SAA-C03 Sample Questions Answers

The requirement is explicitly for database availability inanother AWS Region, so the correct solution isAurora cross-Region read replicas. AWS documentation states that cross-Region Aurora Replicas create a replica of the primary DB cluster in another Region using engine-native replication, which provides a low-disruption disaster recovery option. Multi-AZ and standard Aurora Replicas improve availability or scalingwithin a Region, not across Regions. EBS snapshots are not how Aurora disaster recovery is typically delivered and would involve more operational disruption and slower recovery. Therefore, cross-Region Aurora Replicas are the best match for cross-Region DR with minimal change to operations.

============

To address the high CPU utilization on the EC2 instance and the degraded performance of Amazon RDS for read requests, the solution involves two key actions: resizing the EC2 instance and leveraging Amazon RDS read replicas.

Resizing the EC2 Instance: The first step is to resize the EC2 instance to a type with more CPU capacity to handle the higher computational demands during peak usage times. This helps to alleviate the immediate pressure on the CPU.

Auto Scaling Group with a Size of 1: Although the application can only run on a single EC2 instance due to its monolithic nature, creating an Auto Scaling group with a minimum and maximum size of 1 ensures that the instance is automatically restarted or replaced in case of failure, maintaining high availability.

RDS Read Replica: Configuring an RDS read replica allows the application to offload read requests to a separate instance, thus reducing the load on the primary RDS instance. This improves the performance of read operations, which were previously bottlenecked due to the high CPU usage on the EC2 instance.

Why Not Other Options?:

Option B: Redirecting all traffic to the RDS read replica is not recommended because replicas are meant for read traffic only, not for write operations. This could lead to data consistency issues.

Option C: Increasing the RDS instance type capacity helps, but it doesn’t address the high CPU usage on the EC2 instance, nor does it provide a solution for scaling reads.

Option D: While resizing both the EC2 and RDS instances increases their capacities, it doesn’t address the specific need to offload read traffic from the primary RDS instance.

AWS References:

Amazon RDS Read Replicas- Explains how to create and use read replicas to offload read traffic from the primary database instance.

Resizing Your EC2 Instance- Guidance on resizing EC2 instances to meet workload demands.

Amazon RDS Multi-AZ deployment provides automated failover and increased availability for MySQL databases. In case of infrastructure failure or power outage in one Availability Zone, RDS automatically fails over to a standby replica in another AZ, minimizing downtime. This is the AWS-recommended way to achieve high availability for relational databases.

AWS Documentation Extract:

" Amazon RDS Multi-AZ deployments provide high availability, failover support, and data redundancy for database instances. In the event of infrastructure failure, Amazon RDS performs an automatic failover to the standby. "

(Source: Amazon RDS documentation, High Availability)

A: An ALB does not increase availability for a single database instance.

B: EC2 instance recovery does not move the instance across Availability Zones.

D: Termination protection prevents accidental deletion, not availability issues.

The correct answer isCbecause the existing application usesNFS storagefor an image cache that isa few terabytes in size, and the company wants themost cost-effective cloud alternative.Amazon EFS One Zoneis a managed file storage service that supports theNFS protocol, which allows the application to continue using a familiar file-based interface with minimal architectural change. Because this is acache, not primary durable data, storing it in aOne Zonefile system is a cost-optimized choice compared with a Regional EFS deployment.

Amazon EFS is designed for shared file storage and can scale to multiple terabytes automatically. It avoids the operational overhead of managing EC2 instances and local disks for cache storage. It is also better aligned than object storage for workloads that already expect direct NFS semantics. The application can mount the EFS file system and use it as the cache backend without redesigning around object APIs or in-memory caching models.

Option A is incorrect becauseElastiCache Memcachedis an in-memory cache and is typically much more expensive for multi-terabyte cache data than file storage. Option B is incorrect because using EC2 instance store volumes creates significant management overhead and the cache would be lost whenever instances are terminated or replaced. Option D is incorrect becauseAmazon S3 Express One Zoneis object storage, not NFS storage, and would require application redesign and additional metadata management in DynamoDB.

AWS storage guidance recommends matching file-based workloads to managed file services. For a largeNFS-based cache,Amazon EFS One Zoneis the most cost-effective and operationally simple solution.

Amazon Route 53 is a highly available and scalable authoritative DNS service. To move a public domain, you create a public hosted zone, import or recreate the zone records, and then update the registrar to use the Route 53 name servers assigned to the zone. Route 53 is globally distributed and designed for rapid propagation and resilience, and supports features such as health checks and routing policies. A private hosted zone (Option B) is resolvable only by VPCs that are associated with it and is not for public internet DNS. Directory Service and zone transfers (Option C) are unrelated to Route 53 public DNS hosting. Route 53 Resolver inbound endpoints (Option D) provide hybrid DNS forwarding for VPC workloads, not authoritative public hosting. Therefore, the fastest AWS-native migration path to a resilient managed DNS is to create a Route 53 public hosted zone and import the existing zone file.

Securing the root user account requires setting a strong password and enabling multi-factor authentication (MFA). AWS recommends never sharing the root user credentials, setting up individual IAM users for everyday operations, and always protecting the root user with MFA for maximum security.

Reference Extract:

" AWS recommends securing the root user with a strong password and enabling multi-factor authentication (MFA). Do not use or share root credentials for everyday tasks. "

Source: AWS Certified Solutions Architect – Official Study Guide, IAM and Security Best Practices section.

AWS Shield Advanced provides:

• 24/7 access to the AWS DDoS Response Team (DRT)

• Near real-time attack visibility and metrics

• Protection for CloudFront, ALB, NLB, and Route 53

Shield Standard (Option B) does not include DDoS response team support.

WAF (Option A) provides rules-based filtering, not DDoS assistance.

Macie (Option C) is for PII discovery, not DDoS protection.

=====================================================

Amazon SQS FIFO is the correct answer because the question explicitly requires that every order be processed exactly once and that order state be preserved even during outages or pauses. AWS documentation states that FIFO queues support exactly-once processing and maintain message order. Using a queue also decouples the frontend from the backend so orders are durably stored until workers can process them. That directly protects against lost or incomplete order processing during spikes or temporary failures. The other options improve availability in other ways but do not provide durable exactly-once message handling for the order workflow. Therefore, placing the backend behind an SQS FIFO queue is the strongest design.

============

Option B (Amazon FSx for Lustre): FSx for Lustre is optimized for high-performance file systems required by HPC workloads, scaling to millions of IOPS and supporting parallelized data access.

Option E (Cluster Placement Group with Auto Scaling): A cluster placement group ensures low-latency communication between EC2 instances, critical for HPC workloads. Amazon EMR simplifies running large-scale analytics jobs.

Amazon FSx for Lustre Documentation,AWS Placement Groups Documentation

For secure communication between Lambda and an RDS DB instance, AWS documentation recommends placing the Lambda functions inside the same VPC and controlling traffic using security groups.

Lambda should have a dedicated security group with outbound access to the VPC CIDR range, and the DB instance’s security group should explicitly allow inbound connections from the Lambda security group. This follows the " least privilege " principle while avoiding public exposure.

Options A and B expose the DB to unnecessary risk. Option D is insecure because it bypasses security groups.

HPC workloads require high-throughput, low-latency networking, especially for tightly-coupled applications like weather modeling, genomics, or real-time rendering.

A cluster placement group places instances in the same Availability Zone and on physically connected hardware, reducing network latency and increasing throughput.

Elastic Fabric Adapter (EFA) is a network device for EC2 instances that enables low-latency, high-throughput networking using OS-bypass technology, ideal for tightly-coupled HPC applications.

Each instance can support single-flow 10 Gbps bandwidth using EFA, and collectively, the cluster can achieve up to 100 Gbps aggregate throughput when properly configured.

This solution supports the Performance Efficiency and Resilience design principles and is a standard AWS-recommended pattern for HPC.

???? References:

EC2 Placement Groups

Elastic Fabric Adapter Overview

Best Practices for HPC on AWS

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The key constraint is no application code changes, while the observed failure mode during spikes is heavy write load on the database that makes the site unresponsive. Scaling the web tier alone (Option B) may not help if the database is the bottleneck; in fact, adding more EC2 instances can increase concurrent write pressure and worsen the database overload. Caching (Option A) would require modifying the application to use Redis for query caching, which violates the no-code-change requirement. Option C is not a fit: CloudFront caching is effective for cacheable content, but authenticated, personalized pages are typically not cacheable without application changes, and “write throttle” is not a standard CloudFront feature to protect the database.

Migrating from RDS for MySQL to Amazon Aurora Serverless is a managed approach designed to automatically adjust database capacity to match workload demand, which is well suited to “low baseline traffic with occasional sudden spikes.” By setting an appropriate maximum capacity, Aurora Serverless can scale to handle bursts more gracefully than a fixed-size RDS instance, improving availability during unpredictable demand. This reduces operational overhead because capacity management is largely handled by the service rather than by manual instance resizing or complex scaling scripts.

The final step—configuring EC2 instances to connect to the new Aurora endpoint—is an infrastructure configuration change, not an application code rewrite. The application continues to speak the same MySQL-compatible protocol (Aurora MySQL-compatible), preserving compatibility while improving resilience to spikes.

Therefore, D best meets the requirement to improve availability during sudden traffic increases driven by heavy database writes, with minimal operational effort and no application code changes.

Storage Gateway Volume Gateway (Cached Volumes): This configuration allows you to store your primary data in Amazon S3 while retaining frequently accessed data locally in a cache for low-latency access.

Low-Latency Access: Frequently accessed data is cached locally on-premises, providing low-latency access while the less frequently accessed data is stored cost-effectively in Amazon S3.

Implementation:

Deploy a Storage Gateway appliance on-premises or in a virtual environment.

Configure it as a volume gateway with cached volumes.

Create volumes and configure your applications to use these volumes.

Minimal Infrastructure Changes: This solution integrates seamlessly with existing on-premises infrastructure, requiring minimal changes and reducing dependency on on-premises storage servers.

The combination of these solutions provides an efficient and automated way to migrate data while preserving metadata and ensuring cleanup:

Create a new S3 bucket with versioning enabled(Option A) to preserve object metadata like version IDs during migration.

UseS3 batch operations(Option B) to efficiently copy data from specific prefixes in the source bucket to the destination bucket, ensuring minimal overhead.

Use an S3 Lifecycle policy(Option F) to automatically delete the data from the source bucket after it has been migrated, reducing manual intervention.

Option C (CopyObject API): This approach would require more manual scripting and effort.

Option D (Same-Region Replication): SRR is designed for ongoing replication, not for one-time migrations.

Option E (DataSync): DataSync adds more complexity than necessary for this task.

AWS References:

S3 Batch Operations

S3 Lifecycle Policies

Comprehensive and Detailed Explanation (from AWS Solutions Architect documentation):

Amazon DynamoDB supports two read consistency models: eventually consistent reads and strongly consistent reads. When an application must always receive the most up-to-date data, it must use strongly consistent reads. Eventually consistent reads can return stale data because they provide best-effort propagation across storage nodes.

Since the problem states that requests are “not returning the latest data,” the correct solution is to enable strongly consistent reads, which immediately reflect all successful writes. This is the explicit AWS-recommended method for ensuring clients always receive the most current version of an item.

====================================

To analyze the performance of the web application with granularity of no more than 2 minutes, enablingdetailed monitoringon EC2 instances is the best solution. By default, CloudWatch provides metrics at a 5-minute interval. Enabling detailed monitoring allows you to collect metrics at 1-minute intervals, which will give you the level of granularity you need to analyze performance during peak traffic.

Amazon CloudWatch metrics can then be used to analyze CPU utilization, memory usage, disk I/O, and network throughput, among other performance-related metrics, at the desired granularity.

Option A: Sending CloudWatch logs to Redshift for analysis is unnecessary and overcomplicated for simple performance analysis, which can be done using CloudWatch metrics alone.

Option C: Fetching EC2 logs via Lambda adds complexity, and CloudWatch metrics already provide the required data for performance analysis.

Option D: Sending logs to S3 and using Redshift for analysis is also more complex than necessary for simple performance monitoring.

AWS References:

Monitoring Amazon EC2 with CloudWatch

Amazon CloudWatch Detailed Monitoring

AWS guidance for NAT Gateway recommends deploying “a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.” This provides “zone-independent architecture” and avoids cross-AZ data processing charges and single-AZ failures. Option B creates a single point of failure and incurs cross-AZ egress charges when private subnets in other AZs traverse a centralized NAT. NAT instances (C) are legacy, require manual scaling/failover/patching, and are not recommended for production HA. Option D is not supported (NLB cannot front a NAT Gateway as a target). With steady, uniform load, per-AZ NAT Gateways deliver high availability with predictable cost; routing each private subnet to its local NAT Gateway maintains security (no inbound initiated connections) and resilience. This meets the requirement for cost-effective, secure outbound connectivity across multiple AZs while preserving availability.

Partition Key Issue:

Using " service name " as the partition key results in uneven data distribution. Some shards may become hot due to excessive logs from certain services, leading to throttling errors.

Changing the partition key to " creation timestamp " ensures a more even distribution of records across shards.

Incorrect Options Analysis:

Option A: On-demand capacity mode eliminates throughput management but is more expensive and does not address the root cause.

Option B: Adding more shards does not solve the issue if the partition key still creates hot shards.

Option D: Using separate streams increases complexity and is unnecessary.

CloudWatch can emit alarm state-change events directly to EventBridge, and AWS documents that alarm state changes are delivered to EventBridge. AWS also documents that Systems Manager Run Command can remotely run commands on managed EC2 instances. Combining those two services removes the need for a custom Lambda function and makes the automation lighter operationally than the Lambda-based alternatives. SNS or chat notifications still require humans to reboot the instance and therefore do not meet the automation requirement. Because the goal is the least operational overhead, using the CloudWatch alarm state change as the trigger and EventBridge to invoke Systems Manager Run Command is the cleanest AWS-native pattern.

============

AWSSecrets Manageris the best solution for securely storing and managing sensitive information, such as usernames and passwords. Secrets Manager provides automatic rotation, fine-grained access control, and encryption of credentials. It is designed to integrate easily with other AWS services, such as CloudFormation, to automate the retrieval of secrets via theBatchGetSecretValue API.

Secrets Manager has a lower operational overhead than manually managing credentials, and it offers features like automatic secret rotation that reduce the need for human intervention.

Option A and C (Parameter Store): While Systems Manager Parameter Store can store secrets, Secrets Manager provides more specialized capabilities for securely managing and rotating credentials with less operational overhead.

Option B and C (AWS Batch): Introducing AWS Batch unnecessarily complicates the solution. Secrets Manager already provides simple API calls for retrieving secrets without needing an additional service.

AWS References:

AWS Secrets Manager

Secrets Manager with CloudFormation

The correct answer isAbecause the company needs to rotatedatabase credentials every 30 dayswhile maximizing security and minimizing development effort.AWS Secrets Manageris the AWS service specifically designed to store, manage, and rotate secrets such as database usernames and passwords. It supportsautomatic rotationfor supported databases, includingAmazon Aurora MySQL, which makes it the most secure and operationally efficient solution.

With Secrets Manager, credentials are encrypted at rest, access can be controlled through IAM policies, and applications can retrieve secrets programmatically without embedding them in source code or configuration files. Automatic rotation reduces the risk associated with static credentials and helps meet compliance requirements with minimal manual work. Because rotation is built into the service, the development effort is significantly lower than creating and maintaining custom rotation logic.

Option B can work, but it requires building and operating a customLambda rotation function, which adds complexity compared with the native automation available in Secrets Manager. Options C and D are not best practices because storing credentials in environment files or configuration files increases security risk and does not provide a managed secrets lifecycle.

AWS security best practices recommend centralizing sensitive credentials inAWS Secrets Managerand enablingautomatic rotationwhenever possible. This improves security posture, reduces operational overhead, and aligns directly with compliance requirements for regular credential changes. Therefore, storing Aurora MySQL credentials inSecrets Managerwith30-day automatic rotationis the best solution.

The correct answer isCbecause the company already usesAmazon FSx for NetApp ONTAPand requires a disaster recovery solution in a secondary Region that preserves access through thesame protocols, specificallyCIFS and NFS. The most appropriate solution is to deploy a secondFSx for ONTAPfile system in the secondary Region and useNetApp SnapMirrorto replicate data between Regions. SnapMirror is built for ONTAP-based replication and is the native mechanism for efficient, storage-level disaster recovery.

This option provides the least operational overhead because it uses the capabilities already integrated into FSx for ONTAP rather than introducing another storage platform or custom replication tooling. It also preserves protocol compatibility, so applications in the recovery Region can continue to access data through CIFS and NFS without architectural changes.

