SAA-C03 Questions and Answers

Amazon OpenSearch Service is the AWS-native service for real-time search, analytics, and visualization. Ingesting streaming data with Amazon Kinesis Data Streams ensures scalable and reliable data ingestion. OpenSearch supports indexing and querying the data in near real time. QuickSight can then be integrated for visualization and reporting. Options A and B involve batch processing and are not optimized for real-time search. Option C (EKS + DynamoDB) is not a fit for search workloads, as DynamoDB does not support advanced text search. Option D provides the closest AWS-native equivalent to the company’s existing search-and-visualization architecture.

Detailed Explanation:

A. EventBridge Rule:Detects modifications to CloudFront distributions in real time and triggers the Lambda function for further action.

B. ALB + Config:Focuses on ALB security violations, not relevant for CloudFront logging changes.

C. Lambda + SNS:Provides real-time notifications about changes in logging configuration.

D. GuardDuty:Focuses on threat detection, not logging configuration changes.

E. API Gateway + WAF:Unrelated to CloudFront logging changes.

The correct answer isBbecause the company explicitly wants to move from amonolithic architectureto aloosely coupled architecturethat supportsindependent scaling. Refactoring the application intomicroservicesis the architectural approach that best meets that requirement. Running the microservices onAmazon ECScontainers provides a managed container orchestration platform with less operational overhead than managing a Kubernetes environment.

With microservices, separate business functions such as product catalog management and customer checkout can be deployed as individual services. Each service can scale independently based on its own traffic and performance characteristics. This is far more efficient than scaling the entire monolithic application when only one part of the system experiences increased demand.

AnApplication Load Balanceris appropriate because it can route HTTP and HTTPS traffic and supports path-based and host-based routing, which is useful for directing requests to different services. This design improves agility, performance, and operational flexibility while supporting the company’s need for growth.

Option A improves availability and scalability, but it still runs a copy of thesame monolithic applicationon multiple EC2 instances. That does not enable independent scaling of individual functions. Option C creates a basic two-tier design, but it is not a fully loosely coupled microservices architecture. Option D uses Amazon EKS but places the application into asingle container, which does not achieve independent scaling of separate components and introduces more operational complexity than necessary.

AWS architectural best practices recommend decomposing monoliths intomicroserviceswhen independent scaling, agility, and component isolation are required. Therefore,Amazon ECS with microservicesis the best solution.

Analysis:

The company ' s requirements are to migrate 5 PB of data from physical tapes to AWS within 6 months, preserve the data for 10 years, and ensure cost efficiency.AWS Storage Gateway Tape Gatewayis purpose-built for such use cases, as it seamlessly integrates with backup applications and provides virtual tape storage in Amazon S3 Glacier Deep Archive.

Why Option D is Correct:

Tape Gateway: Enables the migration of physical tapes to virtual tapes. Virtual tapes are stored in Amazon S3 and can later be archived in Amazon S3 Glacier Deep Archive for long-term storage.

Cost Efficiency: Amazon S3 Glacier Deep Archive is the lowest-cost storage class for long-term data preservation.

Operational Simplicity: Tape Gateway integrates with existing on-premises backup software, reducing the need for additional tools or manual processes.

Scalability: Can handle the migration of large datasets, such as 5 PB, within the required timeframe.

Why Other Options Are Not Ideal:

Option A:

AWS DataSync is not designed for reading data directly from physical tapes. Staging the data on local storage adds unnecessary complexity and cost.Not suitable.

Option B:

Using backup applications to write directly to S3 Glacier Deep Archive may not leverage AWS-native services optimally. Tape Gateway simplifies the workflow significantly.Less efficient.

Option C:

Snowball Edge is ideal for environments without high-bandwidth connectivity. However, the company already has a 10 Gbps Direct Connect, making Tape Gateway a better choice.Not cost-effective.

AWS References:

AWS Storage Gateway - Tape Gateway:AWS Documentation - Tape Gateway

Amazon S3 Glacier Deep Archive:AWS Documentation - Glacier Deep Archive

Option B (Amazon FSx for Lustre): FSx for Lustre is optimized for high-performance file systems required by HPC workloads, scaling to millions of IOPS and supporting parallelized data access.

Option E (Cluster Placement Group with Auto Scaling): A cluster placement group ensures low-latency communication between EC2 instances, critical for HPC workloads. Amazon EMR simplifies running large-scale analytics jobs.

Amazon FSx for Lustre Documentation,AWS Placement Groups Documentation

The Requester Pays feature in Amazon S3 allows the bucket owner to configure the bucket so that the requester, rather than the bucket owner, pays for data transfer and request costs. This is ideal for sharing large datasets with the public or with other AWS accounts when you want to minimize your own data transfer expenses.

Reference Extract from AWS Documentation / Study Guide:

" Requester Pays buckets allow you to configure the bucket so that the requester instead of the bucket owner pays the cost of the request and the data download from the bucket. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Cost Management section.

Since the company already usesIAM Identity Center, the lowest-overhead and most consistent design is to manage access throughpermission setsassigned to groups. AWS documentation explains that permission sets are the central mechanism IAM Identity Center uses to grant least-privilege access to AWS accounts and resources. This approach fits team-based access for development, testing, and operations without having to manage individual IAM users in each account. It also aligns with AWS guidance to apply least privilege by creating restrictive permission sets instead of broad standing permissions. The other options either introduce more manual identity management or create unnecessary account complexity for the scenario described. (AWS Documentation)

============

To ensure ALB access only via CloudFront, AWS prescribes restricting the origin to traffic from CloudFront. For ALB origins, the standard pattern is to allow inbound to the ALB only from CloudFront edge IP ranges using security groups or ALB listener rules. Network ACLs are coarse and stateless and add operational burden. CloudFront does not have a “VPC origin” object; instead, CloudFront references the ALB DNS name. By limiting the ALB’s security group to CloudFront IP ranges, direct client access to the ALB is blocked while CloudFront remains permitted. This aligns with security best practices to “restrict origin access to only CloudFront” and use SGs for instance/ALB layer controls.

Amazon CloudFront uses a globally distributed network of edge locations that cache content close to users. When Outposts servers around the world download large software packages, CloudFront provides significantly reduced latency due to edge caching. This is the AWS-recommended solution for accelerating downloads of static files at scale and across global locations.

S3 Transfer Acceleration optimizes uploads and downloads to a single Region but does not provide edge caching. Multi-Region replication with failover does not reduce latency globally because requests still must reach the regional origins. Therefore, CloudFront with caching enabled is the correct design for improving download speed worldwide.

=====================================================

A read replica is the best answer because the new application needs to read frequently changing data while minimizing load on the production writer. Amazon RDS read replicas are designed to offload read traffic from the primary DB instance, which improves overall performance for the main workload. ElastiCache is not the best fit because the application rarely repeats the same query, so a cache would not provide strong benefit. An ALB is unrelated to database querying, and snapshots are not appropriate for querying near-current data. Since the requirement is fresh read access with minimal impact on the primary database, using a read replica is the correct architectural choice.

============

Comprehensive and Detailed Explanation (from AWS Solutions Architect documentation):

Amazon DynamoDB supports two read consistency models: eventually consistent reads and strongly consistent reads. When an application must always receive the most up-to-date data, it must use strongly consistent reads. Eventually consistent reads can return stale data because they provide best-effort propagation across storage nodes.

Since the problem states that requests are “not returning the latest data,” the correct solution is to enable strongly consistent reads, which immediately reflect all successful writes. This is the explicit AWS-recommended method for ensuring clients always receive the most current version of an item.

====================================

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The key constraint is no application code changes, while the observed failure mode during spikes is heavy write load on the database that makes the site unresponsive. Scaling the web tier alone (Option B) may not help if the database is the bottleneck; in fact, adding more EC2 instances can increase concurrent write pressure and worsen the database overload. Caching (Option A) would require modifying the application to use Redis for query caching, which violates the no-code-change requirement. Option C is not a fit: CloudFront caching is effective for cacheable content, but authenticated, personalized pages are typically not cacheable without application changes, and “write throttle” is not a standard CloudFront feature to protect the database.

Migrating from RDS for MySQL to Amazon Aurora Serverless is a managed approach designed to automatically adjust database capacity to match workload demand, which is well suited to “low baseline traffic with occasional sudden spikes.” By setting an appropriate maximum capacity, Aurora Serverless can scale to handle bursts more gracefully than a fixed-size RDS instance, improving availability during unpredictable demand. This reduces operational overhead because capacity management is largely handled by the service rather than by manual instance resizing or complex scaling scripts.

The final step—configuring EC2 instances to connect to the new Aurora endpoint—is an infrastructure configuration change, not an application code rewrite. The application continues to speak the same MySQL-compatible protocol (Aurora MySQL-compatible), preserving compatibility while improving resilience to spikes.

Therefore, D best meets the requirement to improve availability during sudden traffic increases driven by heavy database writes, with minimal operational effort and no application code changes.

To enforce that IAM users can only access Amazon RDS and no other AWS services, the recommended approach is to use a Deny statement with NotAction. This ensures that all actions are denied except RDS actions. Options A and B do not fully achieve the restriction: A only allows RDS but does not explicitly deny access to other services if another policy grants access; B’s explicit Deny for “*” would override all other permissions, including the intended RDS Allow, which would result in no access at all. Option D with permissions boundaries still allows other attached policies to grant access outside RDS. Therefore, C is the correct approach to enforce RDS-only access.

The workload is Windows-based and requires a shared file system with SMB support and very high throughput for 4K video editing.

Amazon FSx for Windows File Server is a fully managed, highly available native Windows file system that supports the SMB protocol, Active Directory integration, and can deliver high throughput and low latency suitable for media workloads.

FSx for Windows File Server supports automatic storage scaling to grow file system capacity as data increases, matching the requirement of +1 TB per week with minimal admin effort.

A Multi-AZ SSD deployment provides high availability and performance.

Why others are not correct:

B: Amazon EFS is NFS, not SMB, and is optimized for Linux clients, not Windows-based environments.

C: FSx for Lustre is a high-performance POSIX file system typically used with Linux-based HPC workloads, not Windows + SMB.

D: S3 File Gateway is not designed for sustained multi-GB/s shared-edit performance and adds additional complexity; it is more suited for backup/archival and limited shared file access.

AWS VPC endpoints (interface and gateway) allow private connectivity from VPC resources to AWS services without requiring public IP addresses or internet gateways. This ensures applications remain isolated in private subnets while securely accessing AWS services. NAT gateways (B) would allow internet access, which does not meet the security requirement. Internet gateways (C) directly expose traffic to the internet, which violates the isolation requirement. Direct Connect (D) connects on-premises environments to AWS but does not provide service access from private subnets. Therefore, option A — using interface VPC endpoints — is the correct solution.

Comprehensive and Detailed Explanation (from AWS Solutions Architect documentation):

Amazon DynamoDB is a fully managed NoSQL database engineered for extremely high throughput and millisecond-level response times at any scale. It can automatically scale to support millions of requests per second and requires no management of infrastructure, storage provisioning, or server maintenance.

AWS documentation specifically highlights DynamoDB as the optimal solution for ecommerce workloads that require consistent low-latency performance, massive scalability, and near-zero operational overhead.

Aurora and RDS cannot support millions of requests per second, and Redshift is a data warehouse not intended for transactional workloads.

Encryption at Rest: AWS Key Management Service (AWS KMS) provides centralized control over the cryptographic keys used to protect data. By using AWS KMS with Amazon S3, you can manage encryption keys and define policies to control access to them.

Encryption in Transit: By enforcing the aws:SecureTransport condition in the S3 bucket policy, you ensure that all data is transmitted over HTTPS, protecting data in transit.

Access Control: IAM policies allow you to define fine-grained permissions for users and roles, ensuring that only authorized entities can access the customer records.

Monitoring: AWS CloudTrail provides a record of actions taken by a user, role, or AWS service in Amazon S3, enabling you to monitor access to the records.

AWS Lambda SnapStart is designed to improve the cold start performance of Java Lambda functions by initializing the function, taking a snapshot of the execution environment, and then reusing that snapshot for subsequent invocations. However, some code (such as code that generates unique IDs or session-specific data) should run during each invocation, not during the snapshot process. By using a pre-snapshot hook and moving the unique ID generation into the handler, you ensure that non-deterministic or per-invocation code is executed correctly, while the rest of the initialization benefits from SnapStart. This delivers the lowest latency and cost, as you do not need to pay for provisioned concurrency.

AWS Documentation Extract:

" Lambda SnapStart is ideal for Java functions with long cold starts due to heavy initialization. Move non-deterministic code such as unique ID generation to the handler, and use pre-snapshot hooks to customize what gets snapshotted. SnapStart works only for published versions, not $LATEST. "

(Source: AWS Lambda documentation, Using SnapStart for Java Functions)

Other options:

A: SnapStart is not supported for the $LATEST version; must be a published version.

B & C: Provisioned concurrency removes cold starts but is more expensive than SnapStart for most workloads.

C: You must use SnapStart on published versions, but provisioned concurrency is not required for SnapStart and adds cost.

S3 Object Lock: Enables Write Once Read Many (WORM) protection for data, preventing objects from being deleted or modified for a set retention period.

S3 Versioning: Helps maintain object versions and ensures a recovery path for accidental overwrites.

CloudFront Distribution: Ensures secure and efficient public access by serving content through an edge-optimized delivery network while protecting S3 data with OAC.

Bucket Policy for OAC: Restricts public access to only the CloudFront origin, ensuring maximum security.

Amazon S3 Object Lock Documentation

The combination of these solutions provides an efficient and automated way to migrate data while preserving metadata and ensuring cleanup:

Create a new S3 bucket with versioning enabled(Option A) to preserve object metadata like version IDs during migration.

UseS3 batch operations(Option B) to efficiently copy data from specific prefixes in the source bucket to the destination bucket, ensuring minimal overhead.

Use an S3 Lifecycle policy(Option F) to automatically delete the data from the source bucket after it has been migrated, reducing manual intervention.

Option C (CopyObject API): This approach would require more manual scripting and effort.

Option D (Same-Region Replication): SRR is designed for ongoing replication, not for one-time migrations.

Option E (DataSync): DataSync adds more complexity than necessary for this task.

AWS References:

S3 Batch Operations

S3 Lifecycle Policies

Option Bensures the use of S3 Object Lock and Versioning to meet compliance for immutability. CloudFront enhances performance while a bucket policy ensures secure access.

Option Alacks immutability safeguards.

Option Cintroduces unnecessary complexity.

Option Dmisses out on additional security benefits offered by CloudFront.

Amazon Aurora Serverless is a cost-effective, on-demand, autoscaling configuration for Amazon Aurora. It automatically adjusts the database ' s capacity based on the current demand, which is ideal for workloads with variable and unpredictable usage patterns. Since the application is expected to be read-heavy with occasional writes and steady growth, Aurora Serverless can provide the necessary performance without requiring the management of database instances.

Cost-Optimization: Aurora Serverless only charges for the database capacity you use, making it a more cost-effective solution compared to always running provisioned database instances, especially for workloads with fluctuating demand.

Scalability: It automatically scales database capacity up or down based on actual usage, ensuring that you always have the right amount of resources available.

Performance: Aurora Serverless is built on the same underlying storage as Amazon Aurora, providing high performance and availability.

Why Not Other Options?:

Option A (RDS with Provisioned IOPS SSD): While Provisioned IOPS SSD ensures consistent performance, it is generally more expensive and less flexible compared to the autoscaling nature of Aurora Serverless.

Option C (DynamoDB with On-Demand Capacity): DynamoDB is a NoSQL database and may not be the best fit for applications requiring relational database features.

Option D (RDS with Magnetic Storage and Read Replicas): Magnetic storage is outdated and generally slower. While read replicas help with read-heavy workloads, the overall performance might not be optimal, and magnetic storage doesn’t provide the necessary performance.

AWS References:

Amazon Aurora Serverless- Information on how Aurora Serverless works and its use cases.

Amazon Aurora Pricing- Details on the cost-effectiveness of Aurora Serverless.

Amazon EMR on EC2 supports “runtime roles (application-scoped IAM roles)” so each application/step assumes its own IAM role with least-privilege S3 access. You enable this via an EMR security configuration by setting “EnableApplicationScopedIAMRole = true.” The EMR core/Task nodes run under the cluster’s EC2 instance profile; therefore the instance profile must be permitted to “sts:AssumeRole” into the defined EMR runtime roles, and each runtime role must trust the instance profile (trust policy principal is the instance profile role). This design limits each job’s S3 scope via role policies and enforces per-job access segregation. Option B reverses the trust (incorrect). Option E trusts the EMR service role (not used to assume runtime roles). Option F is unrelated (encryption in transit). The correct trio is to enable application-scoped roles (A), authorize the instance profile to assume them (C), and configure the runtime roles’ trust relationship to allow that assumption (D).

