CLF-C02 Questions and Answers

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You can use IAM to create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM is always provided at nocharge12. References: 1: AWS Identity and Access Management (IAM) - Amazon Web Services (AWS), 2: Which aws service is always provided at no charge? - Brainly.in

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service that can route internet traffic to the company’s ecommerce platform1. Route 53 can also register domain names, check the health of resources, and provide global DNS features2. Route 53 can connect users to the platform by translating human-readable names like www.example.com into the numeric IP addresses that computers use to communicate witheach other2. References: 1: Amazon Route 53 | DNS Service | AWS; 2: What is Amazon Route 53? - Amazon Route 53

ASecurity Groupacts as a virtual firewall for your Amazon EC2 instances to control inbound and outbound traffic. It provides granular control over network connections to and from a specific EC2 instance or set of instances. Unlike Network ACLs, which operate at the subnet level, Security Groups operate at the instance level, allowing control over network traffic for individual instances.

A. Network ACL: Incorrect, as it controls traffic at the subnet level and not for individual instances.

B. AWS WAF: Incorrect, as AWS WAF is a web application firewall that helps protect web applications from common web exploits but is not designed for controlling instance-level traffic.

C. Route table: Incorrect, as route tables are used for network routing within a VPC and do not act as firewalls.

AWS Cloud References:

AWS Security Groups

Amazon RDS (Relational Database Service)is a managed database service that simplifies the setup, operation, and scaling of relational databases in the AWS Cloud. It supports several SQL-based databases, such as MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB, while automating common administrative tasks such as backups, patch management, and scaling. This significantly reduces the operational overhead compared to managing databases on Amazon EC2 instances, which would require manual management of the operating system, database software, backups, and maintenance.

A. Amazon EC2 instances: Incorrect, as this would involve more operational overhead, including manual management of the database server.

C. Amazon DynamoDB: Incorrect, as it is a NoSQL database service, not suitable for migrating SQL-based databases.

D. OpenSearch: Incorrect, as it is used for search and analytics workloads, not for hosting SQL-based databases.

AWS Cloud References:

Amazon RDS

AWS Organizationsis a service that helps users centrally manage and govern multiple AWS accounts. With AWS Organizations, a company can consolidate billing and receive a single bill for all AWS accounts under an organization, making it easier for the finance team to track costs.

Why other options are not suitable:

B. AWS Trusted Advisor: Provides real-time guidance to help optimize AWS resources, not for consolidated billing.

C. Cost Explorer: A tool for visualizing and managing AWS costs and usage, but it does not consolidate billing.

D. AWS Budgets: Allows setting custom budgets and alerts but does not consolidate billing across accounts.

AWS Glue is a serverless data integration service designed to discover, prepare, move, and integrate data from multiple sources for data analytics and machine learning purposes. It provides a managed ETL (Extract, Transform, Load) service that is ideal for preparing and transforming data for analytics. AWS Data Exchange is used for finding and subscribing to third-party data, Amazon Athena is for querying data stored in Amazon S3 using SQL, and Amazon EMR is for big data processing using Apache Hadoop and Spark, but AWS Glue is specifically designed for data integration and preparation tasks.

Amazon Lexis a service for building conversational interfaces into any application using voice and text. It provides the tools necessary to create, test, and publish intelligent chatbots that can be integrated with web applications to provide a conversational experience.

A. Amazon Textract: Incorrect, as it is a service for extracting text and data from documents, not for creating chatbots.

C. AWS Glue: Incorrect, as it is a data integration service used for preparing and transforming data.

D. Amazon Rekognition: Incorrect, as it is an image and video analysis service.

AWS Cloud References:

Amazon Lex

Amazon Elastic File System (Amazon EFS) is a fully managed, scalable, and serverless NFS (Network File System) file system specifically designed for use with AWS services and on-premises resources. It enables companies to create and configure file systems that can be accessed from multiple Amazon EC2instances simultaneously, making it ideal for use cases that require shared file storage for AWS compute services.

Why Amazon EFS Fits the Requirements:

Managed Service: Amazon EFS is a fully managed file storage service that simplifies the process of setting up and managing NFS file systems.

Scalability and Elasticity: EFS automatically scales to accommodate the storage needs of applications, without the need to provision or manage storage capacity.

NFS Compatibility: Amazon EFS natively supports the NFSv4 protocol, making it compatible with a wide range of applications and workloads that require NFS access.

Integration with AWS Compute Services: EFS integrates seamlessly with Amazon EC2 and other AWS services, providing a shared file storage solution across multiple instances and services within the AWS cloud environment.

Why Other Options Do Not Fit:

A. Amazon Elastic Block Store (Amazon EBS): While EBS provides block-level storage that can be attached to individual EC2 instances, it is not a file system, nor does it provide managed NFS file storage capabilities. EBS is designed for single-instance access rather than shared file access across multiple instances.

B. AWS Storage Gateway Tape Gateway: Tape Gateway is designed for archival purposes and allows companies to store virtual tape backups in Amazon S3 or Glacier. It does not support NFS file storage and is not intended for regular compute access.

C. Amazon S3 Glacier Flexible Retrieval: Amazon S3 Glacier is optimized for data archiving and long-term storage of infrequently accessed data, but it does not provide NFS file system capabilities, nor is it suitable for high-performance access needs associated with compute services.

For more details, you can refer to theAWS Cloud Practitioner Essentialscontent, specifically the modules onStorage Serviceswhere Amazon EFS is covered as the managed NFS file storage solution offered by AWS.

According to theAWS Shared Responsibility Model, AWS is responsible for the security "of" the cloud (such as protecting the infrastructure, including hardware, software, networking, and facilities that run AWS Cloud services). In contrast, customers are responsible for security "in" the cloud. This includes configuring and using AWS services securely.

D. Use AWS Identity and Access Management (IAM) according to the principle of least privilegeis a customer's responsibility. Customers must manage their credentials, control access to resources, and ensure that IAM policies follow the principle of least privilege, which means granting only the permissions necessary to perform a task.

Why other options are not suitable:

A. Patch the Amazon DynamoDB operating system: AWS is responsible for managing and patching the infrastructure for managed services like DynamoDB.

B. Secure Amazon CloudFront edge locations by allowing physical access according to the principle of least privilege: AWS handles physical security of its edge locations.

C. Protect the hardware that runs AWS services: AWS is responsible for protecting the physical hardware that runs AWS services.

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections12. References: 1: Dedicated Network Connection - AWS Direct Connect - AWS, 2: What is AWS Direct Connect? - AWS Direct Connect

AWS CloudTrailis a service that enables governance, compliance, and operational and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail logs provide a history of AWS API calls for your account, including those made by the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. In this case, AWS CloudTrail will help the administrator identify which user deleted the resources by reviewing the event history that records details such as which user performed the action, the time of the action, and which resources were affected.

B. Amazon Inspector: Incorrect, as it is a security assessment service that helps identify vulnerabilities and deviations from best practices, not for tracking user activity.

C. Amazon GuardDuty: Incorrect, as it is a threat detection service that monitors malicious activity and unauthorized behavior, not specifically for tracking changes made by users.

D. AWS Trusted Advisor: Incorrect, as it provides best practices and guidance for cost optimization, security, fault tolerance, and performance, not for logging user actions.

AWS Cloud References:

AWS CloudTrail

According to theAWS Shared Responsibility Model, the customer is responsible for managing the guest operating system (including patches and updates) and any applications that they run on their Amazon EC2 instances.

Why other options are not suitable:

B. Control physical access to an AWS data center: AWS is responsible for the physical security of its data centers.

C. Control access to AWS underlying hardware: AWS manages the hardware infrastructure.

D. Patch a host operating system that is deployed on Amazon S3: Amazon S3 is a managed storage service, and AWS manages the underlying infrastructure, including the operating system.

Elasticity is a characteristic of the AWS Cloud that helps users eliminate underutilized CPU capacity. Elasticity refers to the ability to dynamically provision and de-provision computing resources as per demand, ensuring that the application or service always has the required resources to operate efficiently. Elasticity helps users optimize performance and costs, as theyonly pay for the resources they use and avoid wasting resources when the demand is low345. References: 3: Which characteristic of the aws cloud helps users eliminate …, 4: AWS Elastic Load Balancing and Application Load Balancer, 5: Which characteristic of the AWS Cloud helps users eliminate …

TheAWS Cloud Development Kit (AWS CDK)currently supports multiple programming languages, includingPythonandTypeScript. These languages allow developers to define cloud infrastructure using familiar programming constructs. Python and TypeScript are among the first languages supported by AWS CDK, which also supports Java, C#, and JavaScript. This enables developers to use their existing programming skills and tools to define cloud infrastructure in code.

B. Swift: Incorrect, as Swift is not currently supported by AWS CDK.

D. Ruby: Incorrect, as Ruby is not currently supported by AWS CDK.

E. PHP: Incorrect, as PHP is not currently supported by AWS CDK.

AWS Cloud References:

AWS Cloud Development Kit (AWS CDK)

 The trade of infrastructure expenses for operating expenses is one of the benefits of the AWS Cloud. By moving to the AWS Cloud, the company can avoid the upfront costs of purchasing and maintaining on-premises infrastructure, such as servers, storage, network, and software. Instead, the company can pay only for the AWS resources and services that they use, as they use them. This reduces the risk and complexity of planning and managing IT infrastructure, and allows the company to focus on innovation and growth. Increased speed to market, massive economies of scale, and the ability to go global in minutes are also benefits of the AWS Cloud, but they are not the best ones to describe this scenario. Increased speed to market means that the company can launch new products and services faster by using AWS services and tools. Massive economies of scale means that the company can benefit from the lower costs and higher performance that AWS achieves by operating at a large scale. The ability to go global in minutes means that the company can deploy their applications and data in multiple regions and availability zones around the world to reach their customers faster and improve performance and reliability5

Cloud fluency is a capability that belongs to the people perspective of the AWS Cloud Adoption Framework (AWS CAF). Cloud fluency is the ability of the workforce to understand the benefits, challenges, and best practices of cloud computing, and to apply them to their roles and responsibilities. Cloud fluency helps the organization to adopt a cloud mindset, culture, and skills, and to leverage the full potential of the cloud. Cloud fluency can be achieved through various methods, such as training, certification, mentoring, coaching, and hands-on experience. Cloud fluency is one of the four capabilities of the people perspective, along with culture, organizational structure, and leadership. The other three capabilities belong to different perspectives of the AWS CAF. Data architecture is a capability of the platform perspective, which helps you design and implement data solutions that meet your business and technical requirements. Event management is a capability of the operations perspective, which helps you monitor and respond to events that affect the availability, performance, and security of your cloud resources. Strategic partnership is a capability of the business perspective, which helps you establish and maintain relationships with external stakeholders, such as customers, partners, suppliers, and regulators, to create value and achieve your business goals. References: AWS Cloud Adoption Framework: People Perspective, AWS CAF - Cloud Adoption Framework - W3Schools

 Elasticity in the AWS Cloud refers to the ability to acquire resources as you need them and release resources when you no longer need them. In the cloud, you want to do this automatically1. This means that you can rightsized resources as demand shifts, and you can easily procure resources when they are needed. Elasticity is not related to how quickly an Amazon EC2 instance can be restarted, the maximum amount of RAM an Amazon EC2 instance can use, or the pay-as-you-go billing model. These are aspects of scalability, performance, and cost, respectively2.

For more information on elasticity, you can refer to the following sources:

Elasticity - AWS Well-Architected Framework

Elastic - Reactive Systems on AWS

What is the difference between scalability and elasticity?

Amazon EC2 is the AWS service that the company should use to meet its requirements of retaining full control of patch management for the guest operating systems that host its applications. Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud. Users can launch virtual servers, called instances, that run various operating systems, such as Linux, Windows, macOS, and more. Users have full administrative access to their instances and can install and configure any software, including patches and updates, on their instances. Users are responsible for managing the security and maintenance of their instances, including patching the guest operating system and applications. Users can also use AWS Systems Manager to automate and simplify the patching process for their EC2 instances. AWS Systems Manager is a service that helps users manage their AWS and on-premises resources atscale. Users can use AWS Systems Manager Patch Manager to scan their instances for missing patches, define patch baselines and maintenance windows, and apply patches automatically or manually across their instances. Users can also use AWS Systems Manager to monitor the patch compliance status and patching history of their instances. References: What is Amazon EC2?, AWS Systems Manager Patch Manager

Amazon Inspector is a service that provides automated security assessment and management for AWS resources, such as Amazon EC2 instances. Amazon Inspector can scan applications for common vulnerabilities, such as SQL injection, cross-site scripting, and remote code execution. Amazon Inspector can also check the configuration of AWS resources against security best practices, such as the CIS Benchmarks and the AWS Security Best Practices. Amazon Inspector can help customers identify and remediate security issues, comply with security standards, and improve the security posture of their AWS environment12. References:

Amazon Inspector

Improved, Automated Vulnerability Management for Cloud Workloads with a New Amazon Inspector | AWS News Blog

 Realigning teams to focus on products and value streams, and using agile methods to rapidly iterate and evolve are tasks that the company should perform to meet the requirements of becoming more responsive to customer inquiries and feedback, according to the AWS Cloud Adoption Framework (AWS CAF). AWS CAF organizes guidance into six areas of focus, called perspectives: business, people, governance, platform, security, and operations. Each perspective is divided into capabilities, which describe the skills and processes to execute the transition effectively. The people perspective helps you prepare your organization for cloud adoption, and includes capabilities such as organizational change management, staff skills and readiness, and organizational alignment. The business perspective helps you align IT strategy with business strategy, and includes capabilities such as business case development, value proposition, and product ownership. Creating new value propositions with new products and services is a task that belongs to the business perspective, but it is not directly related to the requirement of becoming more responsive to customer inquiries and feedback. Using a new data and analytics platform to create actionable insights is a task that belongs to the platform perspective, which helps you design, implement, and optimize the architecture of the AWS environment. However, it is also not directly related to the requirement of becoming more responsive to customer inquiries and feedback. Migrating and modernizing legacy infrastructure is a task that belongs to the operations perspective, which helps you enable, run, use, operate, and recover IT workloads to the level agreed upon with your business stakeholders.However, it is also not directly related to the requirement of becoming more responsive to customer inquiries and feedback.