Option A is incorrect because replicating data to Amazon S3 does not preserve native CIFS and NFS file shares. Option B can support recovery, but backups and restores are not the best fit for an active DR strategy where the secondary Region needs accessible replicated storage with the same protocols and lower recovery effort. Option D is incorrect because Amazon EFS does not provide CIFS/SMB support in the same way as FSx for ONTAP and would require a platform change.

AWS guidance for FSx for ONTAP disaster recovery favors usingSnapMirror replicationto another FSx for ONTAP deployment. This approach is protocol-compatible, efficient, and operationally simpler than building a custom DR workflow.

To meet the requirements for tagging and preventing instance creation or deletion without proper tags, the company can use a combination of AWS Organizations tag policies and service control policies (SCPs).

Tag Policies: These enforce specific tag values across resources. Creating a tag policy with required values (e.g., sensitive, non-sensitive) and attaching it to the appropriate organizational unit (OU) ensures consistency in tagging.

SCPs: SCPs can be used to enforce compliance by preventing instance creation without a tag and preventing tag deletion. These policies control actions at the account level across the organization.

Key AWS features:

Tag Policieshelp standardize tags across accounts, andSCPsenforce governance by restricting actions that violate the policies.

AWS Documentation: AWS best practices recommend using tag policies and SCPs to enforce compliance across multiple accounts within AWS Organizations​.

This is a classic use case for Amazon Kinesis Data Streams + OpenSearch + QuickSight:

Kinesis Data Streams: For real-time ingestion and processing

OpenSearch Service: For fast full-text search, indexing, and analysis

QuickSight: For rich dashboard visualizations

This stack is fully managed, scalable, and native to AWS, minimizing operational overhead.

AWS Shield Advanced provides:

Advanced DDoS detection and mitigation

24/7 access to the AWS DDoS Response Team (DRT)

Real-time metrics and alerts via CloudWatch

Integrated with CloudFront, ALB, Route 53, and Global Accelerator

“Shield Advanced provides enhanced detection and mitigation for more sophisticated DDoS attacks and gives you access to the AWS DDoS Response Team (DRT).”

— AWS Shield Advanced Overview

Incorrect Options:

A (AWS WAF): For application-layer filtering only.

B (Shield Standard): Basic protection, no DRT or attack visibility.

C (Macie): Used for discovering sensitive data in S3, unrelated to DDoS.

CloudFront Signed Cookies:

CloudFront signed cookies allow the company to provide access to premium users while maintaining a single, consistent URL.

This approach is simpler and more scalable than managing presigned URLs for each file.

Incorrect Options Analysis:

Option A: Using EC2 and EBS increases complexity and cost.

Option B: Managing presigned URLs for each file is not scalable.

Option D: CloudFront signed URLs require unique URLs for each file, which does not meet the requirement for a single URL.

EMR managed scaling dynamically resizes the cluster by adding or removing nodes based on the workload. This feature helps minimize idle time and reduces costs by scaling the cluster to meet processing demands efficiently.

Option A:Increasing the number of core nodes might increase idle time further, as it does not address the root cause of underutilization.

Option C:Migrating the job to Lambda is infeasible for large analytics jobs due to resource and runtime constraints.

Option D:Changing to memory-optimized instances may not necessarily reduce idle time or optimize costs.

AWS Documentation References:

EMR Managed Scaling

The correct answer isBbecause the company already runs the application onKubernetes, and the application usesAMQPto communicate with a message queue. Amazon EKS is the AWS managed Kubernetes service, so migrating the containerized workload toAmazon EKSallows the company to preserve its existing Kubernetes-based deployment model while reducing the operational burden of managing the Kubernetes control plane. This is the most straightforward migration path for a Kubernetes application and avoids the need for significant re-architecture.

The messaging requirement is equally important. Because the application specifically usesAMQP, the best AWS managed service isAmazon MQ, which supports industry-standard messaging protocols including AMQP. This means the company can migrate the application with minimal code changes and without replacing the messaging pattern already built into the application.

Option A is incorrect becauseAmazon SQSdoes not support AMQP and would require application changes. Option C is incorrect because running the application on EC2 instances creates more infrastructure management overhead than using a managed container orchestration service. Option D is incorrect because AWS Lambda is not a natural fit for an existing containerized Kubernetes application that depends on AMQP-based messaging, and SQS again does not satisfy the AMQP requirement.

AWS architectural best practices favor managed services that minimize undifferentiated operational work.Amazon EKSreduces Kubernetes control plane management, andAmazon MQpreserves protocol compatibility. Together, they provide the required scalability on AWS with the least operational overhead while supporting the company’s current architecture.

The requirements specify capturing unpredictable and sudden spikes in customer activity, integrating easily with other web applications, and including authorization.

Amazon API Gateway with Lambda authorizer provides a secure, scalable entry point with flexible authorization mechanisms including token validation.

Amazon Kinesis Data Firehose is a fully managed service to reliably load streaming data into destinations such as Amazon S3, which fits well for capturing streaming customer activity data.

API Gateway integrates natively with Firehose for direct ingestion.

This combination supports unpredictable traffic, smooth scaling, and simple authorization.

Option B uses Kinesis Data Streams, which requires more management than Firehose and is less optimized for direct API integration. Options A and D use Gateway Load Balancer and ECS containers plus EFS, which add complexity and are less suited for unpredictable traffic with integrated authorization.

Amazon FSx for Lustre: Lustre is a high-performance file system designed for workloads that require fast storage with sustained high throughput and low latency. It integrates with Amazon S3, making it suitable for HPC environments.

Persistent File Systems:

Persistent Storage: Suitable for long-term storage and recurrent use, providing durability and availability.

High Throughput and Low Latency: Persistent Lustre file systems can handle large amounts of data with sub-millisecond latency, meeting the needs of high-performance computing workloads.

Simultaneous Access: FSx for Lustre allows thousands of compute instances to access and process large datasets concurrently, ensuring that the high volume of data is handled efficiently.

Highly Available: FSx for Lustre is designed to provide high availability and is managed by AWS, reducing the operational burden.

Amazon Cognitoprovides scalable, serverless authentication, andLambda@Edgeis used for authorization, providing low-latency access control at the edge.Amazon CloudFrontserves the web application globally with reduced latency and ensures secure access for users around the world. This solution minimizes operational overhead while providing scalability and security.

Option B (Directory Service): Directory Service is more suitable for enterprise use cases involving Active Directory, not for web-based applications.

Option C (S3 Transfer Acceleration): S3 Transfer Acceleration helps with file transfers but does not provide authorization features.

Option D (Elastic Beanstalk): Elastic Beanstalk adds unnecessary overhead when CloudFront can handle global delivery efficiently.

AWS References:

Amazon Cognito

Lambda@Edge

Amazon S3 is the most cost-effective storage service for large and growing collections of image files, and Amazon CloudFront is the standard way to deliver those objects globally with low latency. AWS documentation states that CloudFront can use an S3 bucket as an origin and cache the objects at edge locations around the world. This reduces latency for viewers and reduces repeated load on the origin. EBS, EFS, and FSx are not the best fit for large-scale internet-facing object delivery because they are not purpose-built global object distribution services. Therefore, S3 plus CloudFront is the correct and most economical architecture for global image delivery at scale.

============

The issue described is a classic case of read-heavy reporting workloads interfering with transactional application traffic. Although the RDS instance is configured for Multi-AZ, Multi-AZ deployments are designed for high availability and failover, not for scaling read performance. All reads and writes still occur on the primary instance, which explains why reporting queries negatively affect customer-facing performance.

Option C, adding an Amazon RDS read replica, is the most effective and AWS-recommended solution. Read replicas asynchronously replicate data from the primary instance and provide a separate endpoint for read-only workloads such as reporting, analytics, and dashboards. By redirecting the finance team’s reporting queries to the replica endpoint, the primary database is freed to handle transactional workloads, significantly improving overall application performance.

Option A (RDS Proxy) helps manage database connections efficiently, especially for bursty workloads, but it does not offload query execution or isolate heavy read traffic. Option B is invalid because RDS Multi-AZ does not support spreading a single DB instance across three AZs, and even if it did, it would not reduce read contention. Option D increases instance resources but does not solve the root cause; reporting queries would still compete with production traffic and would also increase cost unnecessarily.

Therefore, C is the optimal solution because it isolates reporting workloads, scales read capacity, improves application responsiveness, and aligns with AWS best practices for high-performance database architectures.

This solution meets the requirements of providing encryption at both the network and session layers while also allowing for controlled access between on-premises systems and AWS resources.

AWS Site-to-Site VPN: This service allows you to establish a secure and encrypted connection between your on-premises network and AWS VPC over the internet or via AWS Direct Connect. The VPN encrypts data at the network layer (IPsec) as it travels between the corporate network and AWS.

Routing and Security Controls: By configuring route table entries, you can ensure that only the traffic intended for AWS resources is directed to the VPC. Additionally, by setting up security groups and network ACLs, you can further restrict and control which traffic is allowed to communicate with the instances within your VPC. This approach provides the necessary security to prevent unrestricted access, aligning with the company’s security policies.

Why Not Other Options?:

Option A (AWS Direct Connect): While Direct Connect provides a private connection, it does not inherently provide encryption. Additional steps would be required to encrypt traffic, and it doesn’t address the session layer encryption.

Option B (IAM policies for Console access): This option does not meet the requirement for network-level encryption and security between the corporate network and the VPC.

Option D (AWS Transit Gateway): Although Transit Gateway can help in managing multiple connections, it doesn’t directly provide encryption at the network layer. You would still need to configure a VPN or use other methods for encryption.

AWS References:

AWS Site-to-Site VPN- Overview of AWS Site-to-Site VPN capabilities, including encryption.

Security Groups and Network ACLs- Information on configuring security groups and network ACLs to control traffic.

Amazon S3 Intelligent-Tiering is designed for data with unknown or changing access patterns. It automatically moves data between frequent and infrequent access tiers based on usage. This tier offers immediate access to all objects, regardless of which tier they are stored in, while optimizing storage costs. S3 Intelligent-Tiering also provides the same high durability, availability, and security as other S3 storage classes and supports access from external resources using standard S3 APIs. Lifecycle policies and Glacier classes are more suitable for archival when infrequent access is predictable, but retrieval from Glacier classes is not immediate and incurs extra charges and delays.

Reference Extract from AWS Documentation / Study Guide:

" S3 Intelligent-Tiering is designed to optimize costs by automatically moving data between two access tiers when access patterns change. Data is always available and immediately accessible, making it ideal for unknown or unpredictable access patterns. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Storage Classes section.

Key Problem:

Delayed Inventory table updates during peak sales.

DynamoDB Streams and Lambda processing require optimization.

Analysis of Options:

Option A:Adding a GSI is unrelated to the issue. It does not address stream processing delays or capacity issues.

Option B:Optimizing batch size reduces latency and allows the Lambda function to process larger chunks of data at once, improving performance during peak load.

Option C:Increasing write capacity for the Inventory table ensures that it can handle the increased volume of updates during peak times.

Option D:Increasing read capacity for the Orders table does not directly resolve the issue since the problem is with updates to the Inventory table.

Option E:Increasing Lambda timeout only addresses longer processing times but does not solve the underlying throughput problem.

AWS References:

DynamoDB Streams Best Practices

Provisioned Throughput in DynamoDB

AWS Batch supports Windows-based jobs and automates provisioning and scaling of compute environments. Paired with AWS Fargate, it removes the need to manage infrastructure. This solution requires the least operational overhead and is cloud-native, providing flexibility and scalability.

Amazon Macie: Detects sensitive data such as PII in S3 buckets using machine learning.

EventBridge Rule: Filters Macie findings for specific sensitive data events (e.g., SensitiveData).

SNS Notification: Provides real-time alerts to the security team for immediate action.

Amazon Macie Documentation,Amazon EventBridge Documentation

SSE-KMS: Server-side encryption with AWS Key Management Service (SSE-KMS) provides robust encryption of data at rest, integrated with AWS KMS for key management and auditing.

Automatic Key Rotation: By enabling automatic rotation for the KMS keys, the system ensures that keys are rotated annually without manual intervention, meeting compliance requirements.

Logging and Auditing: AWS KMS automatically logs all key usage and management actions in AWS CloudTrail, providing the necessary audit logs.

Implementation:

Create a KMS key with automatic rotation enabled.

Configure the S3 bucket to use SSE-KMS with the created KMS key.

Ensure CloudTrail is enabled for logging KMS key usage.

Operational Efficiency: This solution provides encryption, automatic key management, and auditing in a seamless, fully managed way, reducing operational overhead.

Amazon EFSwithMax I/O performance modeis designed for workloads that require high levels of parallelism, such as video processing across multiple EC2 instances. EFS provides shared file storage that can be mounted on both Windows and Linux EC2 instances, and the Max I/O mode ensures the best performance for handling large files and concurrent access across multiple instances.

Option A and B (FSx for Windows File Server): FSx for Windows File Server is optimized for Windows workloads and would not be ideal for Linux instances or high-throughput, parallel workloads.

Option D (EFS General Purpose mode): General Purpose mode offers lower latency but doesn ' t support the high throughput needed for large, concurrent workloads.

AWS References:

Amazon EFS Performance Modes

AWS documentation states that EC2 Auto Scaling is the recommended, cost-effective, and fault-tolerant method to manage workloads with predictable or varying demand. Auto Scaling automatically adds instances during peak traffic and terminates them when demand is low, reducing compute cost while maintaining availability across multiple Availability Zones.

Reserved Instances (Option B) would force the company to pay for peak capacity all day, which is not cost-effective.

Stopping instances manually (Option C) or vertically scaling instances (Option D) reduces fault tolerance and increases operational overhead.

=====================================================

This is a classic session-persistence problem. AWS Elastic Load Balancing documentation explains thatstickinesslets a load balancer bind a user’s session to a specific target. For an ALB,application-based cookie stickinesscan be enabled at the target group level, which is useful when the application expects a user to continue hitting the same backend instance for the duration of a session. That prevents users from being redirected back to login because of requests landing on different instances. The other options either do not solve the session problem or reduce availability by forcing traffic to one instance. (docs.aws.amazon.com)

============

The medical reports needreal-time accesseven though they are read only about once a year, which matchesS3 Glacier Instant Retrieval. AWS documents that objects in Glacier Instant Retrieval are immediately available with GET, making it the right archival class when access is infrequent but still must be immediate. The medical images are rarely accessed and can tolerate slower retrieval, soS3 Glacier Deep Archiveis the lowest-cost long-term archival choice. AWS recommends Deep Archive for long-lived data that is accessed less than once a year and can wait hours to days for restore completion. That combination optimizes cost while still meeting the very different retrieval requirements for reports and images. (AWS Documentation)

============

Amazon RDS Proxy is designed to manage a large number of database connections from applications, especially serverless applications that can scale quickly. It improves application availability and scalability by pooling and sharing established database connections. This reduces the overhead of database connections and prevents overload during traffic spikes.

AWS Secrets Manager is the managed service for securely storing, rotating, and retrieving database credentials. When you store Aurora credentials in Secrets Manager and enable automatic rotation, Secrets Manager updates the credentials in both the database and the stored secret.

Each Lambda function version or alias can call Secrets Manager at runtime to retrieve the current secret value, so even older deployed Lambda versions that use an alias will always obtain the most recent credentials without redeployment.

Why others are not suitable:

B: Embeds credentials in code, requiring redeployment on every rotation and violating security best practices.

C: Environment variables are version-specific; old aliases would continue using outdated values unless you redeploy or change them.

D: Parameter Store can store and rotate secrets but is less integrated for database credential rotation than Secrets Manager; Secrets Manager is the purpose-built minimal-overhead choice here.

AWS recommends using cost allocation tags to associate costs with owners (e.g., department, project) and AWS Budgets to create cost or usage budgets with alerts at defined thresholds (e.g., 60%). Budgets can send notifications via email or Amazon SNS when “Actual or forecasted” spend exceeds the threshold. Cost Explorer forecasts help visualize trends but do not provide budget alerting or ownership attribution by themselves. Trusted Advisor does not generate budget threshold alerts. Therefore, tagging resources for accountability and setting a budget with a 60% alert provides governance and proactive notifications aligned with cost control best practices for experimentation.

To grant cross-account access to an Amazon S3 bucket, you can use a bucket policy that specifies the AWS account ID of the account you want to grant access to. This method allows Account B to access the S3 bucket in Account A without the need for additional services or configurations.

To access an EFS file system across accounts and VPCs, the EFS must be mounted using VPC peering or AWS Transit Gateway, and the EC2 instances must use the amazon-efs-utils package with the correct mount target or access point.

Using an EFS access point simplifies access management, especially across accounts, by providing a POSIX identity and access policy layer.

VPC sharing doesn’t support EFS directly unless the subnet and resources are shared properly, which requires redeployment. Therefore, option D is the most complete and correct.