The key issue is repeated reads of identical data from an RDS MySQL database, which leads to unnecessary database load and degraded performance. The AWS-recommended solution for this pattern is to introduce an in-memory cache between the application and the database.

Amazon ElastiCache (Redis OSS) is purpose-built for caching frequently accessed data with microsecond-level latency. By caching identical query results, the backend EC2 instances can serve responses directly from memory instead of repeatedly querying the database. This significantly reduces read pressure on the RDS instance and improves overall application performance and scalability.

Option B is correct because Redis integrates cleanly with EC2-based applications and supports advanced caching patterns such as key expiration, eviction policies, and fine-grained control over cached objects. This approach also improves resilience during traffic spikes by offloading work from the database.

Option A is incorrect because SNS is a messaging service and does not cache or accelerate database queries. Option C is incorrect because DynamoDB Accelerator (DAX) works only with DynamoDB tables, not Amazon RDS. Option D is designed for streaming data ingestion and analytics, not for optimizing synchronous database access.

Therefore, B is the correct solution because it addresses the root cause of the performance problem by caching repeated database reads, following AWS best practices for high-performing application architectures.

Amazon EKS Anywhere is the best fit because it is specifically designed to run Kubernetes on customer-managed infrastructure in on-premises and edge environments while simplifying cluster lifecycle management. AWS states that EKS Anywhere helps automate cluster management on your own infrastructure, which matches the requirement to keep network connectivity and underlying infrastructure on premises. By contrast, EKS on Outposts moves the platform to AWS Outposts hardware, and the self-hosted options increase operational burden because the company would still manage the Kubernetes platform itself. The key distinction here is that the company wants simpler management without giving up control of its current on-premises environment. EKS Anywhere is the AWS service built for exactly that balance.

============

AWS recommends usingSystems Manager Session Managerinstead of direct SSH for administrative access because it provides browser-based or CLI-based access without bastion hosts and supports centralized audit logging. To allow private instances to reach Systems Manager without internet exposure, the VPC needs the appropriateinterface VPC endpoint. The managed instances also need the proper instance permissions, and AWS documentation points to theAmazonSSMManagedInstanceCorepolicy for that purpose. A gateway endpoint is not used for Session Manager, and attaching a user-facing Session Manager policy to the EC2 instances themselves is the wrong permission model. This makesB and Ethe most operationally efficient and secure combination. (AWS Documentation)

============

Amazon RDS supports encryption at rest by using AWS KMS keys backed by AWS CloudHSM. This allows use of dedicated FIPS 140-2 Level 3 validated hardware modules to manage encryption keys, meeting compliance for sensitive data such as PII.

From AWS Documentation:

“You can use AWS KMS with keys that are backed by AWS CloudHSM to control the encryption of RDS databases. This provides dedicated HSM-backed key storage and management.”

(Source: Amazon RDS User Guide – Encrypting Amazon RDS Resources)

Why B is correct:

Meets the requirement for dedicated HSM hardware.

Fully integrates with RDS for transparent encryption at rest.

Satisfies compliance standards for healthcare and regulated data.

Why others are incorrect:

A: Keys in CloudHSM directly are not used by RDS; they must be managed through KMS integration.

C: EC2 instance stores are ephemeral, not suitable for RDS databases.

D: SSE-S3 applies to S3 objects, not databases.

Amazon S3 is the most cost-effective storage service for large and growing collections of image files, and Amazon CloudFront is the standard way to deliver those objects globally with low latency. AWS documentation states that CloudFront can use an S3 bucket as an origin and cache the objects at edge locations around the world. This reduces latency for viewers and reduces repeated load on the origin. EBS, EFS, and FSx are not the best fit for large-scale internet-facing object delivery because they are not purpose-built global object distribution services. Therefore, S3 plus CloudFront is the correct and most economical architecture for global image delivery at scale.

============

Amazon RDS Proxy helps manage thousands of concurrent database connections by pooling and reusing them efficiently. It is especially useful for serverless applications like AWS Lambda that can open numerous connections quickly, potentially overwhelming the database. Using RDS Proxy reduces connection management overhead and improves fault tolerance.

AWS Config allows for creation of custom rules to monitor EBS configurations. Combined with CloudWatch metrics and Amazon SNS, custom rules can track over-provisioned IOPS and send alerts when thresholds are breached, allowing proactive cost and performance management.

AWS DataSync provides managed, incremental, parallelized transfers between EFS file systems across Regions, supporting scheduled or continuously running tasks with automatic change detection, encryption in transit, and integrity verification. You can configure two tasks in opposite directions (bi-directional) to achieve two-way synchronization with high availability using agents in each Region and EFS locations connected via VPC endpoints. Native EFS replication (B) is one-way (read-only target) and not intended for active/active two-way sync. Options A and D rely on custom rsync and cross-Region mounts or SFTP, which introduce operational overhead, latency, and fail to provide resilient, managed synchronization. DataSync minimizes operational burden while delivering fault-tolerant, scalable, cross-Region EFS sync.

Unpredictable Lambda traffic can create a “connection storm” against a relational database because each concurrent Lambda invocation may open its own database connection. Relational engines like PostgreSQL have finite connection capacity, and excessive connections can degrade performance, increase latency, and exhaust database resources. Amazon RDS Proxy is designed to address this by pooling and reusing database connections, multiplexing many application requests over a smaller number of established database connections. This helps keep database performance more predictable under spiky, highly concurrent workloads such as Lambda.

Because the database is a private RDS for PostgreSQL instance, the Lambda functions must run with network access to the VPC subnets and security groups that can reach the database and proxy. Therefore, deploying the Lambda functions inside a VPC and pointing the database client to the RDS Proxy endpoint is the correct operational pattern. RDS Proxy also provides benefits like improved failover behavior handling and centralizing credential management integration patterns (commonly with IAM authentication and/or Secrets Manager), further reducing operational risk.

Option A uses a custom endpoint, which does not solve the fundamental connection scaling problem; it’s not a connection pooler. Option C and D place Lambda outside the VPC, which will not work for a private database that has no public connectivity path. Even if connectivity were possible, D would still be incomplete because you’d need private networking to reach the proxy.

Therefore, B best meets the requirement by introducing managed connection pooling via RDS Proxy and ensuring private network reachability by running Lambda in the VPC.

Amazon EFS is a regional, elastic file system that “scales to petabytes” and can be accessed from “thousands of compute instances” concurrently. You can mount EFS across VPCs and across AWS accounts by providing network connectivity (e.g., VPC peering) to the EFS mount targets and allowing NFS (TCP 2049) in the mount target security group, optionally using EFS access points and a file system policy for cross-account access control. VPC peering has no hourly charge and minimal operational overhead, and EFS automatically scales as files are added—meeting the scalability and cost goals.

Option A duplicates data, incurs DataSync and extra storage costs, and adds sync lag.

Option C adds an extra Lambda hop and complexity without exposing a shared filesystem to the primary function.

Option D is impractical: Lambda layers are immutable artifacts with tight size limits (up to 50 MB compressed/250 MB uncompressed) and are not suited for dynamic, growing file sets.

The correct answer isAbecause the application must acceptTLS connections from IPv4 clients, provideoutbound internet access, present asingle entry point, and maintain thelowest possible attack surface. Placing the Amazon ECS tasks inprivate subnetsis the key security design decision because it prevents direct inbound access from the internet to the tasks themselves. The public-facing entry point is the load balancer, while outbound internet access for the private tasks is provided through aNAT gatewayin the public subnet.

ANetwork Load Balancer (NLB)is well suited for handlingTLSat Layer 4 and can expose a single public endpoint for client connections. Withawsvpcnetwork mode, each ECS task receives its own elastic network interface, making it straightforward to place tasks securely in private subnets while still registering them as targets behind the load balancer.

Option B is incorrect because anegress-only internet gatewayis forIPv6 outbound traffic only, while the requirement specifically mentionsIPv4 clients. Option C is incorrect because placing ECS tasks inpublic subnetsincreases the attack surface by exposing application infrastructure more directly to the internet. Option D is also incorrect for two reasons: it uses anegress-only internet gateway, which does not satisfy IPv4 outbound needs, and it places tasks inpublic subnets, which violates the goal of minimizing exposure.

AWS security design guidance emphasizes reducing exposure by placing application workloads in private subnets and exposing only the required front-end endpoint. Therefore, a publicNLBwith private ECS tasks and aNAT gatewayis the most secure and appropriate architecture.

AWS Control Tower: Provides a managed service to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of AWS Organizations and applies security controls (guardrails).

Networking Account:

Create a centralized networking account that includes a VPC with both private and public subnets.

This centralized VPC will manage and control the networking resources.

AWS Resource Access Manager (AWS RAM):

Use AWS RAM to share the subnets from the networking account with the other workload accounts.

This allows different workload accounts to utilize the shared networking resources without the need to manage their own VPCs.

Operational Efficiency: Using AWS Control Tower simplifies the setup and governance of multiple AWS accounts, while AWS RAM facilitates centralized management of networking resources, reducing operational overhead and ensuring consistent security and compliance.

For global low latency, AWS recommends using Amazon CloudFront as a content delivery network in front of both static and dynamic origins when possible.

Static content on Amazon S3 + CloudFront is the standard cost-effective pattern: S3 for low-cost durable storage, CloudFront for global edge caching.

Dynamic content exposed via Amazon API Gateway HTTP API can also be used as an origin for CloudFront, giving global users reduced latency and the ability to cache appropriate responses (when safe).

This pattern minimizes cost by:

Using S3 instead of EC2 for static hosting.

Using HTTP APIs (cheaper than REST APIs) for dynamic content.

Offloading a significant portion of requests to CloudFront cache.

Why the other options are not correct:

B: Static content is not fronted by CloudFront, so global latency is higher.

C: EC2-based web servers for the core web tier add more operational and cost overhead than needed for a mostly static + API pattern.

D: Only the static content uses CloudFront; the dynamic API still lacks a latency-optimized global entry point.

A & B. GuardDuty:Designed for threat detection, not for identifying or classifying sensitive data in S3 buckets.

C. Macie with EventBridge + SNS:Automatically identifies sensitive data, triggers alerts, and uses SNS for immediate notification via email.

D. Macie with EventBridge + SQS:Introduces latency due to periodic polling and adds unnecessary complexity.

The most cost-effective and scalable solution for generating thumbnails when photos are uploaded to an S3 bucket is to useS3 event notificationsto trigger anAWS Lambda function. This approach avoids the need for a long-running EC2 instance or EMR cluster, making it highly cost-effective because Lambda only charges for the time it takes to process each event.

S3 Event Notifications: Automatically triggers the Lambda function when a new photo is uploaded to the S3 bucket.

AWS Lambda: A serverless compute service that scales automatically and only charges for execution time, which makes it the most economical choice when dealing with periodic events like photo uploads.

The Lambda function can generate the thumbnail and upload it to a second S3 bucket, fulfilling the requirement efficiently.

Option AandOption B(EMR or EC2 with scheduled scripts)**: These are less cost-effective as they involve continuously running infrastructure, which incurs unnecessary costs.

Option D (S3 Storage Lens): S3 Storage Lens is a tool for storage analytics and is not designed for event-based photo processing.

AWS References:

Amazon S3 Event Notifications

AWS Lambda Pricing

Amazon EC2 On-Demand Instances: Since the batch jobs cannot be disrupted, On-Demand Instances provide the necessary reliability and availability.

Amazon S3 Standard: Storing data in S3 Standard for the first 30 days ensures quick and frequent access.

S3 Glacier Deep Archive: After 30 days, moving data to S3 Glacier Deep Archive significantly reduces storage costs for data that is rarely accessed.

S3 Lifecycle Configuration: Automating the transition and deletion of objects using lifecycle policies ensures cost optimization and compliance with data retention requirements.

To improve availability and fault tolerance of an Amazon RDS instance, the recommended approach is to configure a Multi-AZ deployment.

Multi-AZ deployments for RDS automatically replicate data to a standby instance in a different Availability Zone (AZ).

If a failure occurs in the primary AZ (due to hardware, network, or power), RDS will automatically failover to the standby instance with minimal downtime, without administrative intervention.

This is an AWS-managed feature and does not require application modification.

It does not provide scalability or load balancing; it ' s designed for high availability and resiliency.

Options A, B, and D are incorrect:

A refers to cross-Region, which is used for disaster recovery, not high availability.

B and D with SQS do not address high availability directly for the RDS instance; queues help decouple systems but do not make a database more resilient.

???? Reference:

Amazon RDS Multi-AZ Deployments

Amazon S3 is suitable for storing data that needs to be accessed weekly and integrates with AWS Key Management Service (KMS) to provide encryption at rest with server-side encryption using KMS-managed keys (SSE-KMS).

SSE-KMS uses envelope encryption and allows automatic key rotation and logging through AWS CloudTrail, satisfying the requirements for audit trails and compliance.

S3 Glacier Deep Archive is unsuitable due to its high retrieval latency. SSE-C requires customer-side management of encryption keys, with no support for automatic rotation or audit. SSE-S3 does not use customer-managed keys and lacks fine-grained control and auditing.

CloudFront Signed URLs: These URLs allow you to provide limited access to content that is being served through an Amazon CloudFront distribution. Signed URLs can be generated to grant time-limited access to premium customers.

Content Restriction:

By using CloudFront signed URLs, you can control access to your media streams and file content stored in S3.

These URLs can be customized with an expiration time, ensuring that access is only available for a specific period, which is useful for scenarios like movie rentals or music downloads.

Security and Flexibility:

Signed URLs ensure that only authenticated users (premium customers) can access the restricted content.

This approach integrates seamlessly with CloudFront and S3, providing an efficient way to manage access controls without additional overhead.

Operational Efficiency: Using CloudFront signed URLs leverages AWS managed services to handle the complexity of access control, reducing the need for custom implementation and maintenance.

Express Workflows in AWS Step Functions are optimized for high-throughput, short-duration, and low-cost workflows. They are suitable for applications with large volumes of parallel and interdependent tasks. When paired with HTTP APIs from API Gateway, which are more cost-efficient than REST APIs, this setup offers scalability and cost-effectiveness.

The best AWS-native design isAmazon Kinesis Data Streamsfor real-time ingestion andAmazon OpenSearch Servicefor near-real-time search and analytics. AWS describes OpenSearch Service as a managed search and analytics engine for real-time application monitoring and similar use cases, and AWS also provides architectures for delivering real-time data from Kinesis into OpenSearch. QuickSight is then appropriate for dashboards and visualizations. The other answers either introduce more operational overhead or use services that are not the best fit for real-time search workloads. For an on-premises search application moving to AWS, Kinesis plus OpenSearch is the most natural managed solution.

============

For globally distributed consumers of REST APIs, API Gateway edge-optimized endpoints “route requests to the nearest CloudFront edge location, which then forwards them to your API in the [home] Region,” reducing latency for users worldwide and scaling automatically for unknown or spiky traffic. By contrast, Regional endpoints are intended for clients within the same or nearby Region and do not provide global edge acceleration. AWS Lambda provides automatic scaling for serverless backends; latency can be further reduced by right-sizing memory (which also increases CPU) and, when needed, enabling provisioned concurrency to keep functions initialized and eliminate cold starts for critical paths. Using NLBs across Regions is not serverless and adds operational complexity without CloudFront edge acceleration. Therefore, combining API Gateway edge-optimized REST APIs with Lambda meets the requirements of minimal global latency and unknown initial traffic.

Hardcoded database credentials create security risks and operational challenges, especially when compliance requires regular credential rotation. AWS Secrets Manager is the AWS-recommended service for securely storing, managing, and rotating secrets such as database credentials.

Option B is the correct solution because Secrets Manager natively supports automated credential rotation using AWS-managed or custom Lambda functions. By enabling rotation on a 90-day schedule, Secrets Manager automatically updates the credentials in the RDS database and stores the new values securely. The application retrieves credentials dynamically at runtime, eliminating the need for storing passwords on EC2 instances.

Options A, C, and D all rely on custom scripts, SSH access, and manual distribution of secrets, which significantly increases operational overhead, security risk, and failure potential. These approaches also violate AWS best practices by spreading sensitive credentials across multiple hosts.

Secrets Manager integrates with IAM for fine-grained access control, supports auditing through AWS CloudTrail, and improves overall security posture while reducing operational complexity. Therefore, B best meets the requirements in a secure, scalable, and compliant manner.

Storage Gateway Volume Gateway (Cached Volumes): This configuration allows you to store your primary data in Amazon S3 while retaining frequently accessed data locally in a cache for low-latency access.