Pay-as-you-go pricing is one of the main benefits of AWS. With pay-as-you-go pricing, you pay only for what you use, when you use it. There are no long-term contracts, termination fees, or complex licensing. You replace upfront expenses with lower variable costs and pay only for the resources you consume.

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS from distributed denial of service (DDoS) attacks. DDoS attacks are malicious attempts to disrupt the normal functioning of a website or application by overwhelming it with a large volume of traffic from multiple sources. AWS Shield provides two tiers of protection: Standard and Advanced. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. It protects your AWS resources, such as Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53, from the most common and frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is an optional paid service that provides additional protection for your AWS resources and applications, such as Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), and AWS Elastic Beanstalk. AWSShield Advanced offers enhanced detection and mitigation capabilities, 24/7 access to the AWS DDoS Response Team (DRT), real-time visibility and reporting, and cost protection against DDoS-related spikes in your AWS bill12

 AWS Shield, What is a DDOS Attack & How to Protect Your Site Against One

Security groups are the AWS service or feature that can be used to apply security rules to specific Amazon EC2 instances. Security groups are virtual firewalls that control the inbound and outbound traffic for one or more instances. Customers can create security groups and add rules that reflect the role of the instance that is associated with the security group. For example, a web server instance needs security group rules that allow inbound HTTP and HTTPS access, while a database instance needs rules that allow access for the type of database12. Security groups are stateful, meaning that the responses to allowed inbound traffic are alsoallowed, regardless of the outbound rules1. Customers can assign multiple security groups to an instance, and the rules from each security group are effectively aggregated to create one set of rules1.

Network ACLs are another AWS service or feature that can be used to control the traffic for a subnet. Network ACLs are stateless, meaning that they do not track the traffic that they allow. Therefore, customers must add rules for both inbound and outbound traffic3. Network ACLs are applied at the subnet level, not at the instance level.

AWS Trusted Advisor is an AWS service that provides best practice recommendations for security, performance, cost optimization, and fault tolerance. AWS Trusted Advisor does not apply security rules to specific Amazon EC2 instances, but it can help customers identify security gaps and improve their security posture4.

AWS WAF is an AWS service that helps protect web applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks. AWS WAF does not apply security rules to specific Amazon EC2 instances, but it can be integrated with other AWS services, such as Amazon CloudFront, Amazon API Gateway, and Application Load Balancer.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. You can use CloudTrail to identify who accessed an AWS service and what action was performed for a given time period. Amazon CloudWatch, AWS Security Hub, and Amazon Inspector are AWS services that provide different types of monitoring and security capabilities.

AWS Cloud Development Kit (AWS CDK) is a software development framework that allows you to define cloud resources as code using familiar programming languages, such as TypeScript, Python, Java, .NET, and Go (in Developer Preview). You can use AWS CDK to model your application resources using high-level constructs that provide sensible defaults and best practices, or use low-level constructs that provide full access to the underlying AWS CloudFormation resources. AWS CDK synthesizes your code into AWS CloudFormation templates that you can deploy using the AWS CDK CLI or the AWS Management Console. AWS CDK also integrates with other AWS services, such as AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS Lambda, Amazon EC2, Amazon S3, and more, to help you automate your development and deployment processes. AWS CDK is an open-source framework that you can extend and contribute to. References: Cloud Development Framework - AWS Cloud Development Kit - AWS, AWS Cloud Development Kit Documentation, AWS Cloud Development Kit - Wikipedia, AWS CDK Intro Workshop | AWS CDK Workshop

 AWS Shield Advanced is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield Advanced provides you with 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS attacks of any size or duration. AWS Shield Advanced also provides near real-time visibility into attacks, advanced attack mitigation capabilities, and integration with AWS WAF and AWS Firewall Manager1. AWS Shield is a standard service that provides always-on detection and automatic inline mitigations to minimize application downtime and latency, but it does not offer the same level of features and support as AWS Shield Advanced2. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, but it does not provide DDoS protection3. Network ACLs are stateless filters that can be associated with a subnet to control the traffic to and from the subnet, but they are not designed to protect against DDoS attacks

 The AWS shared responsibility model describes the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the hardware, software, networking, and facilities that run AWS services. The customer is responsible for security in the cloud, which includes the customer data, applications, operating systems, and network and firewall configurations. Therefore, updating the guest operating system on Amazon EC2 instances is the customer’s responsibility2

 AWS Personal Health Dashboard and AWS Service Health Dashboard are two AWS services that can help the company to verify that underlying AWS services and general AWS infrastructure are operating normally. AWS Personal Health Dashboard provides a personalized view into the performance and availability of the AWS services you are using, as well as alerts that are automatically triggered by changes in the health of those services. In addition to event-based alerts, Personal Health Dashboard provides proactive notifications of scheduled activities, such as any changes to the infrastructure powering your resources, enabling you to better plan for events that may affect you. These notifications can be delivered to you via email or mobile for quick visibility, and can always be viewed from within the AWS Management Console. When you get an alert, it includes detailed information and guidance, enabling you to take immediate action to address AWS events impacting your resources3. AWS Service Health Dashboard provides a general status of AWS services, and the Service health view displays the current and historical status of all AWS services. This page shows reported service events for services across AWS Regions. You don’t need to sign in or have an AWS account to access the AWS Service Health Dashboard – Service health page. You can also subscribe to RSS feeds for specific services or regions to receive notifications about service events4. References: Gettingstarted with your AWS Health Dashboard – Your account health, Introducing AWS Personal Health Dashboard

An internet gateway is a service that allows for internet traffic to enter into a VPC. Otherwise, a VPC is completely segmented off and then the only way to get to it is potentially through a VPN connection rather than through internet connection. An internet gateway is a logical connection between an AWS VPC and the internet. It supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic1. An internet gateway enables resources in your public subnets (such as EC2 instances) to connect to the internet if the resource has a public IPv4 address or an IPv6 address. Similarly, resources on the internet can initiate a connection to resources in your subnet using the public IPv4 address or IPv6 address2. An internet gateway also provides a target in your VPC route tables for internet-routable traffic. For communication using IPv4, the internet gateway also performs network address translation (NAT). For communication using IPv6, NAT is not needed because IPv6 addresses are public2. To enable access to or from the internet for instances in a subnet in a VPC using an internet gateway, you must create an internet gateway and attach it to your VPC, add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway, ensure thatinstances in your subnet have a public IPv4 address or an IPv6 address, and ensure that your network access control lists and security group rules allow the desired internet traffic to flow to and from your instance2. References: Connect to the internet using an internet gateway, AWS Internet Gateway and VPC Routing

The AWS Cloud Adoption Framework (AWS CAF) people perspective capabilities are the organizational skills and processes that enable effective cloud adoption.According to the AWS CAF people perspective whitepaper1, there are seven capabilities in this perspective, two of which are:

Organizational alignment: This capability helps you align your organizational structure, roles, and responsibilities to support your cloud transformation goals and objectives.It involves assessing your current and desired state ofalignment, identifying gaps and misalignments, and designing and implementing changes to optimize your cloud performance1.

Organization design: This capability helps you design and evolve your organization to enable agility, innovation, and collaboration in the cloud.It involvesdefining your cloud operating model, identifying the skills and competencies needed for cloud roles, and creating career paths and development plans for your cloud workforce1.

The other options are not capabilities in the AWS CAF people perspective.Portfolio management, risk management, and modern application development are capabilities in the AWS CAF business perspective, governance perspective, and platform perspective respectively2.

1: AWS Cloud Adoption Framework: People Perspective - AWS Cloud Adoption Framework: People Perspective

2: AWS Cloud Adoption Framework - AWS Cloud Adoption Framework

 Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for your AWS accounts, workloads, and data. Amazon GuardDuty analyzes and processes data sources, such as VPC Flow Logs, AWS CloudTrail event logs, and DNS logs, to identify malicious activities and unauthorized actions, such as reconnaissance, instance compromise, account compromise, and data exfiltration. Amazon GuardDuty can also detect threats to your data stored in Amazon S3, such as API calls from unusual locations or disabling of preventative controls. Amazon GuardDuty generates findings that summarize the details of the detected threats and provides recommendations for remediation. AWS Shield, AWS Firewall Manager, and Amazon Inspector are not the best services to meet this requirement. AWS Shield is a service that provides protection against distributed denial of service (DDoS) attacks. AWS Firewall Manager is a service that allows you to centrally configure and manage firewall rules across your accounts and resources. Amazon Inspector is a service that assesses the security and compliance of your applications running on EC2 instances.

 Amazon S3 and Amazon EBS are two AWS services that can be used to store files . Amazon S3 is an object storage service that offers high scalability, durability, availability, and performance. Amazon EBS is a block storage service that provides persistent and low-latency storage volumes for Amazon EC2 instances. AWS Lambda, Amazon SageMaker, and AWS Storage Gateway are other AWS services that have different purposes, such as serverless computing, machine learning, and hybrid cloud storage .

Amazon EC2 usage is calculated by either the hour or the second based on the size of the instance, operating system, and the AWS Region where the instances are launched. Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it’s terminated or stopped. Each partial instance-hour consumed is billed per-second for Linuxinstances and as a full hour for all other instance types1. Therefore, the customer will be billed for 3 hours and 6 minutes for running an On-Demand Amazon Linux EC2 instance for 3 hours, 5 minutes, and 6 seconds. References: Understand Amazon EC2 instance-hours billing

IAM credential report is a feature that allows you to generate and download a report that lists all IAM users in your AWS account and the status of their various credentials, including access keys and MFA devices. You can use this report to audit the security status of your IAM users and ensure that they follow the best practices for using AWS1.

AWS Key Management Service (AWS KMS) is a service that allows you to create and manage encryption keys to protect your data. It does not provide information about IAM users or their credentials2.

IAM Access Analyzer is a feature that helps you identify the resources in your AWS account, such as S3 buckets or IAM roles, that are shared with an external entity. It does not provide information about IAM users or their credentials3.

Amazon CloudWatch is a service that monitors and collects metrics, logs, and events from your AWS resources and applications. It does not provide information about IAM users or their credentials4.

Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth. Amazon EFS offers two storage classes: the Standard storage class, and the Infrequent Access storage class (EFS IA). EFS IA provides price/performance that is cost-optimized for files not accessed every day. Amazon EFS encrypts data at rest and in transit, and supports direct access over the internet4.

On-Demand Instances are the default pricing model for Amazon EC2 instances. They allow users to pay for compute capacity by the second, with no long-term commitments or upfront payments. They are suitable for applications with short-term, irregular, or unpredictable workloads that cannot beinterrupted3. Savings Plans are a pricing model that offer significant savings on Amazon EC2 and AWS Fargate usage, in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1-year or 3-year term. Spot Instances are a pricing model that offer spare Amazon EC2 compute capacity at up to 90% discount compared to On-Demand prices, but they can be interrupted by AWS with a two-minute notice when the demand exceeds the supply. Reserved Instances are a pricing model that offer up to 75% discount compared to On-Demand prices, in exchange for a commitment to use a specific instance type and size in a specific region for a 1-year or 3-year term.

Scaling horizontally across multiple Availability Zones is a way to adopt a highly available architecture, as it increases the fault tolerance and resilience of the application. Scaling vertically to a larger EC2 instance size is a way to improve the performance of the application, but it does not improve the availability. Purchasing an EC2 Dedicated Instance is a way to isolate the instance from other AWS customers, but it does not improve the availability. Changing the EC2 instance family to a compute optimized instance is a way to optimize the instance type for the workload, but it does not improve the availability. These concepts are explained in the AWS Well-Architected Framework2.

AWS Trusted Advisor is a service that provides real-time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor provides recommended actions in five categories: cost optimization, performance, security, fault tolerance, and service quotas. Cost optimization helps you reduce your overall AWS costs by identifying idle and underutilized resources. Service quotas helps you monitor and manage your usage of AWS service quotas and request quota increases. Operating system patches, repetitive tasks, and account activity records are not categories that AWS Trusted Advisor provides recommended actions for. Source: [AWS Trusted Advisor]

 AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center1.

 D is correct because security groups are the AWS service or feature that can be used to control inbound and outbound traffic on an Amazon EC2 instance. Security groups act as a virtual firewall for the EC2 instance, allowing users to specify which protocols, ports, and source or destination IP addresses are allowed or denied. A is incorrect because internet gateways are the AWS service or feature that enable communication between instances in a VPC and the internet. They do not control the traffic on an EC2 instance. B is incorrect because AWS Identity and Access Management (IAM) is the AWS service or feature that enables users to manage access to AWS services and resources securely. It does not control the traffic on an EC2 instance. C is incorrect because network ACLs are the AWS service or feature that provide an optional layer of security for the VPC that acts as a firewall for controlling traffic in and out of one or more subnets. They do not control the traffic on an EC2 instance.

Savings Plans are an AWS pricing model or offering that can meet the requirements of seeking cost savings in exchange for a commitment to use a specific amount of an AWS service or category of AWS services for 1 year or 3 years. Savings Plans are flexible plans that offer significant discounts on AWS compute usage, such as EC2, Lambda, and Fargate. The company can choose from two types of Savings Plans: Compute Savings Plans and EC2 Instance Savings Plans. Compute Savings Plans provide the most flexibility and apply to any eligible compute usage, regardless of instance family, size, region, operating system, or tenancy. EC2 Instance Savings Plans provide more savings and apply to a specific instance family within a region. The company can select the amount of compute usage per hour (e.g., $10/hour) that they want to commit to for the duration of the plan (1 year or 3 years). The company will pay the discounted Savings Plan rate for the amount of usage that matches their commitment, and the regular on-demand rate for any usage beyond that

 AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely. You can use IAM to perform the following actions:

Control access to AWS service APIs and to other specific resources: You can create users, groups, roles, and policies that define who can access which AWS resources and how. You can also use IAM to grant temporary access to users or applications that need to perform certain tasks on your behalf3

Protect the AWS environment using multi-factor authentication (MFA): You can enable MFA for your IAM users and root user to add an extra layer of security to your AWS account. MFA requires users to provide a unique authentication code from an approved device or SMS text message, in addition to their user name and password, when they sign in to AWS4

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. It works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the user experience. By using CloudFront, you can cache your content at the edge locations that are closest to your end users, reducing the network latency and improving theperformance of your application. CloudFront also offers a pay-as-you-go pricing model, so you only pay for the data transfer and requests that you use.