VPC Endpoint for S3: A gateway endpoint for Amazon S3 enables you to privately connect your VPC to S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Configuration Steps:

In the VPC console, navigate to " Endpoints " and create a new endpoint.

Select the service name for S3 (com.amazonaws.region.s3).

Choose the VPC and the subnets where your EC2 instances are running.

Update the route tables for the selected subnets to include a route pointing to the endpoint.

Security Compliance: By configuring an S3 gateway endpoint, all traffic between the VPC and S3 stays within the AWS network, complying with the company ' s security regulations to avoid internet traversal.

When AWS workloads must resolve DNS names from on-premises systems over a hybrid network (like VPN or Direct Connect), the best solution is to use Amazon Route 53 Resolver outbound endpoints.

The outbound endpoint enables DNS queries to be forwarded from your VPC to on-premises DNS servers.

You must also configure a Route 53 Resolver forwarding rule to define which domain names (e.g., corp.internal) should be forwarded to the specific on-premises DNS IPs.

This setup allows private DNS resolution from AWS to on-premises systems and is fully managed, eliminating the need to run and maintain EC2-based DNS proxies (as in option A).

Options C and D are incorrect:

C is not DNS-specific and doesn’t solve name resolution.

D misuses a public hosted zone for a private DNS domain.

???? Reference:

Route 53 Resolver Outbound Endpoints

End-to-end encryption means TLS is used not only from the client to the ALB, but also from the ALB to the EC2 targets. The least operational effort is achieved by using AWS Certificate Manager (ACM) Amazon-issued certificates where possible, because ACM automates key management, certificate provisioning, and renewal for supported use cases. Associating an ACM certificate with the ALB is a standard managed approach for TLS termination at the load balancer, and using managed certificates reduces the overhead of tracking expiration, renewing, and distributing certificates.

For encryption on the backend connection (ALB to instances), the instances must present a certificate and complete TLS. Using Amazon-issued ACM certificates (via supported mechanisms) reduces manual certificate lifecycle work compared with importing and managing third-party certificates. By avoiding third-party cert procurement and manual renewals, the solution minimizes ongoing operations and reduces the risk of outages due to expired certificates. This aligns with the requirement for the least operational effort while meeting the security requirement.

Option A is far more operationally heavy: CloudHSM is intended for scenarios requiring customer-managed HSMs and adds complexity in deployment, scaling, integration, and operations. Option B introduces self-signed certificates on instances, which increases operational friction (distribution, trust, rotation) and is not as clean for managed operations. Option C works but requires managing third-party certificate lifecycle (renewals, re-import, redeploy to instances), which is more overhead than Amazon-issued managed certificates.

Therefore, D best meets end-to-end encryption needs with the lowest ongoing operational burden by using AWS-managed certificate issuance and lifecycle management capabilities.

The most cost-effective and scalable solution for generating thumbnails when photos are uploaded to an S3 bucket is to useS3 event notificationsto trigger anAWS Lambda function. This approach avoids the need for a long-running EC2 instance or EMR cluster, making it highly cost-effective because Lambda only charges for the time it takes to process each event.

S3 Event Notifications: Automatically triggers the Lambda function when a new photo is uploaded to the S3 bucket.

AWS Lambda: A serverless compute service that scales automatically and only charges for execution time, which makes it the most economical choice when dealing with periodic events like photo uploads.

The Lambda function can generate the thumbnail and upload it to a second S3 bucket, fulfilling the requirement efficiently.

Option AandOption B(EMR or EC2 with scheduled scripts)**: These are less cost-effective as they involve continuously running infrastructure, which incurs unnecessary costs.

Option D (S3 Storage Lens): S3 Storage Lens is a tool for storage analytics and is not designed for event-based photo processing.

AWS References:

Amazon S3 Event Notifications

AWS Lambda Pricing

ECS with Fargate: Allows containerized workloads to scale rapidly without managing underlying servers, handling unpredictable growth effectively.

RDS for Relational Data: Manages large relational datasets efficiently while supporting high availability.

SQS for Decoupling: Ensures message processing occurs in a specific order, decoupling application components and allowing independent evolution.

AWS ECS with Fargate Documentation,AWS SQS Documentation

AWS Shield Advanced is designed to provide enhanced protection against DDoS attacks with proactive engagement and response capabilities, making it the best solution for this scenario.

AWS Shield Advanced: This service provides advanced protection against DDoS attacks. It includes detailed attack diagnostics, 24/7 access to the AWS DDoS Response Team (DRT), and financial protection against DDoS-related scaling charges. Shield Advanced also integrates with Route 53 and the Application Load Balancer (ALB) to ensure comprehensive protection for your web applications.

Route 53 and ALB Protection: By adding your Route 53 hosted zones and ALB resources to AWS Shield Advanced, you ensure that these components are covered under the enhanced protection plan. Shield Advanced actively monitors traffic and provides real-time attack mitigation, minimizing the impact of DDoS attacks on your application.

Why Not Other Options?:

Option A (AWS Config): AWS Config is a configuration management service and does not provide DDoS protection or detection capabilities.

Option B (AWS WAF): While AWS WAF can help mitigate some types of attacks, it does not provide the comprehensive DDoS protection and proactive engagement offered by Shield Advanced.

Option C (GuardDuty): GuardDuty is a threat detection service that identifies potentially malicious activity within your AWS environment, but it is not specifically designed to provide DDoS protection.

AWS References:

AWS Shield Advanced- Overview of AWS Shield Advanced and its DDoS protection capabilities.

Integrating AWS Shield Advanced with Route 53 and ALB- Detailed guidance on how to protect Route 53 and ALB with AWS Shield Advanced.

To restrict S3 access to a specific VPC, AWS documentation specifies using a Deny policy with aws:SourceVpc for all unmatched VPCs:

Deny if aws:SourceVpc != vpc-11aabb22

This ensures only that VPC can reach the bucket via a VPC endpoint.

Allow policies (Options B and C) are incorrectly structured or use the wrong condition logic.

Option D limits by account, not VPC, and does not enforce VPC-level access.

=====================================================

Apresigned URLallows temporary access to a specific object in an S3 bucket without needing to make the bucket public or creating and managing additional IAM users. The URL is time-limited, and permissions are granted only to the specific object (in this case, the annual report), making it a highly secure and operationally efficient solution.

With a presigned URL, the consultant can access the report for the specified duration (7 days), after which the URL will expire automatically, removing the need for manual intervention to revoke access.

AWS References:

Amazon S3 Presigned URLsexplain how to generate a presigned URL to grant temporary access to S3 objects.

Best Practices for S3 Securityemphasize using presigned URLs for sharing temporary access to S3 objects securely.

Why the other options are incorrect:

A. Public static website: This approach involves making the S3 bucket publicly accessible, which is unnecessary and insecure for sensitive data.

B. Enable public access: Granting public access to the entire bucket, even temporarily, is a security risk and violates best practices.

C. Create an IAM user: Creating an IAM user and managing credentials is unnecessary overhead and less secure compared to a presigned URL for this short-term need.

The best answer isAPI Gateway + SQS + DLQ + Lambdabecause it combines API ingestion with durable queuing and asynchronous processing. AWS guidance for event-driven serverless architectures specifically recommends usingAmazon SQSto decouple components and durably persist messages when downstream processing is slower or bursty. AWS also documents thatdead-letter queueshelp isolate messages that fail processing, which supports the requirement to avoid losing requests. API Gateway can integrate with AWS services, including SQS, to accept requests from mobile and web clients. The ALB options do not provide the same durable buffering, and the SNS option is less appropriate because the key requirement is loose coupling with durable request preservation. Therefore,Bis the strongest design. (AWS Documentation)

Using an Application Load Balancer (ALB) allows for integration with AWS WAF to inspect all incoming traffic. Running the application on Amazon ECS provides a scalable and managed container orchestration service. Utilizing Amazon Aurora Serverless for the PostgreSQL database offers automatic scaling based on application demand, which is cost-effective for workloads with variable traffic patterns, such as higher traffic on weekdays and lower traffic on weekends.

AWS Backup Audit Manager automates auditing and reporting of backup activity and compliance, while AWS Config provides visibility into configuration changes. Together, they provide the simplest, most automated, and compliant backup monitoring solution.

From AWS Documentation:

“AWS Backup Audit Manager automatically audits backup activity across AWS resources. You can use predefined or custom frameworks to monitor backup compliance and encryption status.”

(Source: AWS Backup Audit Manager User Guide)

Why D is correct:

Ensures centralized visibility into all backup jobs.

Verifies encryption status automatically.

Generates ready-to-use reports with minimal operational overhead.

Complies with regulatory requirements for data protection.

Why others are incorrect:

A & C: Custom Lambda automation increases maintenance effort.

B: Manual checking is operationally inefficient and error-prone.

For network-level database access control, AWS recommends usingsecurity groups, which are stateful and can restrict inbound access to a specific on-premises IP address. For credential storage and automatic rotation,AWS Secrets Manageris the correct managed service. AWS documentation states that Secrets Manager helps protect access to applications and services by managing secrets and rotating them automatically for supported databases. KMS is a key-management service, not a secret store for database passwords. Network ACLs are stateless and are less appropriate than security groups for this requirement. Therefore, A combines the correct network control with the correct secret-rotation service. (docs.aws.amazon.com)

============

The application has aknown steady baselineand the processescannot be interrupted, so Spot Instances are not appropriate. For steady-state EC2 usage, AWS cost optimization guidance favors commitment-based pricing such as Reserved Instances or Savings Plans, while EC2 Auto Scaling can still maintain the baseline instance count for the workload. Auto Scaling groups are designed to keep at least the configured minimum number of instances running. Option B does not include a discount strategy for the baseline, and option C introduces Spot capacity, which conflicts with the non-interruptible requirement. Lambda is also not a natural fit for long-running analytics processes. Therefore, using an Auto Scaling group sized for the baseline and applying Reserved Instance pricing to that baseline is the most cost-effective answer among the choices.

============

The Application Load Balancer (ALB) supports sticky sessions (session affinity) using application cookies. AWS WAF integrates natively with ALB to provide Layer 7 protection at the same endpoint.

From AWS Documentation:

“You can enable sticky sessions for your Application Load Balancer target groups to ensure that a user’s requests are consistently routed to the same target. AWS WAF integrates with Application Load Balancer to protect your web applications from common exploits.”

(Source: Elastic Load Balancing User Guide & AWS WAF Developer Guide)

Why C and E are correct:

C: ALB operates at Layer 7 (HTTP/HTTPS), supports sticky sessions, and can serve as a public endpoint.

E: AWS WAF can be directly associated with the ALB to inspect traffic and enforce rules.Together, they fulfill both the security and session affinity requirements.

Why others are incorrect:

A: Network Load Balancer doesn’t support session affinity.

B: Gateway Load Balancer is used for virtual appliances, not web applications.

D: Using EIPs bypasses load balancing and WAF integration.

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS. To scale across Regions and accounts in AWS Organizations, Macie supports delegated administration, automated sensitive data discovery, and multi-account aggregation through a centralized admin account.

Amazon S3 Intelligent-Tiering automatically moves objects between two access tiers based on changing access patterns. Objects not accessed for 30 days move to a lower-cost tier, but are still immediately available with millisecond retrieval. If objects become frequently accessed again, they are moved back to the frequent access tier. There are no retrieval charges and no impact on availability or performance. This storage class is specifically designed for unpredictable access patterns and cost optimization, requiring minimal management.

AWS Documentation Extract:

" S3 Intelligent-Tiering is the only storage class that automatically moves data between frequent and infrequent access tiers when access patterns change, with no retrieval charges and no impact on performance. It is designed to optimize costs automatically when data access patterns are unpredictable. "

(Source: Amazon S3 documentation, Intelligent-Tiering storage class)

B: Glacier Deep Archive is for archival, not for low-latency millisecond access.

C: EFS is not optimized for object storage or global CDN distribution.

D: Cache-Control only affects CloudFront or browser caching, not S3 storage cost.

A Stored Volume Gateway stores the entire dataset locally on-premises while asynchronously and securely backing up the data to AWS. This meets the requirement for full local access and automatic transfer to AWS.

Cached Volume Gateway (Option C) keeps only frequently accessed data locally; the full dataset is stored in AWS, not on-premises.

Snowball and Snowball Edge (Options A and B) are migration tools, not ongoing backup solutions.

=====================================================

Among the listed choices, the best solution is to place an AWS Lambda function in the same VPC and use it as the EventBridge target. EventBridge natively supports Lambda as a target, and a Lambda function that runs in the VPC can call the private API without exposing that API publicly. The internet-facing ALB and NLB options violate the requirement to avoid public IP exposure. The direct-target option is also not expressed correctly for a plain private API endpoint, because modern direct private API targeting in EventBridge requiresconnections and VPC Lattice resource configurations, not simply naming a private VPC endpoint as a raw target. Therefore, Lambda as the bridge component is the correct answer from the provided choices. (AWS Documentation)

============

AWS Secrets Manager is purpose-built to securely store, manage, and rotate sensitive credentials such as database user names and passwords. Option A is the most operationally efficient solution because it eliminates manual password rotation, reduces human error, and centralizes secret lifecycle management. Secrets Manager integrates natively with Amazon Aurora, enabling automated credential rotation using AWS-managed or custom Lambda rotation logic. Once rotation is enabled, Secrets Manager updates the database credentials and stores the new values securely without requiring administrators to manually update files on EC2 instances.

By assigning IAM permissions to the secret, access can be tightly controlled using least-privilege principles. The application retrieves credentials at runtime, removing the need to store passwords locally on disk, which significantly improves security posture. Secrets Manager also provides auditing capabilities through AWS CloudTrail, allowing visibility into secret access and changes.

Option B (Systems Manager Parameter Store) can securely store secrets, but automated rotation is not natively supported in the same way as Secrets Manager. Implementing rotation with Parameter Store would require additional custom automation, increasing operational complexity. Option C stores credentials in S3, which is not designed for frequent credential rotation or secure secret access patterns, even when encrypted. Option D only encrypts credentials at rest on individual instances and does not address rotation, distribution, or centralized management, resulting in high operational overhead.

Therefore, A best meets the requirements by providing secure storage, automated monthly rotation, fine-grained access control, and minimal operational effort, aligning with AWS security and operational excellence best practices.

The ALB must be in a public subnet to receive internet traffic. The EC2 instances and the RDS database should be in private subnets to prevent direct internet access, minimizing the attack surface. This aligns with AWS security best practices for web application architectures.

Reference Extract:

" Internet-facing ALBs should be placed in public subnets; EC2 instances and RDS databases should be in private subnets to restrict direct internet access. "

Source: AWS Certified Solutions Architect – Official Study Guide, Network Security and Design section.

In Amazon EKS, Kubernetes stores objects such as Secrets in the cluster’s etcd key-value store. By default, Kubernetes Secrets are base64-encoded and are not automatically encrypted at the application object level unless encryption is configured. Amazon EKS provides a managed capability to encrypt Kubernetes Secrets at rest in etcd using AWS Key Management Service (KMS). The requirement explicitly states that “all secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store,” which maps directly to enabling EKS secrets encryption with a customer-managed KMS key.

Option B is exactly this: create a KMS key and enable EKS KMS secrets encryption on the cluster. With this enabled, EKS uses envelope encryption so that Secrets are encrypted when stored in etcd, and decrypt operations are controlled through KMS permissions. This is the standard, AWS-native method that fulfills the requirement without requiring application changes or external secret stores for the encryption-at-rest requirement in etcd.

Option A (Secrets Manager) is a strong service for secret lifecycle management and rotation, but it does not by itself guarantee that Kubernetes Secrets stored in etcd are encrypted unless EKS secrets encryption is also enabled or the cluster avoids storing secrets in etcd entirely. The question specifically targets etcd encryption. Option C is unrelated: the EBS CSI driver concerns persistent volumes, not etcd secret encryption. Option D concerns EBS volume encryption and a specific AWS-managed key alias used for EBS; it also does not address etcd encryption for Kubernetes Secrets.

Therefore, B is the correct solution because it directly enables encryption of Kubernetes Secrets within etcd using KMS.

Amazon OpenSearch Service is the AWS-native service for real-time search, analytics, and visualization. Ingesting streaming data with Amazon Kinesis Data Streams ensures scalable and reliable data ingestion. OpenSearch supports indexing and querying the data in near real time. QuickSight can then be integrated for visualization and reporting. Options A and B involve batch processing and are not optimized for real-time search. Option C (EKS + DynamoDB) is not a fit for search workloads, as DynamoDB does not support advanced text search. Option D provides the closest AWS-native equivalent to the company’s existing search-and-visualization architecture.

To optimize costs for long-term data storage, AWS recommends using S3 Lifecycle policies to automate transitions across storage classes and ultimately expire old data.

S3 Standard-IA is suited for data that is accessed less frequently but requires millisecond retrieval times. It is ideal for 6-month-old data still used in monthly reports.

