- (Exam Topic 3)
A company has hundreds of AWS accounts. The company uses an organization in AWS Organizations to manage all the accounts. The company has turned on all features.
A finance team has allocated a daily budget for AWS costs. The finance team must receive an email notification if the organization's AWS costs exceed 80% of the allocated budget. A solutions architect needs to implement a solution to track the costs and deliver the notifications.
Which solution will meet these requirements?

1. A. In the organization's management account, use AWS Budgets to create a budget that has a daily period.Add an alert threshold and set the value to 80%. Use Amazon Simple Notification Service (Amazon SNS) to notify the finance team.
2. B. In the organization’s management account, set up the organizational view feature for AWS Trusted Adviso
3. C. Create an organizational view report for cost optimizatio
4. D. Set an alert threshold of 80%.Configure notification preference
5. E. Add the email addresses of the finance team.
6. F. Register the organization with AWS Control Towe
7. G. Activate the optional cost control (guardrail). Set a control (guardrail) parameter of 80%. Configure control (guardrail) notification preference
8. H. Use Amazon Simple Notification Service (Amazon SNS) to notify the finance team.
9. I. Configure the member accounts to save a daily AWS Cost and Usage Report to an Amazon S3 bucket in the organization's management accoun
10. J. Use Amazon EventBridge to schedule a daily Amazon Athena query to calculate the organization’s cost
11. K. Configure Athena to send an Amazon CloudWatch alert if the total costs are more than 80% of the allocated budge
12. L. Use Amazon Simple Notification Service (Amazon SNS) to notify the finance team.

Correct Answer: A

- (Exam Topic 2)
A solutions architect must provide a secure way for a team of cloud engineers to use the AWS CLI to upload objects into an Amazon S3 bucket Each cloud engineer has an IAM user. IAM access keys and a virtual multi-factor authentication (MFA) device The IAM users for the cloud engineers are in a group that is named S3-access The cloud engineers must use MFA to perform any actions in Amazon S3
Which solution will meet these requirements?

1. A. Attach a policy to the S3 bucket to prompt the 1AM user for an MFA code when the 1AM user performs actions on the S3 bucket Use 1AM access keys with the AWS CLI tocall Amazon S3
2. B. Update the trust policy for the S3-access group to require principals to use MFA when principals assume the group Use 1AM access keys with the AWS CLI to call Amazon S3
3. C. Attach a policy to the S3-access group to deny all S3 actions unless MFA is present Use 1AM accesskeys with the AWS CLI to call Amazon S3
4. D. Attach a policy to the S3-access group to deny all S3 actions unless MFA is present Request temporary credentials from AWS Security Token Service (AWS STS) Attach the temporary credentials in a profile that Amazon S3 will reference when the user performs actions in Amazon S3

Correct Answer: D
The company should attach a policy to the S3-access group to deny all S3 actions unless MFA is present. The company should request temporary credentials from AWS Security Token Service (AWS STS). The company should attach the temporary credentials in a profile that Amazon S3 will reference when the user performs actions in Amazon S3. This solution will meet the requirements because AWS STS is a service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users). You can use MFA with AWS STS to provide an extra layer of security when requesting temporary credentials1. You can use the sts get-session-token AWS CLI command to request temporary credentials that include an MFA token2. You can then use these credentials with the AWS CLI to access Amazon S3 resources. To do this, you need to attach a policy to the IAM group that denies all S3 actions unless MFA is present3. You also need to create a profile in the AWS CLI configuration file that references the temporary credentials.
The other options are not correct because:
Attaching a policy to the S3 bucket to prompt the IAM user for an MFA code when the IAM user performs actions on the S3 bucket would not work because policies attached to S3 buckets cannot enforce MFA authentication. Policies attached to S3 buckets are resource-based policies that define what actions can be performed on the bucket and by whom. They do not have any logic to prompt for an MFA code or verify it.
Updating the trust policy for the S3-access group to require principals to use MFA when principals assume the group would not work because trust policies are used for roles, not groups. Trust policies are policies that define which principals can assume a role. They do not apply to groups, which are collections of IAM users that share permissions.
Creating an Amazon Route 53 Resolver DNS Firewall domain list that contains the allowed domains and configuring a DNS Firewall rule group with rules to allow or block requests based on the domain list would not help with enforcing MFA authentication for Amazon S3 actions. Amazon Route 53 Resolver DNS Firewall is a feature that enables you to filter and regulate outbound DNS traffic for your VPC. You can create reusable collections of filtering rules in DNS Firewall rule groups and associate them with your VPCs. You can specify lists of domain names to allow or block, and you can customize the responses for the DNS queries that you block. This feature is useful for controlling access to sites and blocking DNS-level threats, but not for requiring MFA authentication.
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_cliapi.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html

- (Exam Topic 2)
A company is migrating a legacy application from an on-premises data center to AWS. The application uses MongoDB as a key-value database According to the company's technical guidelines, all Amazon EC2 instances must be hosted in a private subnet without an internet connection. In addition, all connectivity between applications and databases must be encrypted. The database must be able to scale based on demand.
Which solution will meet these requirements?