 The AWS service that meets the requirements of providing a graph database service that is scalable and highly available is Amazon Neptune. Amazon Neptune is a fast, reliable, and fully managed graph database service that supports property graph and RDF graph models. Amazon Neptune is designed to store billions of relationships and query the graph with milliseconds latency. Amazon Neptune also offers high availability and durability by replicating six copies of the data across three Availability Zones and continuously backing up the data to Amazon S35. Amazon Aurora, Amazon Redshift, and Amazon DynamoDB are other AWS services that provide relational or non-relational database solutions, but they do not support graph database models.

AWS Marketplace is a digital catalog that offers thousands of software products and solutions from independent software vendors (ISVs) and AWS partners. Customers can use AWS Marketplace to find, buy, and deploy software on AWS. Some of the benefits of using AWS Marketplace are:

Speed of business: You can quickly and easily discover and deploy software that meets your business needs, without having to go through lengthy procurement processes. You can also use AWS Marketplace to test and compare different solutions before making a purchase decision.

Fewer legal objections: You can benefit from standardized contract terms and conditions that are pre-negotiated between AWS and the ISVs. This reduces the time and effort required to review and approve legal agreements.

S3 Versioning is a feature that allows you to keep multiple versions of an object in the same bucket. You can use S3 Versioning to protect your data from accidental deletion or overwriting by enabling it on a bucket or a specific object. S3 Versioning also allows you to restore previous versions of an object if needed. S3 Lifecycle rules are used to automate the transition of objects between storage classes or to expire objects after a certain period of time. S3 bucket policies are used to control access to the objects in a bucket. S3 server-side encryption is used toencrypt the data at rest in S3. References: S3 Versioning, S3 Lifecycle rules, S3 bucket policies, S3 server-side encryption

Decoupling the components of an application means reducing the dependencies and interactions between them, which can improve the application’s reliability, scalability, and performance. Decoupling can be achieved by using services such as Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), and AWS Lambda1

 Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront can cache web server content in edge locations, which are located closer to the end users, toimprove the web service’s performance globally2.

AWS Organizations is an AWS service that enables you to centrally manage and govern your AWS Cloud environments across multiple business units. AWS Organizations allows you tocreate an organization that consists of AWS accounts that you create or invite to join. You can group your accounts into organizational units (OUs) and apply service control policies (SCPs) to them. SCPs are a type of policy that specify the maximum permissions for the accounts in your organization, and can help you enforce compliance and security requirements. AWS Organizations also simplifies billing processes by enabling you to consolidate and pay for all member accounts with a single payment method. You can also use AWS Organizations to automate the creation of AWS accounts by using APIs or AWS CloudFormation templates. References: What is AWS Organizations?, Policy-Based Management - AWS Organizations

B and D are correct because AWS availability and security enable customers to improve their SLAs while reducing risk and unplanned downtime1, and AWS reduces IT costs related to infrastructure, allowing customers to reinvest in other areas2. A is incorrect because migrating to the AWS Cloud does not automatically make applications available on mobile devices, as it depends on the application design and compatibility. C is incorrect because companies that migrate to the AWS Cloud still need to plan for high availability and disaster recovery, as AWS is a shared responsibility model3. E is incorrect because migrating to the AWS Cloud does not require companies to rearchitect and rewrite all enterprise applications, as AWS offers different migration strategies depending on the application complexity and business objectives4.

Hardware and infrastructure is the option that AWS is responsible for under the AWS shared responsibility model. The AWS shared responsibility model describes how AWS and customers share responsibilities for security and compliance in the cloud. AWS is responsible for security of the cloud, which means protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. Customers are responsible for security in the cloud, which means taking care of the security of their own applications, data, and operating systems. This includes network and firewall configuration, client-side data encryption, management of user permissions, and more.

IAM access keys are long-term credentials that consist of an access key ID and a secret access key. You use access keys to sign programmatic requests that you make to AWS. If you need to access AWS services from an on-premises application, you can use IAM access keys to authenticate your requests. AWS account user name and password are used to sign in to the AWS Management Console. Amazon EC2 key pairs are used to connect to your EC2 instances using SSH. AWS Key Management Service (AWS KMS) keys are used to encrypt and decrypt your data using the AWS Encryption SDK or the AWS CLI.

This is the AWS service or resource that will meet the requirements of distributing traffic between the Amazon EC2 instances that host the website. Application Load Balancer is a type of Elastic Load Balancing that distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. Application Load Balancer operates at the application layer (layer 7) of the OSI model and supports advanced features such as path-based routing, host-based routing, health checks, and SSL termination. You can learn more about Application Load Balancer from [this webpage] or [this digital course].

 AWS Cost Explorer is an AWS service or tool that the company can use to periodically review its AWS account for cost optimization opportunities. AWS Cost Explorer is a tool that enables the company to visualize, understand, and manage their AWS costs and usage over time. The company can use AWS Cost Explorer to access interactive graphs and tables that show the breakdown of their costs and usage by service, region, account, tag, and more. The company can also use AWS Cost Explorer to forecast their future costs, identify trends and anomalies, and discover potential savings by using Reserved Instances or Savings Plans.

AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center, which can support the requirement of retaining certain data on-premises due to legal obligations5.

 Basing the selection of Amazon EC2 instance types on past utilization patterns is a way to right size the AWS resources and optimize the performance and cost. Using Amazon S3 Lifecycle policies to move objects that users access infrequently to lower-cost storage tiers is another way to reduce the storage costs and align them with the business value of the data. These two actions are recommended by the AWS Cost Optimization Pillar1. Switching from Amazon RDS to Amazon DynamoDB is not necessarily a cost-saving action, as it depends on the use case and the data model. Using Multi-AZ deployments for Amazon RDS is a way to improve the availability and durability of the database, but it also increases the cost. Replacing existing Amazon EC2 instanceswith AWS Elastic Beanstalk is a way to simplify the deployment and management of the application, but it does not affect the cost of the underlying EC2 instances.

Amazon Timestream is a fast, scalable, and serverless time-series database service for IoT and other operational applications that makes it easy to store and analyze trillions of events per day up to 1,000 times faster and at as little as 1/10th thecost of relational databases1. Amazon Timestream saves you time and cost in managing the lifecycle of time series data, and its purpose-built query engine lets you access and analyze recent and historical data together with a single query1. Amazon Timestream has built-in time series analytics functions, helping you identify trends and patterns in near real time1.

The other options are not suitable for storing and analyzing trillions of events per day. Amazon Neptune is a graph database service that supports highly connected data sets. Amazon Forecast is a machine learning service that generates accurate forecasts based on historical data. Amazon DocumentDB (with MongoDB compatibility) is a document database service that supports MongoDB workloads.

1: Time Series Database – Amazon Timestream – Amazon Web Services

AWS Budgets is a tool that allows users to set AWS spending targets and track costs against those targets. Users can create budgets for various dimensions, such as service, linked account, tag, and more. Users can also receive alerts when the actual or forecasted costs exceed or are projected to exceed the budgeted amount. AWS Cost Explorer, AWS Cost and Usage Report, and Savings Plans are other AWS tools or features that can help users manage and optimize their AWS costs, but they do not enable users to set and track spending targets .

According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, which includes the virtualization layer down to the physical security of the facilities in which AWSservices operate1. The customer is responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications that they use1.

Amazon RDS is a managed database service that handles most of the common database administration tasks, such as hardware provisioning, server maintenance, backup and recovery, patching, scaling, and replication. However, Amazon RDS does not optimize the application that interacts with the database. The company is stillresponsible for tuning the performance, security, and availability of the application according to its business requirements and best practices12.

The AWS account root user is the identity that has complete access to all AWS services and resources in the account. It is accessed by signing in with the email address and password that were used to create the account1. The root user should be protected and used only for a few account and service management tasks that require it1. Therefore, the following actions are best practices for an AWS account root user:

Enable multi-factor authentication (MFA) on the root user. MFA is a security feature that requires users to provide two or more pieces of information to authenticate themselves, such as a password and a code from a device. MFA adds an extra layer of protection for the root user credentials, which can access sensitive information and perform critical operations in the account2.

Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user. IAM is a service that helps customers manage access to AWS resources for users and groups. Customers can create IAM users and assign them permissions to perform specific tasks on specific resources. Customers can also create IAM roles and policies to delegate access to other AWS services or external entities3. By creating an IAM user with administrator privileges, customers can avoid using the root user for everyday tasks and reduce the risk of accidental or malicious changes to the account1.

 A is correct because Amazon RDS is the AWS service that provides a managed relational database service that supports various database engines, such as MySQL, PostgreSQL, Oracle, and SQL Server. B is incorrect because Amazon Redshift is the AWS service that provides a managed data warehouse service that is optimized for analytical queries. C is incorrect because Amazon ElastiCache is the AWS service that provides a managed in-memory data store service that supports Redis and Memcached. D is incorrect because Amazon Neptune is the AWS service that provides a managed graph database service that supports property graph and RDF models.

Using EC2 instances in a single Availability Zone is a solution that meets the requirements of minimizing network latency between the EC2 instances and not needing high availability. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. EC2 instances within the same Availability Zone can communicate with each other using low-latency private IP addresses. However, EC2 instances in a single Availability Zone are not highly available, because they are vulnerable to failures or disruptions that affect the Availability Zone

Amazon S3 is a service that provides highly durable and cost-effective object storage for a variety of use cases, including backup and archive, big data analytics, disaster recovery, and cloud applications. Amazon S3 offers 99.999999999% (11 9’s) of durability, meaning that data is designed to withstand the loss of two facilities concurrently. Amazon S3 also offers several storage classes with different price and performance characteristics, such as S3 Glacier and S3 Glacier Deep Archive, which are ideal for long-term archival of data that is rarely accessed. AWS Snowball, AWS Storage Gateway, and Amazon Kinesis are not designed to provide the same level of durability and cost-effectiveness as Amazon S3 for storing call recordings for 6 years. Source: Amazon S3

This is the pillar of the AWS Well-Architected Framework that represents the philosophy of testing failure scenarios regularly and validating the understanding of the impact of potential failures. The operational excellence pillar covers the best practices for designing, running, monitoring, and improving systems in the AWS Cloud. Testing failure scenarios is one of the ways to improve the system’s resilience, reliability, and recovery. You can learn more about the operational excellence pillar from this whitepaper or this digital course.

 Amazon EFS is a fully managed service that provides scalable and elastic file storage for multiple Amazon EC2 instances. Amazon EFS supports the Network File System (NFS) protocol, which allows multiple EC2 instances to access the same file system concurrently. You can learn more about Amazon EFS from this webpage or this digital course.

 The AWS Cloud Adoption Framework (AWS CAF) helps organizations understand how cloud adoption transforms the way they work, and it provides structure to identify and address gaps in skills and processes. The AWS CAF organizes guidance into six areas of focus, called perspectives. Each perspective reflects a different stakeholder viewpoint with its own distinct responsibilities, skills, and attributes. The Security Perspective helps you structure the selection and implementation of security controls that meet your organization’s needs2.

Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size. You can specify the maximum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes above this size4. AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Amazon Polly is a service that turns text into lifelike speech, allowing you to create applications that talk, and build entirely new categories of speech-enabled products. Polly’s Text-to-Speech (TTS) service uses advanced deep learning technologies to synthesize natural sounding human speech1. Amazon Polly supports dozens of languages and a wide range of natural-sounding voices. You can customizeand control the speech output by using lexicons and SSML tags. You can also store and redistribute the speech output in standard audio formats like MP3 and OGG2.

Amazon Transcribe is a service that converts speech to text, enabling you to create text transcripts from audio or video files. It can recognize multiple speakers, different languages, accents, dialects, and background noises. It can also add punctuation and formatting to the transcripts. Amazon Transcribe is useful for applications such as subtitling, captioning, transcription, and voice search.

Amazon Rekognition is a service that provides image and video analysis using computer vision and deep learning. It can detect objects, faces, text, scenes, activities, and emotions in images and videos. It can also perform face recognition, face comparison, face search, celebrity recognition, and facial analysis. Amazon Rekognition is useful for applications such as security, social media, e-commerce, and media and entertainment.

Amazon Textract is a service that extracts text and data from scanned documents using optical character recognition (OCR) and machine learning. It can identify the contents of fields in forms and tables, as well as the relationships between them. It can also preserve the layout and structure of the original document. Amazon Textract is useful for applications such as data entry, document management, compliance, and analytics.

AWS Security Token Service (AWS STS) is a service that provides temporary security credentials to users or applications that need to access AWS resources. The temporarycredentials have a limited lifetime and can be configured to last from a few minutes to several hours. The credentials are not stored with the user or application, but are generated dynamically and provided on request. The credentials work almost identically to long-term access key credentials, but have the advantage of not requiring distribution, rotation, or revocation1.

AWS Key Management Service (AWS KMS) is a service that provides encryption and decryption services for data and keys. It does not provide temporary security credentials2.

AWS CloudHSM is a service that provides hardware security modules (HSMs) for cryptographic operations and key management. It does not provide temporary security credentials3.

Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. It can also provide temporary security credentials for authenticated users, but not for applications4.

Amazon Aurora is a fully managed MySQL-compatible database that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open-source databases. Amazon Aurora is part of the Amazon Relational Database Service (Amazon RDS) family, which means it inherits the benefits of a fully managed service, such as automated backups, patches, scaling, monitoring, and security. Amazon Aurora also offers up to five times the throughput of standard MySQL, as well as high availability, durability, and fault tolerance with up to 15 read replicas, cross-Region replication, and self-healing storage. Amazon Aurora is compatible with the latest versions of MySQL, as well as PostgreSQL, and supports various features and integrations that enhance its functionality and usability123

 Amazon Aurora, Amazon RDS, AWS — Amazon Aurora Overview

AWS Transit Gateway serves as a central hub that enables connectivity between multiple VPCs and on-premises networks. It simplifies network architecture and management by acting as a centralized gateway for traffic flowing between all connected networks. Other options, such as Gateway VPC Endpoints and AWS PrivateLink, do not provide the centralized, scalable connectivity that Transit Gateway offers across multiple VPCs and on-premises environments.

AWS Config enables users to assess, audit, and evaluate the configurations of AWS resources. It provides information that can be used by external auditors to ensure compliance with various regulatory requirements by tracking changes and maintaining configuration history. Amazon Cognito, FSx, and Inspector do not provide detailed configuration tracking for audit purposes.