Low-Latency Access: Frequently accessed data is cached locally on-premises, providing low-latency access while the less frequently accessed data is stored cost-effectively in Amazon S3.

Implementation:

Deploy a Storage Gateway appliance on-premises or in a virtual environment.

Configure it as a volume gateway with cached volumes.

Create volumes and configure your applications to use these volumes.

Minimal Infrastructure Changes: This solution integrates seamlessly with existing on-premises infrastructure, requiring minimal changes and reducing dependency on on-premises storage servers.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The security requirement is preventive: “prevent the deployment” of IAM roles that contain an overly permissive inline policy (Allow on Action:* and Resource:*). Preventive enforcement should occur at deployment time so noncompliant IAM resources are blocked before they exist. In a Control Tower-governed environment where resources are provisioned through CloudFormation, the most appropriate mechanism is a proactive control that evaluates templates and denies noncompliant stack operations.

Option A matches this intent. Control Tower proactive controls are designed to provide preventative guardrails by checking resource configurations (including Infrastructure as Code deployments) against defined rules and blocking deployments that violate policy. This stops risky IAM roles from being created in the first place, which is preferable to after-the-fact detection and cleanup.

Options B, C, and D are detective or reactive patterns. Detective controls (and AWS Config rules) can identify noncompliance after resources are created, but that does not “prevent deployment.” Even if remediation is automated (Option C), there is still a window where an overly permissive role exists and could be assumed or exploited. Option D only notifies, which is insufficient. Option B suggests deleting policies on deployment, but Control Tower detective controls are not intended to automatically delete deployed IAM policies; they primarily detect and report drift/noncompliance.

Therefore, A is the best solution because it enforces the requirement proactively by blocking noncompliant CloudFormation deployments, maintaining a stronger security posture and reducing operational burden associated with detection and remediation.

The correct answer isBbecause the requirement explicitly calls for awrite once, read many (WORM)approach and a mandatory retention period of1 year.Amazon S3 Object Lock in compliance modeis the AWS feature designed specifically for this purpose. It prevents objects from being deleted or overwritten for a fixed retention period, even by privileged users. That directly satisfies the need to preserve confidential medical results for at least one year after creation.

Usingcompliance modeis important because it enforces retention in a way that cannot be bypassed by users or administrators. This is appropriate for regulated workloads such as medical records, where strong immutability controls are required. The company can then useIAM policiesto allow only a small set of approved users to upload new files while granting other authorized users read-only access.

Option A is incorrect becauseMFA Deletehelps protect against accidental deletion, but it does not provide a full WORM retention model and does not prevent overwrites in the same way as Object Lock. Option C is not sufficient because IAM and bucket policies can be changed by administrators with enough permissions and therefore do not provide the same immutable retention guarantee. Option D is overly complex and does not enforce WORM behavior; tracking object hashes only detects changes after the fact.

AWS best practices for immutable retention on S3 recommendS3 Object Lockwhen legal hold or retention requirements exist. For least implementation effort and proper WORM enforcement,S3 Object Lock in compliance modeis the most appropriate solution.

ElastiCache for Redis OSS supportsMulti-AZ with automatic failover, which is exactly the feature required here. AWS documentation states that when Multi-AZ is enabled and the primary node fails, ElastiCache automatically promotes a read replica to primary, minimizing downtime and restoring write capability without requiring manual promotion steps. Backups are useful for recovery, but they do not provide automatic operational failover. A design that depends on manual promotion is also weaker than native automatic failover. Since the question explicitly asks for a solution that canautomatically fail over, the correct answer is to enableMulti-AZfor the replication group.

============

Service control policies (SCPs) in AWS Organizations apply to the accounts or OUs to which they are attached:

To restrict only nonproduction accounts, you can:

Attach the SCP directly to those specific member accounts (Option B), or

Create a dedicated OU for the nonproduction accounts and attach the SCP to that OU (Option E).

Both methods ensure that the deny policy affects only the nonproduction accounts and does not impact the production account.

Why the others are incorrect:

A: Attaching the SCP to the root OU would apply the deny to all accounts, including production, which does not meet the requirement.

C: SCPs attached to the management account only affect that account, not all member accounts.

D: Creating an OU for the production account and attaching the deny SCP there would block the prohibited instance types in production, which is the opposite of what is required.

AWS Spot best practices recommend diversifying capacity across multiple instance types and Availability Zones and using the capacity-optimized (price-capacity-optimized) allocation strategy to choose pools with the deepest capacity for higher availability. Adding a small On-Demand base in the Auto Scaling group maintains steady, uninterrupted baseline processing while keeping costs low and absorbing Spot interruptions. Option C (lowest price) increases interruption risk. Capacity Reservations (B) target On-Demand capacity guarantees and add cost, not needed for Spot-based elasticity. Option E is redundant; diversification is already achieved with (D). This combination maximizes resiliency of Spot workloads while preserving strong cost efficiency and aligns with AWS guidance for fault-tolerant, stateless applications on Spot.

The most secure way to grant an external vendor’s AWS-hosted automation tool access into a company AWS account is to use cross-account IAM role assumption. Option A follows the standard AWS pattern: the company creates an IAM role in its own account that has only the permissions the vendor needs, and the role’s trust policy allows the vendor’s IAM role (in the vendor’s AWS account) to assume it. This approach avoids creating long-lived credentials in the company account and supports least privilege, auditing, and easy revocation.

With role assumption, the vendor continues to authenticate in its own AWS account and uses AWS STS to obtain temporary credentials when accessing the company account. Temporary credentials reduce exposure compared to access keys because they expire automatically and can be constrained with session duration, external IDs (where appropriate), and conditions. The company retains full control over permissions through the role policy, and CloudTrail can record AssumeRole events and subsequent API activity for auditing.

Option B is less secure because it creates an IAM user in the company account and would typically require managing long-lived credentials for the vendor tool, increasing the risk of leakage and ongoing operational overhead. Option C is not valid because IAM users are not shared across accounts; you cannot “add” a user from another account into an IAM group in your account. Option D is incorrect because “AWS account” is not a typical IAM identity provider type for this purpose; cross-account access is done through role trust policies, not by creating an IdP with an AWS account ID and username.

Therefore, A is the most secure solution because it uses short-lived credentials, enforces least privilege, centralizes control in the company account, and provides strong auditability without issuing permanent access keys.

The correct answers areA, C, and Ebecause the company needs a fully managed solution forSFTP uploads to Amazon S3, followed byautomatic decryptionandmovement of files to another directorywithminimal operational overhead.AWS Transfer Familyis the best fit because it provides a managed SFTP endpoint directly integrated with Amazon S3. Configuring the S3 bucket as the home directory enables customers to upload files without the company needing to manage its own file transfer servers.

The requirement to avoid separate authentication services and minimize operational work is well served by nativeAWS Transfer Family workflows. A workflow can automatically run post-upload steps on files as they arrive. TheDECRYPTaction is specifically designed to decrypt uploaded encrypted files as part of the managed workflow. After decryption, theCOPYaction can place the processed file into the second directory in the same S3 bucket for downstream processing.

Option B is less appropriate because using S3 events and Lambda adds custom orchestration where a native Transfer Family workflow already handles the need more simply. Option D is incorrect because polling with an external script introduces unnecessary infrastructure and operational overhead. Option F is also incorrect because AWS Batch polling and custom decryption logic is far more complex than a managed file-transfer workflow.

AWS best practices favor managed services and native workflow features to reduce custom code and infrastructure management. Therefore, the best solution is to useAWS Transfer Family for SFTP uploads, along withTransfer Family workflow DECRYPTandCOPYactions to automate the full post-upload process.

Amazon DynamoDB supports two read consistency models: eventually consistent reads and strongly consistent reads. By default, DynamoDB uses eventual consistency, which means reads might not immediately reflect the most recent writes. This behavior explains why the application is not always receiving the latest data.

Because latency and performance are acceptable, the problem is not throughput or response time—it is data consistency. Therefore, the correct design change is to enable strongly consistent reads, which guarantee that reads always return the most up-to-date data after a successful write.

Option C is correct because strongly consistent reads ensure that the application sees the latest committed value for an item. This is critical for use cases such as inventory systems, user profiles, or transactional workflows where stale data can cause incorrect behavior.

Option A is invalid because DynamoDB does not support traditional read replicas. Option B does not affect consistency; GSIs are used to query data by alternative keys. Option D would worsen the problem because eventual consistency already causes stale reads.

Therefore, C is the appropriate recommendation to ensure correctness of returned data without changing the table schema or introducing additional complexity.

The company is looking for a solution that provides single sign-on (SSO) across multiple AWS accounts while continuing to manage users and groups in their on-premises Active Directory (AD). AWS IAM Identity Center (formerly AWS SSO) is the recommended solution for this type of requirement.

AWS IAM Identity Centerprovides a centralized identity management solution, enabling single sign-on across multiple AWS accounts and other cloud applications. It can integrate with on-premises Active Directory to leverage existing users and groups.

By configuring a two-way forest trust relationship between AWS Directory Service for Microsoft Active Directory and the company ' s on-premises Active Directory, users can be authenticated by their on-premises AD and still access AWS resources through IAM Identity Center. This solution allows centralized management of AWS accounts within AWS Organizations.

The two-way trust allows mutual access between the on-premises AD and the AWS Directory Service. This means that users and groups in the on-premises AD can be used for authentication in AWS IAM Identity Center while maintaining the existing identity management system.

AWS References:

AWS IAM Identity Center Documentation

AWS Directory Service for Microsoft Active Directory Trust Relationships

AWS Directory Service Integration with IAM Identity Center

Why the other options are incorrect:

A. Create an Enterprise Edition Active Directory in AWS Directory Service: This would require setting up a new directory and managing it in AWS, which adds unnecessary overhead. The requirement is to continue using the existing on-premises AD, making this option unsuitable.

C. Use AWS Directory Service and create a two-way trust relationship: While this approach establishes a trust between on-premises AD and AWS Directory Service, it does not address the single sign-on (SSO) requirements across multiple AWS accounts through IAM Identity Center.

D. Deploy an identity provider (IdP) on Amazon EC2: This is more complex than necessary and introduces more management overhead. AWS IAM Identity Center natively supports integration with on-premises Active Directory without requiring a custom IdP.

The least operational overhead approach is to use AWS Directory Service with AWS Managed Microsoft AD and establish a trust relationship with the existing on-premises Microsoft Active Directory. This pattern lets employees continue using their existing corporate credentials while AWS operates the directory infrastructure (patching, monitoring, availability, and domain controller management), reducing the burden compared to building and maintaining custom federation components. With a trust in place, identities and group memberships from the on-premises directory can be used for authentication and authorization workflows in AWS.

To provide role-based access to AWS resources and the AWS Management Console, users should assume IAM roles that grant permissions based on job function. IAM roles with appropriate trust policies enable temporary credentials and least-privilege access without creating long-lived IAM users for every employee. This aligns with AWS best practices of centralized identity management and using roles for access control.

Option B is not a standard direct integration pattern: IAM does not “LDAP bind” directly to on-premises AD for console access. Option C can work (custom identity broker + STS) but increases operational overhead because the company must build, secure, operate, and maintain the broker, including availability, updates, and incident response. Option D is not the typical solution for employee console federation from AD; Amazon Cognito is primarily aimed at customer identity and application sign-in, not as the primary mechanism for workforce console access to AWS accounts.

Therefore, A provides the required federation with the smallest operational footprint while supporting role-based access control.

AWS provides EBS Block Public Access at the organization level in AWS Organizations. When enabled, it prevents any EBS snapshot—across all member accounts—from being shared publicly.

This is an organization-wide control implemented centrally, with no need for per-account configuration, monitoring rules, or custom IAM policy enforcement.

AWS Config (Option A) would only detect issues after they occur. IAM restrictions (Option C) are less effective because snapshot permission changes can occur through multiple paths. CloudTrail (Option D) only logs events and does not block public sharing.

=====================================================

AWS Glue Crawler: AWS Glue is a fully managed ETL (Extract, Transform, Load) service that makes it easy to prepare and load data for analytics. A Glue crawler can automatically discover new data and schema in Amazon S3, making it easy to keep the data catalog up-to-date.

Crawling the Data:

Set up an AWS Glue crawler to scan the S3 bucket containing the clickstream data.

The crawler will automatically detect the schema and create/update the tables in the AWS Glue Data Catalog.

Amazon Athena:

Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.

Once the data catalog is updated by the Glue crawler, use Athena to query the clickstream data directly in S3.

Operational Efficiency: This solution leverages fully managed services, reducing operational overhead. Glue crawlers automate data cataloging, and Athena provides a serverless, pay-per-query model for quick data analysis without the need to set up or manage infrastructure.

Amazon S3 is the most scalable and cost-optimized object storage for large amounts of data. It integrates natively with Amazon SageMaker, which allows direct access to S3 data for machine learning training jobs without the need to copy data elsewhere. The S3 Intelligent-Tiering storage class further optimizes storage costs for data with unknown or changing access patterns, while maintaining immediate availability for ML training.

Copying to FSx for Lustre or EFS adds unnecessary complexity and cost unless ultra-high throughput POSIX file access is specifically required, which is not mentioned here.

AWS Documentation Extract:

" Amazon S3 provides cost-effective storage for ML data sets, and Amazon SageMaker can directly access data in S3. S3 Intelligent-Tiering automatically moves data between frequent and infrequent access tiers, optimizing costs for changing data access patterns. "

(Source: AWS S3 and SageMaker documentation)

A, D: FSx for Lustre or EFS may be used in specialized cases but are not cost-optimized for general large-scale ML data storage.

C: SageMaker notebook instance storage is not designed for large-scale data ingestion or long-term storage.

For high availability, Amazon ElastiCache for Redis supports Multi-AZ with automatic failover, which provides primary and replica nodes in different Availability Zones. If the primary node fails, Redis automatically promotes a replica to primary.

From AWS Documentation:

“When you enable Multi-AZ with automatic failover, Amazon ElastiCache automatically detects failures and promotes a read replica to primary with minimal downtime.”

(Source: Amazon ElastiCache for Redis User Guide)

Why B is correct:

Multi-AZ provides automatic failover and data replication.

Ensures continuous availability and protects against node or AZ failures.

Fully managed with no manual intervention needed.

Why others are incorrect:

A: Manual promotion is not automatic.

C & D: Restoring from backup is slow and meant for disaster recovery, not failover.

The primary requirements are automatic scaling, resilience to traffic spikes, and guaranteed order durability without losing customer orders. Option D follows a well-established, AWS-recommended decoupled architecture pattern that meets all these requirements.

Using an Application Load Balancer (ALB) provides Layer 7 request routing and distributes incoming traffic across multiple EC2 instances in Auto Scaling groups, allowing the application layer to scale horizontally as traffic increases. This ensures that spikes in web traffic do not overwhelm individual instances.

The critical resilience feature in this design is Amazon SQS, which acts as a durable buffer for unprocessed customer orders. If the application experiences a sudden traffic surge or if downstream processing slows, SQS stores incoming orders reliably until they can be processed. This decoupling prevents request loss and protects the user experience by absorbing load bursts.

Processed orders are stored in Amazon RDS with a Multi-AZ deployment, which provides synchronous replication to a standby instance in another Availability Zone and automatic failover. This ensures high availability and data durability for transactional order data.

The other options misuse services or introduce unnecessary complexity. NAT gateways (Option A) do not manage web traffic or provide resiliency for application workloads. Redshift (Option B) is an analytics data warehouse and not suitable for transactional order processing. Gateway Load Balancer (Option C) is designed for network appliances, not application traffic management or order capture.

Therefore, D is the correct solution because it combines load balancing, auto scaling, message queuing, and highly available databases to deliver a resilient, scalable, and fault-tolerant order processing architecture.

To ensure that log files are immutable and cannot be deleted or overwritten for a specified retention period, Amazon S3 offers Object Lock in Compliance Mode. When enabled:

Compliance Mode: Ensures that a protected object version can ' t be overwritten or deleted by any user, including the root user in your AWS account, for the duration of the retention period. AWS Documentation

S3 Versioning: Must be enabled on the bucket to use Object Lock. This allows multiple versions of an object to be stored, ensuring that previous versions are preserved and protected. Amazon Web Services, Inc.

By enabling S3 Versioning and applying Object Lock in Compliance Mode with a 1-year retention period, the company can meet regulatory requirements to retain log data securely and prevent any modifications or deletions during that time.

To meet the requirements, the key must support automatic rotation, and the company must be able to disable (deactivate) the key and schedule deletion. In AWS KMS, these lifecycle controls are available for customer managed keys. Automatic key rotation is supported for symmetric customer managed KMS keys used for encryption and decryption operations. When automatic rotation is enabled, AWS KMS generates new cryptographic material for the key on a regular schedule while the key ID remains the same, helping organizations meet compliance and security best practices without manual operational work.