S3 Glacier Deep Archive is the lowest-cost option, designed for data accessed once or twice a year, such as regulatory audits — perfect for 2+ year-old data.

Lifecycle expiration rules allow S3 to automatically delete objects older than 7 years, aligning with the business retention policy.

These transitions are cost-effective and fully automated, aligning with the Cost Optimization pillar in the AWS Well-Architected Framework.

???? Reference:

S3 Storage Class Comparison

Lifecycle Management

AWS Organizations is the best fit because it providesaccount-level isolationandconsolidated billingacross member accounts. AWS documentation states that the management account receives a single bill that combines usage from all member accounts, which directly supports a consolidated monthly chargeback view. Creating a member account per business unit also satisfies the isolation requirement better than sharing one account with tags. Separate organizations per unit would add unnecessary overhead and remove the simplicity of a single consolidated management structure. Therefore, a single AWS Organization with one member account per business unit is the cleanest and lowest-overhead design. (docs.aws.amazon.com)

============

Amazon Macieis purpose-built for detecting PII in S3.

Option Auses EventBridge to filter SensitiveData findings and notify via SNS, meeting the requirements.

Options B and Dinvolve GuardDuty, which is not designed for PII detection.

Option Cuses SQS, which is less suitable for immediate notifications.

Amazon RDS Proxy: RDS Proxy is a fully managed, highly available database proxy that makes applications more resilient to database failures by pooling and sharing connections, and it can automatically handle database failovers.

Reduced Failover Time: By using RDS Proxy, the connection management between the application and the database is improved, reducing failover times significantly. RDS Proxy maintains connections in a connection pool and reduces the time required to re-establish connections during a failover.

Configuration:

Create an RDS Proxy instance.

Configure the proxy to connect to the RDS for PostgreSQL DB instance.

Modify the application configuration to use the RDS Proxy endpoint instead of the direct database endpoint.

Operational Benefits: This solution provides high availability and reduces application timeouts during failovers with minimal changes to the application code.

AWS guidance for global, highly available, low-latency applications using a relational database recommends:

Amazon CloudFront with Amazon S3 for static content to cache data at edge locations globally and minimize latency for static assets.

A regional application tier deployed close to users using managed container services such as Amazon ECS on AWS Fargate, which removes the need to manage servers and scales automatically, reducing operational overhead.

A relational database tier using Amazon Aurora global database, which is purpose-built for globally distributed applications. Aurora global database provides a primary cluster in one Region with low-latency read replicas in secondary Regions and fast cross-Region replication, enabling low-latency reads and high availability for global users.

Option A uses only a single Region, which does not meet the “global users with low latency” requirement.

Option C uses RDS and DMS-based replication, which requires more management and does not provide Aurora’s integrated global database features.

Option D replaces the relational database with DynamoDB, which violates the requirement that the application interacts with a relational database.

The problem is scale-out latency: when traffic spikes, new instances take time to launch, initialize, and pass health checks. This can temporarily degrade user experience even if Auto Scaling eventually adds enough capacity. The goal is to improve responsiveness to sudden spikes cost-effectively.

A key Auto Scaling feature for this situation is an EC2 Auto Scaling warm pool. A warm pool maintains a set of pre-initialized instances (stopped or running, depending on configuration) that Auto Scaling can rapidly transition into service. This reduces the time needed for instance launch and initialization, enabling faster scale-out during unexpected surges.

Option B is best because it supports the application’s peak needs by ensuring Auto Scaling can scale up to the required maximum capacity and keeps warm capacity ready. While a warm pool has some cost (especially if instances are kept running), it is typically more cost-effective than permanently running peak capacity all the time. It improves user experience by minimizing cold start delays during spikes.

Option A is counterproductive: lowering minimum capacity increases the likelihood of scale-out delays. Option C is illogical as written (“increase maximum to meet normal demand”); maximum should reflect peak potential, and a warm pool without sufficient max headroom will not solve the spike problem. Option D uses scheduled scaling, but the spike is unexpected, and increasing instance sizes increases cost and does not address launch delay; it may also reduce horizontal scaling flexibility.

Therefore, B is the most cost-effective way to improve scale-out performance and protect user experience during unexpected bursts.

For bidirectional communication such as chat applications, Amazon API Gateway WebSocket API is the correct service. WebSocket APIs allow clients to establish long-lived connections and exchange messages with the backend Lambda functions in real time.

HTTP APIs and REST APIs are suitable for request-response models, not continuous two-way communication. CloudFront cannot maintain stateful WebSocket connections, so only Option C fits the requirements for a real-time, bidirectional application.

AWS guidance is to deploy one NAT gateway per Availability Zone for production workloads to improve resiliency and avoid cross-AZ dependency. However, the question explicitly says only production requires high availability. In non-production environments, the company can reduce cost by keeping a single NAT gateway and updating private-subnet route tables to use that remaining gateway. This saves hourly NAT gateway charges while preserving internet egress for private subnets. Reducing Availability Zones would affect more than NAT cost and would also weaken overall environment design. NAT instances add operational overhead compared with a managed NAT gateway. A transit gateway is unrelated to this cost problem. Therefore, keeping one NAT gateway per AZ for production and reducing to one NAT gateway in non-production is the most cost-effective answer.

============

To ensure that log files are immutable and cannot be deleted or overwritten for a specified retention period, Amazon S3 offers Object Lock in Compliance Mode. When enabled:

Compliance Mode: Ensures that a protected object version can ' t be overwritten or deleted by any user, including the root user in your AWS account, for the duration of the retention period. AWS Documentation

S3 Versioning: Must be enabled on the bucket to use Object Lock. This allows multiple versions of an object to be stored, ensuring that previous versions are preserved and protected. Amazon Web Services, Inc.

By enabling S3 Versioning and applying Object Lock in Compliance Mode with a 1-year retention period, the company can meet regulatory requirements to retain log data securely and prevent any modifications or deletions during that time.

AWS best practice for a highly available, resilient web application is:

Run EC2 instances in an Auto Scaling group across multiple Availability Zones.

Put an Application Load Balancer (ALB) in front of the Auto Scaling group.

Use CloudWatch alarms and scaling policies for horizontal scaling based on demand.

Option D implements exactly this: a minimum of three instances spread across AZs (resilience to AZ failure), behind an ALB, with automatic horizontal scaling. This provides both elasticity and high availability with good cost efficiency (instances scale out/in based on traffic).

Option A uses only three fixed instances and relies on vertical scaling, which does not scale as well and is less resilient.

Option B overprovisions to nine instances from the start, which is unnecessarily expensive.

Option C keeps all instances in a single AZ, which does not meet resilience requirements.

You cannot encrypt an existing unencrypted RDS DB instance in place. AWS guidance for encrypting an existing RDS PostgreSQL instance is totake a snapshot, create an encrypted copy of that snapshot, and restore a new DB instance from the encrypted snapshot. AWS also documents that encryption uses AWS KMS keys and that customer managed keys are the appropriate choice when you want explicit control over the key used for the new encrypted instance. That makesBthe required migration step andEthe correct key-management step. Option C is invalid because encryption cannot simply be turned on for the existing instance, and option D is not how you create a new AWS-managed default key.

============

The problem is that documents are stored on instance-local storage, so once the site scales horizontally, users may land on an instance that does not have the requested file. Amazon EFS is the best fit because AWS documents that EFS provides shared file storage with concurrent access from multiple EC2 instances and is accessible from all Availability Zones in the Region. That lets every web server read the same document set without changing to an object-storage pattern. The cron-based answers introduce delay and inconsistency, and S3 would require a bigger application-path change than the shared file system approach. For the least disruptive and most reliable restoration of access across multiple EC2 instances, mounting a single EFS file system on all instances is the right solution.

============

Using API Gateway with API keys provides secure access control. Amazon SQS allows asynchronous decoupling between frontend and backend, ensuring that backend processing can scale independently. AWS Lambda reading from SQS ensures scalable, event-driven processing with minimal operational management. This architecture is resilient and decoupled.

Amazon Timestream: Purpose-built time series database optimized for telemetry and IoT data ingestion and analytics.

Amazon SageMaker: Provides ML capabilities for predictive maintenance workflows.

Amazon QuickSight: Efficiently generates interactive, real-time visual reports from Timestream data.

Optimized for Scale: Timestream efficiently handles large-scale telemetry data with time-series indexing and queries.

Amazon Timestream Documentation

Amazon S3 Bucket Keys reduce the cost of AWS KMS API requests by generating a data key at the bucket level instead of individually calling KMS for every object read or written. This approach is particularly effective when workloads, such as ML pipelines, involve reading large numbers of encrypted objects. Switching to AWS managed keys (A) does not reduce the frequency of API calls. Removing encryption (B) would violate compliance/security requirements. Using CloudHSM (C) adds cost and operational burden. Therefore, the correct solution is D — enabling S3 Bucket Keys with SSE-KMS, which significantly reduces decryption costs while maintaining secure encryption.

AWS provides EBS Block Public Access at the AWS Organizations level, which, when enabled, prevents EBS snapshots from being shared publicly across all member accounts. This is an organization-wide control that requires minimal configuration and no ongoing monitoring to prevent public sharing.

This directly satisfies the requirement:

Covers all accounts managed by Organizations.

Explicitly prevents public snapshot sharing.

Has the least operational overhead because it is a single centralized control.

AWS Config (Option A) only monitors and alerts, but does not prevent public sharing.

An IAM policy in the root account (Option C) is harder to enforce consistently across all accounts and may not cover all permission paths.

CloudTrail (Option D) only logs events and does not prevent public access.

AWS documentation states that you can associate a security group with a Network Load Balancer and use it to allow inbound traffic only from specified source IP ranges. AWS also recommends referencing theNLB’s security groupin the target instances’ security groups so the targets accept traffic only from the load balancer. That maps exactly to option B: allow the listed client IPs into the NLB on port 22, then allow port 22 from the NLB security group to the EC2 targets. The network ACL answer is less precise and harder to manage, and options C and D are broader than necessary.

============

Key Requirements:

High availability and automatic recovery.

Separate transactional and analytical queries with minimal performance impact.

Allow up to a 4-hour lag for analytical queries.

Analysis of Options:

Option A:

Multi-AZ deployments provide high availability but do not include read replicas for separating transactional and analytical queries.

Analytical queries on the secondary DB instance would impact the transactional workload.

Incorrect Approach:Does not meet the requirement of query separation.

Option B:

Multi-AZ DB clusters provide high availability and include a reader endpoint. However, these are better suited for Aurora and not RDS for MySQL.

Incorrect Approach:Not applicable to standard RDS for MySQL.

Option C:

Multiple read replicas allow separation of transactional and analytical workloads.

Queries can be pointed to a replica in a different AZ, ensuring no impact on transactional queries.

Correct Approach:Meets all requirements with high availability and query separation.

Option D:

Creating nightly snapshots and read-only databases adds significant operational overhead and does not support the 4-hour lag requirement.

Incorrect Approach:Not practical for dynamic query separation.

AWS Solution Architect References:

Amazon RDS Read Replicas

Multi-AZ Deployments

The Requester Pays feature in Amazon S3 allows the bucket owner to configure the bucket so that the requester, rather than the bucket owner, pays for data transfer and request costs. This is ideal for sharing large datasets with the public or with other AWS accounts when you want to minimize your own data transfer expenses.

Reference Extract from AWS Documentation / Study Guide:

" Requester Pays buckets allow you to configure the bucket so that the requester instead of the bucket owner pays the cost of the request and the data download from the bucket. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Cost Management section.

Amazon CloudFront is a content delivery network (CDN) service that caches copies of your content at edge locations around the world. This helps improve performance by serving content from the edge nearest to the user. However, when the content in Amazon S3 (your origin) is updated, those updates may not immediately reflect on the website if they are cached at the CloudFront edge locations.

The issue described in the question suggests that the CI/CD pipeline is functioning correctly, and updates are being deployed to S3. However, since CloudFront caches this content, the edge locations may still be serving outdated content, causing the updates to not be reflected on the website.

To resolve this issue, you need to invalidate the CloudFront cache. By invalidating the cache, CloudFront will remove the outdated content and retrieve the latest version from the S3 origin.

AWS documentation on this process:

CloudFront cache invalidation allows you to clear items from the cache so that CloudFront retrieves the latest version from the origin. You can create invalidation requests via the AWS Management Console, AWS CLI, or SDKs.

AWS CloudFront Documentation

Why the other options are incorrect:

A. Add an Application Load Balancer: ALBs are used to distribute incoming application traffic and are not relevant to caching or serving content from CloudFront.

B. Add Amazon ElastiCache for Redis or Memcached: This would help in caching database queries but has no relation to static website content hosted on CloudFront and S3.

D. Use AWS Certificate Manager (ACM): ACM is used for managing SSL/TLS certificates and is unrelated to the issue of content not being updated on CloudFront.

AWS Lambda supports functions up to 10 GB of memory and 15 minutes execution time. Each invocation here requires only 1 GB of memory and finishes in 30 seconds, making it an ideal fit for Lambda. Lambda is cost-effective for event-driven, short-duration workloads and requires no infrastructure management. AWS Glue and EMR are better suited for large-scale ETL or distributed processing, which is unnecessary and more costly for this workload.

AWS Documentation Extract:

“AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. You pay only for the compute time you consume. Lambda supports up to 10 GB memory and 15 minutes per invocation.”

(Source: AWS Lambda documentation)

B, D: AWS Glue is intended for ETL on larger datasets or batch jobs, usually with higher operational overhead and cost.

C: EMR is for large-scale distributed processing and is not cost-effective for single, fast, memory-bound jobs.

Key Requirements:

Protect public endpoints (CloudFront distributions and ALBs) frommalicious attacks.

Centralizedmanagementacross multiple accounts in an organization.

Ability tomonitor security configurationseffectively.

Minimizeoperational overhead.

Analysis of Options

Option A:

AWS WAF:Protects web applications by filtering and blocking malicious requests. Rules can be applied to both ALBs and CloudFront distributions.

AWS Firewall Manager:Enables centralized management of WAF rules across multiple accounts in an AWS Organizations organization. It simplifies rule deployment, avoiding the need to configure rules individually in each account.

AWS Config:Monitors compliance by using rules that check Regional and global WAF configurations. Ensures that security configurations align with organizational policies.

Operational Overhead:Centralized management and automated monitoring reduce the operational burden.

Correct Approach:Meets all requirements with the least overhead.

Option B:

This approach involves applying WAF rules in each account manually.

While AWS Config and AWS Security Hub provide monitoring capabilities, managing individual WAF configurations in multiple accounts introduces significant operational overhead.

Incorrect Approach:Higher overhead compared to centralized management with AWS Firewall Manager.

Option C:

Similar to Option A but includesAmazon Inspector, which is not designed for monitoring WAF configurations.

AWS Security Hubis appropriate for monitoring but is redundant when Firewall Manager and Config are already in use.

Incorrect Approach:Adds unnecessary complexity and does not focus on monitoring WAF specifically.

Option D:

AWS Shield Advanced:Focuses on mitigating large-scale DDoS attacks but does not provide the fine-grained web application protection offered by WAF.

AWS Config:Can monitor Shield Advanced configurations but does not fulfill the WAF monitoring requirements.

Incorrect Approach:Does not address the need for WAF or centralized rule management.

Why Option A is Correct

Protection:

AWS WAF provides fine-grained filtering and protection against SQL injection, cross-site scripting, and other web vulnerabilities.

Rules can be applied at both ALBs and CloudFront distributions, covering all public endpoints.

Centralized Management:

AWS Firewall Manager enables security teams to centrally define and manage WAF rules across all accounts in the organization.

Monitoring:

AWS Config ensures compliance with WAF configurations by checking rules and generating alerts for misconfigurations.

Operational Overhead:

Centralized management via Firewall Manager and automated compliance monitoring via AWS Config greatly reduce manual effort.

AWS Solution Architect References

AWS WAF Documentation

AWS Firewall Manager Documentation

AWS Config Best Practices

AWS Organizations Documentation

Express Workflows in AWS Step Functions are optimized for high-throughput, short-duration, and low-cost workflows. They are suitable for applications with large volumes of parallel and interdependent tasks. When paired with HTTP APIs from API Gateway, which are more cost-efficient than REST APIs, this setup offers scalability and cost-effectiveness.

The correct answer isAbecause the application processes videos for5–30 minutes, must runmultiple jobs in parallel, and should have theleast operational overhead.Amazon ECS with AWS Fargateis a managed container solution that removes the need to provision and manage EC2 instances while still supporting longer-running parallel jobs. UsingAmazon SQS standard queuesdecouples the upload event from processing and provides a scalable buffer for incoming work.

With this design, Amazon S3 sends object-created notifications to the SQS queue whenever users upload videos. ECS services or tasks on Fargate can then consume messages from the queue and process videos independently. Auto scaling based onSQS queue depthensures the system increases task count when more videos arrive and decreases capacity when demand drops. This provides elasticity and efficient parallel processing with minimal infrastructure management.