Amazon Rekognition provides machine learning capabilities to analyze images and videos, enabling the detection of objects, people, text, and scenes. It is designed specifically for image and video analysis, making it suitable for various use cases like facial recognition and content moderation. Other services like Amazon Connect, Lightsail, and Personalize do not offer image or video analysis capabilities.

Amazon EC2 is a service that provides resizable compute capacity in the cloud. Users can launch and manage virtual servers, known as instances, that run on the AWS infrastructure. Users are responsible for maintaining the underlying operating system of the instances, as well as any applications or software that run on them. Amazon DynamoDB is a service that provides a fully managed NoSQL database that delivers fast and consistent performance at any scale. Users do not need to manage the underlying operating system or the database software. Amazon S3 is a service that provides scalable and durable object storage in the cloud. Users do not need to manage the underlying operating system or the storage infrastructure. AWS Lambda is a service that allows users to run code without provisioning or managing servers. Users only need to upload their code and configure the triggers and parameters. AWS Lambda takes care of the underlying operating system and the execution environment.

AWS Artifact Overview:

AWS Artifact is a service that provides on-demand access to AWS compliance documentation and agreements.

It includes reports such as PCI DSS, SOC, and ISO certifications.

How AWS Artifact Meets the Requirement:

The PCI DSS compliance documentation can be downloaded directly from the Artifact console.

Artifact helps customers demonstrate compliance to auditors by providing official certifications and attestations.

Why Other Options Are Incorrect:

B. AWS Organizations:Used for managing accounts, not compliance reports.

C. AWS Trusted Advisor:Offers best practice checks but does not provide compliance documentation.

D. AWS Support Center:Provides customer support and ticket management but not compliance documentation.

AWS Artifact is a service that provides on-demand access to AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and Service Organization Control (SOC) reports. You can download these documents and submit them as evidence to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. AWS Artifact also allows you to review, accept, and manage AWS agreements, such as the Business Associate Addendum (BAA) for customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA). References: AWS Artifact, What is AWS Artifact?

Rightsizing is the cloud concept that is demonstrated by using AWS Compute Optimizer. Rightsizing is the process of adjusting the type and size of your cloud resources to match the optimal performance and cost for your workloads. AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of your AWS resources, such as Amazon EC2 instances, Amazon EBS volumes, AWS Lambda functions, and Amazon ECS services on AWS Fargate. It reports whether your resources are optimal, and generates optimization recommendations to reduce the cost and improve the performance of your workloads. AWS Compute Optimizer uses machine learning to analyze your historical utilization data and compare it with the most cost-effective AWS alternatives. You can use the recommendations toevaluate the trade-offs between cost and performance, and decide when to move or resize your resources to achieve the best results. References: Workload Rightsizing - AWS Compute Optimizer - AWS, What is AWS Compute Optimizer? - AWS Compute Optimizer

Amazon S3 Glacier Deep Archive is the lowest-cost storage class in the cloud. It is designed for long-term data archiving that is rarely accessed. It offers a retrieval time of 12 hours and a durability of 99.999999999% (11 9’s). It is ideal for data that must be retained for 7 years or longer to meet regulatory compliance requirements.

AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices, including security and performance. It can help you monitor for misconfigured security groups that are allowing unrestricted access to specific ports. Amazon CloudWatch is a service that monitors your AWS resources and the applications you run on AWS. Amazon GuardDuty is a threat detection service that continuously monitors for maliciousactivity and unauthorized behavior. AWS Health Dashboard provides relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities.

Amazon Textract is a service that automatically extracts text and data from scanned documents. Amazon Textract goes beyond simple optical character recognition (OCR) to also identify thecontents of fields in forms and information stored in tables. Amazon Textract can analyze images of scanned financial invoices and extract the total balance amounts, as well as other relevant information, such as invoice number, date, vendor name, etc5.

To follow the principle of least privilege, the company should create an IAM user with only programmatic access since the access is limited to AWS CLI and SDKs, not the Management Console. Additionally, a custom IAM policy granting specific Amazon RDS permissions should be created and attached to this user to restrict access solely to necessary actions. Providing programmatic access only ensures adherence to security best practices by limiting access to the required interfaces.

AWS Trusted Advisor provides checks and recommendations across various categories, including cost optimization, security, and performance. Access to all Trusted Advisor checks is available with AWS Business Support, ensuring the company can follow AWS best practices comprehensively. The Developer Support plan offers limited Trusted Advisor checks, and AWS Health Dashboard provides insights into service health but not specific best practice recommendations.

Amazon S3 Glacier Flexible Retrieval is optimized for storing infrequently accessed data at a very low cost, making it suitable for data archiving and long-term backups. It provides flexible retrieval options for archived data. Other services like FSx for Lustre, EBS, and EFS are more suited for frequently accessed data and higher-performance use cases, not archival storage.

Amazon EC2 M1 Mac instances are the AWS service or resource that the company should use for its iOS application development and build activities, as they enable users to run macOS on AWS and access a broad and growing set of AWS services. AWS CodeCommit is a service that provides a fully managed source control service that hosts secure Git-based repositories. AWS Amplify is a set of tools and services that enable developers to build full-stack web and mobile applications using AWS. AWS App Runner is a service that makes it easy for developers to quickly deploy containerized web applications and APIs. These concepts are explained in the AWS Developer Tools page4.

AWS Enterprise Support provides strategic planning assistance, infrastructure event management, and real-time support, which are necessary for business-critical applications. Trusted Advisor and APN do not offer direct strategic support, and while AWS Professional Services can assist with complex solutions, Enterprise Support specifically includes ongoing operational support and event management.

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards AWS applications against network and transport layer attacks. AWS Shield Standard is automatically included with all AWS services and offers protection against common DDoS attacks. For more advanced protection, AWS Shield Advanced provides additional DDoS mitigation measures. Although AWS WAF, Firewall Manager, and GuardDuty contribute to security, they do not specialize in DDoS mitigation at the network layer like AWS Shield does.

Enforcing multi-factor authentication (MFA) for privileged users enhances account security by requiring a second form of authentication. It reduces the risk of unauthorized access, even if credentials are compromised. Removing the root account is not possible, and creating access keys for the root account or privileged users can increase security risks rather than reduce them.

AWS Budgets allows organizations to set custom cost and usage budgets and receive notifications when they exceed predefined thresholds. This feature helps the finance department monitor spending and manage budget forecasts effectively. AWS Cost and Usage Reports and Cost Explorer provide detailed billing data but do not include budget notifications. Consolidated billing in AWS Organizations is useful for aggregating billing across accounts but does not provide budget alerts.

Architecture optimization is the best practice for cost governance that this example shows. Architecture optimization is the process of designing and implementing AWS solutions that are efficient, scalable, and cost-effective. By using specific AWS services to improve efficiency and reduce cost, the company is following the architecture optimization best practice. Some of the techniques for architecture optimization include using the right size and type of resources, leveraging elasticity and scalability, choosing the most suitable storage class, and using serverless and managed services2.

AWS Storage Gateway file gateway allows companies to use protocols such as NFS and SMB to store and retrieve objects in Amazon S3. File gateway provides a seamless integration between on-premises applications and Amazon S3, and enables low-latency access to data through local caching. File gateway also supports encryption, compression, and lifecycle management of the objects in Amazon S3. For more information, see What is AWS Storage Gateway? and File Gateway.

The correct answer is B because Application Load Balancer is an AWS load balancer that will meet the requirements and take the least amount of effort to deploy. Application Load Balancer is a type of Elastic Load Balancing that operates at the application layer (layer 7) of the OSI model and routes requests to targets based on the content of the request. Application Load Balancer supports advanced features, such as path-based routing, host-based routing, and HTTP header-based routing. The other options are incorrect because they are not AWS load balancers that will meet the requirements and take the least amount of effort to deploy. Network Load Balancer is a type of Elastic Load Balancing that operates at the transport layer (layer 4) of the OSI model and routes requests to targets based on the destination IP address and port. Network Load Balancer does not support path-based routing. AWS OpsWorks Load Balancer is not an AWS load balancer, but rather a feature of AWS OpsWorks that enables users to attach an Elastic Load Balancing load balancer to a layer of their stack. Custom Load Balancer on Amazon EC2 is not an AWS load balancer, but rather a user-defined load balancer that runs on an Amazon EC2 instance. Custom Load Balancer on Amazon EC2 requires more effort to deploy and maintain than an AWS load balancer. Reference: Elastic Load Balancing

 EFS Standard-Infrequent Access (EFS Standard-IA) is the storage class that meets the requirements of storing data across multiple Availability Zones in an AWS Region, that will not be accessed regularly but must be immediately retrievable, most cost-effectively. EFS Standard-IA is designed for files that are accessed less frequently, but still require the same high performance, low latency, and high availability as EFS Standard. EFS Standard-IA has a lower storage cost than EFS Standard, but charges a small additional fee for each access. EFS One Zone and EFS One Zone-IA store data in a single Availability Zone, which reduces the availability and durability compared to EFS Standard and EFS Standard-IA.

 The correct answer is A because an Availability Zone consists of one or more data centers in a single location. An Availability Zone is an isolated location within an AWS Region that has independent power, cooling, and networking. Each Availability Zone has one or more data centers that host the physical servers and storage devices that run the AWS services. The other options are incorrect because they are not accurate descriptions of an Availability Zone. Two or more data centers in multiple locations are not an Availability Zone, but rather multiple Availability Zones within an AWS Region. One or more physical hosts in a single data center are not an Availability Zone, butrather the components of a data center within an Availability Zone. Two or more physical hosts in multiple data centers are not an Availability Zone, but rather the components of multiple data centers within one or more Availability Zones. Reference: [Regions, Availability Zones, and Local Zones]

 AWS IAM Identity Center (AWS Single Sign-On) is the AWS service that the company should use to meet the requirements of managing access and permissions for its third-party SaaS applications. AWS Single Sign-On is a cloud-based service that makes it easy to centrally manage single sign-on(SSO) access to multiple AWS accounts and business applications. You can use AWS Single Sign-On to enable your users to sign in to a user portal with their existing corporate credentials and access all of their assigned accounts and applications from one place4.

The architecture concept of the AWS Cloud that meets the requirements of the company that wants to migrate to the AWS Cloud and needs the ability to acquire and release resources as needed is elasticity. Elasticity means that AWS customers can quickly and easily provision and scale up or down AWS resources as their demand changes, without any upfront costs or long-term commitments. AWS provides various tools and services that enable customers to achieve elasticity, such as Amazon EC2 Auto Scaling, Amazon CloudWatch, and AWS CloudFormation. Elasticity helps customers optimize their performance, availability, and cost efficiency. Availability, reliability, and durability are other architecture concepts of the AWS Cloud, but they are not directly related to the ability to acquire and release resources as needed. Availability means that AWS customers can access their AWS resources and applications whenever and wherever they need them. Reliability means that AWS customers can depend on their AWS resources and applications to functioncorrectly and consistently. Durability means that AWS customers can preserve their data and objects for long periods of time without loss or corruption12

 AWS Systems Manager Patch Manager is a capability that allows users to automate the security updates for their operating systems and applications. It enables users to scan their instances for missing patches, define patch baselines, schedule patching windows, and monitor patch compliance. It supports Amazon EC2 instances, Amazon Lightsail instances, and on-premises servers. AWS Shield is a service that provides protection against Distributed Denial of Service (DDoS) attacks for AWS resources and services. It does not automate the security updates for operating systems and applications. Connecting to each server by using a remote desktop connection and running an update script is a manual and time-consuming solution that requires a lot of operational effort. It is not a recommended best practice for automating the security updates for operating systems and applications. Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for AWS accounts and resources. It does not automate the security updates for operating systems and applications.

The AWS shared responsibility model describes how AWS and the customer share responsibility for security and compliance of the AWS environment. AWS is responsible for the security of the cloud, which includes the physical security of AWS facilities, the infrastructure, hardware, software, and networking that run AWS services. The customer is responsible for security in the cloud, which includes the configuration of security groups, the encryption of customer data on AWS, the management of AWS Lambda infrastructure, and the management of network throughput of each AWS Region. One of the customer responsibilities is to ensure that Amazon EBS volumes are backed up.

 Performance efficiency is the pillar of the AWS Well-Architected Framework that represents the requirements of designing a solution for the efficient use of compute resources for an enterprise workload and making informed decisions as the technology needs evolve. It focuses on using the right resources and services for the workload, monitoring performance, and continuously improving the efficiency of the solution. Operational excellence is the pillar of the AWS Well-Architected Framework that represents the ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures. Cost optimization is the pillar of the AWS Well-Architected Framework that represents the ability to run systems to deliver business value at the lowest price point. Reliability is the pillar of the AWS Well-Architected Framework that represents the ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

 Availability Zones contain multiple data centers. This is a characteristic of the AWS global infrastructure, which consists of AWS Regions, Availability Zones, and edge locations. AWS Regions are geographically isolated areas that contain multiple Availability Zones. Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures and connected by low-latency, high-throughput, and highly redundant networking. Each Availability Zone contains one or more data centers that house the servers and storage devices that run AWS services. Edge locations are sites that are located closer to the end users and provide caching and content delivery services. AWS Global InfrastructureAWS Certified Cloud Practitioner - aws.amazon.com

AWS Pricing Calculator is a web-based planning tool that customers can use to create estimates for their AWS use cases. They can use it to model their solutions before building them, explore the AWS service price points, and review the calculations behind their estimates. Therefore, the correct answer is A. You can learn more about AWS Pricing Calculator and how it works.