Option C is the only choice that explicitly combines a symmetric customer managed key with automatic rotation enabled, which directly satisfies the rotation requirement. As a customer managed key, it can also be disabled (to prevent use) and scheduled for deletion (with a waiting period), meeting the rest of the lifecycle needs.

Option A is incorrect because automatic rotation is not generally available for asymmetric KMS keys in the same way; asymmetric keys are used for specialized use cases such as signing or asymmetric encryption, and rotation behavior differs. Options B and D mention “disabling envelope encryption,” which is not a configurable “option” you turn off in KMS; envelope encryption is a recommended pattern where KMS protects data keys, and services commonly use it under the hood. Those options therefore do not describe a valid configuration that meets the requirement.

Therefore, the correct solution is to create a symmetric customer managed KMS key and enable automatic rotation, while using standard KMS controls to disable and schedule deletion when required.

For the migration of data from an on-premises Oracle database to Amazon Aurora PostgreSQL, this solution effectively handles schema conversion, data migration, and ongoing data replication.

AWS Schema Conversion Tool (SCT): SCT is used to convert the Oracle database schema to a format compatible with Aurora PostgreSQL. This tool automatically converts the database schema and code objects, like stored procedures, to the target database engine.

AWS Database Migration Service (DMS): DMS is employed to perform the data migration. It supports both full-load migrations (for initial data transfer) and continuous replication of ongoing changes (Change Data Capture, or CDC). This ensures that any updates to the Oracle database during the migration are captured and applied to the Aurora PostgreSQL database, minimizing downtime.

Why Not Other Options?:

Option A (SCT + DMS full-load only): This option does not capture ongoing changes, which is crucial for a live database migration to ensure data consistency.

Option B (DataSync + S3): AWS DataSync is more suited for file transfers rather than database migrations, and it doesn’t support ongoing change replication.

Option D (Snowball + S3): Snowball is typically used for large-scale data transfers that don’t require continuous synchronization, making it less suitable for this scenario where ongoing changes must be captured.

AWS References:

AWS Schema Conversion Tool- Guidance on using SCT for database schema conversions.

AWS Database Migration Service- Detailed documentation on using DMS for data migrations and ongoing replication.

Kinesis Data Streams is the right ingestion service for real-time streaming data, and AWS Lambda is the least-operations compute option for processing and transforming records from the stream. AWS documents that Lambda can process events from stream sources such as Kinesis without infrastructure management. Storing the transformed data in DynamoDB provides durable, scalable storage for later analysis. The EC2 option introduces server management overhead. SQS is useful for queued work, but the question specifically centers on streaming data. SNS with ElastiCache is also not a durable analysis store design. Therefore, Kinesis Data Streams plus Lambda plus DynamoDB is the lowest-overhead architecture among the choices.

============

Amazon S3 presigned URLs are the most secure fit because they providetime-limited access to specific objectswithout requiring the external vendor to have AWS credentials or direct bucket permissions. AWS documentation states that presigned URLs grant temporary access to private S3 objects and can be used for downloads through a browser or program. This is stronger than creating an IAM user or sharing temporary keys because those methods still expose AWS credentials to a third party. A bucket policy based only on source IP is broader and less precise than object-level, time-bounded access. Presigned URLs let the company control exactlywhich objectcan be downloaded andfor how long, which is exactly what the scenario requires. (AWS Documentation)

============

AWS STS is the best choice because it issuestemporary security credentialsthat expire automatically, which removes the need to create and later deactivate long-lived IAM users. AWS guidance for third-party and short-term access explicitly recommends roles and temporary credentials instead of sharing long-term credentials. Using predefined IAM roles also makes it easy to assign different permission levels to different contractors while keeping access centrally controlled. IAM users create more administrative effort and leave credential-lifecycle management to the company. AWS Config and CloudTrail are useful for governance and auditing, but they are not the primary mechanism for granting short-term role-based access. Therefore, STS with predefined roles is the most secure and lowest-overhead solution.

============

This workload is a strong candidate forAWS Batch with EC2 Spot Instancesbecause the jobs can tolerate interruptions and resume after restart. AWS documents that Spot Instances are a cost-saving option for interruption-tolerant workloads, and AWS Batch is built to manage batch jobs efficiently across EC2 capacity. AWS Batch guidance also notes that Spot is well suited when jobs can be retried or resumed, which matches the scenario. On-Demand Capacity Reservations do not optimize cost, and Savings Plans still cost more than Spot for an interruption-tolerant batch pattern. Therefore, AWS Batch with Spot gives the best balance of automation and lower compute cost.

============

The most effective and AWS-recommended way to mitigate unwanted traffic at the edge is to use AWS WAF integrated with CloudFront. Option D allows the architect to block or throttle malicious traffic before it reaches the ALB or EC2 instances.

Rate-based rules automatically block IP addresses that exceed a defined request threshold, making them ideal for mitigating abusive traffic patterns. This reduces load on backend resources and improves performance for legitimate users.

Options A, B, and C are less effective or introduce unnecessary cost and complexity. Shield does not provide granular rate control, Auto Scaling increases cost, and NACLs are difficult to manage dynamically.

Therefore, D is the correct and most secure solution.

Amazon API Gateway with CloudFront: API Gateway allows you to create, deploy, and manage APIs, while CloudFront provides a CDN to deliver content with low latency and high transfer speeds.

AWS WAF (Web Application Firewall):

AWS WAF can be configured in CloudFront to protect against common web exploits, including SQL injection and cross-site scripting (XSS).

WAF allows you to create custom rules to block specific attack patterns and can be managed centrally.

Configuration:

Deploy your APIs using Amazon API Gateway.

Set up an Amazon CloudFront distribution in front of the API Gateway.

Configure AWS WAF on the CloudFront distribution to apply security rules.

Operational Efficiency: This solution provides robust protection with minimal operational overhead by leveraging managed AWS services, ensuring that your APIs are secure without extensive custom implementation.

To meet the requirement of controlling key rotation with minimal operational overhead, creating acustomer managed key(CMK) in AWS KMS is the optimal solution. With CMKs, you can define custom key rotation policies, ensuring that you retain control over the key lifecycle, including enabling automatic key rotation every year.

Key AWS features:

Custom Key Management: A customer managed key allows you to control the key policies, lifecycle, and enable key rotation for compliance.

Least Operational Overhead: Using a customer managed key simplifies encryption management while offering more flexibility than AWS managed or owned keys.

AWS Documentation: The AWS Well-Architected Framework recommends customer managed keys for environments where key control and flexibility are required​.

Amazon ECS is the lowest-overhead choice because it avoids the control-plane and node-management work of EKS or raw EC2 while still supporting highly available multi-AZ placement. AWS ECS guidance notes that the service scheduler canspread tasks across Availability Zones, and target tracking scaling is a standard way to scale ECS services based on demand. Setting a minimum capacity of 3 ensures at least one task can remain in each Availability Zone, improving resilience. The EC2 and EKS options require more infrastructure management, and Lambda is not the right fit for generic containerized application workloads. Therefore, ECS with spread placement across AZs and service auto scaling is the best answer.

When designing a microservice architecture where each microservice interacts with different AWS services, it ' s essential to follow the principle of least privilege. This means granting each microservice only the permissions it needs to perform its tasks, reducing the risk of unauthorized access or accidental actions.

The recommended approach is to create individualIAM roleswith policies that grant each microservice the specific permissions it requires. Then, these roles should be associated with the EC2 instances that run the corresponding microservice. By doing so, each EC2 instance will assume its specific IAM role, and permissions will be automatically managed by AWS.

IAM roles provide temporary credentials via the instance metadata service, eliminating the need to hard-code credentials in your application code, which enhances security.

AWS References:

IAM Roles for Amazon EC2explains how EC2 instances can use IAM roles to securely access AWS services without managing long-term credentials.

Best Practices for IAMincludes recommendations for implementing the least privilege principle and using IAM roles effectively.

Why the other options are incorrect:

A. Assign an IAM user to each microservice: This requires managing long-term credentials (access keys), which should be avoided. Storing keys in application code is insecure and creates a maintenance burden.

B. Create a single IAM role: This violates the principle of least privilege, as a single role with broad permissions across all services is less secure.

C. Use AWS Organizations: This approach adds unnecessary complexity. Managing permissions at the account level for each microservice is excessive for this use case and doesn ' t adhere to the principle of least privilege.

The most scalable and managed solution for streaming ingestion, real-time transformation, and delivery to Amazon S3 is Amazon Kinesis Data Streams, Amazon Managed Service for Apache Flink, and Amazon Kinesis Data Firehose.

From AWS Documentation:

“Amazon Kinesis Data Streams enables real-time processing of streaming data at massive scale. With Apache Flink on Kinesis Data Analytics, you can process data streams in near real-time, then use Amazon Kinesis Data Firehose to reliably deliver that data to S3.”

(Source: Amazon Kinesis Developer Guide)

Why A is correct:

Fully managed: All services involved are serverless and managed.

Real-time ingestion: Kinesis Data Streams supports sub-second latency and can handle high-throughput workloads like 100,000+ devices.

Near real-time processing: Apache Flink is designed for continuous stream processing with complex event handling.

Efficient delivery: Kinesis Firehose delivers processed data directly to S3 with retry and backup capability.

Why other options are incorrect:

Option B: SQS is not optimized for real-time streaming at high volume.

Option C: EC2 + Kafka + EMR adds high operational overhead and cost.

Option D: EventBridge is event-driven, not designed for high-throughput streaming; AWS Batch is unsuitable for near real-time processing.

A Network Load Balancer (NLB) supports IP address-based targets, which allows the use of both EC2 and on-premises endpoints. It also supports a static IP address or Elastic IP, which meets the requirement for a fixed IP address needed by some users.

NLB offers high performance, low latency, and minimal operational overhead. Application Load Balancer only supports instance or Lambda targets, not IP addresses outside the VPC. Route 53 Resolver is for DNS, and API Gateway is for HTTP-based APIs, not web applications.

AWS Certificate Manager (ACM) issues and automatically renews public TLS certificates used by Amazon CloudFront. With DNS validation, ACM creates CNAME records that prove domain control; once validated, renewals occur automatically without manual approval, providing the lowest operational effort. For CloudFront, ACM certificates must be in the US East (N. Virginia) Region. CloudFront security policies (A) configure protocol/cipher requirements, not certificate issuance. OAC (B) secures origin access and is unrelated to certificate management. Email validation (D) requires mailbox approvals and operational handling at issuance/renewal, which is less efficient than DNS validation. Thus, ACM with DNS validation delivers automated creation and renewal with minimal overhead.

Amazon QuickSight includes built-in ML-powered forecasting capabilities, allowing you to create, visualize, and interact with time series forecasts directly within the BI dashboard, with no ML experience or infrastructure management required. This is the lowest management overhead solution.

AWS Documentation Extract:

" Amazon QuickSight provides built-in ML-powered forecasting, allowing business users to forecast future trends with a few clicks and no machine learning expertise required. "

(Source: Amazon QuickSight documentation)

A, C, D: Require additional setup, management, or ML knowledge.

Amazon RDSBlue/Green Deploymentsis the ideal solution for upgrading the database version with minimal operational overhead and no data loss. Blue/Green Deployments allows you to create a separate, fully managed " green " environment with the upgraded database version. You can test the new version in the green environment while the " blue " environment continuesserving production traffic. Once testing is complete, you can seamlessly switch traffic to the green environment without downtime.

This solution provides:

Fast, non-disruptive upgrade: Traffic is only switched to the new environment after testing, ensuring zero data loss.

Minimal operational overhead: AWS handles the infrastructure management, reducing manual intervention.

Option A (Manual snapshot): This requires manual intervention and involves more operational overhead.

Option B (Native backup/restore): This approach is more labor-intensive and slower than Blue/Green Deployments.

Option C (DMS): AWS DMS adds unnecessary complexity for a simple version upgrade when Blue/Green Deployments can handle the task more efficiently.

AWS References:

Amazon RDS Blue/Green Deployments

This solution offers the most scalable and cost-effective approach with minimal changes to the existing web portal and no code modifications.

Amazon EC2 On-Demand Instances in an Auto Scaling Group: Running the web portal on EC2 On-Demand instances ensures 100% uptime and scalability. The Auto Scaling group will maintain the desired number of instances, automatically scaling up or down as needed, ensuring high availability for the employee web portal.

AWS Lambda for Document Extraction: Lambda is a serverless compute service that allows you to run code in response to events without provisioning or managing servers. By using Lambda to run the document extraction program, you can trigger the function whenever an employee uploads a document. This approach is cost-effective since you only pay for the compute time used by the Lambda function.

No Code Changes Required: This solution integrates with the existing infrastructure with minimal implementation effort and does not require any modifications to the web portal ' s code.

Why Not Other Options?:

Option B (Spot Instances): Spot Instances are not suitable for workloads requiring 100% uptime, as they can be terminated by AWS with short notice.

Option C (Savings Plan): A Savings Plan could reduce costs but does not address the requirement for running the document extraction program efficiently or without code changes.

Option D (S3 with API Gateway and Lambda): This would require significant changes to the existing web portal setup, including moving the portal to S3 and reconfiguring its architecture, which contradicts the requirement of minimal implementation effort and no code changes.

AWS References:

Amazon EC2 Auto Scaling- Information on how to use Auto Scaling for EC2 instances.

AWS Lambda- Overview of AWS Lambda and its use cases.

The requirements include:

Scalability: The solution must scale as video files are uploaded.

Long-running tasks: Processing tasks can take up to 30 minutes. AWS Lambda has a maximum execution time of 15 minutes, which rules out options that involve Lambda performing all the processing.

Serverless and event-driven architecture: Ensures cost-effectiveness and high availability.

Analysis of Options:

Option A:

AWS Lambda has a 15-minute timeout, which cannot support tasks that take up to 30 minutes.

EventBridge Scheduler is unnecessary for monitoring files when native event notifications are available.Not a valid choice.

Option B:

AWS Step Functions and AWS Fargate can handle long-running processes, but Amazon EFS is not the ideal storage for uploaded video files in a serverless architecture.

Processing tasks triggered by EFS events are not a common pattern and may introduce complexities.Not the best practice.

Option C:

Amazon S3 is used for storing uploaded files, which integrates natively with event-driven services like EventBridge and Step Functions.

Amazon S3 event notifications trigger a Step Functions workflow, which can orchestrate Fargate tasks to process large video files, meeting the scalability and execution time requirements.Correct choice.

Option D:

Similar to Option A, AWS Lambda cannot handle long-running processes due to its 15-minute timeout.

Invoking Lambda for processing directly is not feasible for tasks that take up to 30 minutes.Not a valid choice.

AWS References:

Amazon S3 Event Notifications:AWS Documentation - S3 Event Notifications

AWS Step Functions:AWS Documentation - Step Functions

AWS Fargate:AWS Documentation - Fargate

Comparison of Storage Services:AWS Storage Options

By leveragingAmazon S3,Step Functions, andFargate, this solution provides a scalable, efficient, and serverless approach to handling video processing tasks.

The requirement that the security team manage key lifecycle actions such as creation, deletion, and rotation points tocustomer managed AWS KMS keys, not SSE-S3. Customer managed KMS keys allow fine-grained IAM authorization for both the Lambda execution role and the security administrator group. That supports least privilege because the Lambda role can be restricted to decrypt usage, while the administrator group can be limited to the KMS management actions it actually needs. The other answers either do not provide the required KMS management control or grant permissions too broadly. Therefore, using customer managed KMS keys with separate, scoped IAM permissions for decryption and key administration is the correct design.

============

AWS Transfer Family is a fully managed service that provides SFTP, FTPS, and FTP access directly to Amazon S3. It allows organizations to support legacy data transfer protocols without managing infrastructure. This approach gives the vendors a familiar SFTP interface, with files landing directly in S3, and requires minimal operational effort compared to managing EC2 servers or using gateways.

Reference Extract from AWS Documentation / Study Guide:

" AWS Transfer Family enables secure transfer of files directly into and out of Amazon S3 using SFTP, FTPS, and FTP, and is fully managed by AWS, significantly reducing operational overhead. "

Source: AWS Certified Solutions Architect – Official Study Guide, Data Migration and Transfer section.

Edge-Optimized API: Designed for global users by routing requests through CloudFront ' s edge locations, reducing latency.

Content Encoding: Enabling content encoding compresses data, further optimizing performance by decreasing payload size.

Caching: Adding API Gateway caching reduces the number of calls to Lambda and database backends, improving latency.

Reserved Concurrency: Although useful, this does not directly affect latency for transferring static and dynamic content.