Option B is incorrect because EC2-based scaling introduces more operational overhead than Fargate. Option C is incorrect because AWS Lambda has a maximum execution duration and is not appropriate for jobs that can run up to 30 minutes. Option D is also incorrect for the same reason; Lambda is not the best fit for this processing duration, and SNS does not provide the same durable queued work pattern as SQS for controlled parallel processing.

AWS best practices recommend usingevent-driven queues with containerized workersfor medium-duration processing jobs that need concurrency and minimal management. Therefore,S3 + SQS + ECS on Fargate with queue-based scalingis the best solution.

Creating a listener rule on theApplication Load Balancer (ALB)to return a maintenance response during the maintenance window is the most straightforward solution with the least operational overhead. The rule can be configured to match all incoming requests and return a custom response, and it can be easily removed once maintenance is complete.

Option A (Aurora table flag): This adds unnecessary complexity for a temporary maintenance response.

Option B and D (SQS or SNS): These options introduce more components than needed for a simple maintenance message.

AWS References:

ALB Listener Rules

Amazon FSx for NetApp ONTAP fully supports native NetApp SnapMirror replication, making it the most efficient and reliable option for migrating NetApp data from on-premises to AWS.

From AWS Documentation:

“You can use SnapMirror to replicate data from your on-premises NetApp systems to FSx for ONTAP for seamless, block-level, incremental transfers. This provides a highly efficient and performant method for migration, especially for large datasets.”

(Source: Amazon FSx for NetApp ONTAP – Migration Guide)

Why Option C is correct:

SnapMirror offers block-level replication, making it highly efficient for millions of small files.

It supports NFS and SMB file shares, preserving directory structures and permissions.

Reduces cutover time and allows for incremental syncs.

Uses the existing 10 Gbps network for fast transfers.

Why the other options are incorrect:

Option A (DataSync): Suitable for many file-based migrations but less efficient for very large datasets with millions of small files compared to SnapMirror.

Option B (Storage Gateway): Volume Gateway is not used for full-scale file migrations; it ' s for hybrid cloud access.

Option D (Snowball Edge): Useful for offline migrations, but online SnapMirror is more efficient and avoids shipping delays.

The company is already running Kubernetes, soAmazon EKSminimizes application-platform changes while moving to AWS. The application also usesAMQP, and AWS documentation states thatAmazon MQ for RabbitMQsupports AMQP 0-9-1, which preserves the messaging model better than moving to SQS. ECS and Lambda would require a bigger platform or protocol change. Running directly on EC2 adds more operational burden than using managed Kubernetes. Therefore, EKS plus Amazon MQ is the least-overhead migration path that preserves the application’s container and messaging patterns. (docs.aws.amazon.com)

============

AWS Budgets is the correct service because it is built to track AWS costs and usage and to take action when thresholds are reached. In this scenario, the company explicitly doesnotwant automatic resource restriction, so the right pattern is to use budget thresholds and define an action path that supportsmanual review. AWS documentation explains that AWS Budgets can monitor costs and trigger budget actions, and it also supports forecast-based alerts, which help identify likely overruns as early as possible. Daily reports alone are slower and less proactive, while automatic restrictions violate the requirement. Service control policies are not the mechanism used to define spending thresholds themselves. A Budgets-based workflow is therefore the cleanest and most appropriate solution. (AWS Documentation)

============

Option Auses an IAM role attached to the EC2 instance profile, enabling secure and automated access to Secrets Manager. This is the recommended approach.

Option Buses IAM users, which is less secure and harder to manage.

Option Cis not practical for accessing secrets programmatically.

Option Dviolates best practices by granting direct access to the EC2 instance.

After 180 days, the images become infrequently accessed but still must remain immediately available, which fits S3 Standard-IA better than One Zone-IA because the question requires high availability and redundancy throughout the lifecycle. AWS documents that Standard-IA is for long-lived, infrequently accessed data with millisecond access and multi-AZ resilience, while One Zone-IA stores data in a single AZ. After 360 days, the company still needs instant access, so S3 Glacier Instant Retrieval is the right archival class. AWS states that Glacier Instant Retrieval provides real-time access with lower storage cost than Standard-IA for archive data that still must be immediately retrievable. Glacier Flexible Retrieval would not meet the instant-access requirement.

============

For cost-effectiveness and high availability in Amazon EMR workloads, the best approach is to configure atransient cluster(which runs for the duration of the job and then terminates) withOn-Demand Instancesfor the primary and core nodes, andSpot Instancesfor the task nodes. Here ' s why:

Primary and core nodes on On-Demand Instances: These nodes are critical because they manage the cluster and store data on HDFS. Running them on On-Demand Instances ensures stability and that no data is lost, as Spot Instances can be interrupted.

Task nodes on Spot Instances: Task nodes handle additional processing and can be used with Spot Instances to reduce costs. Spot Instances are much cheaper but can be interrupted, which is fine for non-critical tasks as the framework can handle retries.

Atransient clusteris more cost-effective than a long-running cluster for workloads that only run for 6 hours a day. Transient clusters automatically terminate after the workload completes, saving costs by not keeping the cluster running when it ' s not needed.

Option A: A long-running cluster may result in unnecessary costs when the cluster isn ' t being used.

Option C: Running core nodes on Spot Instances risks data loss if the Spot Instances are interrupted, violating the requirement for zero data loss.

Option D: Running both core and task nodes on Spot Instances is highly risky for data-critical workloads.

AWS References:

Amazon EMR Cluster Management

Using Spot Instances in EMR

The issue in this case is related to the processing tier, where EC2 instances are overwhelmed at peak times, causing delays.Option D, using anAmazon EC2 Auto Scaling target tracking policybased on theApproximateNumberOfMessagesin the SQS queue, is the best solution.

Auto Scaling with Target Tracking:

Target tracking policiesdynamically scale out or in based on a specific metric. For this use case, you can monitor theApproximateNumberOfMessagesin the SQS queue. When the number of messages (orders) in the queue increases, the Auto Scaling group will scale out more EC2 instances to handle the additional load, ensuring that the queue doesn’t build up and cause delays.

This solution is ideal for handling variable and unpredictable peak times, as Auto Scaling can automatically adjust based on real-time load rather than scheduled times.

Why Not the Other Options?:

Option A (Scheduled Scaling): Scheduled scaling works well for predictable peak times, but this company experiencesunpredictable peak usage, making scheduled scaling less effective.

Option B (ElastiCache for Redis): Adding a caching layer would help if DynamoDB were the bottleneck, but in this case, the issue is CPU overload on EC2 instances in the processing tier.

Option C (CloudFront): CloudFront would help cache static content from the web tier, but it wouldn’t resolve the issue of the processing tier’s overloaded EC2 instances.

AWS References:

Amazon EC2 Auto Scaling Target Tracking

Amazon SQS ApproximateNumberOfMessages

To meet the requirements, the key must support automatic rotation, and the company must be able to disable (deactivate) the key and schedule deletion. In AWS KMS, these lifecycle controls are available for customer managed keys. Automatic key rotation is supported for symmetric customer managed KMS keys used for encryption and decryption operations. When automatic rotation is enabled, AWS KMS generates new cryptographic material for the key on a regular schedule while the key ID remains the same, helping organizations meet compliance and security best practices without manual operational work.

Option C is the only choice that explicitly combines a symmetric customer managed key with automatic rotation enabled, which directly satisfies the rotation requirement. As a customer managed key, it can also be disabled (to prevent use) and scheduled for deletion (with a waiting period), meeting the rest of the lifecycle needs.

Option A is incorrect because automatic rotation is not generally available for asymmetric KMS keys in the same way; asymmetric keys are used for specialized use cases such as signing or asymmetric encryption, and rotation behavior differs. Options B and D mention “disabling envelope encryption,” which is not a configurable “option” you turn off in KMS; envelope encryption is a recommended pattern where KMS protects data keys, and services commonly use it under the hood. Those options therefore do not describe a valid configuration that meets the requirement.

Therefore, the correct solution is to create a symmetric customer managed KMS key and enable automatic rotation, while using standard KMS controls to disable and schedule deletion when required.

AWS Lake Formation provides centralized data access control, including fine-grained (column-level) permissions for data stored in S3 and accessed through services like Amazon Athena.

Using a Lake Formation blueprint to ingest data from Aurora MySQL into the data lake keeps ingestion and governance integrated. When QuickSight uses Athena as the data source, Athena enforces Lake Formation’s column-level permissions automatically. This allows the marketing team to see only the authorized subset of columns without custom access-control logic.

Options A, B, and C rely on manually limiting columns at ingestion time or using IAM or S3 bucket policies, which do not provide true column-level authorization for SQL queries and require significantly more manual work and maintenance.

Amazon DynamoDB supports TTL (Time To Live) for automated, scheduled deletion of expired items. It also offers point-in-time recovery (PITR) to restore the table to any second within the retention window (typically up to 35 days), providing full data durability and protection. DynamoDB can efficiently handle frequent updates and offers predictable performance. MemoryDB is an in-memory store, not designed for durable recovery. S3 with lifecycle policies does not handle updates as efficiently for small, frequent writes and is not as optimal for session data.

Reference Extract:

" DynamoDB supports TTL for automated expiration and deletion of items and PITR for continuous backups and restoration of data. "

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB section.

Because the application is public and serves global customers with dynamic IP addresses, the web tier must allow HTTPS traffic from0.0.0.0/0on port 443. For the database tier, the secure design is to allow MySQL access only from theweb tier’s security group, not from the internet. AWS RDS documentation explains that you can specify another VPC security group as the source for the DB security group, which allows application servers to connect without exposing the database publicly. That makes A the correct configuration. Options B and C do not work well for global dynamic users, and D exposes the database to the internet.

============

To ensure ALB access only via CloudFront, AWS prescribes restricting the origin to traffic from CloudFront. For ALB origins, the standard pattern is to allow inbound to the ALB only from CloudFront edge IP ranges using security groups or ALB listener rules. Network ACLs are coarse and stateless and add operational burden. CloudFront does not have a “VPC origin” object; instead, CloudFront references the ALB DNS name. By limiting the ALB’s security group to CloudFront IP ranges, direct client access to the ALB is blocked while CloudFront remains permitted. This aligns with security best practices to “restrict origin access to only CloudFront” and use SGs for instance/ALB layer controls.

AWS documentation states that the correct and least-privilege method for cross-account SNS-to-SQS integration is:

• Add specific SNS topic ARNs to the SQS queue policy.

• Allow only those topics to publish messages to the queue.

• Ensure SNS has permission to publish to the specific queue ARN.

This ensures strict scoping and adheres to least privilege.

Options A and D grant overly broad permissions. Option B allows publishing to any queue, which violates least privilege.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

Amazon Macie is the AWS managed service specifically built to discover, classify, and protect sensitive data in Amazon S3, including many common types of personally identifiable information (PII). Macie uses automated analysis and machine learning to identify sensitive data patterns at scale and produces findings that can be reviewed, prioritized, and integrated into security workflows. Because the environment spans hundreds of buckets, millions of objects, and multiple Regions, the key requirement is to minimize operational overhead while achieving broad coverage.

Option C is therefore the best fit: enabling Macie and configuring it to evaluate the targeted buckets provides a centralized, managed approach without building custom scanners, maintaining parsing logic, or operating distributed processing pipelines. Macie is designed for large-scale S3 estates and reduces ongoing maintenance compared with bespoke solutions.

Option A is incorrect because Amazon Detective is used to investigate and analyze security findings and relationships, not to classify S3 object content for PII. Option B is incorrect because Trusted Advisor provides best-practice checks (cost, security posture items, limits), but it does not inspect S3 object contents to detect PII. Option D would require building and operating custom Lambda scanning across millions of objects, handling pagination, retries, file types, performance tuning, and cost controls—high operational overhead and ongoing maintenance, which the company wants to avoid.

Therefore, C meets the requirement most directly and with the least operational burden by using the AWS service purpose-built for PII discovery in S3.

Amazon EKS Anywhere is the best fit because it is specifically designed to run Kubernetes on customer-managed infrastructure in on-premises and edge environments while simplifying cluster lifecycle management. AWS states that EKS Anywhere helps automate cluster management on your own infrastructure, which matches the requirement to keep network connectivity and underlying infrastructure on premises. By contrast, EKS on Outposts moves the platform to AWS Outposts hardware, and the self-hosted options increase operational burden because the company would still manage the Kubernetes platform itself. The key distinction here is that the company wants simpler management without giving up control of its current on-premises environment. EKS Anywhere is the AWS service built for exactly that balance.

============

Amazon S3 File Gateway provides a local NFS mount point, which can be used with minimal changes by the legacy application. Files are transparently uploaded to Amazon S3, allowing the web application to access them directly from S3. This is the most cost-effective and operationally simple way to bridge legacy on-premises NFS output with S3, requiring no changes to the batch process.

AWS Documentation Extract:

“With S3 File Gateway, you can provide applications a local file interface to Amazon S3. S3 File Gateway presents a file-based interface (NFS or SMB), allowing you to use S3 as your scalable, durable storage while making files available to legacy applications.”

(Source: AWS Storage Gateway documentation)

A: Outposts is far more costly and complex than needed.

B: Volume Gateway presents iSCSI block storage, not NFS.

C: Requires re-coding the legacy app to use S3 APIs, not NFS.

The requirement has two parts: (1) continuously or regularly evaluate IAM access key age against a 90-day policy, and (2) remediate noncompliant keys by disabling and deleting them. The least operational effort generally comes from using managed compliance evaluation and lightweight serverless remediation.

AWS Config is designed to assess resource configuration compliance over time. Using an AWS Config rule to check access key age fits the governance model because Config maintains a compliance history, supports central reporting, and can evaluate keys across an account (and commonly across an organization with aggregation patterns). After detection, remediation should be automated with minimal infrastructure, and AWS Lambda is the lightest operational tool for directly calling IAM APIs (UpdateAccessKey to Inactive, then DeleteAccessKey) on a schedule.

Option C pairs these appropriately: Config performs compliance evaluation, and an EventBridge scheduled rule triggers a Lambda function to remediate keys older than 90 days. This avoids running and maintaining compute fleets or batch infrastructure. It also provides clear separation of duties: Config for detection and evidence, Lambda for corrective action.

Options A, B, and D rely on AWS Batch, which introduces additional operational overhead (compute environments, job definitions, queues, scaling, and monitoring) that is unnecessary for a simple IAM housekeeping task. Also, EventBridge by itself is not a compliance evaluation service; it can schedule a job, but it does not inherently track “key age” state or compliance posture the way Config does.

Therefore, C best meets the requirement with the least operational effort by using Config for continuous compliance visibility and a scheduled Lambda for automated key deactivation and deletion.

A. Kinesis Data Streams:Supports high throughput, strict ordering, multiple consumers, and data retention for 365 days.

B. SNS + SQS FIFO:Can enforce ordering but lacks native support for 500 KB messages and retention requirements.

C. EventBridge:Lacks strict ordering and message size compatibility.

D. SNS + Firehose:Not designed for strict ordering or large message sizes.

AWS Key Management Service (AWS KMS) provides multi-Region keys, allowing the same key to be used across Regions without managing your own hardware or key replication.

Multi-Region keys are fully managed and support attribute-based access control (ABAC) using tags and condition keys.

CloudHSM (Options C and D) requires full key lifecycle management, synchronization, and hardware operations, resulting in significantly higher overhead.

Imported key material (Option B) increases key-management responsibility.

=====================================================

AWS Lambda for Operational Efficiency:

AWS Lambdais a serverless compute service that allows you to run code without provisioning or managing servers. It automatically scales based on the number of invocations and eliminates the need to maintain and monitor EC2 instances, making it far more operationally efficient compared to running a cron job on EC2.

By using Lambda, you pay only for the compute time that your function uses. This is especially beneficial when dealing with lightweight tasks, such as scanning a DynamoDB table and sending email messages once a day.

Amazon DynamoDB:

DynamoDBis a highly scalable, fully managed NoSQL database. The table stores employee start dates, and scanning the table to find the employees who have a work anniversary on the current day is a lightweight operation. Lambda can easily perform this operation using theDynamoDB Scan APIor queries, depending on how the data is structured.

Amazon SNS for Email Notifications:

Amazon Simple Notification Service (SNS)is a fully managed messaging service that supports sending notifications to a variety of endpoints, including email. SNS is well-suited for sendingout email messages to employees, as it can handle the fan-out messaging pattern (sending the same message to multiple recipients).

In this scenario, once Lambda identifies employees who have their work anniversaries, it can use SNS to send the email notifications efficiently. SNS integrates seamlessly with Lambda, and sending emails via SNS is a common pattern for this type of use case.