 Identity and access management is the customer’s responsibility, according to the AWS shared responsibility model. This means that the customer is responsible for managing user access to the AWS resources, using tools such as AWS Identity and Access Management (IAM), AWS Single Sign-On (SSO), and AWS Organizations. The customer is also responsible for securing their data in transit and at rest, using encryption, key management, and other methods. Hard drive initialization, protection of data center hardware, and security of Availability Zones are AWS’s responsibility, as they are part of the infrastructure, physical security, and network security that AWS provides to the customer12

 The services that can be used to deploy applications on AWS are:

AWS Elastic Beanstalk. This is a service that simplifies the deployment and management of web applications on AWS. Users can upload their application code and Elastic Beanstalk automatically handles the provisioning, scaling, load balancing, monitoring, and health checking of the resources needed to run the application. Users can also retain full control and access to the underlying resources and customize their configuration settings. Elastic Beanstalk supports multiple platforms, such as Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker. [AWS Elastic Beanstalk Overview] AWS Certified Cloud Practitioner - aws.amazon.com

AWS OpsWorks. This is a service that provides configuration management and automation for AWS resources. Users can define the application architecture and the configuration of each resource using Chef or Puppet, which are popular open-source automation platforms. OpsWorks then automatically creates and configures the resources according to the user’s specifications. OpsWorks also provides features such as auto scaling, monitoring, and integration with other AWS services. OpsWorks has two offerings: OpsWorks for Chef Automate and OpsWorks for Puppet Enterprise. [AWS OpsWorks Overview] AWS Certified Cloud Practitioner - aws.amazon.com

 AWS offers different support plans to meet the needs of different customers. The AWS Enterprise Support plan is the highest level of support that provides customers with concierge-like service, where the main focus is helping them achieve their outcomes and find success in the cloud. One of the benefits of the AWS Enterprise Support plan is that customers get designated support from an AWS technical account manager (TAM), who provides consultative architectural and operational guidance based on their applications and use cases. Therefore, the correct answer is B. You can learn more about AWS support plans and their benefits .

 The correct answer is C because AWS CloudHSM is an AWS service that enables the security engineer to meet the requirements. AWS CloudHSM is a service that provides customers with dedicated hardware security modules (HSMs) to create, control, and manage their own cryptographic keys in the AWS Cloud. AWS CloudHSM allows customers to meet strict regulatory compliance requirements for data security, such as FIPS 140-2 Level 3, PCI-DSS, and HIPAA. The other options are incorrect because they are not AWS services that enable the security engineer to meet the requirements. AWS Key Management Service (AWS KMS) is a service that provides customers with a fully managed, scalable, and integrated key management system to create and control encryption keys for AWS services and applications. AWS KMS does not provide customers with single-tenant or dedicated HSMs. AWS Certificate Manager (ACM) is a service that provides customers with a simple and secure way to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. ACM does not provide customers with HSMs or cryptographic keys. AWS Systems Manager is a service that provides customers with a unified user interface to view operational data from multiple AWS services and automate operational tasks across their AWS resources. AWS Systems Manager does not provide customers with HSMs or cryptographic keys. Reference: AWS CloudHSM FAQs

Compute Savings Plans are a flexible and cost-effective way to optimize long-term compute costs of AWS Lambda functions and Amazon EC2 instances. With Compute Savings Plans, customers can commit to a consistent amount of compute usage (measured in $/hour) for a 1-year or 3-year termand receive a discount of up to 66% compared to On-Demand prices3. Dedicated Hosts are physical servers with EC2 instance capacity fully dedicated to the customer’s use. They are suitable for customers who have specific server-bound software licenses or compliance requirements4. Reserved Instances are a pricing model that provides a significant discount (up to 75%) compared to On-Demand pricing and a capacity reservation for EC2 instances. They are available in 1-year or 3-year terms and different payment options5. Spot Instances are spare EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for customers who have flexible start and end times, can withstand interruptions, and can handle excess capacity.

Amazon Route 53 is a highly available and scalable DNS web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating domain names into the numeric IP addresses that computers use to connect to each other2. Amazon Route 53 also offers other features such as health checks, traffic management, domain name registration, and DNSSEC3.

Amazon ElastiCache is a fully managed in-memory data store service that is compatible with open source engines such as Redis and Memcached1. It provides fast and scalable performance for applications that require high throughput and low latency1. Amazon DynamoDB is a fully managed NoSQL database service that provides consistent and single-digit millisecond latency at any scale2. Amazon EBS is a block storage service that provides persistent and durable storage volumes for Amazon EC2 instances3. Amazon Redshift is a fully managed data warehouse service that allows users to run complex analytic queries using SQL4.

The correct answer is C because Amazon QuickSight is an AWS service that will provide the dashboards and charts for the insights from business data. Amazon QuickSight is a fully managed, scalable, and serverless business intelligence service that enables users to create and share interactive dashboards and charts. Amazon QuickSight can connect to various data sources, such as Amazon S3, Amazon RDS, Amazon Redshift, and more. Amazon QuickSight also provides users with machine learning insights, such as anomaly detection, forecasting, and natural languagenarratives. The other options are incorrect because they are not AWS services that will provide the dashboards and charts for the insights from business data. Amazon Macie is an AWS service that helps users discover, classify, and protect sensitive data stored in Amazon S3. Amazon Aurora is an AWS service that provides a relational database that is compatible with MySQL and PostgreSQL. AWS CloudTrail is an AWS service that enables users to track user activity and API usage across their AWS account. Reference: Amazon QuickSight FAQs

Managing service control policies (SCPs) is an activity that companies can complete by using AWS Organizations. AWS Organizations is a service that enables the user to consolidate multiple AWS accounts into an organization that can be managed as a single unit. AWS Organizations allows the user to create groups of accounts and apply policies to them, such as service control policies (SCPs) that specify the services and actions that users and roles can access in the accounts. AWS Organizations also enables the user to use consolidated billing, which combines the usage and charges from all the accounts in the organization into a single bill3.

The correct answer is B because Spot Instances enable the company to optimize costs and meet the requirements. Spot Instances are spare EC2 instances that are available at up to 90% discount compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible applications that can run for any duration. The other options are incorrect because they do not enable the company to optimize costs and meet the requirements. Reserved Instances are EC2 instances that are reserved for a specific period of time (one or three years) in exchange for a lower hourly rate. Reserved Instances are suitable for steady-state or predictable workloads that run for a long duration. On-Demand Instances are EC2 instances that are launched and billed at a fixed hourly rate. On-Demand Instances are suitable for short-term, irregular, or unpredictable workloads that cannot be interrupted. Dedicated Instances are EC2 instances that run on hardware that is dedicated to a single customer. Dedicated Instances are suitable for workloads that require regulatory compliance or data isolation. Reference: [Amazon EC2 Instance Purchasing Options]

AWS is responsible for decommissioning end-of-life underlying storage devices that are used to host data on AWS. AWS follows strict and audited data destruction processes to ensure that customer data is not exposed to unauthorized individuals or devices when an AWS storage device reaches the end of its useful life. AWS uses techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process3.

The correct answers are B and C because they are advantages of the AWS Cloud. High economies of scale means that AWS can achieve lower variable costs than customers can get on their own. Launch globally in minutes means that AWS has a global infrastructure that allows customers to deploy their applications and data across multiple regions and availability zones. The other options are incorrect because they are not advantages of the AWS Cloud. Trade variable expenses for capital expenses means that customers have to invest heavily in data centers and servers before they know how they will use them. Focus on managing hardware infrastructure means that customers have to spend time and money on maintaining and upgrading their physical resources. Overprovision to ensure capacity means that customers have to pay for more resources than they actually need to avoid performance issues. Reference: What is Cloud Computing?

 According to the AWS shared responsibility model, the customer is responsible for configuring logical access controls for resources, and protecting account credentials. This includes managing IAM user permissions, security group rules, network ACLs, encryption keys, and other aspects of access management1. AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud, such as the hardware, software, networking, and facilities. AWS isalso responsible for configuring the security used by managed services, such as Amazon RDS, Amazon DynamoDB, and Amazon Aurora2.

Amazon Route 53 is the AWS service that provides DNS resolution. DNS (Domain Name System) is a service that translates domain names into IP addresses. Amazon Route 53 is a highly available and scalable cloud DNS service that offers domain name registration, DNS routing, and health checking. Amazon Route 53 can route the traffic to various AWS services, such as Amazon EC2, Amazon S3, and Amazon CloudFront. Amazon Route 53 can also integrate with other AWS services, such as AWS Certificate Manager, AWS Shield, and AWS WAF. For more information, see [What is Amazon Route 53?] and [Amazon Route 53 Features].

Designing for automatic failover to healthy resources is an AWS best practice when designing AWS workloads to be operational even when there are component failures. This means that you should architect your system to handle the loss of one or more components without impacting the availability or performance of your application. You can use various AWS services and features to achieve this, such as Auto Scaling, Elastic Load Balancing, Amazon Route 53, Amazon CloudFormation, and AWS CloudFormation4.

Using Amazon Elastic Container Service (Amazon ECS) to break down a monolithic architecture into microservices is an example of a loosely coupled architecture. A loosely coupled architecture is one where the components are independent and can communicate with each other through well-defined interfaces. This allows for greater scalability, flexibility, and resilience. A tightly coupled architecture is one where the components are interdependent and rely on each other for functionality. This can lead to increased complexity, fragility, and difficulty in changing or scaling the system. Amazon ECS OverviewAWS Well-Architected Framework

To achieve high availability in the event of a natural disaster, the company should use EC2 instances in multiple AWS Regions. AWS Regions are geographically isolated areas that consist of multiple Availability Zones. Availability Zones are physically separate locations within an AWS Region that areengineered to be isolated from failures. By using EC2 instances in multiple AWS Regions, the company can ensure that its applications can continue to run even if one Region is affected by a disaster. AWS Global InfrastructureAWS Well-Architected Framework

The correct answer is D because AWS Enterprise Support is the support plan that provides customers with access to an AWS technical account manager (TAM). AWS Enterprise Support is the highest level of support plan offered by AWS, and it provides customers with the most comprehensive and personalized support experience. An AWS TAM is a dedicated technical resource who works closely with customers to understand their business and technical needs, provide proactive guidance, and coordinate support across AWS teams. The other options are incorrect because they are not support plans that provide customers with access to an AWS TAM. AWS Basic Support is the default and free support plan that provides customers with access to online documentation, forums, and account information. AWS Developer Support is the lowest level of paid support plan that provides customers with access to technical support during business hours, general guidance, and best practice recommendations. AWS Business Support is the intermediate level of paid support plan that provides customers with access to technical support 24/7, system health checks, architectural guidance, and case management. Reference: AWS Support Plans

Amazon RDS is the AWS service that will meet the requirements of using a managed service to simplify the setup, operation, and scaling of a MySQL database in the AWS Cloud. Amazon RDS is a relational database service that supports MySQL and other popular database engines. Amazon RDS handles routine database tasks such as provisioning, patching, backup, recovery, and scaling. Amazon RDS also offers high availability, security, and compatibility features3

 AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. With AWS Organizations, you can create a single payment method for all the AWS accounts in your organization through consolidated billing. Consolidated billing enables you to see a combined view of AWS charges incurred by all accounts in your organization, as well as get a detailed cost report for each individual AWS account associated with your organization. AWS Artifact is a service that provides on-demand access to AWS’ security and compliance reports and select online agreements. AWS Budgets is a service that enables you to plan your service usage, service costs, and instance reservations. AWS Trusted Advisor is a servicethat provides real-time guidance to help you provision your resources following AWS best practices. None of these services or tools offer consolidated billing.

The correct answer is C because Dedicated Hosts are Amazon EC2 instances that are required when a user wants to utilize their existing per-socket, per-core, or per-virtual machine software licenses for a Microsoft Windows server running on AWS. Dedicated Hosts are physical servers that are dedicated to a single customer. Dedicated Hosts allow customers to use their existing server-bound software licenses, such as Windows Server, SQL Server, and SUSE Linux Enterprise Server, subject to their license terms. The other options are incorrect because they are not Amazon EC2 instances that are required when a user wants to utilize their existing per-socket, per-core, or per-virtual machine software licenses for a Microsoft Windows server running on AWS. Spot Instances are spare Amazon EC2 instances that are available at up to 90% discount compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible workloads that can recover from interruptions easily. Dedicated Instances are Amazon EC2 instances that run on hardware that is dedicated to a single customer, but not to a specific physical server. Dedicated Instances do not allow customers to use their existing server-bound software licenses. Reserved Instances are Amazon EC2 instances that are reserved for a specific period of time (one or three years) in exchange for a lower hourly rate. Reserved Instances are suitable for steady-state or predictable workloads that run for a long duration. Reserved Instances do not allow customers to use their existing server-bound software licenses. Reference: Dedicated Hosts, Amazon EC2 Instance Purchasing Options

Cost optimization is the pillar of the AWS Well-Architected Framework that aligns with the requirements of not relying on elaborate forecasting and paying only for the resources that are used. The cost optimization pillar focuses on the ability of a system to deliver business value at the lowest price point. Cost optimization involves using the right AWS services and resources for the workload, measuring and monitoring the cost and usage, and continuously improving the cost efficiency. Cost optimization also leverages the benefits of the AWS Cloud, such as pay-as-you-go pricing, elasticity, and scalability. For more information, see [Cost Optimization Pillar] and [Cost Optimization].

Scaling horizontally, or adding more instances of resources rather than increasing the size of a single instance, is a core principle of the Performance Efficiency pillar of the AWS Well-Architected Framework. It enables applications to handle increasing loads by distributing traffic across multiple resources. Other options, such as serverless architectures, managed services, and cost measurement, align with other pillars of the framework.

The AWS services and features that are provided to all customers at no charge are VPC and AWS Identity and Access Management (IAM). VPC is a service that allows you to launch AWS resources in a logically isolated virtual network that you define. You can create and use a VPC at no additional charge, and you only pay for the resources that you launch in the VPC, such as EC2 instances or EBSvolumes. IAM is a service that allows you to manage access and permissions to AWS resources. You can create and use IAM users, groups, roles, and policies at no additional charge, and you only pay for the AWS resources that the IAM entities access. Amazon Aurora, Amazon SageMaker, andAmazon Polly are not free services, and they charge based on the usage and features that you choose5

Management of the guest operating systems is a customer’s responsibility, according to the AWS shared responsibility model. The AWS shared responsibility model defines the different security and compliance responsibilities of AWS and the customer. AWS is responsible for the security of the cloud, which includes the physical infrastructure, hardware, software, and facilities that run the AWS Cloud. The customer is responsible for security in the cloud, which includes the configuration and management of the guest operating systems, applications, data, and network traffic protection

The correct answer to the question is D because AWS Trusted Advisor is an AWS service that can be used to accomplish the goal of identifying any security group that is allowing unrestricted incoming SSH traffic. AWS Trusted Advisor is a service that provides customers with recommendations that help them follow AWS best practices. Trusted Advisor evaluates the customer’s AWS environment and identifies ways to optimize their AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. One of the checks that Trusted Advisor performs is the Security Groups - Specific Ports Unrestricted check, which flags security groups that allow unrestricted access to specific ports, such as port 22 for SSH. Customers can use this check to review and modify their security group rules to restrict SSH access to only authorized sources. Reference: Security Groups - Specific Ports Unrestricted

 Physical and environmental controls are entirely the responsibility of AWS, according to the AWS shared responsibility model. The AWS shared responsibility model defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the physical and environmental controls of the AWS global infrastructure, such as power, cooling, fire suppression, and physical access. The customer is responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications. For more information, see [AWS Shared Responsibility Model] and [AWS Cloud Security].