AWS API Gateway Edge-Optimized APIs Documentation

The most cost-effective solution for serving video content with different bitrates is to store multiple versions of each video inAmazon S3. S3 provides scalable and cost-effective storage for largemedia files. Serving the videos from a single Amazon EC2 instance ensures low-latency delivery, and S3 storage helps minimize costs.

Option A (ElastiCache): Caching large video files in memory would be prohibitively expensive and unnecessary.

Option B (Auto Scaling group): Using Auto Scaling groups to serve video is less cost-effective compared to leveraging S3 for static storage.

Option D (Kinesis Video Streams): Kinesis Video Streams is designed for real-time video streaming and is not suitable for storing and serving pre-recorded videos.

AWS References:

Amazon S3 for Media Storage

Amazon Managed Service for Apache Flink (formerly Kinesis Data Analytics) is a fully managed, serverless service for real-time processing of streaming data. You can consume data from Kinesis Data Streams, perform anomaly detection, and then output the results to another Kinesis stream. This approach is loosely coupled, fully managed, and does not require modifying the application code.

AWS Documentation Extract:

“Amazon Managed Service for Apache Flink enables you to process streaming data in real time, integrating with Kinesis Data Streams as source and sink, and is fully managed and serverless.”

(Source: Apache Flink on AWS documentation)

B: S3/Redshift is not real-time and adds complexity.

C, D: EC2/ECS solutions are not serverless or fully managed.

Analysis:

The solution must handle variable sales volumes, preserve transaction information, and store data in an Amazon Aurora database with minimal operational overhead. UsingAPI Gateway, AWS Lambda, and SQSis the best option because it provides scalability, reliability, and resilience.

Why Option A is Correct:

API Gateway: Serves as an entry point for transaction data in a serverless, scalable manner.

AWS Lambda: Processes the transactions and sends them to Amazon SQS for queuing.

Amazon SQS: Buffers the transaction data, ensuring durability and resilience against spikes in transaction volume.

Second Lambda Function: Processes messages from the SQS queue and updates the Aurora database, decoupling the workflow for better scalability.

Dead-Letter Queue (DLQ): Ensures failed transactions are logged for later debugging or reprocessing.

Why Other Options Are Not Ideal:

Option B:

Using an ALB with ECS on EC2 introduces operational overhead, such as managing EC2 instances and scaling ECS tasks.Not cost-effective.

Option C:

EKS is highly operationally intensive and requires Kubernetes cluster management, which is unnecessary for this use case.Too complex.

Option D:

Amazon Data Firehose and DMS are not designed for real-time transactional workflows. They are better suited for data analytics pipelines.Not suitable.

AWS References:

Amazon API Gateway:AWS Documentation - API Gateway

AWS Lambda:AWS Documentation - Lambda

Amazon SQS:AWS Documentation - SQS

Amazon Aurora:AWS Documentation - Aurora

AWSDirect Connectis the best solution for establishing a consistent, low-latency connection from an on-premises data center to AWS without using the public internet. Direct Connect offers dedicated, high-throughput, and low-latency network connections, which are ideal for performance-sensitive applications like a trading platform that processes high volumes of market data and stock trades.

Direct Connect provides a private connection to your AWS VPC, ensuring that data doesn ' t traverse the public internet, which enhances both security and performance consistency.

AWS References:

AWS Direct Connectprovides a dedicated network connection to AWS services with consistent, low-latency performance.

Best Practices for High Performance on AWSfor performance-sensitive workloads like trading platforms.

Why the other options are incorrect:

A. AWS Client VPN: While this offers secure connectivity, it ' s over the public internet and is not designed for the low-latency, high-performance needs of a trading platform.

C. AWS PrivateLink: PrivateLink is used for connecting VPCs and services within AWS, but it is not designed for connecting on-premises data centers to AWS.

D. AWS Site-to-Site VPN: Although this provides secure connectivity, it uses the public internet, which can introduce latency and doesn ' t meet the low-latency requirements of the use case.

Key Problem:

Delayed Inventory table updates during peak sales.

DynamoDB Streams and Lambda processing require optimization.

Analysis of Options:

Option A:Adding a GSI is unrelated to the issue. It does not address stream processing delays or capacity issues.

Option B:Optimizing batch size reduces latency and allows the Lambda function to process larger chunks of data at once, improving performance during peak load.

Option C:Increasing write capacity for the Inventory table ensures that it can handle the increased volume of updates during peak times.

Option D:Increasing read capacity for the Orders table does not directly resolve the issue since the problem is with updates to the Inventory table.

Option E:Increasing Lambda timeout only addresses longer processing times but does not solve the underlying throughput problem.

AWS References:

DynamoDB Streams Best Practices

Provisioned Throughput in DynamoDB

The Kubernetes Horizontal Pod Autoscaler (HPA) scales pods, not nodes. When the cluster runs out of node capacity, the HPA cannot schedule more pods.

On Amazon EKS, AWS recommends using the Kubernetes Cluster Autoscaler to automatically adjust the number of nodes in the cluster’s underlying Auto Scaling group based on pending pods.

Cluster Autoscaler watches for pods that cannot be scheduled because of insufficient resources and then scales out nodes automatically with minimal administrative overhead. It also scales in nodes when they are underutilized.

Why others are not correct:

A: Just tracking memory usage does not automatically scale nodes or integrate with Kubernetes scheduling.

C: A custom Lambda-based resizer is unnecessary undifferentiated heavy lifting compared to the native Cluster Autoscaler.

D: An Auto Scaling group is already typically used under EKS, but by itself it does not respond to pod scheduling pressure without Cluster Autoscaler.

Amazon EBS io2 Block Express volumes are designed to deliver sub-millisecond latency and up to 256,000 IOPS per volume, with durability and high availability. This makes io2 Block Express the recommended choice for workloads requiring very high and predictable IOPS, such as enterprise databases and high-transaction-rate applications.

Reference Extract:

" EBS io2 Block Express volumes deliver up to 256,000 IOPS and sub-millisecond latency, supporting high-performance, high-durability workloads. "

Source: AWS Certified Solutions Architect – Official Study Guide, EBS Performance section.

Amazon EMR is the strongest fit here because AWS describes EMR as a service for processing, analyzing, transforming, and moving large amounts of data, and EMR supports running parallel steps for distributed processing. The question explicitly wantsparallel processingof large semistructured data in S3, which matches EMR well. AWS also documents a supported pattern forloading data from Amazon EMR to Amazon Redshift, and Redshift supports querying semistructured data, which makes EMR plus Redshift a natural enrichment workflow. Athena and Glue can be useful in some analytics patterns, but the requirement for parallel high-volume processing points most directly to EMR.

============

Option B: Pre-signed URLs provide temporary, authenticated access to S3, limiting uploads to the time frame specified. This solution is lightweight, efficient, and easy to implement.

Option Arequires the management of IAM temporary credentials, adding complexity.

Option Cinvolves unnecessary development effort.

Option Dintroduces more complexity with STS and roles than pre-signed URLs.

AWS documentation states that EC2 Auto Scaling is the recommended, cost-effective, and fault-tolerant method to manage workloads with predictable or varying demand. Auto Scaling automatically adds instances during peak traffic and terminates them when demand is low, reducing compute cost while maintaining availability across multiple Availability Zones.

Reserved Instances (Option B) would force the company to pay for peak capacity all day, which is not cost-effective.

Stopping instances manually (Option C) or vertically scaling instances (Option D) reduces fault tolerance and increases operational overhead.

=====================================================

To optimize storage costs, migrating data from Amazon EFS to Amazon S3 with the Intelligent-Tiering storage class is a cost-effective solution.

Amazon S3 Intelligent-Tiering: This storage class automatically moves data between frequent, infrequent, and archive access tiers based on access patterns, reducing storage costs without impacting performance.

Cost Savings: By leveraging Intelligent-Tiering, the company can achieve significant cost savings, especially for data with unpredictable access patterns.

Application Update: The application must be updated to interact with Amazon S3 APIs for storing and retrieving files, ensuring seamless integration with the new storage solution.

This approach provides a scalable, durable, and cost-effective storage solution, aligning with the company ' s optimization goals.

An Application Load Balancer supports path- and host-based routing, which makes it ideal for routing requests based on subdomains. EC2 Auto Scaling ensures that the number of instances adjusts dynamically based on traffic, which helps manage cost and performance during predictable peak hours.

For cross-account access, the standard AWS pattern is to create an IAM role in the resource-owning account (the company’s account) and configure the trust policy to allow the external vendor account to assume that role.

Option D correctly follows this model. The company creates an IAM role with the necessary CloudWatch Logs permissions and configures the trust policy to trust the vendor’s IAM role ARN. The vendor then assumes this role to access logs securely.

The other options misconfigure trust relationships or place permissions in the wrong account, breaking the cross-account access model. Therefore, D is the correct solution.

Amazon DynamoDB supports TTL (Time To Live) for automated, scheduled deletion of expired items. It also offers point-in-time recovery (PITR) to restore the table to any second within the retention window (typically up to 35 days), providing full data durability and protection. DynamoDB can efficiently handle frequent updates and offers predictable performance. MemoryDB is an in-memory store, not designed for durable recovery. S3 with lifecycle policies does not handle updates as efficiently for small, frequent writes and is not as optimal for session data.

Reference Extract:

" DynamoDB supports TTL for automated expiration and deletion of items and PITR for continuous backups and restoration of data. "

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB section.

For infrequent or ad hoc querying of log data, Amazon S3 + Amazon Athena provides the most cost-effective, serverless, and scalable analytics solution.

From AWS Documentation:

“Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.”

(Source: Amazon Athena User Guide)

Why A is correct:

Amazon S3 offers durable, scalable, and cost-efficient storage.

Athena allows SQL-based querying on structured or semi-structured data like logs.

No need to provision or manage infrastructure.

Ideal for occasional querying at low cost.

Why the others are not optimal:

Option B: OpenSearch adds cost and is best for frequent, low-latency log querying.

Option C: RDS is not optimized for large-scale write-heavy log ingestion and costs more.

Option D: CloudWatch Logs is suitable for real-time monitoring, not for long-term storage and analytics of large log volumes.

Among the listed choices, the best solution is to place an AWS Lambda function in the same VPC and use it as the EventBridge target. EventBridge natively supports Lambda as a target, and a Lambda function that runs in the VPC can call the private API without exposing that API publicly. The internet-facing ALB and NLB options violate the requirement to avoid public IP exposure. The direct-target option is also not expressed correctly for a plain private API endpoint, because modern direct private API targeting in EventBridge requiresconnections and VPC Lattice resource configurations, not simply naming a private VPC endpoint as a raw target. Therefore, Lambda as the bridge component is the correct answer from the provided choices. (AWS Documentation)

============

Automated backupsare the correct answer because Amazon RDS uses daily automated backups together with transaction logs to support point-in-time recovery. AWS documentation states that RDS can retain automated backups for up to 35 days and uploads transaction logs every 5 minutes, which supports restoring to a specific point in time with a maximum of about 5 minutes of data loss. Read replicas are mainly for scaling reads, not for fine-grained restore after accidental edits. Manual snapshots are point-in-time copies, but they do not provide continuous point-in-time recovery. Multi-AZ improves availability, not historical recovery from user mistakes. Therefore, automated backups are the right feature for this data-loss recovery requirement. (AWS Documentation)

============

To access an EFS file system across accounts and VPCs, the EFS must be mounted using VPC peering or AWS Transit Gateway, and the EC2 instances must use the amazon-efs-utils package with the correct mount target or access point.

Using an EFS access point simplifies access management, especially across accounts, by providing a POSIX identity and access policy layer.

VPC sharing doesn’t support EFS directly unless the subnet and resources are shared properly, which requires redeployment. Therefore, option D is the most complete and correct.

AWS Direct Connect: Provides a dedicated network connection from your on-premises data center to AWS, ensuring low latency and consistent network performance.

Direct Connect Gateway Association:

Direct Connect Gateway: Acts as a global network transit hub to connect VPCs across different AWS regions.

Association with Transit Gateway: Enables communication between on-premises data centers and multiple VPCs connected to the transit gateway.

Transit Virtual Interface (VIF):

Create Transit VIF: To connect Direct Connect with a transit gateway.

Setup Steps:

Establish a Direct Connect connection.

Create a transit VIF to the Direct Connect gateway.

Associate the Direct Connect gateway with the transit gateway attached to the VPCs.

Cost Efficiency: This combination avoids the recurring costs and potential performance variability of VPN connections, providing a robust, low-latency hybrid network solution.

The correct approach is to attach anIAM roleto the EC2 instance profile and grant that role permission to read the secret fromAWS Secrets Manager. AWS documentation states that Secrets Manager uses IAM for authentication and authorization, and EC2 instance profiles are the supported mechanism for providing temporary credentials to applications running on EC2 instances. This avoids hardcoded credentials and removes the need for long-term access keys on the server. The other options either misuse IAM users, rely on the wrong access mechanism, or do not reflect how Secrets Manager permissions are normally granted to workloads.

============

Aservice control policyattached at the organization root is the right preventive control because SCPs define the maximum permissions for principals in member accounts across the organization. AWS documentation states that SCPs restrict permissions for IAM users and roles in member accounts and that an explicit deny overrides allows from other policies. That makes an SCP the cleanest centralized way to block creation of IAM users and access keys everywhere. Inline user policies would be harder to maintain, and GuardDuty or Config would be detective or corrective controls rather than the preventive control the question asks for.

============

Amazon FSx for NetApp ONTAP fully supports native NetApp SnapMirror replication, making it the most efficient and reliable option for migrating NetApp data from on-premises to AWS.

From AWS Documentation:

“You can use SnapMirror to replicate data from your on-premises NetApp systems to FSx for ONTAP for seamless, block-level, incremental transfers. This provides a highly efficient and performant method for migration, especially for large datasets.”

(Source: Amazon FSx for NetApp ONTAP – Migration Guide)

Why Option C is correct:

SnapMirror offers block-level replication, making it highly efficient for millions of small files.

It supports NFS and SMB file shares, preserving directory structures and permissions.

Reduces cutover time and allows for incremental syncs.

Uses the existing 10 Gbps network for fast transfers.

Why the other options are incorrect:

Option A (DataSync): Suitable for many file-based migrations but less efficient for very large datasets with millions of small files compared to SnapMirror.

Option B (Storage Gateway): Volume Gateway is not used for full-scale file migrations; it ' s for hybrid cloud access.

Option D (Snowball Edge): Useful for offline migrations, but online SnapMirror is more efficient and avoids shipping delays.

Explanation (AWS Docs):

To allow private subnets to access the internet, deploy NAT gateways in a public subnet in each AZ for high availability. NAT instances are less scalable and less fault-tolerant.

“To create a highly available architecture, create a NAT gateway in each Availability Zone and configure your routing to use it.”

— NAT Gateway Overview

Comprehensive and Detailed Step-by-Step Explanation:

To meet the requirements of copying only relevant data as soon as possible and receiving notifications upon completion, the following steps are recommended:

Generate a Manifest File (Option A):

Action:Modify the on-premises data generation process to create a manifest file at the end of each data generation cycle. This manifest should list the names of the objects that need to be copied to Amazon S3.

Implementation:Develop a custom script that runs after data generation. This script compiles the list of relevant data files into a manifest file and uploads it to a designated S3 bucket.

Justification:Using a manifest allows AWS DataSync to transfer only the specified files, reducing unnecessary data transfer and associated costs.

docs.aws.amazon.com

Automate DataSync Task Execution (Option D):

Action:Set up an S3 Event Notification to trigger an AWS Lambda function whenever a new manifest file is uploaded to the S3 bucket.

Implementation:Configure the Lambda function to invoke the DataSync task by calling the StartTaskExecution API action, specifying the manifest file. This ensures that only the files listed in the manifest are copied from on-premises storage to Amazon S3.

Justification:This automation ensures timely data transfer as soon as relevant data is available, minimizing delays and manual intervention.

docs.aws.amazon.com

Set Up Completion Notifications (Option E):

Action:Create an Amazon SNS topic to handle notifications. Then, establish an Amazon EventBridge rule that monitors the DataSync task execution status and sends an email notification to the SNS topic when the status changes to SUCCESS or ERROR.

Implementation:Configure EventBridge to capture state changes of the DataSync task. When a task completes successfully or encounters an error, EventBridge triggers a notification to the SNS topic, which then sends an email to the subscribed recipients.

Justification:This setup provides immediate feedback on the data transfer process, allowing the analytics team to act promptly based on the success or failure of the data copy operation.

docs.aws.amazon.com

AWS Global Accelerator improves the performance and availability of applications by directing user traffic through the AWS global network of edge locations using anycast IP addresses. It reduces latency and jitter for global users accessing applications in a single Region.