Event Scheduling:

To automate this daily task, you can schedule the Lambda function usingAmazon EventBridge (formerly CloudWatch Events). EventBridge can trigger the Lambda function on a daily schedule (cron-like scheduling). This avoids the complexity and operational overhead of manually setting up cron jobs on EC2 instances.

Why Not EC2 or SQS?:

Option A & Bsuggest running a cron job on anAmazon EC2instance. This approach requires you to manage, scale, and patch the EC2 instance, which increases operational overhead. Lambda is a better choice because it automatically scales and doesn’t require server management.

Amazon Simple Queue Service (SQS)is ideal for decoupling distributed systems but isn’t necessary in this context because the goal is to send notifications to employees on their work anniversaries. SQS adds unnecessary complexity for this straightforward use case, whereSNSis the simpler and more efficient solution.

AWS References:

AWS Lambda

Amazon SNS

Amazon DynamoDB

Amazon EventBridge

Summary:

UsingAWS Lambdacombined withAmazon SNSto send notifications, and scheduling the function withAmazon EventBridgeto run daily, is the most operationally efficient solution. It leverages AWS serverless technologies, which reduce the need for infrastructure management and provide automatic scaling. Therefore,Option Cis the correct and optimal choice.

The requirements focus on cost optimization, automatic lifecycle management, and throughput scaling based on file system size. Amazon EFS provides two throughput modes: bursting and provisioned. Bursting throughput automatically scales with the size of the file system, which directly aligns with the company’s needs.

Option C is correct because it combines two essential features. First, configuring lifecycle management to transition files from Standard to Infrequent Access (IA) after 30 days reduces storage costs for infrequently accessed data. Second, enabling automatic transition back to Standard storage upon access ensures that performance-sensitive reporting workloads are not negatively affected when older files are read.

Using bursting throughput mode allows throughput to grow naturally as the file system size increases, eliminating the need to manually manage or pay for fixed throughput levels. This is ideal for workloads with variable access patterns.

Option A incorrectly specifies provisioned throughput, which is designed for predictable, high-throughput workloads and incurs additional cost. Option B ignores lifecycle transitions. Option D does not account for automatic return to Standard storage, which could lead to suboptimal performance for accessed files.

Therefore, C provides the best balance of performance, cost efficiency, and minimal operational overhead.

Explanation (AWS Docs):

Although the question says “before sending it,” AWS best practice for sensitive data is SSE-KMS (Server-side encryption with AWS KMS keys), which gives full key usage auditing. It integrates with AWS KMS and provides compliance-friendly encryption at rest automatically.

“SSE-KMS uses AWS Key Management Service to manage encryption keys. SSE-KMS also provides an audit trail of key usage.”

— Protecting Data Using Server-Side Encryption

Why not D?

Client-side encryption requires custom key management and adds operational overhead. C is simpler and compliant.

AWS documentation states that for API Gateway REST APIs, AWS WAF must be deployed in the same Region to apply web access control lists. WAF geographic match rules can block requests from non-US Regions. Deploying the WAF and API Gateway in the same Region ensures minimal latency because the traffic does not traverse Regions.

Options B and C violate the requirement that WAF and API Gateway must be in the same Region. Option D uses HTTP API, which supports WAF only indirectly via regional ALBs, not directly as REST API does.

=====================================================

EBS Elastic Volumes allow you to dynamically increase storage size, adjust performance, and change volume types without downtime, supporting operational efficiency and scalability for SaaS applications that need to allocate varying storage amounts to customers.

Migrating from EBS to S3 (Option A) is not suitable since S3 is object storage, not block storage, and does not support block-level I/O required by many applications. EFS (Option B) and FSx (Option C) are shared file systems, which might add unnecessary complexity and cost, especially if the application depends on block storage semantics.

Using Lambda to automate Elastic Volumes resizing provides cost efficiency by allocating resources on demand and reduces operational overhead, aligning with AWS operational excellence and cost optimization best practices.

Creating aVPC endpointfor S3 and configuring abucket policyto allow access only from the endpoint ensures that only EC2 instances within the VPC can access the S3 bucket. This solutionimproves security by restricting access at the network level without the need for public internet access.

Option A (IAM policies): IAM policies alone cannot restrict access based on the network location.

Option B and D (Encryption): Encryption secures data at rest but does not restrict network access to the bucket.

AWS References:

Amazon S3 VPC Endpoints

Amazon EFS provides a fully managed, highly available, and shared file system that can be mounted by instances across multiple Availability Zones. This ensures consistency of files between EC2 instances and avoids replication issues. EBS volumes, in contrast, are AZ-scoped and not designed for multi-instance sharing. Options A and B rely on custom replication or manual file handling, which increases operational overhead and risks inconsistencies. Option D does not solve the shared access and consistency requirement. By migrating storage to EFS, both EC2 instances will read and write to the same storage system, ensuring that users always access the latest files without 404 errors.

Amazon API Gateway with CloudFront: API Gateway allows you to create, deploy, and manage APIs, while CloudFront provides a CDN to deliver content with low latency and high transfer speeds.

AWS WAF (Web Application Firewall):

AWS WAF can be configured in CloudFront to protect against common web exploits, including SQL injection and cross-site scripting (XSS).

WAF allows you to create custom rules to block specific attack patterns and can be managed centrally.

Configuration:

Deploy your APIs using Amazon API Gateway.

Set up an Amazon CloudFront distribution in front of the API Gateway.

Configure AWS WAF on the CloudFront distribution to apply security rules.

Operational Efficiency: This solution provides robust protection with minimal operational overhead by leveraging managed AWS services, ensuring that your APIs are secure without extensive custom implementation.

The most resilient and scalable architecture for handling millions of high-resolution images with frequent updates is to store the binary images in Amazon S3 and store their metadata or reference (geographic code and S3 URL) in Amazon DynamoDB.

From AWS Documentation:

“Store large objects like images in Amazon S3 and use Amazon DynamoDB to store metadata and references. This design pattern is scalable, highly available, and cost-effective.”

(Source: AWS Architecture Blog – Best Practices for Handling Large Objects)

Why B is correct:

Amazon S3 is designed for storing large volumes of binary data (images).

DynamoDB provides low-latency reads/writes using the geographic code as the partition key.

Highly available, serverless, and auto-scaling, suitable for disaster scenarios with bursts of activity.

Reduces pressure on the database layer by separating metadata from image storage.

Why the others are incorrect:

Option A and D: Storing images directly in RDS is expensive, unscalable, and not optimal for binary storage.

Option C: DynamoDB is suitable, but storing actual binary image data in DynamoDB is not best practice due to item size limits (400 KB) and performance concerns.

AWS Fargate runs containers without managing servers, and ECS Service Auto Scaling adjusts the number of tasks based on demand. Behind an Application Load Balancer, ECS services elastically scale out to handle concurrent long-running requests. This fits workloads with processing times of 5–20 minutes per request. Lambda (C, D) has a maximum 15-minute timeout, so a portion of requests would fail or require complex refactoring and orchestration. Option B relies on vertical scaling and manual intervention, leaving capacity idle and failing to scale automatically with spikes. By containerizing the app and running on ECS with Fargate, the company gains automatic scaling, isolation per task, and no instance management, ensuring reliable throughput as request volume grows while keeping operations minimal.

AWS Step Functions can orchestrate Lambda executions without modifying the Lambda code, and the Map state is designed to run a Lambda function once per item in a list—perfect for activating many devices in parallel or controlled batches.

This eliminates the loop inside the Retrieve function and prevents timeouts.

EventBridge (Option A) only changes the schedule. DynamoDB Streams (Option B) is unrelated to the activation workflow. EC2 (Option D) increases operational overhead.

The correct answer isCbecause the workload is abatch processing jobthat runs during a limited time window each night and can tolerate interruptions. The key statement is thatif a job fails on one instance, another instance will reprocess the job. That means the workload is fault-tolerant and well suited forAmazon EC2 Spot Instances, which provide unused EC2 capacity at a much lower cost than On-Demand Instances.

Batch jobs, big data processing, background analytics, and other interruptible workloads are classic use cases for Spot Instances. Because the instances run only from12:00 AM to 06:00 AMand do not need to be available continuously, committing to a 1-year Savings Plan or Reserved Instances would not be the most cost-effective approach. Those options are better for steady and predictable long-running usage, not for short-duration nightly workloads.

Using a new launch template configured for Spot Instances allows the Auto Scaling group to launch lower-cost capacity for the processing window. Scaling based on CPU usage can help the group add or remove instances according to processing demand, improving both elasticity and cost efficiency.

Option A is less cost-effective because Savings Plans are more suitable for consistent usage over time. Option B is also less cost-effective because Reserved Instances lock in a commitment for capacity that is used only a few hours each day. Option D does not address the cost model and could even increase cost by using larger instances.

AWS cost optimization guidance recommendsSpot Instances for fault-tolerant, flexible, interruption-tolerant workloads, making optionCthe best answer.

Amazon RDS Blue/Green Deployments provide a safe and straightforward way to make database changes with minimal downtime and risk. Blue/Green deployments create an exact copy ( " green " ) of your production environment ( " blue " ) where you can make schema changes and run tests. After validation, you can promote the green environment to production with a single click or API call, achieving near-zero downtime and maximum availability. This is the AWS-recommended method for deploying major database changes in a way that minimizes impact to users and maximizes uptime.

Reference Extract from AWS Documentation / Study Guide:

" Amazon RDS Blue/Green Deployments enable you to make changes to your database environment safely. You can perform schema updates and feature testing in a fully managed staging environment and switch over with minimal downtime, ensuring the highest availability. "

Source: AWS Certified Solutions Architect – Official Study Guide, Database and Migration section; Amazon RDS Blue/Green Deployments Documentation.

As the number of VPCs grows, managing individual VPC connections becomes complex and unscalable. AWS Transit Gateway is specifically designed to act as a central hub that connects multiple VPCs and on-premises networks through Direct Connect.

Option B simplifies network architecture by allowing hundreds or thousands of VPCs to connect through a single gateway, reducing routing complexity and operational overhead. Transit Gateway supports scalable routing, centralized inspection, and simplified expansion.

The other options do not address network connectivity or scaling challenges. Therefore, B is the correct solution.

Amazon Route 53 Resolver endpoints allow you to integrate DNS between AWS and on-premises environments easily. By creating inbound and outbound resolver endpoints, you can configure conditional forwarding rules so that DNS queries for your on-premises AD domain are forwarded to the on-premises DNS servers. This approach is fully managed, scales automatically, and requires the least administrative overhead.

AWS Documentation Extract:

" Route 53 Resolver provides DNS resolution between AWS and on-premises environments, using endpoints and forwarding rules to manage DNS query routing seamlessly. "

(Source: Route 53 Resolver documentation)

A, D: Require provisioning, managing, and patching EC2 servers or domain controllers.

B: NS records in a private hosted zone do not provide true DNS forwarding.

AWS Transit Gateway is purpose-built for large-scale, hub-and-spoke network architectures. It simplifies connectivity between multiple VPCs and on-premises environments, which is ideal for managing hundreds of VPCs.

“AWS Transit Gateway enables you to connect your VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships.”

— Transit Gateway Documentation

Features:

Scales to thousands of VPCs.

Integrates with AWS Direct Connect via Direct Connect Gateway.

Centralized routing control.

Incorrect Options:

A: VPC endpoints are for private access to AWS services—not VPC-to-VPC connectivity.

C: Route 53 is DNS, not a network transport layer.

D: Secrets Manager is for secret storage, not networking.

ElastiCache for Redis OSS supportsMulti-AZ with automatic failover, which is exactly the feature required here. AWS documentation states that when Multi-AZ is enabled and the primary node fails, ElastiCache automatically promotes a read replica to primary, minimizing downtime and restoring write capability without requiring manual promotion steps. Backups are useful for recovery, but they do not provide automatic operational failover. A design that depends on manual promotion is also weaker than native automatic failover. Since the question explicitly asks for a solution that canautomatically fail over, the correct answer is to enableMulti-AZfor the replication group.

============

Amazon EMR provides a managed big data framework that supports Apache Spark, which is ideal for distributed and compute-intensive data transformations. Managed scaling dynamically adjusts cluster resources, ensuring high performance with minimal management.

From AWS Documentation:

“Amazon EMR provides a managed environment for big data frameworks such as Apache Spark and Hadoop. With managed scaling, EMR automatically resizes clusters to meet workload demands.”

(Source: Amazon EMR Developer Guide)

Why B is correct:

Provides distributed parallel processing for large datasets.

Reduces operational overhead with managed scaling and auto-termination.

Integrates easily with S3, Glue, and ML pipelines.

Optimized for heavy ETL and analytics workloads.

Why others are incorrect:

A: Manual scaling and limited processing capacity.

C & D: Lambda has execution time and memory limits unsuitable for 30-minute compute-intensive tasks.

AWS Outposts extends AWS infrastructure and services to on-premises locations. Running Amazon EMR on Outposts allows for processing data that resides locally while benefiting from the managed services of EMR. This enables compliance with data residency requirements and provides scalability and manageability for analytics.

The application experiences unpredictable traffic spikes, which exceed the provisioned read and write capacity of the DynamoDB table, resulting in throttling errors. This is a classic scenario where on-demand capacity mode is the most appropriate solution.

Option A is correct because DynamoDB on-demand capacity automatically scales to handle sudden increases in traffic without requiring capacity planning. This eliminates throttling during unpredictable spikes and removes the operational burden of managing RCUs and WCUs. On-demand mode is particularly well-suited for workloads with variable or spiky access patterns.

Option B is incorrect because DynamoDB does not support read replicas in the same way as relational databases. Option C reduces cost for predictable workloads but does not prevent throttling if capacity limits are exceeded. Option D increases read cost and does not address capacity constraints.

Therefore, A is the best solution to improve resilience, eliminate throttling errors, and ensure a smooth user experience during traffic surges.

To capture DNS query and response data, including response codes, Amazon Route 53 provides query logging, which is the most precise and AWS-supported solution for this requirement.

Option A enables Route 53 query logging, which records detailed information about DNS queries, such as the queried domain, record type, source IP, and DNS response code. These logs are delivered to Amazon CloudWatch Logs, where administrators can search, analyze, and retain them for forensic investigation and root cause analysis.

Option B is incorrect because AWS CloudTrail records API calls to AWS services, not DNS query traffic. Option C provides aggregated metrics (such as query counts and health checks) but does not include per-query response codes. Option D offers best-practice recommendations but does not collect or analyze DNS query data.

Therefore, A is the correct solution because Route 53 query logging provides the detailed, low-level DNS visibility required for troubleshooting and operational analysis.

A. Mutual TLS:Provides secure communication but does not integrate with AWS credential exchange.

B. AWS Signature v4:Requires direct integration with AWS and is less secure for external systems.

C. Kerberos:Not natively supported for AWS API authentication.

D. IAM Roles Anywhere:Enables AWS API access using X.509 certificates without long-term credentials.

The issue described in the question, where incoming traffic seems to favor one EC2 instance, is often caused by session affinity (also known as sticky sessions) being enabled on the Application Load Balancer (ALB). When session affinity is enabled, the ALB routes requests from the same client to the same EC2 instance. This can cause an imbalance in traffic distribution, leading to performance bottlenecks on certain instances while others remain underutilized.

To resolve this issue, disabling session affinity ensures that the ALB distributes incoming traffic evenly across all EC2 instances, allowing better load distribution and reducing latency. The ALB will rely on its round-robin or least outstanding requests algorithm (depending on the configuration) to distribute traffic more evenly across instances.

Option B (Network Load Balancer): The NLB is designed for Layer 4 (TCP) traffic and low latency use cases, but it is not needed here as the problem is with load balancing logic at the application layer (Layer 7). The ALB is more appropriate for HTTP/HTTPS traffic.

Option C (Increase EC2 Instances): Adding more EC2 instances does not solve the root issue of uneven traffic distribution.

Option D (Health Check Frequency): Adjusting health check frequency won ' t address the imbalance caused by session affinity.

AWS References:

Application Load Balancer Sticky Sessions

The requirement is to restrict actions by Region to prevent accidental cross-Region operations that could violate data residency rules. The most direct and flexible way to enforce Region-based restrictions in AWS is to use IAM condition keys, specifically aws:RequestedRegion, in identity-based policies (and commonly in permission boundaries or SCPs when managing an organization).

Option B is correct because it applies Region constraints at authorization time. By adding conditions that allow actions only when aws:RequestedRegion matches an approved list (or denies when it matches disallowed Regions), the company can prevent users and roles from creating, modifying, or accessing resources in the wrong Region. This approach is broad and can be applied across many services, not just EC2, making it suitable for enforcing data residency boundaries across a multi-Region footprint.

