Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

A company has more than 20 application development teams. All the teams use AWS CloudFormation to deploy application resources in the company ' s production AWS account. The production account is a member of an organization in AWS Organizations that has all features enabled.

The company must ensure that all resources that the development teams provision match a set of predefined rules. The company needs a solution to prevent users from provisioning noncompliant resources through CloudFormation.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Implement each configuration rule as a separate AWS Config custom AWS Lambda rule. Deploy the Lambda functions to the company ' s production account. Implement SCPs to prevent changes to the Lambda functions and to deny any operation that could disable AWS Config or its rules or triggers in the production account.

B.

Use CloudFormation Hooks to implement the configuration rules. Use a separate AWS Lambda function to enforce each rule. Use CloudFormation StackSets to deploy and register Hooks across all member accounts in the organization. Use SCPs and IAM policies to prevent Hook modifications and Lambda function changes in member accounts.

C.

Implement the configuration rules as an AWS Lambda function. Configure a CloudFormation macro definition to make the Lambda function available to CloudFormation. Configure the function to check the CloudFormation template against the configuration rules. Use the macro in all CloudFormation deployment templates.

D.

Implement the configuration rules by using AWS CloudFormation Guard rules. Use the cfn-guard-lambda command to install Guard as an AWS Lambda function. Build and run Guard by invoking the Lambda function. Provide the CloudFormation template and the rule set as inputs to the function.

A company has implemented an ordering system using an event-driven architecture. During initial testing, the system stopped processing orders. Further log analysis revealed that one order message in an Amazon Simple Queue Service (Amazon SQS) standard queue was causing an error on the backend and blocking all subsequentorder messages The visibility timeout of the queue is set to 30 seconds, and the backend processing timeout is set to 10 seconds. A solutions architect needs to analyze faulty order messages and ensure that the system continues to process subsequent messages.

Which step should the solutions architect take to meet these requirements?

A.

Increase the backend processing timeout to 30 seconds to match the visibility timeout.

B.

Reduce the visibility timeout of the queue to automatically remove the faulty message.

C.

Configure a new SQS FIFO queue as a dead-letter queue to isolate the faulty messages.

D.

Configure a new SQS standard queue as a dead-letter queue to isolate the faulty messages.

A company is using Amazon SageMaker AI Notebook Instances and SageMaker APIs to train machine learning models. The SageMaker AI Notebook Instances are deployed in a VPC that does not have access to or from the internet. Datasets for model training are stored in an Amazon S3 bucket. Interface VPC endpoints provide access to Amazon S3 and the SageMaker APIs.

Occasionally, data scientists require access to a private Git repository to update application packages that they use as part of their workflow. The company must provide access to the Git repository while ensuring that the SageMaker AI Notebook Instances remain isolated from the internet.

Which solution meets these requirements with the LEAST operational overhead?

A.

Add the Git repository as a resource for SageMaker by referencing the remote URL. Configure AWS Secrets Manager to use Git credentials to access the repository.

B.

Add the Git repository as a resource for SageMaker by referencing the remote URL. Add the username to the URL that is required to access the repository.

C.

Create a NAT gateway in the VPC. Configure VPC routes to allow access to the internet. Configure network ACL rules that allow the SageMaker AI Notebook Instances access to only the Git repository URL.

D.

Create a NAT gateway in the VPC. Configure VPC routes to allow access to the internet with a network ACL that allows access to only the Git repository URL.

A company has deployed applications to thousands of Amazon EC2 instances in an AWS account. A security audit discovers that several unencrypted Amazon EBS volumes are attached to the EC2 instances. The company ' s security policy requires the EBS volumes to be encrypted.

The company needs to implement an automated solution to encrypt the EBS volumes. The solution also must prevent development teams from creating unencrypted EBS volumes.

Which solution will meet these requirements?

A.

Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Create an AWS KMS customer managed key. In the key policy, include a statement to deny the creation of unencrypted EBS volumes.

B.