Why this works:

Global Accelerator routes user requests to the nearest AWS edge location using AWS’s high-performance backbone network.

It then forwards traffic to the optimal endpoint — in this case, the public API hosted on EC2.

This is much more cost-effective and requires less operational complexity than deploying and maintaining multiple API Gateway endpoints across regions (Option B), or setting up Direct Connect links for every international location (Option A).

Option C requires no application change and is designed specifically for latency improvement and high availability.

???? References:

AWS Global Accelerator Documentation

Use Cases for Global Accelerator

Performance Improvements for Global Users

To secure data in transit, the company should use AWS Certificate Manager (ACM) to provide SSL/TLS certificates for the Application Load Balancer. ACM allows easy provisioning, management, and renewal of public and private certificates, ensuring secure communication between users and applications.

To secure data at rest, AWS Key Management Service (KMS) is used to manage encryption keys for Amazon EBS volumes. EBS integrates with AWS KMS, allowing for server-side encryption using KMS-managed keys (SSE-KMS), thus meeting the encryption at rest requirement.

Other options:

GuardDuty (A) is for threat detection, not encryption.

AWS Shield (B) protects against DDoS attacks, not encryption.

Secrets Manager (D) manages credentials, not general data encryption.

This solution follows the AWS Well-Architected Framework – Security Pillar.

???? References:

Encrypting EBS volumes with KMS

Using ACM with ALB

The Amazon CloudWatch agent is required to collect memory utilization metrics (as memory metrics are not reported by default). A target tracking policy is the simplest and most effective way to scale based on a custom metric such as mem_used_percent.

Reference Extract:

" Install the CloudWatch agent to collect memory metrics, and create a target tracking scaling policy using these custom metrics. "

Source: AWS Certified Solutions Architect – Official Study Guide, Monitoring and Scaling section.

The best practice for secure access control in AWS is to use IAM roles with least-privilege policies, granting only the permissions necessary to perform required tasks. Assigning roles individually ensures that developers cannot overstep their intended access boundaries.

Sharing credentials or using permanent access keys increases the risk of security breaches. Cognito is primarily intended for managing user access to applications, not AWS infrastructure. Thus, Option B best meets security and access control requirements.

Amazon S3 Access Grantsis designed to providefine-grained, prefix-level accessto S3 data for users and groups, including identities coming from a corporate directory or IAM Identity Center. AWS documentation explains that S3 Access Grants can map users or groups to specific S3 locations and vend temporary credentials, which makes it far more scalable than building separate IAM users, role-sharing workflows, or presigned URLs for every vendor. IAM Identity Center adds centralized user lifecycle and identity administration. This combination is especially strong when different vendors need access todifferent datasetsin the same data lake. It is also more maintainable and secure than issuing permanent IAM credentials. For auditing, the environment can still rely on AWS logging controls while using Access Grants for access distribution.

============

The requirement is an event-driven pub/sub system that guarantees ordered delivery of events.

Amazon SNS FIFO topics provide the publish-subscribe model along with FIFO (First-In-First-Out) delivery and exactly-once message processing, ensuring ordered delivery to multiple subscribers.

Option A, EventBridge, provides event buses but does not guarantee event ordering across multiple subscribers. Option C (SNS standard topics) provides pub/sub but without ordering guarantees. Option D (SQS FIFO queues) guarantees order but are point-to-point queues, not pub/sub.

Thus, Amazon SNS FIFO topics meet the requirements for ordered pub/sub messaging.

Detailed Explanation:

A. ECS + API Gateway:Overly complex and costly for an on-demand, intermittent workload.

B. EventBridge + SNS:EventBridge schedules are unnecessary for on-demand generation.

C. EKS + API Gateway:Overkill for this use case, with high operational overhead.

D. Lambda + SES:Most cost-effective and efficient solution for generating and emailing reports on demand.

Amazon S3 Glacier Flexible Retrieval is a low-cost archival storage class that supports retrieval of data within minutes (expedited access ~1–5 minutes), making it ideal for audit scenarios where occasional, quick access to archived data is required. In contrast, Glacier Deep Archive takes hours to retrieve.

To grant cross-account access to an Amazon S3 bucket, you can use a bucket policy that specifies the AWS account ID of the account you want to grant access to. This method allows Account B to access the S3 bucket in Account A without the need for additional services or configurations.

The requirement is to provide granular, scalable access to thousands of tables and columns in a data lake across many users and departments, with the least operational overhead.

AWS Lake Formation supports tag-based access control (TBAC) using LF-tags (Lake Formation tags), which allows you to assign tags to tables, columns, and databases. You can then define permissions on resources by specifying tags rather than managing permissions for individual resources. This approach is highly scalable and efficient when dealing with a growing number of tables and columns. By associating IAM roles to departments and granting access based on LF-tags, you dramatically reduce the operational burden as new tables or columns are added; you only need to assign the appropriate tags.

Amazon Athena can directly query data in S3 with Lake Formation providing fine-grained access control.

AWS Documentation Extract:

" With LF-tag-based access control, you can grant permissions to resources based on tags, making it easy to manage access at scale, especially in environments with large and dynamic numbers of resources. "

" LF-tags provide a scalable way to manage permissions for large numbers of resources without having to define permissions individually for each table or column. "

(Source: AWS Lake Formation documentation, Access Control, Tag-Based Access Control)

Other options:

A: Would require managing explicit permissions for each table and column as the environment grows, increasing operational overhead.

B & D: Involve significant duplication of resources (clusters) and do not scale as efficiently as a centralized data lake with tag-based access.

To capture DNS query and response data, including response codes, Amazon Route 53 provides query logging, which is the most precise and AWS-supported solution for this requirement.

Option A enables Route 53 query logging, which records detailed information about DNS queries, such as the queried domain, record type, source IP, and DNS response code. These logs are delivered to Amazon CloudWatch Logs, where administrators can search, analyze, and retain them for forensic investigation and root cause analysis.

Option B is incorrect because AWS CloudTrail records API calls to AWS services, not DNS query traffic. Option C provides aggregated metrics (such as query counts and health checks) but does not include per-query response codes. Option D offers best-practice recommendations but does not collect or analyze DNS query data.

Therefore, A is the correct solution because Route 53 query logging provides the detailed, low-level DNS visibility required for troubleshooting and operational analysis.

Aurora blue/green deployments are specifically designed for safe schema changes, zero-downtime updates, and production isolation.

The staging (green) environment can receive schema changes without affecting production (blue). After validation, you perform a fast, minimally disruptive switchover that updates production.

Read replicas (Option B) do not allow schema changes. Creating an independent staging cluster (Option A) does not provide automated, low-downtime cutover. DynamoDB (Option D) is not compatible with MySQL schemas.

=====================================================

A. Fixed desired instances:Does not adapt to traffic load fluctuations, leading to inefficiencies.

B. Larger EC2 instances:Increases costs unnecessarily.

C. Target tracking scaling policy:Adjusts capacity based on actual demand, optimizing costs.

D. Instance store volumes:Not persistent and unsuitable for shared data across instances.

This solution directly addresses the scalability and high availability requirements with minimal downtime.

Additional Reader Instances: Adding more reader instances to the Aurora cluster will distribute the read load, improving the performance of the application under heavy read traffic. Aurora reader instances automatically replicate the data from the writer instance, enabling you to scale out read operations.

Amazon RDS Proxy: RDS Proxy improves database availability by managing database connections more efficiently and providing a connection pool. This reduces the overhead on the Aurora cluster during peak loads, further enhancing performance and availability without requiring changes to the application code.

Why Not Other Options?:

Option A (EventBridge and Lambda): This doesn’t directly address the performance and availability issues. Logging state changes and adding reader nodes on failure events doesn’t provide proactive scalability.

Option B (Zero-Downtime Restart and Activity Streams): Zero-Downtime Restart (ZDR) is useful for minimizing downtime during maintenance but doesn’t directly improve scalability. Database Activity Streams are more for security monitoring than for performance enhancement.

Option D (ElastiCache for Redis): While adding a caching layer can help with read performance, it introduces complexity and may not be necessary if additional reader instances can handle the load.

AWS References:

Amazon Aurora Scaling- Information on scaling Aurora clusters with reader instances.

Amazon RDS Proxy- Details on how RDS Proxy can improve database performance and availability.

To manage EC2 instances with AWS Systems Manager (SSM), the EC2 instance must be configured as a managed instance by attaching an IAM role that has the AmazonSSMManagedInstanceCore managed policy.

This policy allows:

SSM agent to register the instance with SSM

Perform actions like patching, automation, session management, inventory collection, etc.

Access to SSM endpoints (via internet or VPC endpoint if needed)

Since the EC2 instance already has an IAM role, the least operational overhead option is to attach the required policy to the existing role (Option C). No need to create new IAM roles or users, which simplifies management and adheres to the principle of least privilege.

Patching can then be automated via SSM Patch Manager, ensuring consistency, compliance, and operational efficiency.

???? References:

SSM Managed Instance Setup

AmazonSSMManagedInstanceCore Policy

Patching EC2 with SSM

To securely integrate Amazon S3 with an application that uses Amazon Cognito for user authentication, the following two steps are essential:

Step 1: Create an Amazon Cognito Identity Pool (Option A)

Amazon Cognito Identity Poolsallow users to obtain temporary AWS credentials to access AWS resources, such as Amazon S3, after successfully authenticating with the Cognito user pool. The identity pool bridges the gap between user authentication and AWS service access by generating temporary credentials using AWS Identity and Access Management (IAM).

Once a user logs in using theCognito User Pool, the identity pool providesIAM roles with specific permissionsthat the application can use to access S3 securely. This ensures that each user has appropriate access controls while accessing the S3 bucket.

This is a secure way to ensure that users only have temporary and least-privilege access to the S3 bucket for their documents.

Step 2: Create an Amazon S3 VPC Endpoint (Option C)

By creating anAmazon S3 VPC endpoint, the company ensures that communication between the application (which is hosted in a private subnet) and the S3 bucket occurs over theAWS private network, without the need to traverse the internet. This enhances security and prevents exposure of data to public networks.

TheVPC endpointallows the application to access the S3 bucket privately and securely within the VPC. It also ensures that traffic stays within the AWS network, reducing attack surface and improving overall security.

Why the Other Options Are Incorrect:

Option B: This is incorrect becauseAmazon Cognito User Poolsare used for user authentication, not for generating S3 access tokens. To provide S3 access, you need to useAmazon Cognito Identity Pools, which offer AWS credentials.

Option D: ANAT gatewayis unnecessary in this scenario. Using aVPC endpointfor S3 access provides a more secure and cost-effective solution by keeping traffic within AWS.

Option E: Attaching a policy to restrict access based on IP addresses is not scalable or efficient. It would require managing users’ dynamic IP addresses, which is not an effective security measure for this use case.

AWS References:

Amazon Cognito Identity Pools

Amazon VPC Endpoints for S3

Amazon EFS provides a fully managed, highly available, and shared file system that can be mounted by instances across multiple Availability Zones. This ensures consistency of files between EC2 instances and avoids replication issues. EBS volumes, in contrast, are AZ-scoped and not designed for multi-instance sharing. Options A and B rely on custom replication or manual file handling, which increases operational overhead and risks inconsistencies. Option D does not solve the shared access and consistency requirement. By migrating storage to EFS, both EC2 instances will read and write to the same storage system, ensuring that users always access the latest files without 404 errors.

AWS Lambda supports encrypting environment variables at rest using AWS KMS. You can use encryption helpers (or Lambda’s built-in support) to encrypt sensitive environment variable values using a KMS key. These encrypted variables are not visible in plaintext to developers, either in the console or when running the code.

AWS Documentation Extract:

" AWS Lambda automatically encrypts environment variables at rest. For additional security, you can use AWS KMS keys and encryption helpers to encrypt environment variables, ensuring they are never exposed in plaintext. "

(Source: AWS Lambda documentation, Environment Variables Security)

A: Does not address the issue (and adds more management overhead).

B, C: There is no native support for environment variable encryption via CloudHSM or ACM.

To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the “owner” tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage. This approach is both scalable and operationally efficient.

The correct answer isDbecause the workload isinterruptible, runs for onlyup to 48 hours each week, and the company wants themost cost-effectivesolution while alsominimizing interruptions. These requirements strongly align withAmazon EC2 Spot Instances. Spot Instances provide significant savings compared with On-Demand pricing and are ideal for batch processing, analytics, and other fault-tolerant workloads that can recover from interruptions.

To minimize the chance of interruption, the best allocation strategy iscapacity-optimized. This strategy places Spot requests into the most available Spot capacity pools, which reduces the likelihood that the running instances will be reclaimed. That is more aligned with the requirement than focusing primarily on the absolute lowest price. By usinginstance type overridesin the Auto Scaling group, the company can specify multiple acceptable instance types across generations and sizes. This improves access to capacity and helps the company adoptnewer generation instancesover time without locking into a single family or type.

Option A is incorrect becauseConvertible Reserved Instancesare not as cost-effective as Spot for an interruptible workload that runs only part of the week, and a 3-year term reduces flexibility. Option B is incorrect becauseStandard Reserved Instancesare better for steady-state workloads and do not support the requirement to move to the latest generation each year as flexibly. Option C is close, butprice-capacity-optimizedbalances cost and capacity; the question prioritizes minimizing interruptions, socapacity-optimizedis the better answer.

AWS cost optimization guidance recommendsSpot Instances with a capacity-focused strategyfor fault-tolerant workloads that need low cost and fewer interruptions.

Spot Instances are the best pricing model because the jobscan tolerate interruptions, and the company wants the most cost-effective option. AWS recommends theprice-capacity-optimizedstrategy for Spot because it selects pools that balancelow pricewithlower interruption risk. Using multiple instance types in the Auto Scaling group also helps the company stay flexible enough to adopt newer generations over time. Reserved Instances do not fit as well because they reduce flexibility and do not align with the requirement to keep shifting toward the latest instance generations each year. Capacity-optimized alone minimizes interruption risk, but AWS recommends price-capacity-optimized when you want both lower interruption rates and better prices. Therefore, Spot with price-capacity-optimized allocation is the strongest answer.

============

The correct answer isBbecause the production environment runs continuously24 hours a day, all year, which makesReserved Instancesthe most cost-effective purchasing model for steady-state workloads. Reserved Instances provide a significant discount compared to On-Demand pricing when the usage is predictable and long-term. Since production instances are always running, the company can maximize savings by committing to Reserved Instances for that environment.

For the development and test environments, the company specifically wants toautomate stopping the EC2 instances when they are not in use. Because those instances do not run continuously,On-Demand Instancesare a better fit. On-Demand pricing allows the company to pay only for the compute time that is actually used. This flexibility works well with scheduled stop and start automation and avoids paying for unused reserved capacity.

Option A is less cost-effective because Reserved Instances for development and test environments would likely result in underutilized commitments due to those instances being stopped outside working hours. Option C is incorrect because production workloads are business-critical and should not rely on Spot capacity, which can be interrupted. Option D is also incorrect because keeping production on On-Demand misses substantial savings, and using Spot for development and test may be possible in some cases but is not the most appropriate answer here given the requirement simply to stop instances when not in use.

AWS cost optimization guidance recommends matching pricing models to workload patterns: useReserved Instances for predictable, always-on workloadsandOn-Demand Instances for intermittent workloads. That makes optionBthe most cost-effective solution.

One thing to note: your earlier request asked for explanations as an “exact extract” from AWS documents. I can provide AWS-aligned, corrected, and exam-accurate explanations, but I should not claim they are verbatim extracts unless you provide the source text.

Amazon Kinesis Data Streams provides a highly scalable and durable service for ingesting real-time streaming data. By decoupling ingestion and processing, Kinesis can handle large spikes in traffic without service disruption. Lambda functions (or other consumers) can then process the data as it arrives, scaling automatically. This pattern avoids 503 errors due to compute saturation and delivers a resilient, serverless, and highly scalable architecture.

Reference Extract from AWS Documentation / Study Guide:

" Kinesis Data Streams provides a scalable and durable real-time data streaming service. Coupling Kinesis with AWS Lambda enables event-driven processing, elasticity, and decoupling between ingestion and processing layers. "

Source: AWS Certified Solutions Architect – Official Study Guide, Streaming and Serverless section.

This solution allows for secure and least-privilege access with minimal operational overhead.

IAM Identity Center: AWS IAM Identity Center (formerly AWS SSO) enables you to centrally manage access to multiple AWS accounts and applications. By using IAM Identity Center, you can assign permission sets that define what users or groups can access, ensuring that only necessary permissions are granted.

Permission Sets: Permission sets in IAM Identity Center allow you to define granular access controls for specific services, such as Amazon RDS and S3. You can tailor these permissions to meet the needs of different teams, adhering to the principle of least privilege.