Option A is too narrow because it restricts only ec2:RunInstances. Data residency concerns typically apply to many services (S3, RDS, DynamoDB, KMS, etc.), and limiting only EC2 does not prevent accidental data operations elsewhere. Option C controls where requests come from (source IP), not which Region is targeted. Option D (AWS Config) is detective, not preventative; it can alert after noncompliant actions occur, which does not meet the requirement to prevent accidental operations.

Therefore, B best meets the requirement by enforcing Region-level guardrails through IAM authorization conditions, helping ensure workloads remain within approved geographic boundaries.

The best answer ismessage batching. AWS documentation explains that SQS batch actions let applications send, receive, or delete up to 10 messages at a time. AWS also notes that batching can be combined with horizontal scaling to improve throughput with fewer requests and connections. That makes batching the most relevant feature for handling sudden traffic increases efficiently. FIFO queues address strict ordering and deduplication, visibility timeout controls how long a received message stays hidden from other consumers, and long polling reduces empty responses and unnecessary polling cost. None of those features directly improve throughput as effectively as batching for traffic spikes.

============

When on-premises DNS servers need to resolve private DNS names in a VPC, the correct pattern is to create a Route 53 Resolver inbound endpoint. The inbound endpoint allows DNS queries to flow from the on-premises environment into the VPC, where Route 53 can resolve VPC-specific names (such as private hosted zones or private resource records). Outbound endpoints (C) are for sending VPC DNS queries to on-premises, not the reverse. Verified Access (A) is unrelated to DNS resolution. Direct Connect (B) provides network connectivity but does not provide DNS forwarding capabilities. Therefore, option D is the correct design.

Amazon S3 is suitable for storing data that needs to be accessed weekly and integrates with AWS Key Management Service (KMS) to provide encryption at rest with server-side encryption using KMS-managed keys (SSE-KMS).

SSE-KMS uses envelope encryption and allows automatic key rotation and logging through AWS CloudTrail, satisfying the requirements for audit trails and compliance.

S3 Glacier Deep Archive is unsuitable due to its high retrieval latency. SSE-C requires customer-side management of encryption keys, with no support for automatic rotation or audit. SSE-S3 does not use customer-managed keys and lacks fine-grained control and auditing.

To secure data in transit, the company should use AWS Certificate Manager (ACM) to provide SSL/TLS certificates for the Application Load Balancer. ACM allows easy provisioning, management, and renewal of public and private certificates, ensuring secure communication between users and applications.

To secure data at rest, AWS Key Management Service (KMS) is used to manage encryption keys for Amazon EBS volumes. EBS integrates with AWS KMS, allowing for server-side encryption using KMS-managed keys (SSE-KMS), thus meeting the encryption at rest requirement.

Other options:

GuardDuty (A) is for threat detection, not encryption.

AWS Shield (B) protects against DDoS attacks, not encryption.

Secrets Manager (D) manages credentials, not general data encryption.

This solution follows the AWS Well-Architected Framework – Security Pillar.

???? References:

Encrypting EBS volumes with KMS

Using ACM with ALB

The correct answer isBbecause the company needs order processing to beginimmediatelywhen new orders arrive and also needs ahistory of all order processing attemptsin themost cost-effectiveway. Amazon EventBridge is a serverless event bus that can respond to events as they occur, which makes it a strong fit for near real-time order processing. By using anEventBridge event patternand a rule that invokesAWS Lambdawhen a new order event is received, the solution avoids polling and processes orders only when there is actual work to perform.

This event-driven design is more cost-effective than running scheduled checks or maintaining EC2 instances.AWS Lambdaprovides fully managed compute with automatic scaling and charges based on actual execution time.Amazon DynamoDBis a highly scalable and fully managed NoSQL database that is well suited for storing order-processing results and maintaining a durable history of processing attempts with low operational overhead.

Option A is incorrect because invoking Lambda every minute to check for new orders is a polling model, which introduces delay and unnecessary invocations. Option C is incorrect because using an EC2 instance to poll for events creates higher operational cost and overhead. Option D is less appropriate becauseAmazon EFSis not the best storage choice for durable event history or structured tracking of order-processing attempts.

AWS architectural guidance favorsevent-driven, serverless patternsfor asynchronous order processing when immediate response, scalability, and low cost are required. Therefore,EventBridge + Lambda + DynamoDBis the best solution.

EBS gp3 volumes allow you to independently configure IOPS and throughput, up to 16,000 IOPS, regardless of the volume size, and at a lower cost compared to io1/io2 provisioned IOPS volumes. This meets the requirement for cost-effective, predictable IOPS performance for Amazon RDS for PostgreSQL.

AWS Documentation Extract:

" With gp3 volumes, you can provision performance independent of storage capacity, up to 16,000 IOPS. This allows for cost-effective scaling for applications that require high performance at a lower price point compared to io1. "

(Source: Amazon EBS documentation, gp3 Volumes)

A: gp2 ties IOPS to volume size; 5 TiB is wasteful if only 15,000 IOPS are needed.

B: io1 works but is significantly more expensive than gp3 for most workloads.

D: Magnetic volumes do not support high IOPS.

For SQS-backed worker architectures, AWS recommends scaling consumers based on queue metrics (e.g., ApproximateNumberOfMessagesVisible, AgeOfOldestMessage). EC2 Auto Scaling can “scale out based on Amazon CloudWatch alarms” tied to SQS backlog, increasing worker capacity to reduce latency as demand grows. DAX (A) accelerates DynamoDB reads, not message processing. API Gateway (B) and CloudFront (C) optimize request ingress and content delivery, not the asynchronous email-sending application. The bottleneck is consumer throughput; scaling workers with an SQS-driven policy restores timely processing without downtime and follows Well-Architected patterns for decoupled, elastic systems.

AWS Transfer Family (SFTP) allows clients to use standard SFTP clients and SSH keys without changes. By enabling service-managed users, clients can continue uploading files with their existing tools.

The service delivers the files directly into S3, reducing latency between upload and processing. This removes the need for EC2, custom scripts, and periodic transfers. It fully meets the requirement for a managed solution with minimal disruption to client processes.

To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the “owner” tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage. This approach is both scalable and operationally efficient.

D is the best match because AWS Lambda is a serverless compute service that runs code without provisioning or managing servers, which directly aligns with the requirement for minimal infrastructure and minimal operational support. Lambda supports Python runtimes, so the team can deploy the selected component as a microservice using the same language. For workloads with hundreds of requests per second, Lambda is designed to handle request-driven execution and automatically scales by running more concurrent instances of the function in response to incoming traffic, without the customer needing to pre-size or manage capacity.

The other options introduce significantly more operational responsibility. Option A still requires managing EC2 instances (AMI lifecycle, patching, capacity planning, scaling policies) and Spot interruptions can add complexity for a web microservice test. Option B (Elastic Beanstalk) reduces some management overhead but still relies on underlying instances and environment management (platform updates, scaling configuration, health monitoring), and it is not a serverless model. Option C (EKS with self-managed nodes) has the highest operational burden here: cluster and node management, scaling node groups, patching, and Kubernetes operations—this conflicts with “minimal operational support.”

Lambda fits the serverless microservices goal: deploy code as small independent services, integrate with other managed services (commonly API-driven invocation patterns), and rely on AWS-managed scaling and availability mechanisms rather than administering fleets or clusters.

The most cost-effective general solution isDynamoDB auto scaling. AWS recommends atarget utilization of 70%for provisioned throughput with auto scaling, which lets DynamoDB adjust capacity up or down based on sustained workload patterns. That improves both read and write performance while controlling cost better than manual scaling. A GSI is only useful for specific alternate query patterns and does not solve overall throughput management by itself. DAX helps only with read-heavy caching, not writes. A custom CloudWatch-plus-Lambda scaling solution adds unnecessary operational work compared to native auto scaling. Because the question asks broadly for read and write performance at the best cost, auto scaling with the recommended 70% target is the strongest answer.

============

Provisioned IOPS SSD (io1 or io2) is designed for I/O-intensive workloads that require low latency and consistent throughput, which is critical for transactional and production databases. It provides predictable performance, unlike General Purpose SSD, which is burst-based.

CloudFront geographic restrictions (also known as geo-blocking) allow you to allow or deny content delivery to specific countries with minimal configuration.

“You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you ' re distributing through a CloudFront web distribution.”

— CloudFront Geo Restriction

This is the most operationally efficient approach — no code, no signed URL logic.

Incorrect Options:

A/C: Signed URLs/cookies are for individual access control, not geo-blocking.

D: OAC controls access between CloudFront and S3, not to block specific countries.

Amazon SQS FIFO queues are built for workloads that require both message ordering and exactly-once processing behavior. AWS documentation states that FIFO queues preserve first-in, first-out order and support deduplication so duplicate messages are not introduced within the deduplication interval. That directly satisfies the requirement for exact order and exactly-once semantics. SNS alone is a pub/sub notification service, but it does not by itself provide this exact combination as simply as an SQS FIFO queue. Standard queues allow at-least-once delivery and can deliver messages out of order, so they do not meet the requirement. MSK could be engineered to solve the problem, but it introduces far more operational overhead than a managed queue service. For the most operationally efficient serverless design, SQS FIFO is the correct answer.

============

AWS Security Hub provides a centralized view of security findings across AWS accounts and services. It integrates natively with AWS Config conformance packs, which evaluate compliance against industry standards such as CIS and PCI-DSS.

From AWS Documentation:

“AWS Security Hub aggregates, organizes, and prioritizes security alerts and compliance status across AWS accounts. Use AWS Config conformance packs to assess compliance with security frameworks.”

(Source: AWS Security Hub User Guide – Managing Findings and Compliance)

Why C is correct:

Security Hub provides a centralized dashboard for compliance visibility.

Conformance packs in AWS Config automate compliance checks across accounts.

Fully managed, minimal maintenance, and integrates natively with AWS services.

Why others are incorrect:

A: Conformance packs are not a feature of Amazon Inspector.

B: Third-party tools on EC2 require management and add operational overhead.

D: Systems Manager is not designed for compliance aggregation.

Amazon EFS is the correct answer because it provides aPOSIX-compliant, shared file systemthat multiple ECS tasks and instances can mount concurrently. AWS documents EFS as a managed NFS file system built for shared access and elastic growth, which fits the requirement for log and configuration sharing across Linux containers.Elastic throughputis the best cost-conscious choice when access patterns can vary, because throughput scales automatically without manual provisioning. S3 is object storage and does not provide native POSIX file system behavior. EBS is block storage and is not the right answer for shared, highly available multi-container access across a distributed environment. FSx for Lustre is optimized for specialized high-performance workloads, not general shared configuration and log storage.

============

AWS Lake Formation provides fine-grained (column-level) access control for data stored in S3. Using a Lake Formation blueprint ensures database ingestion is automated and governed.

QuickSight can query Athena, and Athena honors Lake Formation permissions, enforcing column-level controls automatically.

Options A, B, and C rely on manual filtering or IAM policies, which cannot enforce column-level authorization for SQL queries.

Predictive scaling automatically analyzes historical workload patterns, forecasts future capacity needs, and launches instances ahead of time. AWS documentation states that predictive scaling is designed for workloads with recurring, cyclical patterns—such as scheduled weekly batch jobs.

It also supports " pre-launching " capacity before peak demand. This eliminates manual trend analysis and delivers the lowest operational overhead.

Scheduled scaling (Option B) works but requires manual calculation of capacity numbers and updating if patterns change. Predictive scaling removes this burden entirely.

=====================================================

Amazon ECS on AWS Fargate with Amazon EFS is the best match because it combines managed container orchestration with shared persistent storage. AWS documentation explains that Amazon EFS volumes can be used with Amazon ECS so tasks can access the same persistent file system regardless of where they run. AWS also notes that EFS volumes are useful for horizontally scaled containerized applications that need shared storage, low latency, and high throughput. Lambda is a poor fit here because Lambda invocations have a maximum timeout of 15 minutes, while the question states processing can take up to 1 hour. Instance store volumes on ECS EC2 are local to the host and do not provide the centralized persistent repository the workload needs. Fargate plus EFS best satisfies performance, duration, and operational efficiency.

============

The requirements include:

Scalability: The solution must scale as video files are uploaded.

Long-running tasks: Processing tasks can take up to 30 minutes. AWS Lambda has a maximum execution time of 15 minutes, which rules out options that involve Lambda performing all the processing.

Serverless and event-driven architecture: Ensures cost-effectiveness and high availability.

Analysis of Options:

Option A:

AWS Lambda has a 15-minute timeout, which cannot support tasks that take up to 30 minutes.

EventBridge Scheduler is unnecessary for monitoring files when native event notifications are available.Not a valid choice.

Option B:

AWS Step Functions and AWS Fargate can handle long-running processes, but Amazon EFS is not the ideal storage for uploaded video files in a serverless architecture.

Processing tasks triggered by EFS events are not a common pattern and may introduce complexities.Not the best practice.

Option C:

Amazon S3 is used for storing uploaded files, which integrates natively with event-driven services like EventBridge and Step Functions.

Amazon S3 event notifications trigger a Step Functions workflow, which can orchestrate Fargate tasks to process large video files, meeting the scalability and execution time requirements.Correct choice.

Option D:

Similar to Option A, AWS Lambda cannot handle long-running processes due to its 15-minute timeout.

Invoking Lambda for processing directly is not feasible for tasks that take up to 30 minutes.Not a valid choice.

AWS References:

Amazon S3 Event Notifications:AWS Documentation - S3 Event Notifications

AWS Step Functions:AWS Documentation - Step Functions

AWS Fargate:AWS Documentation - Fargate

Comparison of Storage Services:AWS Storage Options

By leveragingAmazon S3,Step Functions, andFargate, this solution provides a scalable, efficient, and serverless approach to handling video processing tasks.

For application access to AWS services from ECS tasks, the correct identity is the ECS task role. AWS separates the task execution role, which is mainly for pulling images and sending logs, from the task role, which is used by the application code running inside the container. Because the application itself needs to read from S3, the least-effort and most secure design is to grant the necessary S3 permissions directly to the task role. Using IAM users and access keys would introduce unnecessary credential management and reduce security. Therefore, assigning the required S3 permissions to the task role is the proper AWS best-practice solution.

============

The correct answer isProvisioned IOPS SSD io2 Block Express. AWS documents that io2 Block Express is recommended for I/O-intensive, latency-sensitive workloads and is designed for consistent sub-millisecond latency with very high IOPS limits. AWS also notes that many instance types can achieve up to32,000 IOPS, which matches the baseline requirement in the question. S3 is object storage and not suitable for a transactional MySQL database. EFS is a shared file system, not the preferred low-latency block storage for this database pattern. gp3 is versatile and cost-effective, but it is not the targeted choice when the requirement explicitly emphasizes sustained, low-latency 32,000 IOPS performance. (AWS Documentation)

Amazon S3 Access Grantsis designed to providefine-grained, prefix-level accessto S3 data for users and groups, including identities coming from a corporate directory or IAM Identity Center. AWS documentation explains that S3 Access Grants can map users or groups to specific S3 locations and vend temporary credentials, which makes it far more scalable than building separate IAM users, role-sharing workflows, or presigned URLs for every vendor. IAM Identity Center adds centralized user lifecycle and identity administration. This combination is especially strong when different vendors need access todifferent datasetsin the same data lake. It is also more maintainable and secure than issuing permanent IAM credentials. For auditing, the environment can still rely on AWS logging controls while using Access Grants for access distribution.

============

AWS Step Functions is designed to coordinate multiple AWS services into serverless workflows, handling errors, retries, and complex logic. By configuring Amazon S3 Event Notifications to trigger an Amazon EventBridge rule, you can automatically start a Step Functions workflow when a new object is uploaded to S3. Step Functions can manage retries for failed uploads and orchestrate calls to various AWS services with minimal operational effort.

AWS Documentation Extract:

“You can use Amazon EventBridge to initiate AWS Step Functions workflows in response to events from S3 buckets. Step Functions can orchestrate the sequence of AWS service calls and automatically handle retries and errors, making it ideal for automating and managing complex workflows.”

(Source: AWS Step Functions documentation, Using Step Functions with EventBridge and S3)

Other options:

A: Requires manual implementation of orchestration and error handling.

B & C: Involve additional infrastructure management and custom logic for workflow orchestration and error handling, increasing operational effort.

A: Amazon Macie can scan S3 buckets for sensitive data and identify PII.

C: S3 Object Lock legal hold prevents object deletion until a review is complete, meeting compliance requirements.

E: EventBridge can trigger the Lambda function automatically when Macie detects sensitive data, creating an automated workflow.

AWS Documentation Extract:

" Amazon Macie automatically discovers, classifies, and protects sensitive data in AWS. You can use EventBridge to invoke a Lambda function for post-processing, such as applying Object Lock legal hold to flagged objects. "

(Source: AWS Macie and S3 Object Lock documentation)

B, D: Moving to Glacier Deep Archive or applying retention in governance mode is not specific to deletion prevention pending review.