To maximize sustainability and minimize environmental impact, a company should apply the following design principles to AWS Cloud workloads: maximize utilization of Amazon EC2 instances and reduce the need for users to reinstall applications. Maximizing utilization of Amazon EC2 instances means that the company can optimize the performance and efficiency of their compute resources, and avoid wasting energy and money on idle or underutilized instances. The company can use features such as Amazon EC2 Auto Scaling, Amazon EC2 Spot Instances, and AWS Compute Optimizer to automatically adjust the number and type of instances based on demand, cost, and performance. Reducing the need for users to reinstall applications means that the company can minimize the amount of data and bandwidth required to deliver their applications to users, and avoid unnecessary downloads and updates that consume energy and resources. The company can use services such as Amazon CloudFront, AWS AppStream 2.0, and AWS Amplify to deliver their applications faster, more securely, and more efficiently to users across the globe. Minimizing utilization of Amazon EC2 instances, minimizing usage of managed services, and forcing frequent application reinstallations by users are not design principles that would maximize sustainability and minimize environmental impact. Minimizing utilization of Amazon EC2 instances would reduce the performance and efficiency of the compute resources, and potentially increase the costs and complexity of the cloud workloads. Minimizing usage of managed services would increase the operational overhead and responsibility of the company, and potentially expose them to more security and reliability risks. Forcing frequent application reinstallations by users would increase the amount of data and bandwidth required to deliver the applications to users, and potentially degrade the user experience and satisfaction.

 The correct answers are C and D because S3 bucket policies and IAM user policies are AWS features that will meet the requirements. S3 bucket policies are access policies that can be attached to Amazon S3 buckets to grant or deny permissions to the bucket and the objects it contains. S3 bucket policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. IAM user policies are access policies that can be attached to IAM users to grant or deny permissions to AWS resources and actions. IAM user policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. The other options are incorrect because they are not AWS features that will meet the requirements. Security groups and network ACLs are AWS features that act as firewalls to control inbound and outbound traffic to and from Amazon EC2 instances and subnets. Security groups andnetwork ACLs do not control who has permission to read, write, or delete objects that the company stores in the S3 bucket. S3 bucket versioning is an AWS feature that enables users to keep multiple versions of the same object in the same bucket. S3 bucket versioning can be used to recover from accidental overwrites or deletions of objects, but it does not control who has permission to read, write, or delete objects that the company stores in the S3 bucket. Reference: Using Bucket Policies and User Policies, Security Groups for Your VPC, Network ACLs, [Using Versioning]

 An AWS Region is a specific location within a geographic area that provides high availability. An AWS Region consists of two or more Availability Zones, which are isolated locations within the sameRegion. Each Availability Zone has independent power, cooling, and physical security, and is connected to the other Availability Zones in the same Region by low-latency, high-throughput, and highly redundant networking. AWS services are available in multiple Regions around the world, allowing the user to choose where to run their applications and store their data1.

 AWS is responsible for performing hardware maintenance in the AWS facilities that run the AWS Cloud. This is part of the shared responsibility model, where AWS is responsible for the security of the cloud, and the customer is responsible for security in the cloud. AWS is also responsible for the global infrastructure that runs all of the services offered in the AWS Cloud, including the hardware, software, networking, and facilities that run AWS Cloud services3. The customer is responsible for the guest operating system, including updates and security patches, as well as the web application and services developed with Docker4.

 Pay-as-you-go pricing is an AWS benefit that demonstrates the ability of users to replace upfront fixed expenses with variable expenses. With pay-as-you-go pricing, users only pay for the resources they consume, without any long-term contracts or commitments. This can lower the total cost of ownership and increase the return on investment. Pay-as-you-go pricing also provides flexibility and scalability, as users can adjust their resource usage according to their changing needs and demands. AWS Cloud Value FrameworkAWS Certified Cloud Practitioner - aws.amazon.com

 The AWS services or features that can control VPC traffic are security groups and network ACLs. Security groups are stateful firewalls that control the inbound and outbound traffic at the instance level. You can assign one or more security groups to each instance in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. Network ACLs are stateless firewalls that control the inbound and outbound traffic at the subnet level. You can associate one network ACL with each subnet in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. AWS Direct Connect, Amazon GuardDuty, and Amazon Connect are not services or features that can control VPC traffic. AWS Direct Connect is a service that establishes a dedicated network connection between your premises and AWS. Amazon GuardDuty is a service that monitors your AWS account and workloads for malicious or unauthorized activity. Amazon Connect is a service that provides a cloud-based contact center solution.

AWS customer carbon footprint tool is an AWS service or tool that helps companies measure the environmental impact of their AWS usage. It allows users to estimate the carbon emissions associated with their AWS resources and services, such as EC2, S3, and Lambda. It also provides recommendations and best practices to reduce the carbon footprint and improve the sustainability of their AWS workloads4. AWS Compute Optimizer is an AWS service that helps users optimize the performance and cost of their EC2 instances and Auto Scaling groups. It provides recommendations for optimal instance types, sizes, and configurations based on the workload characteristics andutilization metrics. It does not help users measure the environmental impact of their AWS usage. Sustainability pillar is a concept that refers to the ability of a system to operate in an environmentally friendly and socially responsible manner. It is not an AWS service or tool that helps users measure the environmental impact of their AWS usage. OS-Climate (Open Source Climate Data Commons) is an initiative that aims to provide open source data, tools, and platforms to accelerate climate action and innovation. It is not an AWS service or tool that helps users measure the environmental impact of their AWS usage.

Amazon RDS is the AWS service that will meet the requirements of migrating a relational database server to the AWS Cloud and minimizing administrative overhead of database maintenance tasks. Amazon RDS is a fully managed relational database service that handles routine database tasks, such as provisioning, patching, backup, recovery, failure detection, and repair. Amazon RDS supports several database engines, such as MySQL, PostgreSQL, Oracle, SQL Server, and Amazon Aurora5.

 Amazon Elastic Container Service (Amazon ECS) is a solution that meets the requirements of deploying and managing a Docker-based application on AWS with the least amount of operational overhead. Amazon ECS is a fully managed container orchestration service that makes it easy to run, scale, and secure Docker container applications on AWS. Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure. With simple API calls, you can launch and stop container-enabled applications, query the complete state of your cluster, and access many familiar features likesecurity groups, Elastic Load Balancing, EBS volumes, and IAM roles3.

 Amazon Elastic File System (Amazon EFS) and Amazon FSx offer file storage. File storage is a type of storage that organizes data into files and folders, and allows multiple users or applications to access and share the same files over a network. Amazon EFS is a fully managed, scalable, and elastic file system that supports the Network File System (NFS) protocol and can be used with Amazon EC2 instances and AWS Lambda functions. Amazon FSx is a fully managed service that provides two file system options: Amazon FSx for Windows File Server, which supports the Server Message Block(SMB) protocol and is compatible with Microsoft Windows applications; and Amazon FSx for Lustre, which is a high-performance file system that is optimized for compute-intensive workloads

AWS Direct Connect provides a dedicated, low-latency, and consistent network connection between on-premises data centers and AWS. This private connection minimizes latency and improves network stability compared to a public internet connection or VPN. AWS Direct Connect is ideal for applications requiring real-time data transfer with minimal latency.

Spot Instances offer the lowest cost for Amazon EC2 and are suitable for non-production workloads like development and testing where occasional unavailability is acceptable. Spot Instances take advantage of unused EC2 capacity at a reduced cost, making them ideal for environments that can tolerate interruptions. Reserved or On-Demand Instances would be more expensive for this scenario, and Dedicated Hosts are not cost-effective for non-production environments.

AWS Storage Gateway provides on-premises applications with low-latency access to data stored in AWS by caching frequently accessed data locally. It seamlessly integrates on-premises environments with cloud storage, enabling hybrid storage solutions. AWS DataSync is for data transfer, CloudFront is a content delivery network, and AWS Backup is for backup management, not low-latency access.

AWS Organizations enables consolidated billing across multiple AWS accounts and allows for centralized management of security and compliance policies. It provides account grouping and centralized payment management, making it the optimal choice for a company requiring consolidated billing and centralized governance. AWS Cost and Usage Report only provides billing information, and AWS Config and Security Hub offer monitoring and security insights but do not handle billing consolidation.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. It supports both document and key-value data models and is designed to handle large amounts of data across multiple servers. Other options, like Amazon RDS and Aurora, are managed relational database services, and Amazon Redshift is a data warehousing service.

AWS Snowball Edge offers configurations that are either storage-optimized or compute-optimized, providing flexibility for different data migration and processing needs. It supports local processing and data transfer to AWS, catering to scenarios that require heavy storage or compute resources. AWS Snowcone and DataSync do not offer these optimizations, and Storage Gateway focuses on hybrid cloud storage.

TheRehostmigration strategy, often referred to as “lift-and-shift,” involves moving applications to the cloud with minimal or no modifications. This approach is suitable when a company wants to migrate legacy workloads to AWS without altering them. Other strategies, such asRepurchase,Replatform, andRefactor, involve making changes to the application or adopting different services, which is not aligned with the requirement to avoid modifications.

AWS Marketplace is a digital catalog that offers third-party software, including security solutions like intrusion detection systems, which can be deployed directly within an AWS environment. By using AWS Marketplace, companies can find, purchase, and deploy ISP intrusion detection systems or other security tools that meet their specific requirements. Other services, such as AWS Security Hub and Quick Starts, do not directly provide third-party application deployment.

S3 Intelligent-Tiering is cost-effective for data with unpredictable access patterns. It automatically moves data between two access tiers (frequent and infrequent) based on access patterns, which is suitable for data accessed daily or infrequently. S3 Glacier Deep Archive is for archival data accessed infrequently, and S3 One Zone-IA is for infrequent access data stored in a single availability zone, which may not be ideal for data accessed daily.

AWS CloudFormation allows developers to create, manage, and deploy AWS resources using templates, ensuring a standardized and repeatable infrastructure setup. It’s ideal for setting up development, test, and production environments consistently. AWS Cloud Map, CloudFront, and CloudTrail do not provide templated infrastructure management capabilities.

AWS Lambda is a serverless compute service that is ideal for applications with short-running processes and low-frequency invocation, as it only charges for the compute time consumed. Since the application is invoked only a few times a day and runs for less than 5 minutes, Lambda is the most cost-effective option. ECS, EKS, and EC2 are better suited for more persistent workloads and would be more costly in this use case.

AWS Certificate Manager (ACM) Overview:

ACM simplifies the process of provisioning, managing, and deploying SSL/TLS certificates.

These certificates are used to secure HTTPS connections, ensuring encrypted communication between clients and servers.

How ACM Meets the Goal:

Provides free public SSL/TLS certificates.

Automates certificate renewals and deployment with services like Elastic Load Balancing and Amazon CloudFront.

Reduces the operational overhead of managing SSL/TLS certificates.

Why Other Options Are Incorrect:

A. AWS WAF:Focuses on application-layer protection (e.g., SQL injection, cross-site scripting) but does not handle SSL/TLS encryption.

B. AWS Shield:Provides protection against DDoS attacks, not encryption.

C. Amazon VPC:Used for networking and security at the infrastructure level but does not manage SSL/TLS certificates.

AWS Direct Connect provides a dedicated private network connection from on-premises data centers directly to the AWS Cloud, bypassing the public internet. This setup is ideal for reducing network costs, increasing bandwidth throughput, and providing a more consistent network experience compared to standard internet connections. Other services, such as Amazon VPC, relate to networking but do not establish a private network connection from on-premises to AWS.

Creating an IAM role with the required permissions and attaching the role to the EC2 instance is the most operationally efficient solution to delegate permissions. An IAM role is an entity that defines a set of permissions for making AWS service requests. An IAM role can be assumed by an EC2 instance to access other AWS resources, such as Amazon S3 and Amazon DynamoDB, without having to store any credentials on the instance. This solution is more secure and scalable than using IAM users and their access keys. For more information, see [IAM Roles for Amazon EC2] and [Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances].

Amazon Simple Notification Service (Amazon SNS) is the AWS service or feature that is used to send both text and email messages from distributed applications. Amazon SNS is a fully managed pub/sub messaging service that enables the user to send messages to multiple subscribers or endpoints, such as email addresses, phone numbers, HTTP endpoints, AWS Lambda functions, and more. Amazon SNS can be used to send notifications, alerts, confirmations, and reminders from applications to users or other applications4.

AWS Shield Standard and AWS WAF are the AWS services or tools that are designed to protect a workload from SQL injections, cross-site scripting, and DDoS attacks. According to the AWS Shield Developer Guide, "AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection."5 According to the AWS WAF Developer Guide, “AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.” VPC endpoint, virtual private gateway, and AWS Config are not designed to protect a workload from these types of attacks.

 AWS Direct Connect gives users the ability to provision a dedicated and private network connection from their internal network to AWS. AWS Direct Connect links the user’s internal network to an AWSDirect Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to the user’s router, the other to an AWS Direct Connect router. With this connection in place, the user can create virtual interfaces directly to the AWS cloud and Amazon Virtual Private Cloud (Amazon VPC), bypassing internet service providers in the network path2.

 Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. This enables you to use your data to acquire new insights for your business and customers. Amazon Redshift is designed for complex analytical queries that often involve aggregations and joins across very large tables. Amazon Redshift supports standard SQL and integrates with many existing business intelligence tools1.

Amazon S3 is the AWS service that provides highly durable object storage. Amazon S3 is designed to provide 99.999999999% durability of objects over a given year. This means that you can store your data with high confidence that it will not be lost. Amazon S3 also provides high availability, scalability, security, and performance for your data. You can use Amazon S3 to store and retrieve any amount of data, at any time, from anywhere on the web5.