Use AWS Systems Manager Fleet Manager to create a list of unencrypted EBS volumes. Create a Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Create an SCP to deny the creation of unencrypted EBS volumes.

C.

Use AWS Systems Manager Fleet Manager to create a list of unencrypted EBS volumes. Create a Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.

D.

Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.

A retail company has an ecommerce application that uses ML to make product recommendations. The company creates two new ML model variants to improve the recommendations. The company wants to A/B test the two model variants to determine which one performs better. The company wants to split traffic evenly between the two variants. The company wants a solution that minimizes the impact to the existing ecommerce application.

Which solution will meet these requirements?

A.

Deploy both model variants to an Amazon SageMaker AI serverless inference endpoint. In the endpoint configuration, set the weight for each model variant to 0.5. In the ecommerce application, invoke the inference endpoint.

B.

Deploy each model variant to its own Amazon SageMaker AI serverless inference endpoint. In the ecommerce application, invoke each model variant endpoint directly by using a round robin strategy. Log variant invocations in Amazon CloudWatch Logs.

C.

Deploy both variants to an Amazon SageMaker AI real-time inference endpoint. In the endpoint configuration, set the weight for each model variant to 0.5. In the ecommerce application, invoke the inference endpoint.

D.

Deploy both variants to an Amazon SageMaker AI real-time inference endpoint. In the ecommerce application, invoke each model variant directly by using a round robin strategy. Log variant invocations in Amazon CloudWatch Logs.

A global healthcare analytics company runs a regulated workload on AWS across dozens of AWS accounts. The company uses an organization in AWS Organizations to manage the accounts. The company must regularly provide external auditors with evidence that specific security controls are implemented and continuously enforced. The security controls include encryption requirements for storage services, centralized logging configurations, and restrictions on public network access.

The company wants an automated solution that continuously collects evidence that shows that the controls are implemented across accounts. The solution must preserve historical evidence for specified time periods. The solution must also generate reports for the auditors that are mapped to specific regulatory frameworks. The company does not want to build custom evidence collection pipelines.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Enable AWS CloudTrail organization trails across all accounts and deliver the logs to a centralized Amazon S3 bucket in an audit account. Use Amazon Athena to query the centralized logs and build scheduled reports that auditors can review for evidence of the required security controls.

B.

Enable AWS Security Hub across all accounts. Designate a delegated administrator account to aggregate security findings across the organization. Export Security Hub findings and compliance check results to Amazon S3. Generate periodic compliance reports for auditors.

C.

Enable AWS Config rules in each account to evaluate the required security controls. Deliver configuration snapshots to a centralized Amazon S3 bucket. Use AWS Lambda functions in an audit account to periodically analyze the snapshots and generate compliance evidence reports for auditors.

D.

Enable AWS Config rules across all accounts to evaluate the required security controls. Use an AWS Config aggregator in an audit account to centralize configuration data. Deploy AWS Config conformance packs that are aligned to the required regulatory frameworks. Use AWS Audit Manager to collect evidence and generate audit reports.

A company completed a successful Amazon Workspaces proof of concept. They now want to make Workspaceshighly available across two AWS Regions. Workspaces are deployed in the failover Region. A hosted zone is available in Amazon Route 53.

What should the solutions architect do?

A.

Create a connection alias in the primary Region and in the failover Region. Associate each with a directory in its Region. Create a Route 53 failover routing policy with Evaluate Target Health = Yes.

B.

Create a connection alias in both Regions. Associate both with a directory in the primary Region. Use a Route 53 multivalue answer routing policy.

C.

Create a connection alias in the primary Region. Associate with the directory in the primary Region. Use Route 53 weighted routing.

D.

Create a connection alias in the primary Region. Associate it with the directory in the failover Region. Use Route 53 failover routing with Evaluate Target Health = Yes.

A company is using AWS CloudFormation as its deployment tool for all applications. It stages all application binaries and templates within Amazon S3 buckets with versioning enabled. Developers use an Amazon EC2 instance with IDE access to modify and test applications. The developers want to implement CI/CD with AWS CodePipeline with the following requirements:

Use AWS CodeCommit for source control.

