect do to meet these requirements?

1. A. Set up an AWS DataSync agent to replicate the prefixed data from the source S3 bucket to the destination S3 bucke
2. B. Select to use all available bandwidth on the task, and monitor the task to ensure that it is in the TRANSFERRING statu
3. C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger an alert if this status changes.
4. D. In the second account, create another S3 bucket to receive data from the radar station with the most accurate dat
5. E. Set up a new replication rule for this new S3 bucket to separate the replication from the other radar station
6. F. Monitor the maximum replication time to the destinatio
7. G. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger an alert when the time exceeds the desired threshold.
8. H. Enable Amazon S3 Transfer Acceleration on the source S3 bucket, and configure the radar station with the most accurate data to use the new endpoin
9. I. Monitor the S3 destination bucket's TotalRequestLatency metri
10. J. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger an alert if this status changes.
11. K. Create a new S3 replication rule on the source S3 bucket that filters for the keys that use the prefix of the radar station with the most accurate dat
12. L. Enable S3 Replication Time Control (S3 RTC). Monitor the maximum replication time to the destinatio
13. M. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger an alert when the time exceeds the desired threshold.

Correct Answer: D
https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-time-control.html

- (Exam Topic 3)
An enterprise company is building an infrastructure services platform for its users. The company has the following requirements:
Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services.
Use a central account to manage the creation of infrastructure services.
Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations.
Provide the ability to enforce tags on any infrastructure that is started by users.
Which combination of actions using AWS services will meet these requirements? (Choose three.)

1. A. Develop infrastructure services using AWS Cloud Formation template
2. B. Add the templates to a central Amazon S3 bucket and add the-IAM roles or users that require access to the S3 bucket policy.
3. C. Develop infrastructure services using AWS Cloud Formation template
4. D. Upload each template as an AWS Service Catalog product to portfolios created in a central AWS accoun
5. E. Share these portfolios with the Organizations structure created for the company.
6. F. Allow user IAM roles to have AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess permission
7. G. Add an Organizations SCP at the AWS account root user level to deny all services except AWS CloudFormation and Amazon S3.
8. H. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions onl
9. I. Use an automation script to import the central portfolios to local AWS accounts, copy the TagOption assign users access and apply launch constraints.
10. J. Use the AWS Service Catalog TagOption Library to maintain a list of tags required by the company.Apply the TagOption to AWS Service Catalog products or portfolios.
11. K. Use the AWS CloudFormation Resource Tags property to enforce the application of tags to any CloudFormation templates that will be created for users.

Correct Answer: BDE

Developing infrastructure services using AWS CloudFormation templates and uploading them as AWS Service Catalog products to portfolios created in a central AWS account will enable the company to
centrally manage the creation of infrastructure services and control who can use them1. AWS Service Catalog allows you to create and manage catalogs of IT services that are approved for use on
AWS2. You can organize products into portfolios, which are collections of products along with configuration information3. You can share portfolios with other accounts in your organization using AWS Organizations4.
Allowing user IAM roles to have ServiceCatalogEndUserAccess permissions only and using an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints will enable the company to provide least privilege access to users when launching AWS infrastructure services. ServiceCatalogEndUserAccess is a managed IAM policy that grants users permission to list and view products and launch product instances. An automation script can help import the shared portfolios from the central account to the local accounts, copy the TagOption from the central account, assign users access to the portfolios, and apply launch constraints that specify which IAM role or user can provision a product.
Using the AWS Service Catalog TagOption Library to maintain a list of tags required by the company and applying the TagOption to AWS Service Catalog products or portfolios will enable the company to enforce tags on any infrastructure that is started by users. TagOptions are key-value pairs that you can use to classify your AWS Service Catalog resources. You can create a TagOption Library that contains all the tags that you want to use across your organization. You can apply TagOptions to products or portfolios, and they will be automatically applied to any provisioned product instances.
References:
Creating a product from an existing CloudFormation template
What is AWS Service Catalog?
Working with portfolios
Sharing a portfolio with AWS Organizations
[Providing least privilege access for users]
[AWS managed policies for job functions]
[Importing shared portfolios]
[Enforcing tag policies]
[Working with TagOptions]
[Creating a TagOption Library]
[Applying TagOptions]

- (Exam Topic 3)
A solutions architect is reviewing an application's resilience before launch. The application runs on an Amazon EC2 instance that is deployed in a private subnet of a VPC.
The EC2 instance is provisioned by an Auto Scaling group that has a minimum capacity of I and a maximum capacity of I. The application stores data on an Amazon RDS for MySQL DB instance. The VPC has subnets configured in three Availability Zones and is configured with a single NAT gateway.
The solutions architect needs to recommend a solution to ensure that the application will operate across multiple Availability Zones.
Which solution will meet this requirement?

1. A. Deploy an additional NAT gateway in the other Availability Zone
2. B. Update the route tables with appropriate route
3. C. Modify the RDS for MySQL DB instance to a Multi-AZ configuratio
4. D. Configure the Auto Scaling group to launch instances across Availability Zone
5. E. Set the minimum capacity and maximum capacity of the Auto Scaling group to 3.
6. F. Replace the NAT gateway with a virtual private gatewa
7. G. Replace the RDS for MySQL DB instance with an Amazon Aurora MySQL DB cluste
8. H. Configure the Auto Scaling group to launch instances across all subnets in the VP
9. I. Set the minimum capacity and maximum capacity of the Auto Scaling group to 3.
10. J. Replace the NAT gateway with a NAT instanc
11. K. Migrate the RDS for MySQL DB instance to an RDS for PostgreSQL DB instanc
12. L. Launch a new EC2 instance in the other Availability Zones.
13. M. Deploy an additional NAT gateway in the other Availability Zone
14. N. Update the route tables with appropriate route
15. O. Modify the RDS for MySQL DB instance to turn on automatic backups and retain the backups for 7 day
16. P. Configure the Auto Scaling group to launch instances across all subnets in the VP
17. Q. Keep the minimum capacity and the maximum capacity of the Auto Scaling group at 1.

Correct Answer: A