In the AWS Cloud Adoption Framework (AWS CAF), theGovernanceperspective focuses on aligning IT strategy and goals with business processes, which includes managing data assets, setting up an inventory of data products, and ensuring that data cataloging and metadata management are in place. This perspective is crucial for organizing data products and services, which aligns with building a comprehensive data catalog. Other perspectives like Operations, Business, and Platform do not specifically address the management of a data catalog.

Amazon EventBridge (formerly CloudWatch Events) allows users to respond to changes in the state of AWS resources. It can be configured to invoke an AWS Lambda function when an EC2 instance enters the “stopping” state, providing a serverless way to automate responses to changes in EC2 instance states. AWS Config, SNS, and CloudFormation do not provide direct triggering for specific instance state changes.

AWS Migration Hub assists users in planning and tracking the progress of their server and application migrations. It centralizes migration tracking across various AWS services, providing visibility into application inventory and migration status. While AWS Application Migration Service also assists with migrations, Migration Hub is specifically designed for tracking migration data comprehensively.

A VPC endpoint enables private connections between an Amazon VPC and AWS services, like Amazon S3, without requiring internet access. This allows secure access to S3 from an EC2 instance within the same VPC, reducing latency and improving security. VPN connections and NAT gateways do not eliminate internet traffic, and an internet gateway would expose the VPC to the public internet.

Amazon Aurora (with PostgreSQL compatibility) and Amazon EC2 can both host PostgreSQL databases. Aurora is a managed database service that provides a fully compatible PostgreSQL environment with automated management. EC2 can also host PostgreSQL, but it requires more manual setup and maintenance. Amazon S3 and EFS do not host databases, and Amazon OpenSearch Service is intended for search and analytics, not relational databases.

The reliability pillar of the AWS Well-Architected Framework includes the principle of testing recovery procedures to ensure systems can effectively recover from failures. Regular testing of recovery processes helps verify that systems are resilient and can handle potential disruptions. The other options align with different pillars like cost optimization and operational excellence.

Using multiple Availability Zones within the same AWS Region meets the requirements for having instances in different locations with independent power and networking. Availability Zones are distinct physical locations within a region, each with separate power sources and networking. Edge locations are used for content delivery, and Amazon Connect and AWS Artifact locations are not relevant to EC2 deployment and infrastructure.

Rightsizing involves adjusting instance types based on actual utilization to optimize costs and performance. Changing the size and type of EC2 instances according to utilization data achieves this with minimal operational overhead. Adding instances or changing payment methods does not directly address instance resizing, and reprovisioning with larger instances may not be optimal based on actual usage.

AWS Secrets Manager is a service designed to securely store and manage access to sensitive information such as API keys, passwords, and database credentials. It allows automatic rotation, secure storage, and fine-grained access control for these credentials, ensuring they are securely managed. The other options do not provide encrypted storage for credentials specifically.

The reliability pillar of the AWS Well-Architected Framework emphasizes building systems that can recover from failures and dynamically adjust to meet demand. This includes designing to automatically recover from failures and implementing mechanisms to manage capacity demands, avoiding manual guesswork. The other options do not align with core reliability principles, as operating in a single Availability Zone or preemptively adjusting quotas in a secondary region does not inherently improve reliability.

Amazon EventBridge Overview:

EventBridge is a serverless event bus that enables applications to react to changes in AWS resources.

It supports routing events such as EC2 state changes to various targets, including AWS Step Functions.

How EventBridge Meets the Requirement:

EventBridge can capture the EC2 instance state change event and trigger the execution of a Step Functions workflow.

The integration is seamless and supports workflows triggered by multiple event sources.

Why Other Options Are Incorrect:

A. Amazon SageMaker:Used for building, training, and deploying machine learning models; not related to event triggers.

B. Amazon Connect:A cloud-based contact center service; unrelated to event triggers.

D. AWS Fargate:A compute engine for containers; does not manage events or invoke workflows.

Application Load Balancer (ALB) integrates with AWS WAF to deploy and manage WAF rules for incoming traffic. ALB can route HTTP and HTTPS traffic and apply WAF rules to protect applications from common web exploits. Network Load Balancer does not support AWS WAF, and Trusted Advisor does not deploy WAF rules.

The AWS Architecture Center provides examples, best practices, and architectural blueprints for various AWS Cloud solutions. It includes whitepapers, reference architectures, and detailed diagrams to help users design secure, scalable, and reliable applications on AWS. Other services like AWS Marketplace, Service Catalog, and Trusted Advisor do not offer solution design examples.

The AWS Cloud's global infrastructure enables rapid deployment across multiple geographic regions, allowing companies to extend applications to new markets quickly. This capability to "go global in minutes" is especially valuable for businesses looking to reach customers in new countries without building data centers. Other options, like speed and agility, are advantages but do not specifically address global deployment.

AWS Transit Gateway acts as a cloud router for connecting multiple VPCs and on-premises networks, simplifying network management by creating a hub-and-spoke model for routing traffic. Direct Connect provides a private connection to AWS but does not function as a central router. Amazon Connect is unrelated, and Route 53 is for DNS services, not VPC connectivity.

Amazon Kendra is a service that provides a highly accurate and easy-to-use enterprise search service that is powered by machine learning. Kendra delivers powerful natural language search capabilities to your websites and applications so your end users can more easily find the information they need within the vast amount of content spread across your company. Amazon SageMaker is a service that provides a fully managed platform for data scientists and developers to quickly and easily build, train, and deploy machine learning models at any scale. Amazon Augmented AI (Amazon A2I) is a service that makes it easy to build the workflows required for human review of ML predictions. Amazon A2I brings human review to all developers, removing the undifferentiated heavy lifting associated with building human review systems or managing large numbers of human reviewers. Amazon Polly is a service that turns text into lifelike speech, allowing you to create applications that talk, and build entirely new categories of speech-enabled products. None of these services provide an enterprise search service that is powered by machine learning.

 The correct answer is C because AWS Trusted Advisor is an AWS service or tool that provides users with the ability to monitor AWS service quotas. AWS Trusted Advisor is an online tool that provides users with real-time guidance to help them provision their resources following AWS best practices. One of the categories of checks that AWS Trusted Advisor performs is service limits, which monitors the usage of each AWS service and alerts users when they are close to reaching the default limit. The other options are incorrect because they are not AWS services or tools that provide users with the ability to monitor AWS service quotas. AWS CloudTrail is a service that enables users to track user activity and API usage across their AWS account. AWS Cost and Usage Reports is a tool that enables users to access comprehensive information about their AWS costs and usage. AWS Budgets is a tool that enables users to plan their service usage, costs, and reservations. Reference: [AWS Trusted Advisor FAQs]

The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating systems in the cloud. The framework consists of five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. The operational excellence pillar focuses on the ability to run workloads effectively, gain insight into operations, and continuously improve supporting processes and procedures. Therefore, the correct answer is C. You can learn more about the AWS Well-Architected Framework and its pillars.

AWS Pricing Calculator is the AWS service or tool that the company should use to estimate its future AWS service costs before the migration. AWS Pricing Calculator is a web-based tool that allows the company to create cost estimates for various AWS services and scenarios. AWS Pricing Calculator helps the company to compare the costs of running the workload on premises versus on AWS, and to optimize the costs by choosing the best options for the workload. AWS Pricing Calculator also provides a detailed breakdown of the cost components and a downloadable report. For more information, see [AWS Pricing Calculator] and [Getting Started with AWS Pricing Calculator].

AWS Cost Explorer provides a visualization of historical AWS spending patterns and allows users to project future costs based on past usage. It offers advanced filtering and grouping features, enabling users to analyze costs and usage at a granular level. The AWS Cost and Usage Report provides detailed AWS cost and usage data but does not offer visualization or future cost projections. AWS Budgets is used for setting custom cost and usage budgets and receiving alerts. Amazon CloudWatch is for monitoring AWS resources and applications, not for cost management.

The pillar of the AWS Well-Architected Framework that is supported by the goals of protecting AWS Cloud information, systems, and assets while performing risk assessment and mitigation tasks is security. Security is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. The security pillar covers topics such as identity and access management, data protection, infrastructure protection, detective controls, incident response, and compliance

The correct answers are A and B because Amazon Aurora and Amazon RDS are AWS services that the company could use for the relational databases. Amazon Aurora is a relational database that is compatible with MySQL and PostgreSQL. Amazon Aurora is a fully managed, scalable, and high-performance service that offers up to five times the throughput of standard MySQL and up to three times the throughput of standard PostgreSQL. Amazon RDS is a service that enables users to set up, operate, and scale relational databases in the cloud. Amazon RDS supports six popular database engines: MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, and Amazon Aurora. The other options are incorrect because they are not AWS services that the company could use for the relational databases. Amazon DocumentDB (with MongoDB compatibility) is a document database that is compatible with MongoDB. Amazon Neptune is a graph database that supports property graph and RDF models. Amazon DynamoDB is a key-value and document database. Reference: Amazon Aurora, Amazon RDS

When a company moves from on-premises IT architecture to the AWS Cloud, it gains several benefits:

A. Reduced or eliminated tasks for hardware troubleshooting, capacity planning, and procurement: In an on-premises environment, companies must maintain their own hardware, which involves procuring servers, configuring them, managing capacity, and troubleshooting hardware failures. Moving to the AWS Cloud eliminates or greatly reduces these tasks since AWS is responsible for the underlying infrastructure.

E. Faster deployment of new features and applications: AWS provides scalable resources and automation tools that allow companies to deploy applications faster. Services like AWS Elastic Beanstalk, AWS CloudFormation, and AWS Lambda help streamline the deployment process, enabling quicker time-to-market for new features and applications.

Why other options are not suitable:

B. Elimination of the need for trained IT staff: While the cloud reduces certain operational burdens, it does not eliminate the need for skilled IT professionals to manage cloud services, ensure proper configurations, handle security, and manage applications.

C. Automatic security configuration of all applications that are migrated to the cloud: AWS provides security tools and services, but security configurations and management still require input from the customer to tailor them to specific application requirements.

D. Elimination of the need for disaster recovery planning: While AWS offers robust disaster recovery options, companies must still plan and implement disaster recovery strategies, such as backups and multi-region deployments.

AnApplication Load Balancer (ALB)is the best choice for distributing incoming HTTP/HTTPS traffic evenly across multiple Amazon EC2 instances. It operates at theapplication layer (Layer 7 of the OSI model) and is specifically designed to handle HTTP and HTTPS traffic, which is ideal for web applications.

Here is why the ALB is the correct choice:

Layer 7 Load Balancing: The ALB works at the application layer and provides advanced routing capabilities based on content. It can inspect the incoming HTTP requests and make decisions on how to route traffic to various backend targets, which include Amazon EC2 instances, containers, or Lambda functions. This is particularly useful for web applications where you need to make routing decisions based on HTTP headers, paths, or query strings.

HTTP and HTTPS Support: The ALB natively supports HTTP and HTTPS protocols, making it the ideal load balancer for web-based applications. It can efficiently manage and route these types of traffic and handle tasks such as SSL/TLS termination.

Health Checks: The ALB can continuously monitor the health of the registered EC2 instances and only route traffic to healthy instances. This ensures high availability and reliability of the web application.

Path-based and Host-based Routing: The ALB can route traffic based on the URL path or host header. This feature allows the same load balancer to serve multiple applications hosted on different domains or subdomains.

Integration with Auto Scaling: The ALB can integrate seamlessly with Amazon EC2 Auto Scaling. As the number of EC2 instances increases or decreases, the ALB automatically includes the new instances in its traffic distribution pool, ensuring even distribution of incoming requests.

WebSocket Support: It also supports WebSocket and HTTP/2 protocols, which are essential for modern web applications that require real-time, bidirectional communication.

Why other options are not suitable:

A. Amazon EC2 Auto Scaling: This service is used to automatically scale the number of EC2 instances up or down based on specified conditions. However, it does not provide load balancing capabilities. It works well with load balancers but does not handle the distribution of incoming traffic by itself.

C. Gateway Load Balancer: This is designed to distribute traffic to virtual appliances like firewalls, IDS/IPS systems, or deep packet inspection systems. It operates at Layer 3 (Network Layer) and is not ideal for distributing HTTP/HTTPS traffic to EC2 instances.

D. Network Load Balancer: This load balancer operates at Layer 4 (Transport Layer) and is designed to handle millions of requests per second while maintaining ultra-low latencies. It is best suited for TCP, UDP, and TLS traffic but does not provide advanced Layer 7 routing features required for HTTP/HTTPS traffic.

AWS Storage Gateway is a hybrid cloud storage service that provides on-premises access to virtually unlimited cloud storage. You can use AWS Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases. One of these use cases is tape-based backup, which allows you to store data backups on virtual tapes in the AWS Cloud. You can use the Tape Gateway feature of AWS Storage Gateway to extend your existing physical tape library to the AWS Cloud. Tape Gateway provides a virtual tape infrastructure that scales seamlessly with your backup needs and eliminates the operational burden of provisioning, scaling, and maintaining a physical tape infrastructure123. References: 1: CloudStorage Appliances, Hybrid Device - AWS Storage Gateway - AWS, 2: AWS Storage Gateway Documentation, 3: AWS Storage Gateway Features | Amazon Web Services

Amazon SageMakeris a fully managed service that provides every developer and data scientist with the ability to build, train, and deploy machine learning (ML) models quickly. It offers integrated Jupyter notebooks for data exploration, pre-built algorithms, and automatic model tuning to optimize hyperparameters.

Why other options are not suitable:

A. Amazon Personalize: A managed machine learning service that provides personalized recommendations, but does not offer the full suite of ML tools for building, training, and deploying models.

B. Amazon Comprehend: A natural language processing (NLP) service, not a general-purpose ML model building and deployment service.

C. Amazon Forecast: A managed service specifically for creating accurate forecasts using machine learning, not for general-purpose ML model development.

TheBusiness perspectiveof the AWS Cloud Adoption Framework (AWS CAF) focuses on ensuring that cloud investments align with business strategies and that the organization achieves business value from cloud adoption. It provides real-time insights into the organization's strategic goals, financial objectives, and metrics.

This perspective helps answer questions about strategy, ensuring that cloud adoption aligns with the organization's long-term business goals.

