

Copyright © 2026 Nxt Exam



AWS Certification

Amazon Practice Questions, Discussions & Exam Topics by our Authors

A company stores multiple Amazon Machine Images (AMIs) in an AWS account to launch its Amazon EC2 instances. The AMIs contain critical data and configurations that are necessary for the company's operations. The company wants to implement a solution that will recover accidentally ...

Let's analyze each option in detail:

A) Create Amazon Elastic Block Store (Amazon EBS) snapshots of the AMIs. Store the snapshots in a separate AWS account.
- Explanation: EBS snapshots can be used to create backups of AMIs. Storing snapshots in a separate AWS account can provide an additional layer of protection in case the primary account is compromised or suffers accidental deletions. However, while this helps with backup, it introduces complexity in management (e.g., cross-account permissions, recovery processes) and does not provide a seamless solution for recovering deleted AMIs directly.
- Why Rejected: Although snapshots can help with data recovery, they don't directly address the need for quick recovery of deleted AMIs, and the operational overhead of managing snapshots across accounts could increase complexity.
- Scenario it can be used: This would be useful in situations where you want to ensure cross-account protection for critical data but still have to manage recovery manually.

B) Copy all AMIs to another AWS account periodically.
- Explanation: Copying AMIs to another AWS account provides redundancy in case of accidental deletion or other issues. However, this requires continuous management, periodic copying, and ensuring synchronization of AMIs across accounts. This option also introduces operational overhead to handle copy processes and cost implications.
- Why Rejected: This option is not the most efficient because of the manual effort or automation overhead needed to periodically copy AMIs. It also lacks the fine-grained control and simplicity that might be ideal for quickly recovering deleted AMIs.
- Scenario it can be used: If there is a need for geographic or account-level redundancy of AMIs and the company is willing to manage additional overhead, this could be a viable option...

Author: Ethan · Last updated Apr 16, 2026

A company has 150 TB of archived image data stored on-premises that needs to be moved to the AWS Cloud within the next month. The company's current network connection allows up to 100 Mbps uploads for this purpose during the night o...

Let's analyze each option and evaluate the best choice based on the requirements:

A) Use AWS Snowmobile to ship the data to AWS.
- Explanation: AWS Snowmobile is a physical data transport solution designed for transferring large volumes of data (up to 100 PB) to AWS. It involves using a shipping container (basically a truck) that holds up to 100 PB of data. It is typically used for extremely large-scale data migrations and offers high bandwidth with a fast data transfer process.
- Why Rejected: AWS Snowmobile is intended for extremely large datasets (hundreds of petabytes), which is far beyond the 150 TB requirement in this case. This solution would be overkill, and the associated cost is not ideal for the amount of data the company needs to migrate. Furthermore, its scale and logistics (like shipping and handling) make it less suitable for relatively smaller migrations like this one.
- Scenario it can be used: This would be a viable option if the company were migrating multiple petabytes of data, but not for the current situation with only 150 TB.

B) Order multiple AWS Snowball devices to ship the data to AWS.
- Explanation: AWS Snowball is a data transport solution for transferring large amounts of data (up to 50 TB per device) to AWS. It is an effective solution for situations where network bandwidth is limited or when data needs to be moved quickly without depending on internet speed. The company can order multiple Snowball devices to move the data, and they are cost-effective for transferring data in the range of tens to hundreds of terabytes.
- Why Selected: This is the most cost-effective and practical solution given the requirements. The company needs to move 150 TB, so they would likely need 3 Snowball devices (since each Snowball can handle 50 TB). It avoids the issues related to slow upload speeds and allows for fast, physical data transfer to AWS. AWS Snowball offers a relatively low operational overhead compared to alternatives.
- Scenario ...

Author: Madison · Last updated Apr 16, 2026

A company wants to migrate its three-tier application from on premises to AWS. The web tier and the application tier are running on third-party virtual machines (VMs). The database tier is running on MySQL. The company needs to migrate the application by making the fewest possible changes to the architecture. The company also needs a data...

Let's analyze each option and see which best meets the company’s requirements of migrating with minimal changes and ensuring point-in-time database restoration:

A) Migrate the web tier and the application tier to Amazon EC2 instances in private subnets. Migrate the database tier to Amazon RDS for MySQL in private subnets.
- Explanation: In this option, both the web tier and application tier are moved to Amazon EC2 instances in private subnets. The database is migrated to Amazon RDS for MySQL. Amazon RDS for MySQL supports point-in-time recovery (PITR) and is a fully managed solution, minimizing operational overhead.
- Why Selected: This solution meets the requirement of making minimal changes to the application architecture. The use of RDS for MySQL ensures that the database supports point-in-time recovery and reduces operational overhead since RDS handles backups, scaling, and maintenance automatically. The web and application tiers are hosted on EC2 instances, preserving the original setup of the application with minimal changes.
- Scenario it can be used: This is ideal for scenarios where the application needs minimal modification and a managed, reliable database solution that supports PITR.

B) Migrate the web tier to Amazon EC2 instances in public subnets. Migrate the application tier to EC2 instances in private subnets. Migrate the database tier to Amazon Aurora MySQL in private subnets.
- Explanation: Aurora MySQL is a high-performance, managed database solution compatible with MySQL. While Aurora supports point-in-time recovery, it might require some application changes due to performance optimizations and slight differences in behavior compared to MySQL. Also, migrating the web tier to EC2 instances in public subnets introduces exposure to the internet, which increases security risks.
- Why Rejected: This solution introduces unnecessary complexity, such as possible changes to the application layer (due to the switch to Aurora) and security concerns with exposing the web tier to the public internet. The solution also deviates from the company’s requirement of minimal changes to the architecture.
- Scenario it can be used: This is ideal when moving to a more scalabl...

Author: FrostFalcon88 · Last updated Apr 16, 2026

A development team is collaborating with another company to create an integrated product. The other company needs to access an Amazon Simple Queue Service (Amazon SQS) queue that is contained in the development team's account. The other company wants to poll the queue withou...

Let's analyze each option to determine the most suitable solution for providing the other company access to the Amazon SQS queue:

A) Create an instance profile that provides the other company access to the SQS queue.
- Explanation: Instance profiles are used to assign permissions to Amazon EC2 instances, not to allow access to an SQS queue. This would involve creating an EC2 instance that the other company could use to access the SQS queue, but this is not an efficient or secure way to grant access, especially since the other company wants to poll the SQS queue without giving up their own account permissions.
- Why Rejected: This option is not the most suitable as it unnecessarily involves EC2 instances, which is not aligned with the requirement of allowing the other company to directly poll the SQS queue without requiring their own account permissions.

B) Create an IAM policy that provides the other company access to the SQS queue.
- Explanation: An IAM policy can grant permissions to resources such as SQS queues. However, IAM policies are typically associated with IAM users, groups, or roles within a specific AWS account. To grant cross-account access, the IAM policy would need to be applied to a role in the development team's AWS account, and the other company would need to assume that role.
- Why Rejected: While technically feasible, this approach introduces additional complexity because it requires the other company to assume an IAM role in the development team's account. This process may not be the most straightforward solution if the goal is to allow the other company to directly access the queue without giving them full control of the account.

C) Create an SQS access policy that prov...

Author: Maya · Last updated Apr 16, 2026

A company's developers want a secure way to gain SSH access on the company's Amazon EC2 instances that run the latest version of Amazon Linux. The developers work remotely and in the corporate office. The company wants to use AWS services as a part of the solution. The EC2 instances are hosted in a VPC private subnet and access the internet...

Let's break down each of the options and analyze their pros and cons based on the key requirements of the scenario.

A) Create a bastion host in the same subnet as the EC2 instances. Grant the `ec2:CreateVpnConnection` IAM permission to the developers. Install EC2 Instance Connect so that the developers can connect to the EC2 instances.
Analysis:
- A bastion host in the same subnet as the EC2 instances would be costly and would increase the attack surface. If the bastion host is in the same subnet as the EC2 instances, it negates the purpose of having a private subnet, which is designed for security.
- EC2 Instance Connect is an option for SSH access, but this option requires specific setup for instance-based access. It also requires managing key pairs and user permissions, adding complexity.
- Granting `ec2:CreateVpnConnection` IAM permission to developers does not directly help with the secure connection to EC2 instances and doesn't address the core requirement.
Rejection Reason: The solution is not cost-effective, does not follow best practices, and introduces unnecessary complexity and security risks by using a bastion in the same subnet as the EC2 instances.

---

B) Create an AWS Site-to-Site VPN connection between the corporate network and the VPC. Instruct the developers to use the Site-to-Site VPN connection to access the EC2 instances when the developers are on the corporate network. Instruct the developers to set up another VPN connection for access when they work remotely.
Analysis:
- A Site-to-Site VPN is a solid solution for corporate office network access to AWS resources. However, it requires complex configuration and maintenance, particularly for remote developers who need a separate VPN setup.
- The solution lacks flexibility and is more expensive due to the need for two separate VPN connections (corporate and remote), which introduces overhead in both setup and operational management.
- This solution would require additional VPN infrastructure for remote developers, making it less cost-effective and adding complexity.
Rejection Reason: While secure, it is unnecessarily complex and costly for remote developers, and it ...

Author: Michael · Last updated Apr 16, 2026

A pharmaceutical company is developing a new drug. The volume of data that the company generates has grown exponentially over the past few months. The company's researchers regularly require a subset of the entire dataset to be immediately available with minimal lag. However, the entire dataset does not need to be accessed on a daily basis. All the data currently resides in on-premises...

Let's evaluate the options based on the company's requirements:

Requirements:
- Exponential growth of data: The company needs a scalable solution.
- Subset of data immediately available with minimal lag: A need for low-latency access to a subset of the data.
- Entire dataset does not need to be accessed daily: The company likely needs an option where the data can be archived but also be readily accessible when needed.
- Data resides on-premises: The company is looking to move data to the cloud and reduce capital expenses.

---

A) Run AWS DataSync as a scheduled cron job to migrate the data to an Amazon S3 bucket on an ongoing basis.
Analysis:
- AWS DataSync is a service designed to efficiently transfer large amounts of data between on-premises storage and AWS services (like S3). It's effective for periodic data migration.
- Pros: It's suitable for transferring large datasets with minimal latency during the transfer process. It's a fully managed solution, reducing the need for infrastructure management.
- Cons: DataSync typically moves large volumes of data in batches and may not provide the required "immediate availability with minimal lag" for subsets of data that are actively being worked on by researchers. The data may not be readily accessible immediately after migration if not structured properly in S3.
- Use case: DataSync is a good solution for migrating or syncing large datasets but may not suit the immediate low-latency access requirement as it isn't optimized for quick subset retrieval.
Rejection Reason: While DataSync is great for data migration, it does not provide the best solution for immediate, low-latency access to subsets of the data.

---

B) Deploy an AWS Storage Gateway file gateway with an Amazon S3 bucket as the target storage. Migrate the data to the Storage Gateway appliance.
Analysis:
- AWS Storage Gateway (File Gateway) provides on-premises file-based access to Amazon S3. The data is stored in S3, but it is presented as files to on-premises applications. It supports standard file protocols like NFS and SMB.
- Pros: It offers on-premises access to cloud storage, allowing researchers to access subsets of the data stored in S3 with minimal latency. Data is stored in S3, which is highly scalable and cost-effective.
- Cons: While this provides low-latency access to frequently accessed data, it still depends on on-premises infrastructure to a degree. For data not accessed frequently, the access might not be as efficient as directly using cloud-native solutions like S3 or EFS.
- Use case: This option is useful if the company wants to provide a seamless on-premises file interface to access data in the cloud. However, it might not be the best for cost optimization in the long run.
Rejection Reason: This solution may still be more costly and less scalable than alternatives, especially when full cloud-based options are available.

---

C) Deploy an AWS Storage Gateway volume gateway with cached volumes with an Amazon S3...

Author: NightmareDragon2025 · Last updated Apr 16, 2026

A company has a business-critical application that runs on Amazon EC2 instances. The application stores data in an Amazon DynamoDB table. The company must be able to revert the table to any point within the las...

Let's evaluate the options based on the requirements: the company needs the ability to revert the table to any point within the last 24 hours with the least operational overhead.

A) Configure point-in-time recovery for the table.
Analysis:
- Point-in-Time Recovery (PITR) is a feature in Amazon DynamoDB that allows you to restore a table to any point in time within the last 35 days (up to the nearest second). This can be done without the need for manual intervention or creating additional backups.
- Pros: PITR is specifically designed to allow easy restoration to a previous point in time. It integrates seamlessly with DynamoDB and requires minimal management once enabled.
- Cons: There are no significant downsides here, as PITR is straightforward, fully managed, and requires no additional infrastructure or manual intervention after being set up.
- Use case: This is the ideal solution for reverting a DynamoDB table to any point within a 24-hour window.
Selected option reason: This option perfectly meets the requirement of reverting the table to any point within the last 24 hours with minimal operational overhead. It is a fully managed service, requiring no additional infrastructure or manual backup management.

---

B) Use AWS Backup for the table.
Analysis:
- AWS Backup is a centralized backup service that can automate and manage backups for various AWS resources, including DynamoDB tables.
- Pros: AWS Backup provides centralized management and automation for backups.
- Cons: It typically works on scheduled backup intervals, and restoring from backups is less granular compared to PITR. AWS Backup is better suited for long-term backup and recovery rather than frequent point-in-time restores. It also has more operational overhead in terms of backup management, especially if you need frequent, granular restores.
- Use case: AWS Backup is ideal for creating periodic backups for longer-term retention, but it is not designed for frequent, granular point-in-time restores like PITR.
Rejection Reason: AWS Backup introduces more operational overhead than PITR, and it does not offer the same flexibility for quickly restoring to any point within the last 24 hours.

---

C) Use an AWS Lambda function to make an on-demand backup of the table every hour.
Analysis:
- AWS Lambda can be used to trigger backups of the DynamoDB table on a scheduled basis (e.g., hourly) by using th...

Author: NebulaEagle11 · Last updated Apr 16, 2026

A company hosts an application used to upload files to an Amazon S3 bucket. Once uploaded, the files are processed to extract metadata, which takes less than 5 seconds. The volume and frequency of the uploads varies from a few files each hour to hundreds of concurrent uploads. The company has asked a solutions ...

Let’s evaluate each option based on the requirements: the company needs a cost-effective architecture to handle varying upload volumes and process files for metadata extraction quickly after they are uploaded to S3. The processing should take less than 5 seconds.

A) Configure AWS CloudTrail trails to log S3 API calls. Use AWS AppSync to process the files.
Analysis:
- AWS CloudTrail is designed to log API activity for auditing and monitoring, not for real-time file processing.
- AWS AppSync is a fully managed service for building GraphQL APIs, which is not suited for file processing tasks.
- Pros: CloudTrail is great for security auditing and tracking API calls, and AppSync is useful for building APIs that provide real-time data.
- Cons: Neither CloudTrail nor AppSync is suitable for the real-time file processing required. CloudTrail cannot invoke file processing tasks, and AppSync does not fit the use case of processing files uploaded to S3 in a simple, cost-effective manner.
- Use case: CloudTrail and AppSync are not designed to handle file upload and metadata extraction tasks.
Rejection Reason: CloudTrail is for monitoring and security, not for file processing, and AppSync is not a good fit for the task of file processing.

---

B) Configure an object-created event notification within the S3 bucket to invoke an AWS Lambda function to process the files.
Analysis:
- Amazon S3 event notifications can be configured to trigger when an object is created in the S3 bucket (e.g., after a file is uploaded).
- AWS Lambda is ideal for processing small tasks, such as extracting metadata from files, and it integrates well with S3.
- Pros: This solution is event-driven, meaning the file is processed automatically and quickly (typically in less than 5 seconds), and only the processing costs are incurred. The architecture scales automatically based on the volume of uploads without requiring any additional resources.
- Cons: No significant downsides. Lambda functions may have a limit on execution time, but for a small metadata extraction task, this is not an issue. The system is cost-effective because you only pay for Lambda execution time and S3 events.
- Use case: This is a perfect fit for real-time processing of files uploaded to S3 with minimal latency and cost, given the nature of the task.
Selected option reason: This is the most cost-effective and efficient solution, leveraging event-driven architecture with S3 and Lambda to meet the requirements for metadata extraction with...

Author: MysticJaguar44 · Last updated Apr 16, 2026

A company's application is deployed on Amazon EC2 instances and uses AWS Lambda functions for an event-driven architecture. The company uses nonproduction development environments in a different AWS account to test new features before the company deploys the features to production. The production instances show constant usage because of customers in different time zones. The company uses nonproduction instances only during business hours on weekdays. The compa...

Let’s evaluate each option based on the requirements: The company wants to optimize costs while running production instances with constant usage and nonproduction instances that are used only during business hours on weekdays, with no usage on weekends.

A) Use On-Demand Instances for the production instances. Use Dedicated Hosts for the nonproduction instances on weekends only.
Analysis:
- On-Demand Instances are flexible but expensive, as you pay for computing resources by the hour without committing to a long-term contract.
- Dedicated Hosts provide physical EC2 instances dedicated to a single customer and are typically used for licensing requirements (e.g., bringing your own license). They are more expensive than other instance types.
- Pros: This setup provides flexibility for both production and nonproduction environments.
- Cons: On-Demand Instances for production are not cost-efficient for constant usage. Dedicated Hosts for nonproduction instances, especially for just weekends, will not provide cost optimization as Dedicated Hosts are expensive and would be underutilized during non-working hours. The cost of running Dedicated Hosts even for limited hours would be much higher than using other options like Savings Plans or On-Demand Instances for nonproduction.
- Use case: Dedicated Hosts are typically better suited for applications with specific licensing requirements, not for optimizing nonproduction cost efficiency.
Rejection Reason: Dedicated Hosts are expensive and not the most cost-effective solution for nonproduction instances that are used only during weekdays. On-Demand Instances for production are also more costly than necessary.

---

B) Use Reserved Instances for the production instances and the nonproduction instances. Shut down the nonproduction instances when not in use.
Analysis:
- Reserved Instances allow you to commit to using specific instance types in exchange for a lower rate. This is a great option for workloads that have consistent, predictable usage, such as production environments.
- Pros: Reserved Instances provide significant savings compared to On-Demand pricing, especially for production workloads that need constant usage.
- Cons: Reserved Instances for nonproduction environments are not ideal because the nonproduction instances are only used during business hours. Shutting them down outside of working hours doesn’t align with the commitment of Reserved Instances, which would result in wasted costs for nonproduction environments. The nonproduction instances might not get the maximum cost benefit from Reserved Instances since they won’t be running 24/7.
- Use case: Reserved Instances work well for production, but they are not ideal for environments with intermittent usage like nonproduction environments.
Rejection Reason: Reserved Instances are better suited for workloads that run 24/7. The nonproduction instances' usage pattern does not justify Reserved Instances.

---

C) Use Compute Savings Plans for the production instances. Use On-Demand Instances for the nonproduction instances. Shut down the nonproduction instances when not in use.
Analysis:
- Compute Savings Plans offer a flexible pricing model that applies to EC2, AWS La...

Author: Leah · Last updated Apr 16, 2026

A company stores data in an on-premises Oracle relational database. The company needs to make the data available in Amazon Aurora PostgreSQL for analysis. The company uses an AWS Site-to-Site VPN connection to connect its on-premises network to AWS. The company must capture the changes...

In this scenario, the company is looking to migrate data from an on-premises Oracle relational database to Amazon Aurora PostgreSQL while capturing ongoing changes to the source database during the migration. Let's analyze each option in detail to determine the best solution.

Option A: Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora PostgreSQL schema. Use the AWS Database Migration Service (AWS DMS) full-load migration task to migrate the data.
- Pros:
  - AWS SCT can convert the Oracle schema to the Aurora PostgreSQL schema.
  - AWS DMS can help in migrating the initial data from Oracle to Aurora PostgreSQL.
- Cons:
  - DMS full-load migration only migrates data initially. It does not capture ongoing changes or replicate them in real time during the migration process.
- Conclusion: This option is not ideal for the scenario because it doesn't meet the requirement of capturing ongoing changes.

Option B: Use AWS DataSync to migrate the data to an Amazon S3 bucket. Import the S3 data to Aurora PostgreSQL by using the Aurora PostgreSQL aws_s3 extension.
- Pros:
  - AWS DataSync is an efficient tool for moving large datasets between on-premises environments and AWS, including to Amazon S3.
- Cons:
  - This solution doesn't directly involve migrating data to Aurora PostgreSQL. The data must be stored in an S3 bucket, and then the `aws_s3` extension needs to be used to import the data into Aurora PostgreSQL.
  - No capability to track ongoing changes to the Oracle source database during the migration.
- Conclusion: This option is not suitable because it doesn’t address ongoing change data capture, which is a key requirement for this migration.

Option C: Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora PostgreSQL schema. Use AWS Database Migratio...

Author: Samuel · Last updated Apr 16, 2026

A company built an application with Docker containers and needs to run the application in the AWS Cloud. The company wants to use a managed service to host the application. The solution must scale in and out appropriately according to demand on the individual container services. The solution also must not ...

In this scenario, the company is looking for a managed service to run Docker containers in the AWS Cloud, ensuring scalability according to demand without the need for managing infrastructure. Let's analyze each option and determine which ones best meet these requirements.

Option A: Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate.
- Pros:
  - Managed service: AWS Fargate abstracts away the underlying infrastructure, so the company doesn't need to manage EC2 instances or worker nodes.
  - Scalability: ECS with Fargate automatically scales the containers based on demand, providing elasticity without the need to manage the underlying compute resources.
  - No operational overhead: With Fargate, AWS handles the infrastructure management (like provisioning and scaling compute resources), reducing operational overhead.
- Cons:
  - This solution is well-suited for containerized applications and meets all the requirements.
- Conclusion: This option perfectly meets the requirements since it is fully managed, scales with demand, and requires no infrastructure management.

Option B: Use Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate.
- Pros:
  - Managed service: EKS is a managed Kubernetes service, and using it with AWS Fargate abstracts away the infrastructure management.
  - Scalability: EKS with Fargate enables automatic scaling of containerized applications based on demand, just like ECS with Fargate.
  - No infrastructure management: Fargate handles the compute layer, so there is no need to manage worker nodes.
- Cons:
  - Complexity: Kubernetes, even when managed through EKS, can introduce additional complexity compared to ECS, which might require more expertise and management overhead for setting up and managing Kubernetes clusters.
  - However, if the application is built specifically with Kubernetes in mind, this option could be ideal.
- Conclusion: This option meets the requirements, though it introduces more complexity compared to ECS. However, it's still fully managed and abstracts away infrastructure concerns.

Option C: Provision an Amazon API Gateway API. Connect the API to AWS Lambda to run the containers.
- Pros:
  - Serverless: AWS Lambda is a serverless compute service, and API Gateway provides a fully managed way to expose the application to the internet.
  - No infrastructure management: Since Lambda is serverless, there is no need to manage servers or containers directly.
- Cons:
  - Not suitable for Docker containers: Lambda is typically...

Author: Lucas · Last updated Apr 16, 2026

An ecommerce company is running a seasonal online sale. The company hosts its website on Amazon EC2 instances spanning multiple Availability Zones. The company wants its website to manage sudden traffic increa...

The e-commerce company is looking for a solution to handle sudden traffic increases during a seasonal online sale in a cost-effective way while hosting the website on Amazon EC2 instances across multiple Availability Zones. Let's break down each option to determine which best meets the requirements.

Option A: Create an Auto Scaling group that is large enough to handle peak traffic load. Stop half of the Amazon EC2 instances. Configure the Auto Scaling group to use the stopped instances to scale out when traffic increases.
- Pros:
  - This option allows you to prepare for peak traffic by creating an Auto Scaling group with a large enough base of EC2 instances to handle peak load.
  - Stopping half of the instances helps reduce costs when the traffic is low.
- Cons:
  - Wasted resources: The stopped instances still incur costs in terms of storage (EBS volumes), and this approach can be inefficient. Auto Scaling does not scale in an optimized manner when using stopped instances.
  - The stopped instances cannot be used efficiently for scaling out without causing unnecessary resource overhead.
- Conclusion: This option is not ideal because it still incurs costs for the stopped instances, making it less cost-effective than other solutions.

Option B: Create an Auto Scaling group for the website. Set the minimum size of the Auto Scaling group so that it can handle high traffic volumes without the need to scale out.
- Pros:
  - Auto Scaling ensures that the number of EC2 instances can adjust automatically based on demand.
  - This option ensures that there are enough instances to handle high traffic, providing reliability.
- Cons:
  - Inefficient resource utilization: Setting the minimum size of the Auto Scaling group high enough to handle peak traffic means you will have many instances running even when traffic is low. This leads to overprovisioning, which is not cost-effective.
  - It does not take advantage of Auto Scaling's ability to scale dynamically with traffic, leading to unnecessary costs.
- Conclusion: This option is not cost-effective because it assumes peak traffic load at all times, which doesn't align with the goal of minimizing cost during periods of low traffic.

Option C: Use Amazon CloudFront and Amazon ElastiCache to cache dynamic content with an Auto Scaling group set as the origin. Configure the Auto Scaling group with the instances necessary to populate CloudFront and ElastiCache. Scale in after the cache is fully populated.
- Pros:
  - CloudFront can reduce the load on EC2 instances by caching static and dynami...

Author: Elijah · Last updated Apr 16, 2026

A solutions architect must provide an automated solution for a company's compliance policy that states security groups cannot include a rule that allows SSH from 0.0.0.0/0. The company needs to be notified if there is any breach in the policy. A solution is needed as soon ...

To meet the company’s compliance policy with the least operational overhead, we need a solution that ensures security groups cannot include rules allowing SSH from 0.0.0.0/0 and that generates a notification when such a breach occurs. Let’s analyze each option to identify the best solution.

Option A: Write an AWS Lambda script that monitors security groups for SSH being open to 0.0.0.0/0 addresses and creates a notification every time it finds one.
- Pros:
  - AWS Lambda is highly flexible, allowing the creation of custom logic for monitoring and notifying based on security group rules.
- Cons:
  - Operational overhead: Writing a custom Lambda function requires ongoing maintenance, debugging, and monitoring.
  - This solution requires manually setting up monitoring and notification for each security group, which adds complexity and overhead.
  - Error handling and testing: The Lambda script needs to handle various edge cases, such as newly created security groups or changes to existing rules, which requires additional operational effort.
- Conclusion: While functional, this option involves more manual setup and ongoing maintenance, making it more complex than necessary for this use case.

Option B: Enable the restricted-ssh AWS Config managed rule and generate an Amazon Simple Notification Service (Amazon SNS) notification when a noncompliant rule is created.
- Pros:
  - Automated solution: AWS Config provides a managed rule (restricted-ssh) that automatically checks for noncompliant security group rules.
  - Low operational overhead: AWS Config is fully managed and requires minimal setup and maintenance.
  - Notifications: Config can be integrated with Amazon SNS to notify you when a security group rule is found that violates the policy (e.g., SSH open to 0.0.0.0/0).
  - Scalable: AWS Config automatically monitors all security groups and does not require custom scripts or manual intervention.
- Cons:
  - Dependency on AWS Config: You need to ensure AWS Config is enabled in your account and properly set up to monitor security groups.
- Conclusion: This option is the most efficient and low-overhead solution, as it leverages a fully managed AWS Config rule to enforce the policy and integrates with SNS for notifications without requiring custom code or ongoing maintenance.

Option C: Create an IAM role ...

Author: Liam · Last updated Apr 16, 2026

A company has deployed an application in an AWS account. The application consists of microservices that run on AWS Lambda and Amazon Elastic Kubernetes Service (Amazon EKS). A separate team supports each microservice. The company has multiple AWS accounts and wants to give each team its own account for its microservices. A solutions architect needs to design a solution that will provide service...

To meet the company's requirements of service-to-service communication over HTTPS with a service registry for service discovery while minimizing administrative overhead, let's evaluate each option.

Option A: Create an inspection VPC. Deploy an AWS Network Firewall firewall to the inspection VPC. Attach the inspection VPC to a new transit gateway. Route VPC-to-VPC traffic to the inspection VPC. Apply firewall rules to allow only HTTPS communication.
- Pros:
  - Provides centralized traffic inspection with the firewall, which ensures that only HTTPS communication is allowed.
- Cons:
  - High administrative overhead: Setting up and managing a dedicated inspection VPC, transit gateway, and firewall adds significant complexity and maintenance overhead.
  - Service discovery: This solution does not inherently provide service discovery, which is another requirement.
  - Not the most efficient: This approach is more complex than necessary for the given task, especially with a need to manage multiple VPCs and firewall rules.
- Conclusion: This option is not optimal because it introduces significant complexity and operational overhead for simple HTTPS communication and service discovery.

Option B: Create a VPC Lattice service network. Associate the microservices with the service network. Define HTTPS listeners for each service. Register microservice compute resources as targets. Identify VPCs that need to communicate with the services. Associate those VPCs with the service network.
- Pros:
  - Service discovery: VPC Lattice provides a built-in service registry and service discovery, which meets the requirement for service-to-service communication and allows for easy configuration.
  - HTTPS communication: You can configure HTTPS listeners directly in VPC Lattice.
  - Simplified architecture: VPC Lattice abstracts much of the network configuration and traffic routing, reducing administrative overhead.
  - Cross-account communication: VPC Lattice supports communication across multiple accounts, which is ideal for the company's multiple AWS accounts.
- Cons:
  - Relatively new: While VPC Lattice is a powerful solution, it's a relatively new service and may not be as mature as other networking solutions.
- Conclusion: This option perfectly meets the requirements with minimal administrative overhead by providing built-in service discovery and HTTPS communication.

Option C: Create a Network Load Balancer (NLB) with an HTTPS listener and target groups for each microservice. Create an AWS PrivateLink endpoint service for each microservice. Create an interface VPC endpoint in each VPC that needs to consume that microservice.
- Pros:
  - HTTPS communication: NLBs can ...

Author: Aditya · Last updated Apr 16, 2026

A company has a mobile game that reads most of its metadata from an Amazon RDS DB instance. As the game increased in popularity, developers noticed slowdowns related to the game's metadata load times. Performance metrics indicate that simply scaling the database will not help. A solutions architect must explore all options that include ca...

To solve the performance issues with the mobile game's metadata load times, the solutions architect needs to focus on options that address the slowdowns in a way that ensures scalability, low latency, and the capability for snapshots, replication, and sub-millisecond response times. Let's evaluate each option:

Option A: Migrate the database to Amazon Aurora with Aurora Replicas
- Why it might work: Amazon Aurora is a relational database service that offers high performance, scalability, and reliability. Aurora provides automatic replication, which can help with read-heavy workloads by allowing Aurora Replicas to distribute read requests, improving response times. Aurora also supports snapshots, which are useful for backup and recovery.
- Why it might not work: Since the performance metrics indicate that scaling the database will not help, the underlying issue might not be just about horizontal scaling or replication. Aurora, while faster than RDS in some cases, still may not address the specific latency or response time issues caused by the need for sub-millisecond read times.
- Scenario: This would be ideal for scenarios where the metadata is complex and highly relational, where replication is key, but it might not be optimal for sub-millisecond latencies.

Option B: Migrate the database to Amazon DynamoDB with global tables
- Why it might work: DynamoDB is a NoSQL database designed for low-latency access at scale. DynamoDB global tables provide replication across regions, ensuring high availability and fault tolerance. It can also offer sub-millisecond response times for read-heavy workloads.
- Why it might not work: If the game’s metadata is relational in nature, migrating to DynamoDB might require a redesign of the data model, which could introduce significant complexity. Moreover, DynamoDB is better suited for key-value or document-style access patterns, which may not fit the structure of the metadata stored in a relational database.
- Scenario: DynamoDB with global tables is optimal for use cases requiring extremely low-latency, distributed access, and high availability. However, relational data structure limitations could be a challenge.

Option C: Add an Amazon ElastiCache for Redis layer in front of the database
- Why it might work: ElastiCache for Redis is an in-memor...

Author: IronLion88 · Last updated Apr 16, 2026

A company uses AWS Organizations for its multi-account AWS setup. The security organizational unit (OU) of the company needs to share approved Amazon Machine Images (AMIs) with the development OU. The AMIs are created by using AWS Key Managem...

To meet the requirement of sharing encrypted AMIs between the Security and Development organizational units (OUs), the solution must ensure that:
1. The AMI is available to the development team.
2. The encrypted snapshot in the AMI is accessible to the development OU, which requires granting permission to use the AWS Key Management Service (KMS) key used for encryption.

Let’s evaluate the provided options:

Option A: Add the development team's OU Amazon Resource Name (ARN) to the launch permission list for the AMIs
- Why it might work: Adding the development OU’s ARN to the launch permission list for the AMI ensures that the AMI is available for launching by instances in the development OU. However, since the AMI is encrypted with KMS keys, the development OU also needs permission to use the KMS key to decrypt the AMI’s snapshot.
- Why it might not work: This option doesn’t address KMS permissions, which are essential because the AMI’s snapshots are encrypted with KMS keys. The development team may still not be able to launch the AMI unless they also have the necessary permissions on the KMS key.

Option B: Add the Organizations root Amazon Resource Name (ARN) to the launch permission list for the AMIs
- Why it might work: This would grant the root of the AWS Organization permission to use the AMI. However, this doesn’t ensure that the specific development team can use the AMI unless the development OU also has access to the KMS key.
- Why it might not work: The Organization’s root ARN doesn’t necessarily grant specific permissions to child accounts or OUs within the organization. Moreover, it doesn't address the KMS key permissions required for accessing the encrypted snapshot.

Option C: Update the key policy to allow the development team's OU to use the AWS KMS keys that are used to decrypt the snapshots
- Why it might work: This option addresses the main problem: the KMS key used to encrypt the snapshot needs to be accessible to the development OU. Updating the key policy to allow the development team’s OU to use the ...

Author: Aarav · Last updated Apr 16, 2026

A data analytics company has 80 offices that are distributed globally. Each office hosts 1 PB of data and has between 1 and 2 Gbps of internet bandwidth. The company needs to perform a one-time migration of a large amount of data from its offices to Amazon S3. The comp...

In this scenario, the company has a significant amount of data (1 PB per office across 80 offices) and must complete the migration within a 4-week timeframe. Each office has between 1 and 2 Gbps of internet bandwidth, and cost-effectiveness is a key factor. Let’s evaluate each option based on these criteria:

Option A: Establish a new 10 Gbps AWS Direct Connect connection to each office. Transfer the data to Amazon S3.
- Why it might work: Direct Connect provides a private and potentially high-bandwidth connection between on-premises networks and AWS. If each office can get 10 Gbps of bandwidth, it would significantly speed up the transfer.
- Why it might not work: Even with a 10 Gbps connection, transferring 1 PB of data per office would take time. Specifically, transferring 1 PB (1,000,000 GB) over 10 Gbps (1.25 GBps) would take approximately 800,000 seconds or around 9 days for just one office. Given that there are 80 offices, the time needed for data transfer would likely exceed the 4-week requirement, especially considering network congestion, overhead, and potential bandwidth fluctuations. Additionally, establishing Direct Connect connections across all offices would incur significant setup costs and may not be the most cost-effective solution.

Option B: Use multiple AWS Snowball Edge storage-optimized devices to store and transfer the data to Amazon S3.
- Why it might work: AWS Snowball Edge is a highly efficient solution for transferring large amounts of data. Snowball Edge devices can store up to 100 TB each, and since each office has 1 PB of data, it would require about 10 devices per office. This approach is ideal for offices with limited internet bandwidth, as it minimizes reliance on the internet. The company can ship the devices to AWS, where the data can be loaded directly into S3.
- Why it might not work: This solution requires logistics for shipping and collecting the devices, but it is still much faster and more cost-effective compared to relying solely on bandwidth. Given the constraints of limited internet bandwidth in the offices, Snowball Edge devices are a highly cost-effective choice and provide good scalability.

Option C: Use an AWS Snowmobile to store and transfer the data to Amazon S3.
- Why it mi...

Author: Sofia · Last updated Apr 16, 2026

A company has an Amazon Elastic File System (Amazon EFS) file system that contains a reference dataset. The company has applications on Amazon EC2 instances that need to read the dataset. However, the applications must not be able to change the dataset. The company wants to use IAM access contr...

To prevent the applications running on Amazon EC2 instances from modifying or deleting the dataset stored in an Amazon Elastic File System (Amazon EFS), while allowing them to read the data, IAM access control and EFS-specific mechanisms should be used. Let's evaluate each option in detail:

Option A: Mount the EFS file system in read-only mode from within the EC2 instances.
- Why it might work: Mounting the file system in read-only mode would prevent the applications from modifying or deleting the dataset.
- Why it might not work: While this would prevent write access at the file system level, it does not use IAM access control. The requirement is to use IAM access control, not just mounting the file system with read-only permissions. Moreover, read-only mounting is not controlled via IAM policies, which is an important aspect for this solution.
- Scenario: This would be a simple solution if IAM access control were not a requirement, but it doesn't meet the IAM access control requirement.

Option B: Create a resource policy for the EFS file system that denies the `elasticfilesystem:ClientWrite` action to the IAM roles that are attached to the EC2 instances.
- Why it might work: A resource policy for Amazon EFS can be used to control permissions at the file system level. By denying the `elasticfilesystem:ClientWrite` action, you can prevent applications from modifying the dataset.
- Why it might not work: This option may not be effective in this case because Amazon EFS does not support fine-grained resource-based policies for actions such as `ClientWrite` directly in the way this solution suggests. This policy-based approach would be better suited for other AWS services, but EFS primarily relies on POSIX-based permissions (file-level permissions) and NFS (network-level) access controls.
- Scenario: Resource policies are typically used for other AWS services (e.g., S3, Lambda), but EFS has different access mechanisms, making this solution not ideal.

Option C: Create an identity policy for the EFS file system that denies the `elasticfilesystem:ClientWrite` action on the EFS file system.
- Why it might work: An IAM identity policy could...

Author: Liam · Last updated Apr 16, 2026

A company has hired an external vendor to perform work in the company's AWS account. The vendor uses an automated tool that is hosted in an AWS account that the vendor owns. The vendor does not have IAM access to the company's AWS account. The company needs to gr...

To grant access to an external vendor without directly providing IAM access to the company's AWS account, the most secure and scalable solution needs to ensure that the vendor can access only the required resources and actions without compromising the security of the company's AWS environment. Let's evaluate each option:

Option A: Create an IAM role in the company’s account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires.
- Why it works: This option uses cross-account access with an IAM role, which is a highly secure method for granting access to external vendors. By creating an IAM role with appropriate permissions in the company’s account and allowing the vendor’s IAM role to assume that role, the company can securely delegate access. This solution minimizes risk by not creating a direct IAM user for the vendor but instead leveraging a role with strict permissions and the ability to be assumed only by the vendor's account.
- Why it might be the best option: This option meets the security requirement of providing the vendor access without directly giving them IAM credentials. It also allows for fine-grained access control through IAM policies attached to the role. This is a standard, secure, and flexible approach.
- Scenario: This is ideal when an external vendor needs temporary access to resources in your AWS account, and you want to limit that access with precision.

Option B: Create an IAM user in the company’s account with a password that meets the password complexity requirements. Attach the appropriate IAM policies to the user for the permissions that the vendor requires.
- Why it might not work: Creating an IAM user directly for the vendor means that the vendor would have a permanent set of credentials (username and password) for the company's AWS account, which is a less secure method. Sharing IAM user credentials with an external party increases the risk of unauthorized access or credential misuse.
- Why it might not be ideal: While this method provides direct access, it does not follow the principle of least privilege as securely as an assumed role does. It also introduces management overhead, as you would need to manage password policies and rotate crede...

Author: Zara · Last updated Apr 16, 2026

A company wants to run its experimental workloads in the AWS Cloud. The company has a budget for cloud spending. The company's CFO is concerned about cloud spending accountability for each department. The CFO wants to receive notification...

Key Factors for Selecting the Right Solution:
- Cloud Spending Accountability: The CFO is concerned about accountability for cloud spending by department. Hence, we need a solution that can clearly track and allocate costs to individual departments or owners.
- Alert Notifications: The CFO wants a notification when the spending reaches 60% of the budget. This requires setting up an alert system based on spending thresholds.
- Budget Management: The solution should allow for budgeting and cost tracking, and it should provide automated alerts when certain spending limits are exceeded.

Option Analysis:

1. A) Use cost allocation tags on AWS resources to label owners. Create usage budgets in AWS Budgets. Add an alert threshold to receive notification when spending exceeds 60% of the budget.
   - Reasoning: This option allows labeling resources by owners or departments using cost allocation tags, which directly addresses the CFO’s concern about spending accountability by department. AWS Budgets can set a budget and trigger alerts when the spending reaches 60%, satisfying the notification requirement.
   - Why this is Selected: This solution combines both resource-level accountability (via tags) and budget-based alerting (via AWS Budgets), making it an effective choice for tracking and managing costs across departments.

2. B) Use AWS Cost Explorer forecasts to determine resource owners. Use AWS Cost Anomaly Detection to create alert threshold notifications when spending exceeds 60% of the budget.
   - Reasoning: AWS Cost Explorer is useful for analyzing cost trends and forecasts, and AWS Cost Anomaly Detection can detect unusual spending patterns. However, this option does not directly provide the ability to manage budget thresholds based on specific department allocations, making it less ideal for this scenario where accountabilit...

Author: Abigail · Last updated Apr 16, 2026

A company wants to deploy an internal web application on AWS. The web application must be accessible only from the company's office. The company needs to download security patches for the web application from the internet. The company has created a VPC and has configured an AWS Site-to-Site VPN connection to the company...

Key Factors to Consider:
- Accessibility: The web application must only be accessible from the company’s office.
- Security Patches: The web application needs to download security patches from the internet, so it requires internet access.
- VPC Configuration: The company has already set up a VPC and Site-to-Site VPN for secure communication from the office.

Option Analysis:

1. A) Deploy the web application on Amazon EC2 instances in public subnets behind a public Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the inbound source of the ALB's security group to 0.0.0.0/0.
   - Reasoning: The ALB is exposed to the internet because the inbound rule allows traffic from 0.0.0.0/0 (anywhere). This violates the requirement that the web application should only be accessible from the company’s office. While the EC2 instances are in public subnets and can access the internet, the open access to the ALB makes the application publicly accessible.
   - Why Rejected: This setup allows internet traffic, which does not meet the security requirement of limiting access to the company’s office.

2. B) Deploy the web application on Amazon EC2 instances in private subnets behind an internal Application Load Balancer (ALB). Deploy NAT gateways in public subnets. Attach an internet gateway to the VPC. Set the inbound source of the ALB's security group to the company's office network CIDR block.
   - Reasoning: The EC2 instances are in private subnets, which are not directly exposed to the internet. The ALB is internal, which means it is not publicly accessible. The inbound rule limits access to the company's office network CIDR block, making it possible for only the office to access the application. The NAT gateways allow the EC2 instances in private subnets to access the internet for downloading security patches.
   - Why Selected: This solution meets all the requirements:
     - The web application is only accessible from the office.
     - EC2 instances in private subnets can still download patches via the NAT gateway.
     - ...

Author: Sophia · Last updated Apr 16, 2026

A company maintains its accounting records in a custom application that runs on Amazon EC2 instances. The company needs to migrate the data to an AWS managed service for development and maintenance of the application data. The solution must require minimal operational support and provide immut...

Key Factors to Consider:
- Minimal Operational Support: The solution should require minimal ongoing management and operational effort.
- Immutable, Cryptographically Verifiable Logs: The company needs a system that ensures that data changes are immutable and can be verified cryptographically, providing an audit trail for data changes.
- Cost-Effectiveness: The solution should balance functionality with cost efficiency.

Option Analysis:

1. A) Copy the records from the application into an Amazon Redshift cluster.
   - Reasoning: Amazon Redshift is a managed data warehouse service designed for analytics. It is optimized for running complex queries and providing large-scale data analytics. However, it does not natively provide immutability or cryptographically verifiable logs of data changes. It’s also designed for analytic workloads, not transactional systems.
   - Why Rejected: Redshift doesn’t fulfill the requirement for immutable and cryptographically verifiable logs of data changes, and it’s more suited for analytics, not operational transactional workloads.

2. B) Copy the records from the application into an Amazon Neptune cluster.
   - Reasoning: Amazon Neptune is a fully managed graph database service. It is optimized for storing relationships and graphs between data, such as social networks or recommendation engines. While Neptune is useful for graph-based queries, it doesn’t provide a built-in mechanism for immutable, cryptographically verifiable logs of data changes.
   - Why Rejected: Neptune is not designed for immutable logs and doesn't provide native features to guarantee cryptographic verifiability of data changes, which is a core requirement in this scenario.

3. C) Copy the records from the application into an Amazon Timestream database.
   - Reasoning...

Author: Manish · Last updated Apr 16, 2026

A company's marketing data is uploaded from multiple sources to an Amazon S3 bucket. A series of data preparation jobs aggregate the data for reporting. The data preparation jobs need to run at regular intervals in parallel. A few jobs need to run in a specific order later. The company wants to remove...

Key Factors to Consider:
- Regular and Parallel Execution: The data preparation jobs need to run at regular intervals and in parallel, with a few jobs needing to execute in a specific order.
- Operational Overhead: The solution should handle job error handling, retry logic, and state management automatically, reducing the operational burden.
- Automation: The solution should automate as much as possible, including scheduling, execution, and management of the jobs.

Option Analysis:

1. A) Use an AWS Lambda function to process the data as soon as the data is uploaded to the S3 bucket. Invoke other Lambda functions at regularly scheduled intervals.
   - Reasoning: AWS Lambda can automatically trigger functions when new data is uploaded to an S3 bucket. However, managing job dependencies, retries, and state across multiple Lambda invocations can become complex, especially when jobs need to run in parallel or in a specific sequence. Lambda functions are stateless by design, so maintaining state and handling retries without a complex external system would add operational complexity.
   - Why Rejected: Although Lambda can process the data as it arrives and schedule periodic tasks, handling error management, retry logic, and job dependencies between multiple functions would require extra work. Additionally, Lambda is not ideal for complex workflows that need to ensure jobs run in a particular order later.

2. B) Use Amazon Athena to process the data. Use Amazon EventBridge Scheduler to invoke Athena on a regular interval.
   - Reasoning: Amazon Athena allows you to query data directly in S3 using SQL, and EventBridge Scheduler can trigger Athena queries at regular intervals. However, Athena is primarily a query service, not a job orchestration tool. It does not provide built-in features for managing job dependencies, retries, or parallel execution.
   - Why Rejected: While Athena is great for querying data, it does not handle job orchestration or error handling and retry logic. The company would still need additional infrastructure for scheduling and managing jobs, which adds complexity and operational overhead.

3. C) Use AWS Glue DataBrew to process the data. Use an AWS Step Functions state machine ...

Author: Andrew · Last updated Apr 16, 2026

A solutions architect is designing a payment processing application that runs on AWS Lambda in private subnets across multiple Availability Zones. The application uses multiple Lambda functions and processes millions of transactions each day. The architecture mus...

Key Factors to Consider:
- Avoiding Duplicate Payments: The application needs to ensure that it does not process the same payment multiple times.
- Scalability: The system must handle millions of transactions per day efficiently.
- Reliability: The solution should provide reliable message delivery, ensuring payments are processed without duplicates.
- Integration with AWS Lambda: The solution should integrate well with AWS Lambda to allow for serverless processing.

Option Analysis:

1. A) Use Lambda to retrieve all due payments. Publish the due payments to an Amazon S3 bucket. Configure the S3 bucket with an event notification to invoke another Lambda function to process the due payments.
   - Reasoning: While this option could work for processing payments, there are several drawbacks:
     - S3 is primarily a storage service, not designed for message queuing or handling transactional integrity.
     - S3 does not provide built-in guarantees against duplicate messages or message deduplication.
     - Managing duplicate processing via Lambda from S3 events would require additional logic within the Lambda function to track previously processed payments.
   - Why Rejected: This approach does not naturally guarantee deduplication and introduces unnecessary complexity in managing state and tracking previously processed payments.

2. B) Use Lambda to retrieve all due payments. Publish the due payments to an Amazon Simple Queue Service (Amazon SQS) queue. Configure another Lambda function to poll the SQS queue and to process the due payments.
   - Reasoning: SQS is a fully managed message queue service that ensures reliable message delivery, but the standard SQS queue does not guarantee message deduplication. If the same payment is accidentally sent to the queue multiple times, it could result in duplicate processing.
   - Why Rejected: This option lacks built-in deduplication, meaning additional steps would be required within the Lambda function to ensure that duplicate payments are not processed.

3. C) Use Lambda to retrieve all due payments....

Author: ShadowWolf101 · Last updated Apr 16, 2026

A company runs multiple workloads in its on-premises data center. The company's data center cannot scale fast enough to meet the company's expanding business needs. The company wants to collect usage and configuration data about the on-pre...

When planning a migration to AWS, it's important to assess the on-premises workloads by collecting data on their usage, configuration, and dependencies. This data helps make informed decisions about how to best migrate the workloads, optimize for AWS, and ensure successful implementation. Let's analyze the given options one by one based on the scenario and key requirements:

Option A: Set the home AWS Region in AWS Migration Hub. Use AWS Systems Manager to collect data about the on-premises servers.
- Analysis: AWS Systems Manager is more suited for managing and automating tasks on existing servers, including patch management, compliance, and configuration management. However, it's not specifically designed for gathering detailed usage and configuration data for migration planning.
- Why Rejected: While AWS Systems Manager is useful for managing servers in AWS or on-premises, it doesn't directly offer detailed insight into workloads, configurations, and usage metrics that would support migration planning, as it focuses on operational tasks rather than migration planning.

Option B: Set the home AWS Region in AWS Migration Hub. Use AWS Application Discovery Service to collect data about the on-premises servers.
- Analysis: AWS Application Discovery Service is specifically designed for this use case. It collects detailed information about on-premises servers, including resource utilization (CPU, memory, storage), and application dependencies. This is exactly what's needed to plan for a migration.
- Why Selected: AWS Application Discovery Service provides the critical data necessary to assess workloads, configurations, and performance. It integrates well with AWS Migration Hub, providing visibility into migration progress, which is useful for long-term planning.
- Why Not Rejected: This is the correct solution because it directly addresses the need to collect data about on-premises servers and workloads to plan a migration to AWS.

Option C: Use the AWS Schema Conversion Tool (AWS SCT) to create the relevant templates. Use AWS Trusted Advisor to...

Author: Olivia Johnson · Last updated Apr 16, 2026

A company has an organization in AWS Organizations that has all features enabled. The company requires that all API calls and logins in any existing or new AWS account must be audited. The company needs a managed solution to prevent additional work and to minimize costs. The company also needs to know when any AWS account is not compliant wi...

Let's break down the requirements and the available options to find the best solution.

Requirements:
1. Audit all API calls and logins: This means enabling the monitoring of user activity and API usage, which is generally handled by services like AWS CloudTrail.
2. Comply with AWS Foundational Security Best Practices (FSBP): This requires regular auditing to ensure that AWS accounts adhere to security best practices. The monitoring solution should provide a way to track this compliance.
3. Managed solution to minimize operational overhead: The company wants a solution that minimizes manual intervention and leverages AWS-managed services to handle most of the workload.
4. Minimize costs: The solution should be cost-efficient while meeting security and auditing requirements.

---

Option A: Deploy an AWS Control Tower environment in the Organizations management account. Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
- Analysis: AWS Control Tower provides a pre-configured landing zone for multi-account AWS environments. It automatically sets up governance controls such as guardrails, logging, and compliance checks across all accounts. By enabling AWS Security Hub, you get security posture monitoring and automated compliance checks with AWS Foundational Security Best Practices (FSBP).
- Why Selected: This option meets all the requirements in the most efficient manner:
  - Auditing: AWS Control Tower automatically manages CloudTrail logging and tracks activities across all accounts.
  - Compliance with FSBP: AWS Control Tower comes with built-in controls to ensure compliance with AWS security standards.
  - Minimized overhead: It is a fully managed service, and AWS takes care of the operational aspects.
  - Cost-effective: AWS Control Tower and Security Hub are both designed to minimize manual configuration and operational overhead.
- Why Not Rejected: This option leverages AWS managed services (Control Tower and Security Hub) that are built to handle these requirements with minimal operational overhead.

Option B: Deploy an AWS Control Tower environment in a dedicated Organizations member account. Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
- Analysis: While this option also utilizes AWS Control Tower and Security Hub, deploying Control Tower in a dedicated member account could introduce complexity. The management account is the recommended place to deploy Control Tower because it centrally manages the organization's...

Author: Emma · Last updated Apr 16, 2026

A company has stored 10 TB of log files in Apache Parquet format in an Amazon S3 bucket. The company occasionally needs to use SQL to analyze the log files. ...

Let's break down the key requirements and analyze each option based on cost-effectiveness, operational overhead, and the ability to perform SQL queries on the stored data in Amazon S3.

Requirements:
- 10 TB of log files in Apache Parquet format: The data is stored in a columnar format, so it is optimized for analytics and can be efficiently queried using tools designed for big data analysis.
- Occasional SQL querying: The company needs to run SQL queries against the data, but it's not a continuous or high-frequency requirement.
- Cost-effectiveness: Since the company is querying data occasionally, the solution should be cost-effective, avoiding the need for constantly running services or maintaining expensive infrastructure.

---

Option A: Create an Amazon Aurora MySQL database. Migrate the data from the S3 bucket into Aurora by using AWS Database Migration Service (AWS DMS). Issue SQL statements to the Aurora database.
- Analysis: Amazon Aurora is a relational database service, and while it supports SQL queries, it is primarily used for transactional workloads. Migrating 10 TB of data into an Aurora MySQL database would be a significant overhead, especially since Aurora is not optimized for large-scale log analytics.
- Why Rejected: This option involves unnecessary complexity and higher costs, especially given the large volume of data. Additionally, Aurora is not designed for direct querying of large log files stored in S3, which is a much better fit for data lakes and analytics platforms. Using AWS DMS to migrate the data also adds more operational overhead.

Option B: Create an Amazon Redshift cluster. Use Redshift Spectrum to run SQL statements directly on the data in the S3 bucket.
- Analysis: Amazon Redshift is a powerful data warehouse solution for large-scale analytics, and Redshift Spectrum allows for running SQL queries directly on data stored in S3. Redshift is excellent for analytics, but for occasional queries, maintaining a full Redshift cluster can become expensive. You'd need to provision an active cluster for querying, which may lead to higher costs if the queries are not frequent.
- Why Rejected: While Redshift Spectrum is capable of querying data directly from S3, the need to maintain an active Redshift cluster can be cost-prohibitive for occasional querying, especially when other more lightweight solutions exist.

Option C: Create an AWS Glue crawler to store and retrieve table metada...

Author: Lucas · Last updated Apr 16, 2026

A company needs a solution to prevent AWS CloudFormation stacks from deploying AWS Identity and Access Management (IAM) resources that include an inline policy or '*' in the statement. The solution must also prohibit deployment of Amazon EC2 instances with public IP addresses. The comp...

Let's analyze the requirements and the available options to find the best solution that meets the company's needs:

Requirements:
1. Prevent deployment of IAM resources with inline policies or policies containing '*': This requirement aims to restrict the use of overly permissive IAM policies, especially those with wildcard '*' permissions, which can lead to security risks.
2. Prevent deployment of EC2 instances with public IP addresses: This restriction is meant to ensure that EC2 instances are not exposed to the internet.
3. Use AWS Control Tower: The company already has AWS Control Tower enabled in their AWS Organization, which provides governance and management of multi-account environments.
4. Solution must block non-compliant resources proactively: The solution needs to stop these deployments before they happen, not just detect them after the fact.

---

Option A: Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or '*'.
- Analysis: AWS Control Tower provides proactive controls as part of its governance capabilities. Proactive controls can enforce rules to prevent specific configurations from being created, such as EC2 instances with public IP addresses or IAM resources with overly permissive policies.
- Why Selected: This is the most appropriate solution because proactive controls allow you to block the deployment of non-compliant resources before they are created. This directly addresses both the IAM and EC2 restrictions. AWS Control Tower integrates seamlessly with proactive controls for enforcing rules across multiple accounts.
- Why Not Rejected: This option aligns well with the goal of enforcing security standards before deployment, which is exactly what the company needs.

Option B: Use AWS Control Tower detective controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or '*'.
- Analysis: Detective controls in AWS Control Tower are designed to monitor compliance and detect when resources are non-compliant after they have been deployed. While this can be useful for identifying and alerting on policy violations, it does not prevent resources from being deployed in the first place.
- Why Rejected: Detective controls do not prevent the actual deployment of non-compliant resources; they only detect and alert on them after deployment. Since the company requires proactive prevention, this option does not meet the needs.

O...

Author: SolarFalcon11 · Last updated Apr 16, 2026

A company's web application that is hosted in the AWS Cloud recently increased in popularity. The web application currently exists on a single Amazon EC2 instance in a single public subnet. The web application has not been able to meet the demand of the increased web traffic. The company needs a solution that will provide high availability and scala...

Let's analyze the key requirements and available options for ensuring high availability and scalability for the web application without requiring a rewrite of the app:

Requirements:
1. High availability: The application should be able to handle traffic even if one server or Availability Zone fails. This ensures that there is no single point of failure.
2. Scalability: The application should scale to meet increased user demand. It should be able to automatically scale up or down based on traffic spikes.
3. No application rewrite: The solution should not require changes to the web application's code or architecture.

---

Option A: Replace the EC2 instance with a larger compute-optimized instance.
- Analysis: Replacing the current EC2 instance with a larger, more powerful instance can temporarily address performance issues caused by increased traffic. However, it doesn't provide scalability or high availability in the long term. It only increases the capacity of a single instance, meaning the application will still be vulnerable to failures and won't scale automatically based on demand.
- Why Rejected: This option only temporarily solves performance issues but doesn't address the need for high availability or automatic scalability.

Option B: Configure Amazon EC2 Auto Scaling with multiple Availability Zones in private subnets.
- Analysis: Amazon EC2 Auto Scaling ensures that the application can scale horizontally by adding more EC2 instances as traffic increases. Configuring Auto Scaling across multiple Availability Zones provides high availability by ensuring that if one Availability Zone fails, the application can continue running in others. However, the instances should be deployed in public subnets for web-facing traffic.
- Why Rejected: This option provides scalability and high availability but would need a public subnet for the EC2 instances to receive web traffic directly. Since the instances are placed in private subnets, they won't be directly reachable from the internet. This option alone does not meet the requirements fully unless paired with other configurations (e.g., load balancing).

Option C: Configure a NAT gateway in a public subnet to handle web requests.
- Ana...

Author: Zain · Last updated Apr 16, 2026

A company has AWS Lambda functions that use environment variables. The company does not want its developers to see environment variables i...

To meet the requirement that developers should not see environment variables in plaintext, we need a solution that securely encrypts and manages environment variables for AWS Lambda functions. Let's evaluate the options based on the key factors:

Option A: Deploy code to Amazon EC2 instances instead of using Lambda functions
- Rejection Reasoning: While EC2 instances provide more flexibility, the goal is to avoid plaintext exposure of environment variables. The EC2 instances would still require proper management of secrets, and this would involve more overhead compared to using Lambda functions, which is a serverless option designed for simplified operations.
- Key Factors: The company wants to use Lambda, not EC2. Switching to EC2 introduces unnecessary complexity and still does not address the core concern about environment variables.

Option B: Configure SSL encryption on the Lambda functions to use AWS CloudHSM to store and encrypt the environment variables
- Rejection Reasoning: CloudHSM is a hardware security module (HSM) that is primarily designed for cryptographic key storage and management. However, it doesn't directly provide a seamless mechanism for encrypting Lambda function environment variables. Additionally, setting up and managing CloudHSM is more complex and typically overkill for this use case.
- Key Factors: While CloudHSM is a strong security option, it's more complex and not ideal for simple use cases like securing Lambda environment variables.

Option C: Create a certificate in AWS Certificate Manager (ACM). Configure the Lambda functions to use the certificate to encrypt ...

Author: Kai99 · Last updated Apr 16, 2026

An analytics company uses Amazon VPC to run its multi-tier services. The company wants to use RESTful APIs to offer a web analytics service to millions of users. Users must be verified by using an authentication service to acc...

To determine the best solution that meets the company's requirements for operational efficiency and user authentication, let's analyze the options:

Option A: Configure an Amazon Cognito user pool for user authentication. Implement Amazon API Gateway REST APIs with a Cognito authorizer.
- Selected Reasoning: Amazon Cognito User Pools are specifically designed for handling user authentication and managing user sign-ups, sign-ins, and other related tasks in a scalable, secure, and easy-to-integrate manner. By integrating Cognito with Amazon API Gateway via a Cognito authorizer, the company can handle large volumes of authenticated users without managing authentication infrastructure directly. This solution is simple to implement, scalable, and managed by AWS, which offers significant operational efficiency.
- Key Factors:
  - Operational efficiency: Cognito is fully managed and designed for this exact use case, reducing the need for custom authentication logic.
  - Scalability: Cognito is designed to handle millions of users, which is crucial for the company's web analytics service.
  - Security: The integration with API Gateway using Cognito authorizers ensures that only authenticated users can access the APIs.

Option B: Configure an Amazon Cognito identity pool for user authentication. Implement Amazon API Gateway HTTP APIs with a Cognito authorizer.
- Rejection Reasoning: While Amazon Cognito Identity Pools are used for federating identities and granting access to AWS resources (such as temporary AWS credentials), they are typically used in scenarios where authenticated identities from external providers (such as social logins) need to be mapped to AWS roles. This isn't directly aligned with the use case of verifying users to access RESTful APIs. The company needs a solution focused on managing users' authentication, not federated identity management.
- Key Factors:
  - Cognito Identity Pools are more suited for scenarios where users nee...

Author: Maya · Last updated Apr 16, 2026

A company has a mobile app for customers. The app's data is sensitive and must be encrypted at rest. The company uses AWS Key Management Service (AWS KMS). The company needs a solution that prevents the accidental deletion of KMS keys. The solution must use Amazon Simple Notification Service (Amazon SNS) to send an email notificatio...

Let's break down each option and evaluate it based on operational efficiency, ease of implementation, and how well it meets the requirements:

Option A: Create an Amazon EventBridge rule that reacts when a user tries to delete a KMS key. Configure an AWS Config rule that cancels any deletion of a KMS key. Add the AWS Config rule as a target of the EventBridge rule. Create an SNS topic that notifies the administrators.
- Rejection Reasoning: While EventBridge can capture KMS key deletion events, AWS Config is typically used for tracking and ensuring compliance, not for directly preventing operations. AWS Config rules can only evaluate the configuration state, and they don't directly block operations like deleting KMS keys. This solution also introduces unnecessary complexity by combining EventBridge, AWS Config, and SNS for relatively simple needs.
- Key Factors: It introduces unnecessary components like AWS Config and adds complexity without fully addressing the prevention of KMS key deletion efficiently.

Option B: Create an AWS Lambda function that has custom logic to prevent KMS key deletion. Create an Amazon CloudWatch alarm that is activated when a user tries to delete a KMS key. Create an Amazon EventBridge rule that invokes the Lambda function when the DeleteKey operation is performed. Create an SNS topic. Configure the EventBridge rule to publish an SNS message that notifies the administrators.
- Rejection Reasoning: This option introduces significant complexity by requiring a Lambda function to handle the deletion logic and CloudWatch alarms for monitoring. A Lambda function may also involve custom code and additional operational overhead for handling the deletion prevention logic, making this solution more complicated than necessary.
- Key Factors: While it provides control over deletion, it involves custom logic that increases the operational overhead for something that could be handled more simply with a more integrated solution.

Option C: Create an Amazon EventBridge rule that reacts when the KMS DeleteKey operation is performed. Configure the ru...

Author: Evelyn · Last updated Apr 16, 2026

A company wants to analyze and generate reports to track the usage of its mobile app. The app is popular and has a global user base. The company uses a custom report building program to analyze application usage. The program generates multiple reports during the last week of each month. The program takes less than 10 minutes to produce each report. The company rarely uses the program to generate reports outside of the last w...

To determine the best solution, let's assess each option based on cost-effectiveness, scalability, and the requirement of generating reports in the least amount of time.

Option A: Run the program by using Amazon EC2 On-Demand Instances. Create an Amazon EventBridge rule to start the EC2 instances when reports are requested. Run the EC2 instances continuously during the last week of each month.
- Rejection Reasoning: Running EC2 On-Demand Instances continuously for the last week of each month is not cost-effective. Even though EC2 On-Demand Instances can be used to run the reports, this approach incurs costs for the entire week. Additionally, EC2 instances are underutilized during the other weeks of the month, leading to unnecessary costs.
- Key Factors:
  - Cost: Continuous running of On-Demand instances can be expensive.
  - Scalability: While EC2 can scale, it's not the most cost-effective solution for the limited usage.

Option B: Run the program in AWS Lambda. Create an Amazon EventBridge rule to run a Lambda function when reports are requested.
- Selected Reasoning: AWS Lambda is a serverless compute service that charges only for the actual compute time used, which is highly cost-effective for a program that runs only for a few minutes. With Lambda, there is no need to provision or manage any infrastructure, and it scales automatically. Since the reports are generated on demand and the execution time is short, this is an ideal solution that is cost-effective and efficient. The program will only incur costs when the reports are generated, and Lambda's pay-as-you-go model makes it very economical for infrequent usage.
- Key Factors:
  - Cost-Effectiveness: Pay-per-use model that is perfect for the infrequent report generation.
  - Scalability: Lambda automatically scales as needed without the need for continuous infrastructure running.
  - Ease of Use: No need to manage servers or instances.

Option C: Run the program in Amazon Elastic C...

Author: Stella · Last updated Apr 16, 2026

A company is designing a tightly coupled high performance computing (HPC) environment in the AWS Cloud. The company needs to include features that will optimize the HPC environment for networking and ...

To meet the requirements of a tightly coupled high performance computing (HPC) environment, it's important to focus on optimizing both networking and storage. Let's analyze each option:

Option A: Create an accelerator in AWS Global Accelerator. Configure custom routing for the accelerator.
- Rejection Reasoning: While AWS Global Accelerator is designed to optimize internet traffic routing for global applications, it primarily focuses on improving application availability and performance for global end users, not necessarily for the internal communication within a tightly coupled HPC environment. HPC environments generally require high-performance networking and storage within the cloud infrastructure, not for external global access.
- Key Factors:
  - Networking: Global Accelerator is useful for improving internet traffic routing but does not focus on low-latency, high-throughput networking for HPC workloads, which is the primary concern for this use case.
  - Application: Global Accelerator is better suited for global application performance rather than internal cloud infrastructure.

Option B: Create an Amazon FSx for Lustre file system. Configure the file system with scratch storage.
- Selected Reasoning: Amazon FSx for Lustre is a high-performance file system designed for workloads like HPC, machine learning, and data analytics that require fast storage with low latency. Scratch storage is used for temporary storage in HPC environments, which can be highly useful when working with large datasets in parallel computations. Lustre file systems are known for their scalability and speed, which makes them ideal for high-performance computing tasks.
- Key Factors:
  - Storage: FSx for Lustre provides high throughput and low latency, which are crucial for HPC workloads.
  - HPC Optimization: It integrates seamlessly with other AWS services and is optimized for use with compute-intensive workloads.
  - Flexibility: Configuring scratch storage enables temporary data handling, which is common in HPC tasks.

Option C: Create an Amazon CloudFront distribution. Configure the viewer protocol policy to be HTTP and HTTPS.
- Rejection Reasoning: Amazon CloudFront is a content delivery network (CDN) designed to distribute static content globally, typically for use with web applications or media delivery. It does not offer the low-latency, high-throughput storage or networking needed for HPC work...

Author: Lucas · Last updated Apr 16, 2026

A company needs a solution to prevent photos with unwanted content from being uploaded to the company's web application. The solution must not involve training a mach...

Explanation of Each Option:
1. Option A: Create and deploy a model using Amazon SageMaker Autopilot
   - Explanation: Amazon SageMaker Autopilot is a fully managed service that automates the process of building, training, and deploying machine learning models. This would involve creating a custom model to detect unwanted content, which contradicts the requirement of not using a machine learning model.
   - Rejection Reason: This option requires training a model, which does not meet the given requirement of not using a machine learning model.
   - Use Case: This could be useful in cases where the organization is willing to create a custom model to handle specific types of content beyond what pre-built services offer.
2. Option B: Create an AWS Lambda function that uses Amazon Rekognition to detect unwanted content
   - Explanation: Amazon Rekognition provides pre-trained models for detecting inappropriate or unwanted content such as nudity, violence, or explicit images. This service does not require the user to train a machine learning model themselves. Instead, Rekognition can detect unwanted content out-of-the-box using its built-in capabilities.
   - Selection Reason: This solution does not require training a machine learning model, and fits the requirement of detecting unwanted content in uploaded images. AWS Lambda can be used to handle image uploads and call Rekognition.
   - Use Case: This is a good solution for preventing unwanted content in photos without the need for custom machine learning training, especially when using pre-trained capabilities for general unwanted cont...

Author: Harper · Last updated Apr 16, 2026

A company uses AWS to run its ecommerce platform. The platform is critical to the company's operations and has a high volume of traffic and transactions. The company configures a multi-factor authentication (MFA) device to secure its AWS account root user credentials. The company wants to ensure ...

Explanation of Each Option:
1. Option A: Set up a backup administrator account that the company can use to log in if the company loses the MFA device
   - Explanation: This is a viable solution. Setting up a separate administrator account with its own credentials, separate from the root user account, ensures that the company will still have administrative access even if the MFA device for the root user is lost. The backup account will allow the company to manage AWS resources and take actions like disabling the MFA or resetting it, should the need arise.
   - Selection Reason: This is a good solution and does not involve relying on the root user account for daily administrative tasks, which is a best practice.
   - Use Case: This is ideal for any company that wants to reduce dependency on the root user account and maintain access to its AWS account, even if the MFA device is lost.
2. Option B: Add multiple MFA devices for the root user account to handle the disaster scenario
   - Explanation: AWS does support the ability to register multiple MFA devices for the root user, but this only works if you set it up beforehand. This provides redundancy in case one MFA device is lost or damaged.
   - Rejection Reason: While this solution does provide some redundancy, it still keeps the root user as the central point of administration, which is not a best practice. Additionally, the company may forget or neglect to set up the second MFA device, which would render it ineffective in an emergency.
   - Use Case: This could be used in scenarios where a company insists on keeping the root user as the primary access point but wants redundancy in their MFA devices.
3. Option C: Create a new administrator account when the company cannot access the root account
   - Explanation: If the company loses access to the root account, creating a new administrator account is a potential solution. However, this would ...

Author: Olivia · Last updated Apr 16, 2026

A social media company is creating a rewards program website for its users. The company gives users points when users create and upload videos to the website. Users redeem their points for gifts or discounts from the company's affiliated partners. A unique ID identifies users. The partners refer to this ID to verify user eligibility for rewards. The partners want to receive notification of user IDs through an HTTP endpoint when the company gives users points. Hundreds of vendors are interested in becoming affiliated ...

Explanation of Each Option:
1. Option A: Create an Amazon Timestream database to keep a list of affiliated partners. Implement an AWS Lambda function to read the list. Configure the Lambda function to send user IDs to each partner when the company gives users points.
   - Explanation: Amazon Timestream is a time-series database designed for storing and analyzing time-series data. While it could store partner information, it is overkill for a simple list of affiliated partners, as this database is optimized for time-series data rather than managing lists of entities. Additionally, implementing a Lambda function to handle partner notifications for each point award would likely require custom logic and more operational overhead as the number of partners grows.
   - Rejection Reason: This solution involves unnecessary complexity with Timestream and requires more effort to implement and scale compared to other solutions. It's not ideal for quickly adding hundreds of partners.
2. Option B: Create an Amazon Simple Notification Service (Amazon SNS) topic. Choose an endpoint protocol. Subscribe the partners to the topic. Publish user IDs to the topic when the company gives users points.
   - Explanation: Amazon SNS is a fully managed pub/sub messaging service that can be used to send messages to multiple subscribers simultaneously. In this case, the SNS topic can be configured to send user IDs to partners' HTTP endpoints. The partners would simply subscribe to the SNS topic, and when user points are awarded, the SNS service will send notifications to all subscribed partners automatically. This approach is highly scalable and allows the company to add partners rapidly by just having them subscribe to the topic.
   - Selected Reasoning: This is the best solution because it allows easy and scalable integration. New partners can be added with minimal implementation effort by simply subscribing to the SNS topic, and SNS can handle the distribution of user IDs to multiple partners efficiently.
3. Option C: Create an AWS Step Functions ...

Author: Henry · Last updated Apr 16, 2026

A company needs to extract the names of ingredients from recipe records that are stored as text files in an Amazon S3 bucket. A web application will use the ingredient names to query an Amazon DynamoDB table and determine a nutrition score. The application can handle non-food records and errors. The company does not have any...

Explanation of Each Option:

1. Option A: Use S3 Event Notifications to invoke an AWS Lambda function when PutObject requests occur. Program the Lambda function to analyze the object and extract the ingredient names by using Amazon Comprehend. Store the Amazon Comprehend output in the DynamoDB table.
- Explanation: Amazon Comprehend is a fully managed natural language processing (NLP) service that extracts entities from text. Triggering a Lambda function from an S3 event (for example, when a new recipe file is uploaded) lets the function read the object, call Amazon Comprehend on the text, and write the extracted ingredient names to the DynamoDB table for the web application to query. Ingredient names are not one of Comprehend's built-in entity types, so in practice the function may need a Comprehend custom entity recognizer trained on labelled recipes; that is still a managed feature and requires no ML infrastructure. Because the application tolerates non-food records and errors, the function can simply skip or flag objects that yield no usable entities.
- Selected Reasoning: This solution leverages a fully managed service, Amazon Comprehend, to extract entities (ingredients) from recipe text with minimal setup. The Lambda function and S3 event notifications provide an automated, scalable way to handle incoming files without requiring machine learning expertise. It is cost-effective and easy to implement, making it a good fit for the use case.

2. Option B: Use an Amazon EventBridge rule to invoke an AWS Lambda function when PutObject requests occur. Program the Lambda function to analyze the object by using Amazon Forecast to extract the ingredient names. Store the Forecast output in the DynamoDB table.
- Explanation: Amazon Forecast is a time-series forecasting service that uses machine learning to predict future values from historical data. It does not extract entities from text, so it cannot perform the natural language processing needed to pull ingredient names out of recipe text.
- Rejection Reason: Amazon Forecast is not suited for text analysis or entity extraction. Using it here would add complexity without producing the required output.

3. Option C: Use S3 Event Notifications to invoke an AWS Lambda function when PutObject requests occur. Use Amazon Polly to create audio recordings of the recipe records. Save the audio files in the S3 bucket. Use Amazon Simpl...

Author: Layla · Last updated Apr 16, 2026

A company needs to create an AWS Lambda function that will run in a VPC in the company's primary AWS account. The Lambda function needs to access files that the company stores in an Amazon Elastic File System (Amazon EFS) file system. The EFS file system is located in a secondary AWS account. As the company adds fil...

Explanation of Each Option:

1. Option A: Create a new EFS file system in the primary account. Use AWS DataSync to copy the contents of the original EFS file system to the new EFS file system.
- Explanation: This option creates a second EFS file system in the primary AWS account and uses AWS DataSync to copy the data from the existing file system in the secondary account. The Lambda function in the primary account could then mount the copy, but the company would pay for two file systems plus DataSync transfer, and because files keep being added, the copy would need to be re-synced continuously to stay current.
- Rejection Reason: This solution duplicates data and adds cost and operational overhead with AWS DataSync, which is not needed here; EFS and Lambda already scale with the amount of data on their own.

2. Option B: Create a VPC peering connection between the VPCs that are in the primary account and the secondary account.
- Explanation: A VPC peering connection lets two VPCs in different accounts communicate over private IP addresses, and Amazon EFS supports mounting a file system from another account over VPC peering. The secondary account attaches a file system policy (typically with an access point) granting the primary account's Lambda execution role elasticfilesystem:ClientMount and elasticfilesystem:ClientWrite, the mount target's security group allows NFS (TCP 2049) from the Lambda function's security group, and the function's VPC configuration routes to the peered CIDR. Nothing is copied, so the function always sees the current files, and EFS grows with the data.
- Selected Reasoning: This is the most cost-effective option. It reuses the existing file system with only a peering connection, route entries, security group rules and a file system policy to manage, and it scales as files are added without any additional storage or transfer charges.

3. Option C: Create a second Lambda function in the secondary account that has a mount that is configured for the file system. Use the primary account's Lambda function to invoke the secondary account's Lambda function.
- ...

Author: Vivaan · Last updated Apr 16, 2026

A financial company needs to handle highly sensitive data. The company will store the data in an Amazon S3 bucket. The company needs to ensure that the data is encrypted in transit and at rest. The company must mana...

To meet the company's requirements of ensuring that data is encrypted in transit and at rest, with the keys managed outside the AWS Cloud, let's evaluate the options on the encryption method, where the key material lives, and how much control the company keeps over the keys.

A) Encrypt the data in the S3 bucket with server-side encryption (SSE) that uses an AWS Key Management Service (AWS KMS) customer-managed key.
- Explanation: This option uses SSE-KMS with a customer managed key. The company controls the key policy, rotation and usage auditing, but the key material is generated, stored and used inside AWS KMS and never leaves it. SSE-KMS also only covers encryption at rest; encryption in transit comes from using HTTPS, which can be enforced with an aws:SecureTransport condition in the bucket policy.
- Reason for rejection: The company's requirement is that the keys are managed outside the AWS Cloud, but with this option the keys are held and managed within AWS KMS, so it does not meet the requirement.

B) Encrypt the data in the S3 bucket with server-side encryption (SSE) that uses an AWS Key Management Service (AWS KMS) AWS-managed key.
- Explanation: This option uses an AWS managed key, which AWS creates, rotates and controls in the company's account. It provides encryption at rest (transit is again handled separately by TLS), but the company cannot change the key policy, disable the key or control its rotation.
- Reason for rejection: The key management requirement is not satisfied because the company does not control the keys, and the keys are stored and managed entirely within the AWS Cloud.

C) Encrypt the data in the S3 bucket with the default server-side encryption (SSE).
- Explanation: This option uses ...
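The options above all keep the key inside AWS. One way to meet the stated constraints with keys held outside AWS is S3 server-side encryption with customer-provided keys (SSE-C), where the client sends the AES-256 key on every request and S3 discards it after use. The following is an added example, not code from the original page or from AWS: it builds the SSE-C request headers, re-derives the MD5 integrity header the way S3 checks it, and emits a bucket policy that denies plaintext transport and any PutObject that does not carry SSE-C. The bucket name is a placeholder, and the boto3 helper at the end assumes an S3 client with credentials and is not exercised offline.

```python
import base64
import hashlib


def sse_c_headers(key: bytes) -> dict:
    """
    Request headers for SSE-C. S3 encrypts the object with this key, then
    discards it, keeping only a salted HMAC of the key to validate later
    requests; the same headers are required on every GET. Losing the key loses
    the object, so the company must back it up in its own key store. S3 accepts
    SSE-C only over HTTPS, which covers the in-transit requirement as well.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    key_b64 = base64.b64encode(key).decode("ascii")
    # The MD5 header is a transport integrity check on the key, not a secret.
    key_md5_b64 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": key_b64,
        "x-amz-server-side-encryption-customer-key-MD5": key_md5_b64,
    }


def sse_c_headers_consistent(headers: dict) -> bool:
    """Re-derive the MD5 header from the key header, the check S3 performs on receipt."""
    try:
        key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"], validate=True)
        md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"], validate=True)
    except (KeyError, ValueError):
        return False
    return (
        headers.get("x-amz-server-side-encryption-customer-algorithm") == "AES256"
        and len(key) == 32
        and hashlib.md5(key).digest() == md5
    )


def sse_c_bucket_policy(bucket: str) -> dict:
    """
    Deny non-TLS requests and deny uploads that do not use SSE-C. The Null
    statement catches requests that omit the header entirely, which the
    StringNotEquals statement alone does not reliably cover.
    """
    arn = f"arn:aws:s3:::{bucket}"
    algo_key = "s3:x-amz-server-side-encryption-customer-algorithm"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyPutWithoutSseC", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {algo_key: "AES256"}}},
            {"Sid": "DenyPutMissingSseCHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"Null": {algo_key: "true"}}},
        ],
    }


def put_object_sse_c(s3_client, bucket: str, key_name: str, body: bytes, key: bytes) -> dict:
    """boto3 PutObject with SSE-C (client assumed). boto3 base64-encodes the key and
    computes the MD5 header itself, so only the algorithm and raw key are passed."""
    return s3_client.put_object(
        Bucket=bucket, Key=key_name, Body=body,
        SSECustomerAlgorithm="AES256", SSECustomerKey=key,
    )
```

Because S3 never stores the SSE-C key, every reader needs access to the company's external key store, and key rotation means re-uploading (copying) each object with the new key; that operational cost is the price of keeping key material out of AWS.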

Author: Liam · Last updated Apr 16, 2026

A company wants to run its payment application on AWS. The application receives payment notifications from mobile devices. Payment notifications require a basic validation before they are sent for further processing. The backend processing application is long running and requires compute and memory to be adjusted. T...

Let's evaluate the options based on the requirements:
- The application needs to receive payment notifications and perform basic validation.
- The backend application is long-running and requires flexible compute and memory scaling.
- The company does not want to manage the infrastructure, which means minimizing operational overhead.

A) Create an Amazon Simple Queue Service (Amazon SQS) queue. Integrate the queue with an Amazon EventBridge rule to receive payment notifications from mobile devices. Configure the rule to validate payment notifications and send the notifications to the backend application. Deploy the backend application on Amazon Elastic Kubernetes Service (Amazon EKS) Anywhere. Create a standalone cluster.
- Explanation: This option uses Amazon SQS and EventBridge to handle payment notifications. The backend application would be deployed on Amazon EKS Anywhere, which runs Kubernetes on customer-managed, on-premises infrastructure.
- Reason for rejection: Although it addresses the scaling and validation needs, deploying the backend application on EKS Anywhere adds significant operational overhead. The company would have to manage the hardware, scaling, upgrades and other operational aspects of the Kubernetes cluster, which contradicts the goal of minimizing operational overhead.

B) Create an Amazon API Gateway API. Integrate the API with an AWS Step Functions state machine to receive payment notifications from mobile devices. Invoke the state machine to validate payment notifications and send the notifications to the backend application. Deploy the backend application on Amazon Elastic Kubernetes Service (Amazon EKS). Configure an EKS cluster with self-managed nodes.
- Explanation: This option uses API Gateway to receive notifications and AWS Step Functions for validation and routing. The backend application is deployed on EKS with self-managed nodes.
- Reason for rejection: This option satisfies the requirement of receiving and validating payment notifications, but EKS with self-managed nodes still requires the company to provision, patch, scale and maintain the worker nodes. It does not minimize operational overhead for a long-running backend application.

C) Create an Amazon Simple Queue Service (Amazon SQS) queue. Integrate the queue with an Amazon EventBridge rule to receive payment notifications from mobile devices. Con...

Author: Isabella · Last updated Apr 16, 2026

A solutions architect is designing a user authentication solution for a company. The solution must invoke two-factor authentication for users that log in from inconsistent geographical locations, IP addresses, or devices. The solution must al...

Let's evaluate each of the options based on the requirements:
- The solution must enforce two-factor authentication (MFA) for users logging in from inconsistent geographical locations, IP addresses, or devices (risk-based MFA).
- The solution must scale to millions of users, which calls for a managed service designed for large-scale user management.

A) Configure Amazon Cognito user pools for user authentication. Enable the risk-based adaptive authentication feature with multifactor authentication (MFA).
- Explanation: Amazon Cognito user pools provide risk-based adaptive authentication as part of their advanced security features: Cognito scores each sign-in using signals such as location, device and IP address and can require MFA only when the sign-in looks risky (for example, a user appearing from a new country or device). This is built into the service, handles inconsistent login patterns well, and scales to millions of users.
- Why this is the best option: This solution satisfies all the requirements. It provides risk-based MFA that adapts to user behavior (geographical location, device, IP), and it is highly scalable, designed for applications with millions of users. Cognito is a fully managed service, so the operational overhead is minimal.

B) Configure Amazon Cognito identity pools for user authentication. Enable multi-factor authentication (MFA).
- Explanation: Amazon Cognito identity pools federate identities into AWS and issue temporary AWS credentials for accessing AWS resources; they do not sign users in themselves and have no MFA setting of their own. MFA, including risk-based adaptive MFA, is a user pool feature, so an identity pool cannot trigger MFA based on location, device or IP address.
- Reason for rejection: This solution does not provide the risk-based MFA required to handle inconsistent geographical locations, IPs, or devices. Identity pools address authorization to AWS resources, not the sign-in behavior this scenario needs.

C) Co...

Author: Kai99 · Last updated Apr 16, 2026

A company has an Amazon S3 data lake. The company needs a solution that transforms the data from the data lake and loads the data into a data warehouse every day. The data warehouse must have massively parallel processing (MPP) capabilities. Data analysts then need to create and train machine learning (ML) models by usin...

Let's evaluate each of the options based on the company's requirements:
- Serverless: The solution should use serverless AWS services where possible.
- Data transformation and loading: The solution needs to transform data from the S3 data lake and load it into a data warehouse daily.
- Massively parallel processing (MPP): The data warehouse needs MPP capabilities for high-performance analytics.
- Machine learning (ML): Data analysts need to create and train ML models using SQL commands.

A) Run a daily Amazon EMR job to transform the data and load the data into Amazon Redshift. Use Amazon Redshift ML to create and train the ML models.
- Explanation: Amazon EMR can transform the data and load it into Amazon Redshift, which is a data warehouse with MPP capabilities. Amazon Redshift ML can then create and train machine learning models from SQL (CREATE MODEL), with the training run by Amazon SageMaker behind the scenes.
- Reason for rejection: This solution meets most of the requirements, but Amazon EMR is a cluster-based service that requires infrastructure management (EMR Serverless is a separate offering that the option does not name). That does not align with the goal of using serverless services wherever possible, and managing an EMR cluster adds operational overhead compared to fully serverless options.

B) Run a daily Amazon EMR job to transform the data and load the data into Amazon Aurora Serverless. Use Amazon Aurora ML to create and train the ML models.
- Explanation: This option transforms the data with Amazon EMR, loads it into Amazon Aurora Serverless, and uses Amazon Aurora ML for the machine learning step.
- Reason for rejection: Aurora Serverless is serverless, but Aurora is a transactional relational database without an MPP query engine, so it does not meet the data warehouse requirement. Aurora ML also does not create or train models from SQL; it lets SQL queries call models already hosted in Amazon SageMaker, Amazon Comprehend or Amazon Bedrock for inference. Together with the non-serverless EMR job, this makes the option unsuitable.

C) Run a daily AWS Glue job to transform the data and load the data into Amazon Redshift Serverless. Use Amazon Redshift ML to create and train the ML models.
- Explanation: AWS Glue is a fully managed, serverless ETL service that can transform d...

Author: Leah · Last updated Apr 16, 2026

A company runs containers in a Kubernetes environment in the company's local data center. The company wants to use Amazon Elastic Kubernetes Service (Amazon EKS) and other AWS managed services. Data must remain locally in the company's data center and canno...

Let's evaluate the options based on the company's requirement to use Amazon Elastic Kubernetes Service (EKS) and other AWS managed services, while ensuring that data remains locally in the company's data center and does not move to any remote site or cloud for compliance reasons.

A) Deploy AWS Local Zones in the company's data center.
- Explanation: AWS Local Zones extend AWS infrastructure to metropolitan areas outside AWS Regions, but they are AWS-owned and AWS-operated facilities; customers cannot deploy one in their own data center. Local Zones let customers run applications that need single-digit millisecond latency to end users in a specific location, with data stored in that Local Zone.
- Reason for rejection: The company requires the data to remain in its own data center and not in any remote site or cloud. With a Local Zone the data would reside in AWS infrastructure, which contradicts this requirement.

B) Use an AWS Snowmobile in the company's data center.
- Explanation: AWS Snowmobile is a physical data transport service for very large one-time migrations. It is a shipping container that can hold up to 100 PB of data, which is then driven to an AWS data center.
- Reason for rejection: Snowmobile exists to move data into AWS. It is not an ongoing operational platform for running Kubernetes, and using it would mean transferring the data to AWS, which is exactly what the company must avoid.

C) Install an AWS Outposts rack in the company's data center.
- Explanation: AWS Outposts bring AWS infrastructure, services, and operating models to an on-premises environment. An Outposts ra...

Author: Maya · Last updated Apr 16, 2026

A social media company has workloads that collect and process data. The workloads store the data in on-premises NFS storage. The data store cannot scale fast enough to meet the company's expanding business needs. The company wants to migra...

Let's evaluate the options in the context of the company's requirement to migrate data from on-premises NFS storage to AWS, with an emphasis on scalability, cost-effectiveness, and the nature of the data access.

Key factors to consider:
- Scalability: The data store needs to scale fast enough to meet growing business demands.
- Cost-effectiveness: The solution must be affordable, since the company is facing growing storage demands.
- Data access pattern: How often the data is accessed (frequently or infrequently) determines the appropriate storage class.

Option Analysis:

A) AWS Storage Gateway Volume Gateway with Amazon S3 Lifecycle policy
- Volume Gateway presents iSCSI block volumes to on-premises hosts; the volume data is kept in Amazon S3 (in cached or stored mode) and backed up as Amazon EBS snapshots, which is why it is used for hybrid block storage such as databases.
- Why it's not ideal: This option is built for block-level storage and would not be an optimal solution for NFS-based workloads, which need file-based access. An S3 Lifecycle policy also does not apply to the volume data, since it is not stored as ordinary S3 objects the company manages.
- Scenario where this can be used: Applications that need to store block data in the cloud, not NFS-style file-based workloads.

B) AWS Storage Gateway Amazon S3 File Gateway with Amazon S3 Lifecycle policy
- S3 File Gateway provides file-based access (NFS and SMB) to objects in Amazon S3, with a local cache, so it integrates well with NFS workloads.
- Why it's not ideal: This is a good option for a hybrid approach where files are kept on premises and backed by S3, but reads that miss the local cache are served from S3 and carry higher latency than local NFS, and S3 Lifecycle transitions only help for data that becomes infrequently accessed.
- Scenario where this can be used: It is a good fit for scenarios where you need to archive data to S3 but is no...

Author: Andrew · Last updated Apr 16, 2026

A company uses high concurrency AWS Lambda functions to process a constantly increasing number of messages in a message queue during marketing events. The Lambda functions use CPU intensive code to process the messages. The company wants to reduce the co...

Let's evaluate the options in the context of the company's need to reduce compute costs while maintaining service latency, for high-concurrency, CPU-intensive workloads on AWS Lambda.

Key factors to consider:
- High concurrency: The Lambda function must scale to a large number of concurrent invocations without delays or throttling.
- CPU-intensive workloads: The processing is CPU-bound, so the memory and compute configuration matters. Lambda allocates CPU in proportion to configured memory, so memory is the only lever for CPU.
- Cost optimization: The goal is to reduce compute costs without sacrificing performance (latency).
- Latency: Response times must stay low during high-demand marketing events.

Option Analysis:

A) Configure reserved concurrency for the Lambda functions. Decrease the memory allocated to the Lambda functions.
- Reserved concurrency guarantees that a set amount of concurrency is always available to the function (and caps it), which helps with predictable scaling but does not by itself reduce cost.
- Decreasing memory: CPU-intensive functions benefit from higher memory because Lambda allocates more CPU as memory increases. Lowering memory lowers the per-millisecond price, but with less CPU the function runs longer, so total billed duration (and latency) goes up and the cost saving can disappear or reverse.
- Why it's not ideal: This option trades latency for a lower memory setting, which lengthens processing time and can raise overall cost for CPU-bound work.

B) Configure reserved concurrency for the Lambda functions. Increase the memory according to AWS Compute Optimizer recommendations.
- Reserved concurrency remains a reasonable approach here, as it guarantees capacity during high-concurrency events.
- Increasing memory based on Compute Optimizer recommendations: Compute Optimizer analyzes the function's invocation history and recommends the memory setting that balances cost and duration. For CPU-intensive workloads, more memory means more CPU, shorter execution times and therefore fewer billed GB-seconds per invocation.
- Why it's ...

Author: Zara · Last updated Apr 16, 2026

A company runs its workloads on Amazon Elastic Container Service (Amazon ECS). The container images that the ECS task definition uses need to be scanned for Common Vulnerabilities and Exposures (CVEs). New container images that are created also ne...

Let's evaluate the options in the context of the company's requirement to scan container images for Common Vulnerabilities and Exposures (CVEs) with the fewest changes to the workloads.

Key Factors to Consider:
1. Minimal changes to workloads: The solution should avoid significant modification to how the ECS workloads currently operate.
2. CVE scanning for container images: The solution should scan both existing and new container images for vulnerabilities.
3. Scalability and integration with ECS: The solution should fit into the existing ECS-based infrastructure.

Option Analysis:

A) Use Amazon Elastic Container Registry (Amazon ECR) as a private image repository to store the container images. Specify scan on push filters for the ECR basic scan.
- Amazon ECR is the natural image store for ECS, since ECS task definitions pull from it directly with IAM-based access.
- Scan on push: ECR's basic scanning uses ECR's own scanner against open-source CVE databases, while enhanced scanning is the Amazon Inspector-backed mode that adds continuous rescanning and language-package findings. With a registry scanning configuration of scan type BASIC and a rule whose repository filter matches the company's repositories with frequency SCAN_ON_PUSH, every newly pushed image is scanned automatically; images already in the registry can be scanned once on demand with StartImageScan.
- Why it's ideal: This option requires minimal changes to the existing workloads. The company only needs to push images to Amazon ECR (and point task definitions at the ECR image URIs if they do not already), and the images are scanned without any additional infrastructure. Findings are available from DescribeImageScanFindings and as EventBridge events, so a pipeline can block deployment of images with critical findings.

B) Store the container images in an Amazon S3 bucket. Use Amazon Macie to scan the images. Use an S3 Event Notification to initiate a Macie scan for every event with an s3:ObjectCreated:Put event type.
- Amazon Macie is designed for sensitive data discovery (for example, PII) in S3 objects, not for scanning container images for vulnerabilities.
- Why it's not ideal: Using S3 and Macie is an unnecessary and convoluted solution for CVE scanning. ECS cannot pull images from S3, so it would require significant changes to the workflows, and Macie does not detect CVEs in container images. It would also introduce com...
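Scan on push only produces findings; what keeps a vulnerable image out of the ECS task definition is a gate in the deployment pipeline that reads those findings. The following is an added example, not code from the original page or from AWS. It evaluates a DescribeImageScanFindings response against a severity threshold and an allowlist of accepted findings, refuses to pass when the scan has not completed, and includes a live lookup that assumes boto3 and ECR credentials (not used offline). The sample response is constructed in the shape of the real API output; the CVE-EXAMPLE-* names, packages, digest and account number are placeholders, not real findings.

```python
from typing import Iterable

# ECR severities from least to most serious; UNDEFINED (no CVSS data) is treated
# like INFORMATIONAL here, which a stricter gate could change.
SEVERITY_RANK = {"UNDEFINED": 0, "INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of ECR's DescribeImageScanFindings response.
SAMPLE_SCAN = {
    "registryId": "123456789012",
    "repositoryName": "payments-api",
    "imageId": {"imageDigest": "sha256:" + "0" * 64, "imageTag": "1.4.2"},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 1},
        "findings": [
            {"name": "CVE-EXAMPLE-1", "severity": "CRITICAL",
             "attributes": [{"key": "package_name", "value": "openssl"}, {"key": "package_version", "value": "3.0.1-r0"}]},
            {"name": "CVE-EXAMPLE-2", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "zlib"}, {"key": "package_version", "value": "1.2.11-r3"}]},
            {"name": "CVE-EXAMPLE-3", "severity": "MEDIUM",
             "attributes": [{"key": "package_name", "value": "curl"}, {"key": "package_version", "value": "7.80.0-r0"}]},
        ],
    },
}


def _attr(finding: dict, key: str) -> str:
    return next((a["value"] for a in finding.get("attributes", []) if a.get("key") == key), "")


def blocking_findings(scan: dict, threshold: str = "HIGH", allowlist: Iterable[str] = ()) -> list:
    """
    Return (severity, name, package) for every finding at or above `threshold`
    that is not allowlisted, most severe first. Raises when the scan is not
    COMPLETE so a pipeline cannot pass on a missing, pending or failed scan.
    """
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise RuntimeError(f"image scan status is {status!r}, not COMPLETE; refusing to gate on it")
    floor = SEVERITY_RANK[threshold]
    skip = set(allowlist)
    hits = []
    for f in scan.get("imageScanFindings", {}).get("findings", []):
        sev = f.get("severity", "UNDEFINED")
        if SEVERITY_RANK.get(sev, 0) >= floor and f["name"] not in skip:
            hits.append((sev, f["name"], _attr(f, "package_name")))
    hits.sort(key=lambda h: -SEVERITY_RANK[h[0]])
    return hits


def deploy_allowed(scan: dict, threshold: str = "HIGH", allowlist: Iterable[str] = ()) -> bool:
    return not blocking_findings(scan, threshold, allowlist)


def fetch_scan(repository: str, image_digest: str, region: str = "us-east-1") -> dict:
    """Live lookup (boto3 and ECR credentials assumed). Findings can span pages, so
    follow nextToken and merge them before gating; gate on the digest, not the tag."""
    import boto3

    ecr = boto3.client("ecr", region_name=region)
    kwargs = {"repositoryName": repository, "imageId": {"imageDigest": image_digest}}
    merged = ecr.describe_image_scan_findings(**kwargs)
    while merged.get("nextToken"):
        page = ecr.describe_image_scan_findings(nextToken=merged["nextToken"], **kwargs)
        merged["imageScanFindings"]["findings"].extend(page["imageScanFindings"].get("findings", []))
        merged["nextToken"] = page.get("nextToken")
    return merged


if __name__ == "__main__":
    for sev, name, pkg in blocking_findings(SAMPLE_SCAN):
        print(f"{sev:9} {name} ({pkg})")
    print("deploy allowed:", deploy_allowed(SAMPLE_SCAN))
```

Gating on the image digest rather than the tag matters because a mutable tag can be repointed at an unscanned image between the scan and the deploy; the task definition should reference the same digest the gate approved.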

Author: Liam123 · Last updated Apr 16, 2026

A company uses an AWS Batch job to run its end-of-day sales process. The company needs a serverless solution that will invoke a third-party reporting application when the AWS Batch job is successful. The reporting application has an HTTP API ...

Let's evaluate the options in the context of the company's requirement to trigger a third-party reporting application using a serverless solution after an AWS Batch job succeeds, where the third-party API requires HTTP authentication (username and password).

Key Factors to Consider:
- Serverless solution: The solution should be serverless to avoid managing servers.
- Trigger on AWS Batch success: The solution must react when the AWS Batch job completes successfully.
- Authentication: The third-party API requires username and password authentication for HTTP requests.
- Minimal complexity and cost-efficiency: The solution should be straightforward to implement with minimal complexity and cost.

Option Analysis:

A) Configure an Amazon EventBridge rule to match incoming AWS Batch job SUCCEEDED events. Configure the third-party API as an EventBridge API destination with a username and password. Set the API destination as the EventBridge rule target.
- EventBridge rule: AWS Batch publishes "Batch Job State Change" events to EventBridge, so a rule with source aws.batch, detail-type "Batch Job State Change" and detail.status SUCCEEDED matches exactly the successful job completions.
- EventBridge API destinations: An API destination is an HTTP endpoint target for a rule. It uses an EventBridge connection that stores the credentials in AWS Secrets Manager and supports Basic (username and password), OAuth client credentials and API key authorization, so the rule can call the reporting API directly, with an input transformer shaping the request body, and no code to write.
- Why it's ideal: This is fully serverless, keeps the username and password in Secrets Manager rather than in function code or environment variables, and meets every requirement with the fewest moving parts.

B) Configure Amazon EventBridge Scheduler to match incoming AWS Batch job SUCCEEDED events. Configure an AWS Lambda function to invoke the third-party API by using a username and password. Set the Lambda function as the EventBridge rule target.
- EventBridge Scheduler: EventBridge Scheduler runs targets on a schedule (rate, cron or one-time). It does not match incoming events, so it cannot react to a job completing.
- Lambda function: A Lambda function could invoke the third-party API and handle the authentication, but it is an extra component to write, secure and maintain.
- Why it's not ideal: While the Lambda function would work for invoking the API, EventBridge Scheduler is not the best...
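To show what Option A's rule actually matches, the following is an added example, not code from the original page or from AWS. It implements the subset of EventBridge event-pattern semantics the rule relies on (every pattern key must be present; a list means any of these exact values; a nested object recurses), runs it over two constructed Batch job state-change events, and ends with a provisioning helper that assumes a boto3 EventBridge client, a placeholder reporting URL, Secrets Manager-backed credentials and an IAM role that allows events:InvokeApiDestination; only the matcher is exercised offline.

```python
import json

# The rule pattern for a successful Batch job, as AWS Batch emits the fields.
BATCH_SUCCEEDED_PATTERN = {
    "source": ["aws.batch"],
    "detail-type": ["Batch Job State Change"],
    "detail": {"status": ["SUCCEEDED"]},
}

# Constructed sample events in the shape of Batch job state-change events;
# job names, IDs, ARNs and the account number are placeholders.
SUCCEEDED_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-00000000abcd",
    "detail-type": "Batch Job State Change",
    "source": "aws.batch",
    "account": "123456789012",
    "time": "2026-04-16T02:15:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:batch:us-east-1:123456789012:job/00000000-0000-0000-0000-000000000001"],
    "detail": {
        "jobName": "end-of-day-sales",
        "jobId": "00000000-0000-0000-0000-000000000001",
        "jobQueue": "arn:aws:batch:us-east-1:123456789012:job-queue/reporting",
        "status": "SUCCEEDED",
    },
}
FAILED_EVENT = {**SUCCEEDED_EVENT, "detail": {**SUCCEEDED_EVENT["detail"], "status": "FAILED"}}


def matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge pattern semantics (no prefix/numeric/anything-but filters)."""
    for key, expected in pattern.items():
        if key not in event:
            return False  # a missing field never matches
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError("pattern leaves must be lists of literal values")
    return True


def report_request_body(event: dict) -> str:
    """Body the rule sends to the API destination; mirrors the input transformer below,
    exposing only the fields the reporting API needs rather than the whole event."""
    d = event["detail"]
    return json.dumps({"jobName": d["jobName"], "jobId": d["jobId"], "completedAt": event["time"]}, sort_keys=True)


def provision(events_client, api_url: str, username: str, password: str, target_role_arn: str) -> str:
    """Create connection (Basic auth, stored in Secrets Manager by EventBridge), API destination,
    rule and target. Names and the endpoint are placeholders; returns the rule ARN."""
    conn = events_client.create_connection(
        Name="sales-reporting-basic-auth",
        AuthorizationType="BASIC",
        AuthParameters={"BasicAuthParameters": {"Username": username, "Password": password}},
    )
    dest = events_client.create_api_destination(
        Name="sales-reporting-api",
        ConnectionArn=conn["ConnectionArn"],
        InvocationEndpoint=api_url,
        HttpMethod="POST",
    )
    rule = events_client.put_rule(
        Name="batch-end-of-day-succeeded",
        EventPattern=json.dumps(BATCH_SUCCEEDED_PATTERN),
        State="ENABLED",
    )
    events_client.put_targets(
        Rule="batch-end-of-day-succeeded",
        Targets=[{
            "Id": "reporting-api",
            "Arn": dest["ApiDestinationArn"],
            "RoleArn": target_role_arn,
            "InputTransformer": {
                "InputPathsMap": {"jobName": "$.detail.jobName", "jobId": "$.detail.jobId", "time": "$.time"},
                "InputTemplate": '{"jobName": <jobName>, "jobId": <jobId>, "completedAt": <time>}',
            },
        }],
    )
    return rule["RuleArn"]
```

Narrowing the pattern to the specific jobQueue or jobName (for example `"detail": {"status": ["SUCCEEDED"], "jobName": ["end-of-day-sales"]}`) prevents unrelated successful jobs in the account from calling the reporting API.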

Author: NebulaEagle11 · Last updated Apr 16, 2026

A company collects and processes data from a vendor. The vendor stores its data in an Amazon RDS for MySQL database in the vendor's own AWS account. The company's VPC does not have an internet gateway, an AWS Direct Connect connection, or an AWS Site-to-Site VPN connectio...

Let's evaluate the options in the context of the company's requirement to access data from a vendor's Amazon RDS for MySQL database, given that the company's VPC has no internet gateway, Direct Connect connection, or Site-to-Site VPN connection.

Key Factors to Consider:
- No internet access: The company's VPC has no internet gateway, so it cannot reach resources outside the VPC over the public internet.
- VPC connectivity: The solution must allow secure, private communication between the company's VPC and the vendor's VPC.
- Database access: The company needs to reach a MySQL database in the vendor's VPC securely and efficiently.

Option Analysis:

A) Instruct the vendor to sign up for the AWS Hosted Connection Direct Connect Program. Use VPC peering to connect the company's VPC and the vendor's VPC.
- Direct Connect: AWS Direct Connect is a private, dedicated network connection between an on-premises environment and AWS. It would require a physical circuit and significant network changes on the vendor's side, and it has nothing to do with connecting two VPCs that are both already inside AWS.
- VPC peering: VPC peering connects two VPCs, and it does not need Direct Connect. Adding Direct Connect makes this solution unnecessarily complicated and requires changes to both the company's and the vendor's networks.

B) Configure a client VPN connection between the company's VPC and the vendor's VPC. Use VPC peering to connect the company's VPC and the vendor's VPC.
- Client VPN connection: AWS Client VPN gives individual users remote access to a VPC. It is not designed for a continuous VPC-to-VPC connection or for application-level database access at scale.
- VPC peering: VPC peering on its own could provide the path, but combining it with a client VPN connection is unnecessary and adds complexity.
- Why it's not ideal: This solution does not align well with...

Author: NightmareDragon2025 · Last updated Apr 16, 2026

A company wants to set up Amazon Managed Grafana as its visualization tool. The company wants to visualize data from its Amazon RDS database as one data source. The company needs a secure solution that wil...

To meet the company's requirements of visualizing data from its Amazon RDS database securely, without exposing the data over the internet, we need a solution that gives Amazon Managed Grafana private access to the RDS database. Let's analyze the options on security and architecture:

Option A: Create an Amazon Managed Grafana workspace without a VPC. Create a public endpoint for the RDS database. Configure the public endpoint as a data source in Amazon Managed Grafana.
- Security concern: Exposing the RDS database through a public endpoint makes it reachable from the internet, increasing the risk of unauthorized access, credential brute forcing and other attacks.
- Rejected: This option is not secure and does not meet the requirement of keeping the data off the internet.

Option B: Create an Amazon Managed Grafana workspace in a VPC. Create a private endpoint for the RDS database. Configure the private endpoint as a data source in Amazon Managed Grafana.
- Security benefit: With the workspace connected to the VPC and the RDS database reachable only through its private endpoint, the connection between Amazon Managed Grafana and RDS stays inside the private network, and security groups can restrict database access to the Grafana workspace's network interfaces.
- Recommended: This option is secure and meets the requirement of not exposing the data over the interne...

Author: FlamePhoenix2025 · Last updated Apr 16, 2026