Group Management: By assigning users to groups and associating those groups with specific permission sets, you reduce the complexity and overhead of managing individual IAM roles and policies. This method also simplifies compliance and audit processes.

Why Not Other Options?:

Option A (IAM roles): While IAM roles can provide least-privilege access, managing multiple roles and policies across teams increases operational overhead compared to using IAM Identity Center.

Option C (Individual IAM users): Managing individual IAM users and roles can be cumbersome and does not scale well compared to group-based management in IAM Identity Center.

Option D (AWS Organizations with cross-account roles): Creating separate accounts and cross-account roles adds unnecessary complexity and overhead for this use case, where IAM Identity Center provides a more straightforward solution.

AWS References:

AWS IAM Identity Center- Overview and best practices for using IAM Identity Center.

Managing Access Permissions Using IAM Identity Center- Guide on creating and managing permission sets for secure access.

This solution offers the least operational overhead while meeting the security and global availability requirements:

Amazon CloudFront and S3: Hosting the static frontend on S3 and serving it via CloudFront provides low-latency global distribution, high availability, and security. S3 is a cost-effective and serverless option for hosting static assets, and CloudFront ensures that the application is cached closer to the users, reducing latency globally.

AWS Lambda and API Gateway: Refactoring the microservices to use Lambda functions with API Gateway allows for a fully serverless, scalable, and highly available backend. This reduces the need for managing EC2 instances, as Lambda automatically scales to meet demand and only charges for the actual usage.

RDS for MySQL: Migrating the MySQL database from an EC2 instance to Amazon RDS significantly reduces operational overhead. RDS manages backups, patching, and scaling, and it offers high availability options (e.g., Multi-AZ).

Option AandDinvolve using EC2 Reserved Instances for the database, which requires more operational maintenance than using RDS.

Option Csuggests using a Network Load Balancer with Lambda, which adds unnecessary complexity for this use case.

AWS References:

Amazon S3 and CloudFront Integration

AWS Lambda with API Gateway

Amazon RDS for MySQL

Amazon EFS requires a mount target in each Availability Zone where EC2 instances access the file system. This is because each mount target provides an elastic network interface in the subnet and AZ, reducing network latency by allowing EC2 instances to communicate locally with the EFS mount target. Creating a mount target in each AZ optimizes file system access performance and availability. Instances mount the EFS file system via the mount target in their respective AZ, which provides the lowest possible latency and avoids cross-AZ traffic.

Option A, with only a single mount target in the VPC, will cause cross-AZ traffic for instances in other AZs, increasing latency and potentially incurring data transfer costs. Option B is incomplete and introduces complexity with sharing directories across instances. Option C is invalid because mount targets are per AZ and per subnet, not per instance.

AWS Secrets Manager is purpose-built to securely store, manage, and rotate sensitive credentials such as database user names and passwords. Option A is the most operationally efficient solution because it eliminates manual password rotation, reduces human error, and centralizes secret lifecycle management. Secrets Manager integrates natively with Amazon Aurora, enabling automated credential rotation using AWS-managed or custom Lambda rotation logic. Once rotation is enabled, Secrets Manager updates the database credentials and stores the new values securely without requiring administrators to manually update files on EC2 instances.

By assigning IAM permissions to the secret, access can be tightly controlled using least-privilege principles. The application retrieves credentials at runtime, removing the need to store passwords locally on disk, which significantly improves security posture. Secrets Manager also provides auditing capabilities through AWS CloudTrail, allowing visibility into secret access and changes.

Option B (Systems Manager Parameter Store) can securely store secrets, but automated rotation is not natively supported in the same way as Secrets Manager. Implementing rotation with Parameter Store would require additional custom automation, increasing operational complexity. Option C stores credentials in S3, which is not designed for frequent credential rotation or secure secret access patterns, even when encrypted. Option D only encrypts credentials at rest on individual instances and does not address rotation, distribution, or centralized management, resulting in high operational overhead.

Therefore, A best meets the requirements by providing secure storage, automated monthly rotation, fine-grained access control, and minimal operational effort, aligning with AWS security and operational excellence best practices.

The requirement is secure, permanent connectivity to two VPCs without enabling VPC-to-VPC communication. Option B achieves this by establishing a separate Site-to-Site VPN connection between the remote office and each VPC. Updating each VPC’s route tables ensures traffic from the remote office reaches the correct VPC resources, while preventing routing between the VPCs themselves. Options involving transit gateways (A and D) would introduce transitive routing capabilities, which violates the requirement of isolation between VPCs. Option C (VPC peering) directly conflicts with the requirement by enabling cross-VPC access. Therefore, option B is the correct solution as it maintains isolation while providing secure VPN connectivity.

The best solution is to useAmazon SQSto receive updates from the mobile app and process them with anAWS Lambdafunction. The Lambda function can rewrite the message body as necessary for each shipper and then publish the updates to the appropriateSNS topicfor distribution. Thissetup ensures that each shipper receives only the relevant data and minimizes operational overhead by using managed services.

Option A (SNS filter policy): SNS does not have the capability to rewrite message bodies before forwarding.

Option C (Second SNS topic): Using an additional SNS topic adds unnecessary complexity without solving the message rewriting requirement.

Option D (EventBridge Pipes): EventBridge Pipes is more complex than necessary for this use case, and Lambda can handle the logic more efficiently.

AWS References:

Amazon SQS

Amazon SNS with Lambda

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

To achieve resilience across multiple Availability Zones, the architecture should use services that natively provide Multi-AZ durability and failover with minimal manual intervention. For static website content, Amazon S3 is the natural choice because it stores objects durably and is designed for high availability; it also integrates well with common web delivery patterns. For the database, the requirement is explicitly Microsoft SQL Server and resilience across AZs.

An Amazon RDS for SQL Server Multi-AZ deployment (Option B) is designed to provide high availability by maintaining a standby replica in a different Availability Zone and performing automated failover in certain failure scenarios. This meets the Multi-AZ resiliency requirement while reducing operational overhead compared to self-managed database clustering on EC2.

Option A uses RDS Custom for SQL Server, which is intended for scenarios where you need OS-level and database-level access/customization. That typically increases operational responsibility and is not the simplest “resilient Multi-AZ” answer unless the scenario demands deep customization (it does not here). Options C and D propose using EBS Multi-Attach for static content, which is not a good fit for static website assets and adds complexity; Multi-Attach is limited and does not replace object storage semantics. Option D also adds substantial operational overhead by running and managing SQL Server across EC2 instances in multiple AZs, including patching, backups, and HA configuration.

Therefore, B best meets all requirements: S3 for static object content and RDS for SQL Server Multi-AZ for resilient, managed database high availability across Availability Zones.

The correct answer isCbecause the workload is abatch processing jobthat runs during a limited time window each night and can tolerate interruptions. The key statement is thatif a job fails on one instance, another instance will reprocess the job. That means the workload is fault-tolerant and well suited forAmazon EC2 Spot Instances, which provide unused EC2 capacity at a much lower cost than On-Demand Instances.

Batch jobs, big data processing, background analytics, and other interruptible workloads are classic use cases for Spot Instances. Because the instances run only from12:00 AM to 06:00 AMand do not need to be available continuously, committing to a 1-year Savings Plan or Reserved Instances would not be the most cost-effective approach. Those options are better for steady and predictable long-running usage, not for short-duration nightly workloads.

Using a new launch template configured for Spot Instances allows the Auto Scaling group to launch lower-cost capacity for the processing window. Scaling based on CPU usage can help the group add or remove instances according to processing demand, improving both elasticity and cost efficiency.

Option A is less cost-effective because Savings Plans are more suitable for consistent usage over time. Option B is also less cost-effective because Reserved Instances lock in a commitment for capacity that is used only a few hours each day. Option D does not address the cost model and could even increase cost by using larger instances.

AWS cost optimization guidance recommendsSpot Instances for fault-tolerant, flexible, interruption-tolerant workloads, making optionCthe best answer.

AWS Application Migration Service (AWS MGN) is the recommended tool for a lift-and-shift strategy, especially for time-sensitive migrations. It automates the replication of on-premises VMs to AWS, minimizing the effort required for migration and testing.

Key steps:

Replication with AWS MGN: The AWS Replication Agent is installed on the VMs to continuously replicate data to AWS, allowing you to manage migration easily.

Testing and Cutover: Initial replication allows for testing in AWS before performing the final cutover, ensuring that the migration process is smooth and data integrity is maintained.

AWS Documentation: AWS MGN is recommended for migrating virtual machines to the cloud with minimal downtime and disruption​​.

S3 Object Lock in Compliance Mode prevents objects from being deleted or overwritten for a fixed, specified retention period. Compliance Mode is specifically designed to meet regulatory requirements, ensuring that no user, including the root user, can modify or delete the object during the retention period.

Reference Extract:

" S3 Object Lock in compliance mode protects objects from being deleted or overwritten during the specified retention period, helping meet regulatory retention requirements. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Object Lock and Compliance section.

Detailed Explanation:

A. RDS:Suitable for relational databases but does not provide native support for data lakes or row-level access.

B. Redshift:Primarily for analytics, not designed for large-scale data lake governance.

C. S3 + Lake Formation:Provides native support for data lakes with granular access control, including row-level permissions.

D. Glue Catalog + DataBrew:Focused on data preparation and metadata management, not row-level access control.

The requirement has two parts: (1) continuously or regularly evaluate IAM access key age against a 90-day policy, and (2) remediate noncompliant keys by disabling and deleting them. The least operational effort generally comes from using managed compliance evaluation and lightweight serverless remediation.

AWS Config is designed to assess resource configuration compliance over time. Using an AWS Config rule to check access key age fits the governance model because Config maintains a compliance history, supports central reporting, and can evaluate keys across an account (and commonly across an organization with aggregation patterns). After detection, remediation should be automated with minimal infrastructure, and AWS Lambda is the lightest operational tool for directly calling IAM APIs (UpdateAccessKey to Inactive, then DeleteAccessKey) on a schedule.

Option C pairs these appropriately: Config performs compliance evaluation, and an EventBridge scheduled rule triggers a Lambda function to remediate keys older than 90 days. This avoids running and maintaining compute fleets or batch infrastructure. It also provides clear separation of duties: Config for detection and evidence, Lambda for corrective action.

Options A, B, and D rely on AWS Batch, which introduces additional operational overhead (compute environments, job definitions, queues, scaling, and monitoring) that is unnecessary for a simple IAM housekeeping task. Also, EventBridge by itself is not a compliance evaluation service; it can schedule a job, but it does not inherently track “key age” state or compliance posture the way Config does.

Therefore, C best meets the requirement with the least operational effort by using Config for continuous compliance visibility and a scheduled Lambda for automated key deactivation and deletion.

The correct answer isAbecause the company wants engineers to reach aspecific development EC2 instancethrough aRoute 53 hosted zone, while ensuring that traffic continues to route correctlyeven if the development instance is replaced. The best way to achieve this is to point the Route 53 record for the development website to theApplication Load Balancerand then configure anALB listener rulethat forwards requests for the development hostname to adedicated target groupcontaining the development instance.

This design works well because the ALB provides a stable endpoint, and Route 53 can alias the development DNS name to the ALB. If the development EC2 instance is replaced, the target group can simply register the new instance. The DNS record does not need to change, and engineers continue to use the same development URL. This minimizes operational effort and supports automatic continuity.

Option B is incorrect because using a public IP address for a specific instance does not automatically handle instance replacement unless additional manual steps are taken. Option C is incorrect because redirecting users to a public IP is not the intended design and introduces unnecessary exposure and management complexity. Option D is incorrect because placing all instances in the same target group would not ensure that requests for the development website are sent only to the specific development instance.

AWS best practices favor usingload balancers and target groupsas stable routing layers rather than binding DNS names directly to ephemeral instance IP addresses. Therefore, the most reliable and maintainable solution is to useRoute 53 + ALB + a dedicated target groupfor the development instance.

A. VPC peering:Creates a fully meshed architecture, which is complex to manage for multiple VPCs.

B. Transit gateway:Simplifies network management by connecting multiple VPCs and on-premises networks via a central hub.

C. PrivateLink:Restricts communication to the application endpoint but may not allow full VPC connectivity.

D. ALB with internet exposure:Not secure or specific to private network communication.

For steady, predictable EC2 usage with potential changes in instance families over time, AWS recommends Savings Plans. Compute Savings Plans “apply to any EC2 instance regardless of region, instance family, operating system, or tenancy,” and also apply to AWS Fargate and AWS Lambda, delivering the most flexibility over a multi-year horizon. A 3-year term provides the highest discount among Savings Plans for long-lived workloads. EC2 Instance Savings Plans are limited to a chosen instance family in a region; as needs evolve (e.g., size or family changes), discounts may not fully apply. Spot Instances are not appropriate for long, interruption-sensitive jobs because Spot capacity can be reclaimed with short notice. Therefore, a Compute Savings Plan (3-year) best matches cost optimization with flexibility for growth and changes.

The SELECT INTO OUTFILE S3 feature allows you to export Amazon Aurora MySQL data directly to Amazon S3 with minimal operational overhead. This method is efficient and cost-effective for archiving historical data.

You can configure S3 Lifecycle rules to transition the exported data to lower-cost storage (e.g., S3 Glacier or S3 Standard-IA) and eventually delete it after 5 years.

No need for additional ETL tools like Glue or DataBrew unless complex transformations are required.

For bidirectional communication such as chat applications, Amazon API Gateway WebSocket API is the correct service. WebSocket APIs allow clients to establish long-lived connections and exchange messages with the backend Lambda functions in real time.

HTTP APIs and REST APIs are suitable for request-response models, not continuous two-way communication. CloudFront cannot maintain stateful WebSocket connections, so only Option C fits the requirements for a real-time, bidirectional application.

Amazon RDS for MySQL supports read replicas that offload read-intensive workloads such as reporting, leaving the primary instance free for write operations.

“You can use Amazon RDS read replicas to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.”

— Working with Read Replicas

This is the recommended approach for minimizing performance impact on the primary DB instance.

A: Amazon Macie can scan S3 buckets for sensitive data and identify PII.

C: S3 Object Lock legal hold prevents object deletion until a review is complete, meeting compliance requirements.

E: EventBridge can trigger the Lambda function automatically when Macie detects sensitive data, creating an automated workflow.

AWS Documentation Extract:

" Amazon Macie automatically discovers, classifies, and protects sensitive data in AWS. You can use EventBridge to invoke a Lambda function for post-processing, such as applying Object Lock legal hold to flagged objects. "

(Source: AWS Macie and S3 Object Lock documentation)

B, D: Moving to Glacier Deep Archive or applying retention in governance mode is not specific to deletion prevention pending review.

F: MFA Delete adds a security layer but does not automate object retention for flagged PII.

Using API Gateway with API keys provides secure access control. Amazon SQS allows asynchronous decoupling between frontend and backend, ensuring that backend processing can scale independently. AWS Lambda reading from SQS ensures scalable, event-driven processing with minimal operational management. This architecture is resilient and decoupled.

The current architecture tightly couples image upload, resizing, and storage into a single synchronous workflow handled by EC2 instances. This increases upload latency and degrades user experience. The optimal solution is to decouple upload from processing and offload work to managed services.

Option C allows users’ browsers to upload images directly to Amazon S3 using presigned URLs, bypassing the EC2 web servers entirely. This significantly reduces server load, network hops, and request latency while improving scalability and performance. Presigned URLs also maintain security by granting time-limited, scoped access to S3.

Option D complements this by using S3 Event Notifications to invoke an AWS Lambda function whenever a new image is uploaded. The Lambda function performs the image resizing asynchronously and stores the processed image back in S3. This event-driven, serverless pattern eliminates tight coupling between upload and processing and ensures automatic scaling with minimal operational overhead.

Option A is unsuitable because Glacier is for archival storage and not designed for active uploads or processing. Option B still routes uploads through EC2, maintaining the bottleneck. Option E introduces unnecessary delays and inefficiency by resizing images on a schedule instead of reacting to upload events.

Therefore, C and D together provide the most performant, scalable, and operationally efficient image upload and processing architecture using AWS-native, event-driven services.

AWS Backup Audit Manager automates auditing and reporting of backup activity and compliance, while AWS Config provides visibility into configuration changes. Together, they provide the simplest, most automated, and compliant backup monitoring solution.

From AWS Documentation:

“AWS Backup Audit Manager automatically audits backup activity across AWS resources. You can use predefined or custom frameworks to monitor backup compliance and encryption status.”

(Source: AWS Backup Audit Manager User Guide)

Why D is correct:

Ensures centralized visibility into all backup jobs.