Why other options are not suitable:

A. Operations: Focuses on operating cloud environments effectively.

B. People: Focuses on human resources and organizational structure.

D. Platform: Focuses on infrastructure and architecture.

Reserved Instances and Savings Plans are the most cost-effective purchasing options for a compute workload that is steady, predictable, and uninterruptible. Reserved Instances provide a significant discount compared to On-Demand Instances, and Savings Plans offer flexible and consistent savings on EC2 usage. Both options require a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years. On-Demand Instances are suitable for short-term, irregular, or unpredictable workloads, but they are more expensive than Reserved Instances or Savings Plans. Spot Instances are the cheapest option, but they are not suitable for uninterruptible workloads, as they can be reclaimed by AWS at any time. Dedicated Hosts and Dedicated Instances are designed for compliance and licensing requirements, not for cost optimization. They are more expensive than the other options, as they run on single-tenant hardware. References: Instance purchasing options, Amazon EC2 Pricing, 4 Ways to Purchase Amazon EC2 Instances

Amazon EC2 On-Demand Instances are ideal for unpredictable workloads that do not require a long-term commitment. This option allows users to pay for compute capacity by the hour or second, with no long-term commitments. It is suitable for short-term, spiky, or unpredictable workloads that cannot be interrupted and require flexibility. Option A is better suited for Reserved Instances, Option B is ideal for Spot Instances, and Option D is more suited for Reserved Instances due to cost optimization for long-term use.

"There is no long-term commitment required when you purchase On-Demand Instances. You pay only for the seconds that your On-Demand Instances are in the running state, with a 60-second minimum. The price per second for a running On-Demand Instance is fixed, and is listed on the Amazon EC2 Pricing, On-Demand Pricing page. We recommend that you use On-Demand Instances for applications with short-term, irregular workloads that cannot be interrupted."https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-on-demand-instances.html

AWS Trusted Advisor is a tool that helps customers optimize their AWS environment by providing real-time guidance in five key areas: cost optimization, performance, security, fault tolerance, and service limits. However, the availability of the full set of Trusted Advisor checks depends on the AWS Support plan chosen.

AWS Developer Support: This plan provides access to only seven core Trusted Advisor checks. It is designed for developers experimenting or testing in AWS and does not offer the full set of Trusted Advisor checks.

AWS Business Support: This plan is the lowest-cost support plan that provides access to thefull set of AWS Trusted Advisor checks. Business Support is intended for production workloads, providing a broader range of checks, 24x7 access to Cloud Support Engineers, and more extensive support features.

AWS Enterprise On-Ramp Support: This plan offers access to all Trusted Advisor checks as well but is more expensive than the Business Support plan. It is designed for customers running production workloads and needing additional technical support but does not require the full level of engagement that comes with Enterprise Support.

AWS Enterprise Support: This is the most comprehensive and highest-cost support plan, providing access to all Trusted Advisor checks and a full range of AWS Support resources, including a Technical Account Manager (TAM), account management, concierge support, and more.

Conclusion:

The correct answer isB. AWS Business Support, as it provides access to the full set of AWS Trusted Advisor checks at thelowest cost. AWS Developer Support does not offer the complete checks, and both AWS Enterprise On-Ramp and AWS Enterprise Support are higher-cost plans that also provide the full checks.

AWS Cloud References:

AWS Support Plans

AWS Trusted Advisor

Amazon EC2 Auto Scaling is a service that helps you maintain application availability and allows you to automatically add or remove EC2 instances according to definable conditions. You can create collections of EC2 instances, called Auto Scaling groups, and specify the minimum and maximum number of instances in each group. You can also define scaling policies that adjust the number of instances based on the demand on your application. Amazon EC2 Auto Scaling helps you improve the performance, reliability, and cost-efficiency of your EC2workloads123. References: 1: VDI Desktops - Amazon WorkSpaces Family - AWS, 2: What is Amazon EC2 Auto Scaling? - Amazon EC2 Auto Scaling, 3: Discover Amazon EC2 Auto Scaling Unit | Salesforce Trailhead

 Amazon Neptune is a fully managed graph database service on AWS. A graph database is a type of database that stores and queries data as a network of nodes and edges, representing entities and relationships. Graph databases are useful for applications that deal with highly connected data, such as social networks, recommendation engines, fraud detection, and knowledge graphs45. Amazon Neptune is a fast, reliable, and scalable graph database service that supports two popular graph models: property graphs and RDF. Amazon Neptune also supports two open standards for querying graphs: Apache TinkerPop Gremlin and SPARQL. Amazon Neptune handles the heavy lifting of managing the database, such as provisioning, patching, backup, recovery, encryption, and replication456. References: 4: Managed Graph Database - Amazon Neptune - AWS, 5: Amazon Neptune – A Fully Managed Graph Database Service, 6: Working with AWS Neptune. Neptune is a fully-managed graph … - Medium

AWS Marketplaceis an online store where independent software vendors (ISVs) can list and sell their software products, including custom Amazon Machine Images (AMIs). It allows vendors to share, distribute, and monetize their AMIs with a broad audience of AWS customers.

B. AWS Data Exchange: Incorrect, as it is a service for finding, subscribing to, and using third-party data in the cloud, not for delivering custom AMIs.

C. Amazon EC2: Incorrect, as it is the service for running instances, but it does not provide a marketplace for distributing AMIs.

D. AWS Organizations: Incorrect, as it is a service for managing multiple AWS accounts, not for distributing software products like AMIs.

AWS Cloud References:

AWS Marketplace

AWS Software Development Kit (SDK) is a set of platform-specific building tools for developers. It allows developers to access AWS services from application code using familiar programming languages. It provides pre-built components and libraries that can be incorporated into applications, as well as tools to debug, monitor, and optimize performance2. References: What is SDK? - SDK Explained - AWS

AWS App Runneris a fully managed service that makes it easy for developers to quickly deploy containerized web applications and APIs at scale. It can automatically build container images from source code or directly from a container registry, and then deploy the application without requiring deep container knowledge or expertise.

AWS App Runner meets the requirements of:

Automatically creating container images from source code.

Managing the deployment of the containerized application with minimal operational overhead.

Why other options are not suitable:

A. AWS Elastic Beanstalk: While it simplifies deploying and scaling web applications, it does not automatically create container images from source code.

B. Amazon Elastic Container Service (Amazon ECS): ECS is a container orchestration service that requires more manual setup for creating and managing container images and deployments.

D. Amazon EC2: This service provides virtual servers but does not offer managed container image creation or deployment.

VPC peering and AWS Transit Gateway are two AWS services or features that give users the ability to create a network connection between two VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them privately. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between peered VPCs never traverses the public internet. VPC peering does not support transitive peering relationships, which means that if VPC A is peered with VPC B, and VPC B is peered with VPC C, then VPC A and VPC C are not automatically peered789. AWS Transit Gateway is a networking service that acts as a regional router for your VPCs and on-premises networks. You can attach up to 5,000 VPCs and VPN connections to a single transit gateway and route traffic between them. AWS Transit Gateway simplifies the management and scalability of your network architecture, as you only need to create and manage a single connection from the central transit gateway to each connected network. AWS Transit Gateway supports transitive routing, which means that any network thatis attached to the transit gateway can communicate with any other network that is attached to the same transit gateway . References: 7: VPC peering - Amazon Virtual Private Cloud, 8: Connect VPCs using VPC peering - Amazon Virtual Private Cloud, 9: Amazon VPC-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud, : [AWS Transit Gateway - Amazon Web Services], : [Connect VPCs using AWS Transit Gateway - Amazon Virtual Private Cloud], : [AWS Transit Gateway: Simplify Your Network Architecture]

AWS Database Migration Service (DMS) and AWS Schema Conversion Tool are the primary services for migrating a commercial relational database to an Amazon-managed open-source database. AWS DMS helps migrate the data, while the AWS Schema Conversion Tool converts the database schema from the source database format to the target format, including SQL code. AWS SDKs are for software development, AWS Systems Manager is for operational management, and Amazon EMR is for big data processing, which are not relevant to this use case.

Amazon Elastic Transcoder is a media transcoding service that enables companies to convert video and audio files into formats optimized for playback on various devices, including smartphones. It automates the transcoding process and supports a wide array of video and audio formats, making it ideal for converting files into mobile-friendly formats. Services like Amazon Comprehend, Rekognition, and Polly do not perform media transcoding functions.

 IAM roles are a secure way to grant permissions to applications running on an Amazon EC2 instance to make calls to other AWS services. IAM roles are entities that have specific permissions policies attached to them. You can create an IAM role and associate it with an EC2 instance when you launch it or later. The applications on the instance can then use the temporary credentials provided by the role to access AWS resources that the role allows. This way, you do not have tostore any long-term credentials or access keys on the instance, which reduces the risk of compromise or misuse12.

The other options are not correct, because:

Security groups are virtual firewalls that control the inbound and outbound traffic for your EC2 instances. Security groups do not grant permissions to access other AWS services, but rather filter the network traffic based on rules that you define3.

AWS Firewall Manager is a service that helps you centrally configure and manage firewall rules across your accounts and resources. AWS Firewall Manager works with AWS WAF, AWS Shield Advanced, and Amazon VPC security groups. AWS Firewall Manager does not grant permissions to access other AWS services, but rather helps you enforce consistent security policies across your AWS infrastructure4.

IAM user SSH keys are credentials that allow you to connect to your EC2 instance using SSH. SSH keys do not grant permissions to access other AWS services, but rather authenticate your identity when you log in to your instance5.

Using an IAM role to grant permissions to applications running on Amazon EC2 instances - AWS Identity and Access Management

IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud

Security groups for your VPC - Amazon Virtual Private Cloud

What is AWS Firewall Manager? - AWS Firewall Manager

Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud

AWS Service Catalog enables companies to create, manage, and distribute catalogs of approved infrastructure as code (IaC) templates and software configurations. This service supports infrastructure automation by allowing users to deploy resources using predefined templates, which align with the company's policies and best practices. It helps in managing cloud resources at scale by utilizing IaC principles, enabling consistent deployments, and enforcing governance across AWS resources. AWS Service Catalog is an excellent choice for organizations implementing IaC.

Amazon RDS is a fully managed relational database service that supports several database engines, including PostgreSQL. Amazon RDS can run a managed PostgreSQL database that provides online transaction processing (OLTP), which is a type of database workload that handles frequent read and write operations on small amounts of data. Amazon RDS for PostgreSQL offers high performance, availability, scalability, security, and compatibility with the PostgreSQL community edition. Amazon RDS also provides automated backups, point-in-time recovery, encryption, monitoring, and maintenance for PostgreSQL databases. References:

Hosted PostgreSQL - Amazon RDS for PostgreSQL

OLTP Database, MySQL And PostgreSQL ManagedDatabase - Amazon Aurora

PostgreSQL options on AWS: Self- managed, managed, and serverless

Understanding Availability Zones (AZs): An Availability Zone is a distinct location within an AWS region that is engineered to be isolated from failures in other AZs.

Characteristics of Availability Zones:

Data Centers: Each AZ consists of one or more discrete data centers with redundant power, networking, and connectivity.

High Availability: AZs are designed for high availability, providing low-latency network connections to other zones in the same region.

Fault Isolation: They provide fault isolation and are used to deploy applications and services to ensure high availability and reliability.

Use Cases for Availability Zones:

Multi-AZ Deployments: For services like RDS, deploying in multiple AZs ensures fault tolerance.

Disaster Recovery: Setting up resources in multiple AZs helps in quick recovery from failures.

Load Balancing: Distributing traffic across AZs using Elastic Load Balancing ensures optimal performance and availability.

AWS Global Infrastructure

Understanding AWS Regions and Availability Zones

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront enables companies to deploy an application close to end users by caching the application’s content at edge locations that are geographically closer to the users. This reduces the network latency and improves the user experience. CloudFront also integrates with other AWS services, such as Amazon S3, Amazon EC2, AWS Lambda, AWS Shield, and AWS WAF, to provide a secure and scalable solution for delivering applications12. References:

What Is Amazon CloudFront? - Amazon CloudFront

Amazon CloudFront Features - Amazon CloudFront

TheAWS Developer Forumsare always free to use, regardless of the user's AWS Support plan. They provide a platform for users to ask questions, share knowledge, and collaborate with the AWS community.

A. AWS Developer Support: Incorrect, as it is a paid support plan option.

C. Programmatic case management: Incorrect, as this feature is available only with certain AWS Support plans (Business and Enterprise).

D. AWS Technical Account Manager (TAM): Incorrect, as a TAM is provided only under the AWS Enterprise Support plan, which is a paid support option.

AWS Cloud References:

AWS Support Plans

Amazon Macie is a data security and privacy service offered by AWS that uses machine learning and pattern matching to discover the sensitive data stored within Amazon S3. You can define your own custom type of sensitive data category that might be unique to your business or use case. Macie also provides you with dashboards and alerts that give you visibility into how your data is being accessed or moved. Macie helps you protect your data by enabling you to apply data protection techniques such as encryption, deletion, access control, and auditing. References: Strengthen the security of sensitive data stored in Amazon S3 by using additional AWS services, Security best practices for Amazon S3, Sensitive Data Protection on AWS, Sensitive Data Protection on Amazon Web Services

AWS Budgets is a service that allows you to set custom budgets for your AWS costs and usage, and receive alerts via email or Amazon SNS notifications if you exceed or are forecasted to exceed your budgeted amount1. You can create budgets based on different dimensions, such as service, linked account, tag, or purchase option, and define various types of alerts, such as actual, forecasted, or RI utilization alerts2. You can also configure custom actions to automatically execute remediation tasks or workflows when a budget threshold is breached3. AWS Budgets is the only service among the options that can send alerts to customers if custom spending thresholds are exceeded. The other options are not AWS services that provide this functionality.

Amazon Cognitois an AWS service that provides user sign-up, sign-in, and access control to web and mobile applications. It supports authentication for different identity providers, including social identity providers (such as Google, Facebook, and Apple), enterprise identity providers via SAML 2.0, and its own user pools.

Amazon Cognito offers:

User Poolsfor managing user registration, authentication, and account recovery.

Federated Identitiesfor managing user access from external identity providers.

Why other options are not suitable:

B. AWS Config: A service for tracking resource configuration changes, not related to user authentication.

C. Amazon GuardDuty: A threat detection service, not related to user sign-up or authentication.

D. AWS Systems Manager: A service to manage AWS resources, but it does not provide user authentication.