Automate unit testing and security scanning.

Alert developers when unit tests fail.

Toggle application features and allow lead developer approval before deployment.

Which solution will meet these requirements?

A.

Use AWS CodeBuild for testing and scanning. Use EventBridge and SNS for alerts. Use AWS CDK with a manifest to toggle features. Use a manual approval stage.

B.

Use Lambda for testing and alerts. Use AWS Amplify plugins for feature toggles. Use SES for manual approval.

C.

Use Jenkins and SES for alerts. Use nested CloudFormation stacks for features. Use Lambda for approvals.

D.

Use CodeDeploy for testing and scanning. Use CloudWatch alarms and SNS. Use Docker images for features and AWS CLI for toggles.

A company needs to architect a hybrid DNS solution. This solution will use an Amazon Route 53 private hosted zone for the domain cloud.example.com for the resources stored within VPCs.

The company has the following DNS resolution requirements:

• On-premises systems should be able to resolve and connect to cloud.example.com.

• All VPCs should be able to resolve cloud.example.com.

There is already an AWS Direct Connect connection between the on-premises corporate network and AWS Transit Gateway. Which architecture should the company use to meet these requirements with the HIGHEST performance?

A.

Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in theshared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.

B.

Associate the private hosted zone to all the VPCs. Deploy an Amazon EC2 conditional forwarder in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the conditional forwarder.

C.

Associate the private hosted zone to the shared services VPC. Create a Route 53 outbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the outbound resolver.

D.

Associate the private hosted zone to the shared services VPC. Create a Route 53 inbound resolver in the shared services VPC. Attach the shared services VPC to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.

A company is running a containerized workload on AWS. The workload consists of several data-processing services that run on a group of Amazon EC2 instances.

The company uploads new data to an Amazon S3 bucket every night. A cron job on each EC2 instance starts the data processing every night. The amount of uploaded data varies. The data-processing tasks can take hours to finish running. After the data is processed, the services remain idle until the next processing window occurs the next night. The company needs a solution to modernize the architecture and reduce the operational overhead.

Which solution will meet these requirements?

A.

Migrate the workload to AWS Lambda functions that run the container images. Configure an Amazon EventBridge rule to filter S3 events and invoke the Lambda functions when data is uploaded to the S3 bucket.

B.

Migrate the workload to run as tasks in an Amazon ECS cluster that runs on AWS Fargate. Create an AWS Step Functions state machine to invoke the Fargate tasks. Configure S3 Event Notifications to invoke the state machine tasks when data is uploaded to the S3 bucket.

C.

Migrate the workload to run as tasks in an Amazon ECS cluster that runs on AWS Fargate. Create an AWS Step Functions state machine to invoke the Fargate tasks. Configure an Amazon EventBridge rule to invoke the state machine when data is uploaded to the S3 bucket.

D.

Migrate the workload to AWS Lambda functions by packaging the container images as Lambda layers. Configure S3 Event Notifications to invoke the Lambda functions when data is uploaded to the S3 bucket.

An online survey company runs its application in the AWS Cloud. The application is distributed and consists of microservices that run in an automatically scaled Amazon Elastic Container Service (Amazon ECS) cluster. The ECS cluster is a target for an Application Load Balancer (ALB). The ALB is a custom origin for an Amazon CloudFront distribution.

The company has a survey that contains sensitive data. The sensitive data must be encrypted when it moves through the application. The application ' s data-handling microservice is the only microservice that should be able to decrypt the data.

Which solution will meet these requirements?

A.

Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated to the data-handling microservice. Create a field-level encryption profile and a configuration. Associate the KMS key and the configuration with the CloudFront cache behavior.

B.

Create an RSA key pair that is dedicated to the data-handling microservice. Upload the public key to the CloudFront distribution. Create a field-level encryption profile and a configuration. Add the configuration to the CloudFront cache behavior.

C.

Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated to the data-handling microservice. Create a Lambda@Edge function. Program the function to use the KMS key to encrypt the sensitive data.

D.

Create an RSA key pair that is dedicated to the data-handling microservice. Create a Lambda@Edge function. Program the function to use the private key of the RSA key pair to encrypt the sensitive data.

A company built an ecommerce website on AWS using a three-tier web architecture. The application is Java-based and composed of an Amazon CloudFront distribution, an Apache web server layer of Amazon EC2 instances in an Auto Scaling group, and a backend Amazon Aurora MySQL database.

Last month, during a promotional sales event, users reported errors and timeouts while adding items to their shopping carts. The operations team recovered the logs created by the web servers and reviewed Aurora DB cluster performance metrics. Some of the web servers were terminated before logs could be collected and the Aurora metrics were not sufficient for query performance analysis.

Which combination of steps must the solutions architect take to improve application performance visibility during peak traffic events? (Choose three.)

A.

Configure the Aurora MySQL DB cluster to publish slow query and error logs to Amazon CloudWatch Logs.

B.

Implement the AWS X-Ray SDK to trace incoming HTTP requests on the EC2 instances and implement tracing of SQL queries with the X-Ray SDK for Java.

C.

Configure the Aurora MySQL DB cluster to stream slow query and error logs to Amazon Kinesis

D.

Install and configure an Amazon CloudWatch Logs agent on the EC2 instances to send the Apache logs to CloudWatch Logs.

E.

Enable and configure AWS CloudTrail to collect and analyze application activity from Amazon EC2 and Aurora.

F.

Enable Aurora MySQL DB cluster performance benchmarking and publish the stream to AWS X-Ray.

A solutions architect must create a business case for migration of a company ' s on-premises data center to the AWS Cloud. The solutions architect will use a configuration management database (CMDB) export of all the company ' s servers to create the case.

Which solution will meet these requirements MOST cost-effectively?

A.

Use AWS Well-Architected Tool to import the CMDB data to perform an analysis and generate recommendations.

B.

Use Migration Evaluator to perform an analysis. Use the data import template to upload the data from the CMDB export.

C.

Implement resource matching rules. Use the CMDB export and the AWS Price List Bulk API to query CMDB data against AWS services in bulk.

D.

Use AWS Application Discovery Service to import the CMDB data to perform an analysis.

A company ' s public API runs as tasks on Amazon Elastic Container Service (Amazon ECS). The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months.

Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount.

A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency.

Which solution meets these requirements?

A.

Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks.

B.

Create a new AWS WAF Bot Control implementation. Add a rule in the AWS WAF Bot Control managed rule group to monitor traffic and allow only legitimate traffic to the ALB in front of the ECS tasks.

C.

Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.

D.

Create a new AWS WAF web ACL. Create a new empty IP set in AWS WAF. Add a new rule to the web ACL to block requests that originate from IP addresses in the new IP set. Create an AWS Lambda function that scrapes the API logs for IP addresses that send SQL injection attacks, and add those IP addresses to the IP set. Attach the web ACL to the ALB in front of the ECS tasks.

A solutions architect has deployed a web application that serves users across two AWS Regionsunder a custom domain The application uses Amazon Route 53 latency-based routing The solutions architect has associated weighted record sets with a pair of web servers in separate Availability Zones for each Region

The solutions architect runs a disaster recovery scenario When all the web servers in one Region are stopped. Route 53 does not automatically redirect users to the other Region

Which of the following are possible root causes of this issue1? (Select TWO)

A.

The weight for the Region where the web servers were stopped is higher than the weight for the other Region.

B.

One of the web servers in the secondary Region did not pass its HTTP health check

C.

Latency resource record sets cannot be used in combination with weighted resource record sets

D.

The setting to evaluate target health is not turned on for the latency alias resource record set that is associated with the domain in the Region where the web servers were stopped.

E.

An HTTP health check has not been set up for one or more of the weighted resource record sets associated with the stopped web servers