Verifies encryption status automatically.

Generates ready-to-use reports with minimal operational overhead.

Complies with regulatory requirements for data protection.

Why others are incorrect:

A & C: Custom Lambda automation increases maintenance effort.

B: Manual checking is operationally inefficient and error-prone.

Amazon EFS Lifecycle Management enables automatic cost optimization by transitioning files that haven’t been accessed for a defined period (e.g., 7 days) from EFS Standard to EFS Infrequent Access (IA).

“Amazon EFS Lifecycle Management automatically moves files that haven’t been accessed for a set period to the EFS Infrequent Access storage class, reducing storage costs for infrequently accessed files.”

— Amazon EFS Documentation

Key Points:

EFS IA is ideal for files larger than 128 KB and accessed less frequently.

It’s seamless — no code or tools needed.

Meets requirement for cost optimization and high availability.

Incorrect Options:

A: File Gateway adds unnecessary complexity and does not use EFS.

B: Storing files locally breaks shared access and resiliency.

D: Glacier Deep Archive is cold storage — not " readily available. "

The correct answer isAbecause the company needs to rotatedatabase credentials every 30 dayswhile maximizing security and minimizing development effort.AWS Secrets Manageris the AWS service specifically designed to store, manage, and rotate secrets such as database usernames and passwords. It supportsautomatic rotationfor supported databases, includingAmazon Aurora MySQL, which makes it the most secure and operationally efficient solution.

With Secrets Manager, credentials are encrypted at rest, access can be controlled through IAM policies, and applications can retrieve secrets programmatically without embedding them in source code or configuration files. Automatic rotation reduces the risk associated with static credentials and helps meet compliance requirements with minimal manual work. Because rotation is built into the service, the development effort is significantly lower than creating and maintaining custom rotation logic.

Option B can work, but it requires building and operating a customLambda rotation function, which adds complexity compared with the native automation available in Secrets Manager. Options C and D are not best practices because storing credentials in environment files or configuration files increases security risk and does not provide a managed secrets lifecycle.

AWS security best practices recommend centralizing sensitive credentials inAWS Secrets Managerand enablingautomatic rotationwhenever possible. This improves security posture, reduces operational overhead, and aligns directly with compliance requirements for regular credential changes. Therefore, storing Aurora MySQL credentials inSecrets Managerwith30-day automatic rotationis the best solution.

AWS guidance is to deploy one NAT gateway per Availability Zone for production workloads to improve resiliency and avoid cross-AZ dependency. However, the question explicitly says only production requires high availability. In non-production environments, the company can reduce cost by keeping a single NAT gateway and updating private-subnet route tables to use that remaining gateway. This saves hourly NAT gateway charges while preserving internet egress for private subnets. Reducing Availability Zones would affect more than NAT cost and would also weaken overall environment design. NAT instances add operational overhead compared with a managed NAT gateway. A transit gateway is unrelated to this cost problem. Therefore, keeping one NAT gateway per AZ for production and reducing to one NAT gateway in non-production is the most cost-effective answer.

============

Amazon RDS Blue/Green Deploymentsis the best answer because AWS documents that it creates a synchronized staging environment from the production database so you canmake and test changesbefore switching traffic. AWS also specifically calls outmajor and minor engine version upgradesas a supported use case and notes that Blue/Green Deployments help reduce upgrade risk and minimize downtime. This is more operationally efficient than building a custom migration or relying only on snapshots and manual restore testing. Since the company wants a quick, low-overhead way to test the upgrade safely on critical data, Blue/Green Deployments is the strongest AWS-native solution.

============

Detailed Explanation:

A. IAM identity provider:Does not support centralized management across multiple accounts.

B. AWS Managed AD:Unnecessary if an on-premises Active Directory already exists.

C. IAM Identity Center + Existing AD:Best approach to integrate existing Active Directory for SSO, with MFA and centralized permissions.

D. Lambda for synchronization:Adds complexity and does not leverage IAM Identity Center capabilities.

For bursty and seasonal workloads, AWS recommends serverless architectures using Amazon API Gateway + AWS Lambda:

API Gateway exposes a fully managed, scalable API endpoint.

Lambda provides automatic scaling based on request volume, with no need to provision or manage servers.

This is ideal for workloads with variable or seasonal demand, such as end-of-year tax computation bursts.

This combination minimizes operational overhead (no OS patching, no capacity planning) while scaling seamlessly to meet peak demand.

Options A, C, and D rely on EC2 instances. They require capacity planning, scaling configuration, and ongoing management. They do not scale as effortlessly as Lambda for unpredictable or highly seasonal workloads.

Amazon EFSwithMax I/O performance modeis designed for workloads that require high levels of parallelism, such as video processing across multiple EC2 instances. EFS provides shared file storage that can be mounted on both Windows and Linux EC2 instances, and the Max I/O mode ensures the best performance for handling large files and concurrent access across multiple instances.

Option A and B (FSx for Windows File Server): FSx for Windows File Server is optimized for Windows workloads and would not be ideal for Linux instances or high-throughput, parallel workloads.

Option D (EFS General Purpose mode): General Purpose mode offers lower latency but doesn ' t support the high throughput needed for large, concurrent workloads.

AWS References:

Amazon EFS Performance Modes

IAM Access Analyzer analyzes permissions granted using policies to determine what resources are shared with an external entity, and helps identify excessive permissions or least privilege violations across all accounts in an AWS Organization. It is specifically designed for reviewing and refining IAM permissions with minimal administrative effort.

AWS Documentation Extract:

“IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. You can also use Access Analyzer policy checks to refine permissions and implement least privilege.”

(Source: IAM Access Analyzer documentation)

A: Network Access Analyzer is for VPC network access analysis, not IAM permissions.

B: CloudWatch alarms are not suitable for detailed permission analysis.

D: Amazon Inspector is for security vulnerability assessment, not IAM policy review.

The medical reports needreal-time accesseven though they are read only about once a year, which matchesS3 Glacier Instant Retrieval. AWS documents that objects in Glacier Instant Retrieval are immediately available with GET, making it the right archival class when access is infrequent but still must be immediate. The medical images are rarely accessed and can tolerate slower retrieval, soS3 Glacier Deep Archiveis the lowest-cost long-term archival choice. AWS recommends Deep Archive for long-lived data that is accessed less than once a year and can wait hours to days for restore completion. That combination optimizes cost while still meeting the very different retrieval requirements for reports and images. (AWS Documentation)

============

Amazon SQS supports Interface VPC endpoints (AWS PrivateLink), enabling private connectivity from your VPC to SQS without using public IPs, traversing the public Internet, or requiring NAT/IGW. You can restrict access by attaching a queue resource policy that allows only the specific VPC endpoint and denies all other principals/paths, enforcing that all traffic stays on the AWS network. SSE-SQS (B) encrypts data at rest but does not influence network pathing. STS temporary credentials (C) handle authentication/authorization, not routing. VPC Flow Logs (D) are monitoring/visibility and do not prevent public egress. Creating an SQS VPC endpoint and tightening the queue policy satisfies the requirement of no public IP usage while maintaining secure, private access from serverless components in VPC subnets.

AWSSecrets Manageris the best solution for securely storing and managing sensitive information, such as usernames and passwords. Secrets Manager provides automatic rotation, fine-grained access control, and encryption of credentials. It is designed to integrate easily with other AWS services, such as CloudFormation, to automate the retrieval of secrets via theBatchGetSecretValue API.

Secrets Manager has a lower operational overhead than manually managing credentials, and it offers features like automatic secret rotation that reduce the need for human intervention.

Option A and C (Parameter Store): While Systems Manager Parameter Store can store secrets, Secrets Manager provides more specialized capabilities for securely managing and rotating credentials with less operational overhead.

Option B and C (AWS Batch): Introducing AWS Batch unnecessarily complicates the solution. Secrets Manager already provides simple API calls for retrieving secrets without needing an additional service.

AWS References:

AWS Secrets Manager

Secrets Manager with CloudFormation

The workload isstateless,parallel, and each job runs for about20 minutes, which makes Lambda a poor fit because Lambda has a maximum execution time of 15 minutes. AWS Fargate is a strong match for event-driven container workloads because it removes server management overhead, andFargate Spotlowers cost for interruption-tolerant processing. AWS also provides patterns for runningevent-driven workloads at scale with Fargate, and EventBridge can be used to trigger container tasks from S3-originated events. Compared with EKS or EC2 On-Demand, ECS on Fargate Spot is the most cost-effective managed container approach here.

============

The company wants to reduce end-to-end load time for its global customer base.AWS Global Acceleratorprovides a network optimization service that reduces latency by routing traffic to the nearest AWS edge locations, improving the user experience for globally distributed customers.

AWS Global Accelerator:

Global Acceleratorimproves the performance of your applications by routing traffic through AWS’s global network infrastructure. This reduces the number of hops and latency compared to using the public internet.

By creating astandard acceleratorand configuring the existing NLBs as target endpoints, Global Accelerator ensures that traffic from users around the world is routed to the nearest AWS edge location and then through optimized paths to the NLBs in each region. This significantly improves end-to-end load time for global customers.

Why Not the Other Options?:

Option A (ALBs instead of NLBs): ALBs are designed for HTTP/HTTPS traffic and provide layer 7 features, but they wouldn’t solve the latency issue for a global customer base. The key problem here is latency, and Global Accelerator is specifically designed to address that.

Option B (Route 53 weighted routing): Route 53 can route traffic to different regions, but it doesn’t optimize network performance. It simply balances traffic between endpoints without improving latency.

Option C (Additional NLBs in more regions): This could potentially improve latency but would require setting up infrastructure in multiple regions. Global Accelerator is a simpler and more efficient solution that leverages AWS’s existing global network.

AWS References:

AWS Global Accelerator

By usingAWS Global Acceleratorwith the existing NLBs, the company can optimize global traffic routing and improve the customer experience by minimizing latency. Therefore,Option Dis the correct answer.

For the web tier, the company needs multi-AZ scaling and high availability, which is best achieved with anAuto Scaling group across multiple Availability Zones behind an Application Load Balancer. AWS fault-tolerance guidance recommends distributing EC2 instances across multiple AZs and using Auto Scaling to maintain balance and resilience. For the database tier, the question specifically requires reduced MySQL read latency, so anAurora MySQL cluster with a reader instance in a separate AZis the stronger fit. AWS Aurora guidance recommends distributing the primary and reader instances across Availability Zones and notes that Aurora Auto Scaling can add reader instances for handling increased connectivity and workload. Together, B and C deliver scalability, HA, and better read performance.

============

The requirement calls for three capabilities at fleet scale: (1) regular security/vulnerability scanning of EC2 instances, (2) scheduled patching, and (3) reporting on patch compliance/status. The AWS-managed services designed for this are Amazon Inspector for vulnerability scanning and AWS Systems Manager Patch Manager for patch orchestration and compliance reporting.

Amazon Inspector provides automated vulnerability management that can assess EC2 instances for software vulnerabilities and exposure, producing findings that identify missing patches and vulnerable packages. This addresses the security scanning portion without requiring custom tooling on each instance beyond standard agent/configuration requirements.

Systems Manager Patch Manager allows you to define patch baselines, schedule patching operations via maintenance windows, and apply patches across large fleets in a controlled manner. Patch Manager also provides compliance views and reporting so you can see which instances are compliant, which are missing patches, and the results of patch operations. This directly meets the need to patch “on a regular schedule” and to “provide a report of each instance’s patch status.”

The other options are mismatched services: Macie focuses on discovering and protecting sensitive data (especially in S3), not scanning EC2 for software vulnerabilities. GuardDuty is for threat detection based on logs and events; it is not an EC2 vulnerability scanner and does not function as a patching orchestrator. Detective helps investigate security events and relationships; it is not a vulnerability scanning or patch deployment tool. Additionally, cron jobs on each instance create high operational overhead and inconsistent reporting—exactly what the company wants to avoid.

Therefore, D is the correct, operationally excellent approach: use Inspector for vulnerability scanning and Systems Manager Patch Manager for automated, scheduled patching with centralized compliance reporting.

To run RDS instances only during business hours with the least operational overhead, you can useAmazon EventBridgeto schedule events that invokeAWS Lambda functions. The Lambda functions can be configured to start and stop the RDS instances based on the specified schedule (business hours). EventBridge rules allow you to define recurring events easily, and Lambda functions provide a serverless way to manage RDS instance start and stop operations, reducing administrative overhead.

Option A: While CloudWatch alarms could be used, they are more suited for monitoring, and using Lambda with EventBridge is simpler.

Option B (Trusted Advisor): Trusted Advisor is not ideal for scheduling tasks.

Option C (Systems Manager): Systems Manager could also work, but EventBridge and Lambda offer a more streamlined and lower-overhead solution.

AWS References:

Amazon EventBridge Scheduler

AWS Lambda

Amazon S3 and AWS Lambda form a classic serverless decoupling pattern for upload-and-process workflows. AWS documents that Amazon S3 can publishevent notificationswhen objects are created and that these events can invoke aLambda functionfor processing. This design automatically scales for high upload rates, durably stores the original images in S3, and cleanly separates upload from resize processing. Storing processed results in a second S3 bucket is also a common pattern that keeps originals and derivatives separate. The EC2 and EFS options add more operational work and do not provide the same event-driven elasticity.

============

Regulatory compliance often requires immutability, meaning data cannot be altered or deleted by any user, including administrators, during a retention period. Amazon S3 Object Lock in compliance mode is specifically designed for this requirement.

Option B enforces a write-once-read-many (WORM) model. Once compliance mode is enabled and a retention period is set, no one—including root users—can delete or overwrite the objects until the retention expires. This provides the strongest level of protection and satisfies strict regulatory standards.

Option A (governance mode) allows privileged users to override the lock, which may not satisfy regulatory mandates. Option C does not prevent deletion or modification before retention expiration. Option D addresses storage cost, not immutability.

Therefore, B is the correct solution for regulatory-grade data protection.

The correct answer isProvisioned IOPS SSD io2 Block Express. AWS documents that io2 Block Express is recommended for I/O-intensive, latency-sensitive workloads and is designed for consistent sub-millisecond latency with very high IOPS limits. AWS also notes that many instance types can achieve up to32,000 IOPS, which matches the baseline requirement in the question. S3 is object storage and not suitable for a transactional MySQL database. EFS is a shared file system, not the preferred low-latency block storage for this database pattern. gp3 is versatile and cost-effective, but it is not the targeted choice when the requirement explicitly emphasizes sustained, low-latency 32,000 IOPS performance. (AWS Documentation)

Lambda supports mounting an Amazon EFS file system inside your function to store larger dependencies beyond the 250 MB layer quota.

EFS automatically encrypts data in transit using TLS.

“You can configure your Lambda function to mount an Amazon EFS file system, enabling your function to access large amounts of data or large dependencies.”

“Amazon EFS automatically encrypts all data at rest and in transit.”

— Lambda with Amazon EFS

This is the least operational overhead approach.

UsingAD ConnectorwithAWS IAM Identity Center(formerly AWS Single Sign-On) allows the company to leverage its existingon-premises Active Directoryfor centralized identity management and access control. AD Connector acts as a proxy to the on-premises AD withoutrequiring additional infrastructure or complex setup. This solution integrates seamlessly with AWS, allowing the development team to use their existing AD credentials to access AWS resources across multiple accounts managed by AWS Organizations. The permissions for AWS resources can be managed centrally through IAM Identity Center by configuring permission sets.

This solution provides:

Least operational overhead: AD Connector is fully managed, and IAM Identity Center allows centralized management of permissions across accounts.

Secure access: The solution complies with security policies by using existing AD authentication mechanisms.

Option A (AWS Managed AD): Setting up a fully managed AWS AD and establishing a trust is more complex and involves additional operational overhead.

Option B (IAM Users): Manually managing IAM users and permissions is less scalable and increases operational complexity.

Option D (Cognito): Amazon Cognito is more suited for user-facing applications rather than internal identity management for AWS resources.

AWS References:

AD Connector with IAM Identity Center

AWS IAM Identity Center

Amazon S3 Storage Lens:

S3 Storage Lens provides organization-wide visibility into object storage usage and activity trends.

It can generate metrics and insights about your S3 buckets, including versioning status.

Configuration:

Enable S3 Storage Lens at the organization level.

Configure the dashboard to include the versioning status metric.

Identify Non-Versioned Buckets:

Use the S3 Storage Lens dashboard to filter and identify buckets that do not have versioning enabled.

Storage Lens provides detailed insights and reports which can be used to enforce compliance and manage storage effectively.

Operational Efficiency: Using S3 Storage Lens provides a centralized, easy-to-use interface for monitoring bucket configurations across multiple Regions and accounts, reducing the need for custom scripts or manual checks.