1. A. Create new Amazon DocumentDB (with MongoDB compatibility) tables for the application with Provisioned IOPS volume
2. B. Use the instance endpoint to connect to Amazon DocumentDB.
3. C. Create new Amazon DynamoDB tables for the application with on-demand capacit
4. D. Use a gateway VPC endpoint for DynamoDB to connect to the DynamoDB tables
5. E. Create new Amazon DynamoDB tables for the application with on-demand capacit
6. F. Use an interface VPC endpoint for DynamoDB to connect to the DynamoDB tables.
7. G. Create new Amazon DocumentDB (with MongoDB compatibility) tables for the application with Provisioned IOPS volumes Use the cluster endpoint to connect to Amazon DocumentDB

Correct Answer: A
A is the correct answer because it uses Amazon DocumentDB (with MongoDB compatibility) as a key-value database that can scale based on demand and supports encryption in transit and at rest. Amazon DocumentDB is a fully managed document database service that is designed to be compatible with the MongoDB API. It is a NoSQL database that is optimized for storing, indexing, and querying JSON data. Amazon DocumentDB supports encryption in transit using TLS and encryption at rest using AWS Key Management Service (AWS KMS). Amazon DocumentDB also supports provisioned IOPS volumes that can scale up to 64 TiB of storage and 256,000 IOPS per cluster. To connect to Amazon DocumentDB, you can use the instance endpoint, which connects to a specific instance in the cluster, or the cluster endpoint, which connects to the primary instance or one of the replicas in the cluster. Using the cluster endpoint is recommended for high availability and load balancing purposes. References:
https://docs.aws.amazon.com/documentdb/latest/developerguide/what-is.html
https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.html
https://docs.aws.amazon.com/documentdb/latest/developerguide/limits.html
https://docs.aws.amazon.com/documentdb/latest/developerguide/connecting.html

- (Exam Topic 3)
An environmental company is deploying sensors in major cities throughout a country to measure air quality The sensors connect to AWS loT Core to ingest timesheets data readings. The company stores the data in Amazon DynamoDB
For business continuity the company must have the ability to ingest and store data in two AWS Regions Which solution will meet these requirements?

1. A. Create an Amazon Route 53 alias failover routing policy with values for AWS loT Core data endpoints in both Regions Migrate data to Amazon Aurora global tables
2. B. Create a domain configuration for AWS loT Core in each Region Create an Amazon Route 53latency-based routing policy Use AWS loT Core data endpoints in both Regions as values Migrate the data to Amazon MemoryDB for Radis and configure Cross-Region replication
3. C. Create a domain configuration for AWS loT Core in eac
4. D. Region Create an Amazon Route 53 health check that evaluates domain configuration health Create a failover routing policy with values for the domain name from the AWS loT Core domain configurations Update the DynamoDB table to a global table
5. E. Create an Amazon Route 53 latency-based routing polic
6. F. Use AWS loT Core data endpoints in both Regions as value
7. G. Configure DynamoDB streams and Cross-Region data replication

Correct Answer: C
https://aws.amazon.com/solutions/implementations/disaster-recovery-for-aws-iot/

- (Exam Topic 3)
A company has a web application that securely uploads pictures and videos to an Amazon S3 bucket. The company requires that only authenticated users are allowed to post content. The application generates a presigned URL that is used to upload objects through a browser interface. Most users are reporting slow upload times for objects larger than 100 MB.
What can a Solutions Architect do to improve the performance of these uploads while ensuring only authenticated users are allowed to post content?

1. A. Set up an Amazon API Gateway with an edge-optimized API endpoint that has a resource as an S3service prox
2. B. Configure the PUT method for this resource to expose the S3 PutObject operatio
3. C. Secure the API Gateway using a COGNITO_USER_POOLS authorize
4. D. Have the browser interface use API Gateway instead of the presigned URL to upload objects.
5. E. Set up an Amazon API Gateway with a regional API endpoint that has a resource as an S3 service prox
6. F. Configure the PUT method for this resource to expose the S3 PutObject operatio
7. G. Secure the API Gateway using an AWS Lambda authorize
8. H. Have the browser interface use API Gateway instead of the presigned URL to upload API objects.
9. I. Enable an S3 Transfer Acceleration endpoint on the S3 bucke
10. J. Use the endpoint when generating the presigned UR
11. K. Have the browser interface upload the objects to this URL using the S3 multipart upload API.
12. L. Configure an Amazon CloudFront distribution for the destination S3 bucke
13. M. Enable PUT and POST methods for the CloudFront cache behavio
14. N. Update the CloudFront origin to use an origin access identity (OAI). Give the OAI user s3:PutObject permissions in the bucket polic
15. O. Have the browser interface upload objects using the CloudFront distribution.

Correct Answer: C
S3 Transfer Acceleration is a feature that enables fast, easy, and secure transfers of files over
long distances between your client and an S3 bucket1. It works by leveraging the CloudFront edge network to route your requests to S3 over an optimized network path1. By using a Transfer Acceleration endpoint when generating a presigned URL, you can allow authenticated users to upload objects faster and more
reliably2. Additionally, using the S3 multipart upload API can improve the performance of large object uploads by breaking them into smaller parts and uploading them in parallel3.
References:
S3 Transfer Acceleration
Using Transfer Acceleration with presigned URLs
Uploading objects using multipart upload API