F: MFA Delete adds a security layer but does not automate object retention for flagged PII.

Amazon Elastic File System (Amazon EFS) is a fully managed, elastic, shared file system that can be mounted concurrently by multiple EC2 instances across multiple Availability Zones. EFS automatically grows and shrinks as files are added or removed, providing seamless scalability for unpredictable and growing storage needs. It supports simultaneous access from multiple compute resources, making it ideal for applications where several EC2 instances must read and write to the same data set concurrently. EBS volumes cannot be shared across multiple Availability Zones, and S3 Glacier is intended for archival and infrequent access, not for active, hourly data analysis.

Reference Extract from AWS Documentation / Study Guide:

" Amazon EFS provides a scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It can be mounted to many EC2 instances across multiple Availability Zones and is ideal for shared data scenarios. "

Source: AWS Certified Solutions Architect – Official Study Guide, Storage Solutions section; Amazon EFS User Guide.

AWS documentation states that Amazon Macie is the managed service designed to automatically identify and classify sensitive data stored in Amazon S3, including PII and healthcare-related identifiers.

Storing logs in Amazon S3 provides scalable, durable storage, and Amazon Athena can directly query JSON data stored in S3 using SQL.

Amazon Inspector (Option D) is for vulnerability scanning and does not identify sensitive data. DynamoDB with KMS (Option C) cannot detect sensitive information. EBS (Option B) requires custom tooling and does not support serverless SQL querying.

=====================================================

Predictive scaling in EC2 Auto Scaling uses machine learning to analyze historical load and forecast future capacity needs, then pre-scales capacity before the demand occurs. It is specifically designed for recurring, cyclical workloads such as weekly batch jobs.

In this scenario:

The workload pattern is known and recurring (weekly scripted jobs).

The company explicitly does not want to manually analyze trends.

They need capacity to be ready 30 minutes before jobs start.

Predictive scaling lets you:

Set the metric (CPU utilization) and target (60%).

Configure the policy to pre-launch instances 30 minutes in advance, satisfying the requirement automatically with minimal operational overhead.

Dynamic scaling (Option A) reacts after CPU increases, not before.

Scheduled scaling (Option B) requires manual analysis and ongoing adjustment of capacity values.

EventBridge + Lambda (Option D) introduces unnecessary custom logic and still reacts after CPU reaches 60%, not 30 minutes before.

AWS Budgets supports budget actions that can automatically apply controls when a threshold is reached. In this case, because the accounts are non-production, it is appropriate to enforce a hard control by applying an SCP to the OU to deny additional usage and to stop running EC2 instances through a notification-driven workflow. AWS documentation describes AWS Budgets as the service for setting cost thresholds and taking automated actions, which makes it more appropriate than Cost Explorer reporting, CloudWatch alarms, or Cost Anomaly Detection for direct budget enforcement. Since the requirement is to prevent the team from exceeding the project budget, the budget-action-based control is the strongest solution.

AWS CloudFormationallows for the automated, repeatable setup of infrastructure, reducing human error and ensuring consistency.AWS Configprovides the ability to track changes in the infrastructure, ensuring that all changes are logged and auditable, which satisfies the requirement for tracking incremental changes.

Option A and C (AWS Organizations): AWS Organizations manage multiple accounts, but they are not designed for infrastructure setup or change tracking.

Option D (Service Catalog): Service Catalog is used for deploying products, not for setting up infrastructure or tracking changes.

AWS References:

AWS Config

AWS CloudFormation

Amazon API Gateway supports multiple API types: REST, HTTP, WebSocket, and gRPC. HTTP APIs are a newer, lightweight option that support JWT authorizers natively, enabling secure, scalable authentication for APIs with JSON Web Tokens.

HTTP APIs can integrate with ALBs as a backend target, providing direct connectivity and simplified API management with JWT authentication built in.

REST APIs support JWT but are more feature-rich and complex, often used for legacy or more complex use cases, and have higher costs and latency. WebSocket APIs are for real-time, bidirectional communication, which is not requested here. gRPC APIs support RPC calls but are less common for public HTTP-based APIs with JWT auth.

Therefore, HTTP API with JWT authorizers is the best fit for this use case.

The lowest-overhead centralized access model is to connect the existingon-premises Active Directoryby usingAD Connectorand then manage AWS account access throughIAM Identity Center permission sets. AWS documentation explains that IAM Identity Center providesone place to assign permissions to multiple AWS accounts, and AD Connector is specifically designed to let AWS services use an existing directory without storing directory information in AWS. This approach preserves the company’s current authentication source and adds centralized authorization across the organization. Creating IAM users or scripting cross-account role assignments would add significant administrative work and weaken the identity model.

============

TooManyRequestsException errors occur when Lambda exceeds concurrency limits. The recommended pattern is to use Amazon SQS with Lambda to decouple and buffer traffic, ensuring that bursts of requests are queued and processed smoothly. Enabling provisioned concurrency for Lambda ensures that functions are pre-initialized and ready to handle spikes in load with low latency. Step Functions (B) is designed for workflow orchestration, not high-throughput request buffering. SNS with Lambda (C) does not provide buffering and may overwhelm Lambda during bursts. Reserved concurrency (D) limits function scaling instead of improving resilience. Therefore, option A provides a scalable and resilient solution, minimizing errors during traffic surges.

Amazon S3 Intelligent-Tiering automatically moves objects between frequent and infrequent access tiers based on access patterns, which minimizes cost without performance impact. Storing photo metadata in Amazon DynamoDB provides fast and scalable lookup by user or tag.

From AWS Documentation:

“The S3 Intelligent-Tiering storage class automatically optimizes storage costs by moving data between frequent and infrequent access tiers when access patterns change.”

(Source: Amazon S3 User Guide – Intelligent-Tiering)

Why B is correct:

S3 Intelligent-Tiering optimizes storage automatically for cost without lifecycle management overhead.

DynamoDB stores small metadata items and S3 URLs, enabling efficient queries and photo lookups.

This architecture scales globally, integrates seamlessly with applications, and minimizes operational cost.

Why other options are incorrect:

A & D: DynamoDB is not intended for storing binary objects like images.

C: Lifecycle rules are static and don’t adapt dynamically to unpredictable access patterns.

The best practice for granting AWS resource access to EC2 instances is to use IAM roles, not users or long-lived access keys. You create an IAM role with a policy that grants the minimum permissions required, then attach that role to an instance profile associated with the EC2 instance. The instance then automatically receives temporary credentials for AWS service access.

AWS Documentation Extract:

" Attach an IAM role to your EC2 instances to securely grant permissions to AWS services according to the principle of least privilege. Never embed access keys in EC2 instances. "

(Source: AWS EC2 documentation, IAM Roles for EC2)

A, B: Using IAM users and embedding keys violates security best practices.

C: IAM role credentials are automatically managed and never need to be manually attached as keys.

This solution usesCloudFrontto serve the website securely over HTTPS usingAWS Certificate Manager (ACM)for SSL certificates.Origin Access Control (OAC)ensures that only CloudFront can access the S3 bucket directly.AWS WAFwith an IP set rule restricts access to the website, allowing only the on-premises IP address.Route 53is used to create an alias record pointing to the CloudFront distribution. This setup ensures secure, private access to the website with low administrative overhead.

Option A and B: S3 bucket policies and access points do not provide HTTPS support, nor do they offer the same level of security as CloudFront with WAF.

Option D: Signed URLs are more suitable for temporary, expiring access rather than a permanent solution for on-premises employees.

AWS References:

Amazon CloudFront with Origin Access Control

To provide unique, secure URLs efficiently:

A: Create a wildcard custom domain in Route 53 as an alias for the API Gateway endpoint.

D: Request a wildcard certificate in ACM in the same Region as API Gateway (certificates must be in the same Region as the API).

F: Create a custom domain name in API Gateway and attach the certificate.

“You can configure a custom domain name for your API Gateway API. To use a wildcard certificate, request it from ACM in the same Region as your API.”

— API Gateway Custom Domain Names

This combination provides secure wildcard URLs without creating separate endpoints or hosted zones per user.

Step A:AWS WAF with managed rules protects the API against application-layer attacks, such as SQL injection and cross-site scripting (XSS).

Step C:Amazon Cognito provides secure authentication and supports federation with social IdPs using OIDC or SAML. It integrates seamlessly with API Gateway.

Option B:AWS Shield Advanced provides DDoS protection, which is not explicitly required in this scenario.

Option D:API keys provide identification, not authentication, and are insufficient for this use case.

Option E:IP filters in WAF are overly restrictive for federated authentication scenarios.

AWS Documentation References:

Amazon Cognito Federation

AWS WAF Managed Rules

Detailed Explanation:

A. RDS:Suitable for relational databases but does not provide native support for data lakes or row-level access.

B. Redshift:Primarily for analytics, not designed for large-scale data lake governance.

C. S3 + Lake Formation:Provides native support for data lakes with granular access control, including row-level permissions.

D. Glue Catalog + DataBrew:Focused on data preparation and metadata management, not row-level access control.

The most secure way to grant an external vendor’s AWS-hosted automation tool access into a company AWS account is to use cross-account IAM role assumption. Option A follows the standard AWS pattern: the company creates an IAM role in its own account that has only the permissions the vendor needs, and the role’s trust policy allows the vendor’s IAM role (in the vendor’s AWS account) to assume it. This approach avoids creating long-lived credentials in the company account and supports least privilege, auditing, and easy revocation.

With role assumption, the vendor continues to authenticate in its own AWS account and uses AWS STS to obtain temporary credentials when accessing the company account. Temporary credentials reduce exposure compared to access keys because they expire automatically and can be constrained with session duration, external IDs (where appropriate), and conditions. The company retains full control over permissions through the role policy, and CloudTrail can record AssumeRole events and subsequent API activity for auditing.

Option B is less secure because it creates an IAM user in the company account and would typically require managing long-lived credentials for the vendor tool, increasing the risk of leakage and ongoing operational overhead. Option C is not valid because IAM users are not shared across accounts; you cannot “add” a user from another account into an IAM group in your account. Option D is incorrect because “AWS account” is not a typical IAM identity provider type for this purpose; cross-account access is done through role trust policies, not by creating an IdP with an AWS account ID and username.

Therefore, A is the most secure solution because it uses short-lived credentials, enforces least privilege, centralizes control in the company account, and provides strong auditability without issuing permanent access keys.

AWS Global Accelerator: This service provides a global fixed entry point to your applications and optimizes the path to your application through the AWS global network, reducing latency and improving performance.

Accelerated TCP Connections:

Global Accelerator uses the AWS global network to route traffic to the nearest edge location, improving the performance and reliability of your live streams.

It provides static IP addresses that act as a fixed entry point to your application, simplifying DNS management.

High-Quality Streams:

By leveraging Global Accelerator, reporters can send live streams with the highest quality and low latency.

This service automatically reroutes traffic to the nearest available AWS Region, ensuring consistent performance even during traffic spikes or failures.

Operational Efficiency: Using Global Accelerator simplifies the network setup and provides an optimized path for live streams without the need for complex configurations, making it an efficient solution for real-time streaming applications.

Spot Instances are the best pricing model because the jobscan tolerate interruptions, and the company wants the most cost-effective option. AWS recommends theprice-capacity-optimizedstrategy for Spot because it selects pools that balancelow pricewithlower interruption risk. Using multiple instance types in the Auto Scaling group also helps the company stay flexible enough to adopt newer generations over time. Reserved Instances do not fit as well because they reduce flexibility and do not align with the requirement to keep shifting toward the latest instance generations each year. Capacity-optimized alone minimizes interruption risk, but AWS recommends price-capacity-optimized when you want both lower interruption rates and better prices. Therefore, Spot with price-capacity-optimized allocation is the strongest answer.

============

AWS WAF (Web Application Firewall) is designed to protect public-facing web applications from common web exploits and allows for deep inspection of HTTP and HTTPS requests. By enabling logging on AWS WAF, you can gain insights into traffic flow, request sources, and blocked requests, which improves both security visibility and posture. Integrating AWS WAF logging with Amazon Kinesis Data Firehose allows automatic, near-real-time delivery of log data to Amazon S3 for analysis, reporting, or integration with analytics tools. This solution not only secures the website but also enables comprehensive traffic analysis, satisfying both requirements efficiently.

Reference Extract from AWS Documentation / Study Guide:

" AWS WAF provides detailed logs of web requests, which can be delivered to Amazon S3 via Amazon Kinesis Data Firehose. This logging enables analysis of web traffic and sources, supporting both security and operational monitoring. "

Source: AWS Certified Solutions Architect – Official Study Guide, Security and Compliance section; AWS WAF Developer Guide (Logging and Monitoring).

A VPC gateway endpoint for Amazon S3 enables private connectivity to S3 without routing traffic through a NAT gateway or over the internet, eliminating NAT gateway costs. This solution is secure and redundant, as S3 endpoints are highly available by design.

AWS Documentation Extract:

" A gateway VPC endpoint enables you to privately connect your VPC to supported AWS services without requiring a NAT gateway or internet gateway. "

(Source: Amazon VPC documentation, Gateway Endpoints)

A: NAT instances still incur operational overhead and costs.

B: Internet gateway exposes resources and does not provide private access.

D: Direct Connect is for hybrid networking, not for cost-efficient S3 access.

The correct answer isDbecause the company needsNFS supportfor its on-premises environment and wants to back up files intoAmazon S3in themost cost-effectiveway.AWS Storage Gateway File Gatewayis the AWS service designed to present a file interface usingNFS(and SMB) while storing the files as objects in Amazon S3. This allows the company to keep using NFS-based workflows without redesigning the backup process.

The company also wants toarchive the backup files after 5 daysand is willing to waita few daysto retrieve archived data for disaster recovery. That retrieval tolerance aligns well withAmazon S3 Glacier Deep Archive, which is the lowest-cost S3 archival storage class for long-term retention when fast retrieval is not required. By applying anS3 Lifecycle ruleto transition files to Glacier Deep Archive after 5 days, the company can minimize storage cost while still retaining the backups durably in S3.

Option A is incorrect becauseS3 Standard-IAis cheaper than Standard for infrequent access, but it is not archival storage and is more expensive than Glacier Deep Archive for long-term backup retention. Option B is incorrect becauseVolume Gatewayprovides block storage interfaces, not NFS file access. Option C is incorrect becauseTape Gatewayis intended for virtual tape backup workflows, not direct NFS file storage access.

AWS best practices recommendFile Gatewaywhen on-premises applications need file-based access to Amazon S3, andS3 Glacier Deep Archivewhen the lowest-cost archival tier is acceptable. Therefore,File Gateway with a lifecycle transition to S3 Glacier Deep Archiveis the best solution.

The question focuses on minimizing costs while serving static content to users in the US and Europe.

Option Auses a single S3 bucket and configures CloudFront to limit edge locations, reducing costs by using fewer edge locations while still improving performance.

Option Bmaximizes edge locations, which increases costs unnecessarily.

Options C and Dinvolve storing data in multiple regions, which increases storage and operational costs.Thus, Option A is the most cost-effective solution.

A & B. GuardDuty:Designed for threat detection, not for identifying or classifying sensitive data in S3 buckets.

C. Macie with EventBridge + SNS:Automatically identifies sensitive data, triggers alerts, and uses SNS for immediate notification via email.

D. Macie with EventBridge + SQS:Introduces latency due to periodic polling and adds unnecessary complexity.

Application Load Balancer (ALB) supports HTTP/HTTPS layer 7 routing, including header-based routing, path-based routing, and host-based routing.

AWS WAF is designed to provide rules-based filtering (block, allow, count) of HTTP(S) requests to protect applications from common exploits and malicious traffic.

ALB integrates directly with AWS WAF, so you can attach a web ACL with custom rules defined by the security team to block specific patterns while still using header-based routing.

Why the others are not correct:

A: Mutual TLS adds client certificate authentication but does not provide rules-based blocking or WAF-style inspection.

C: AWS Config is for configuration compliance and auditing, not request filtering.

D: NLB operates at layer 4 (TCP/UDP); it does not support HTTP header-based routing.

To improve scalability and availability, EC2 Auto Scaling across multiple Availability Zones with an Application Load Balancer ensures resilient infrastructure. Migrating to Amazon Aurora MySQL with reader endpoints reduces read latency by offloading read traffic to replicas in otherAZs, while also increasing high availability.

A. API Gateway + DynamoDB:Provides high scalability, low latency, and seamless integration with Amazon Comprehend for NLP tasks.

B. HTTP API + Translate + ElastiCache:Translate is not relevant for NLP tasks like sentiment analysis or entity recognition. ElastiCache is unsuitable for permanent storage.

C. SQS + EC2 + RDS:Increases complexity and operational overhead. RDS may not scale effectively for high concurrent loads.

D. WebSocket API + Textract:Textract is irrelevant for NLP tasks. WebSocket API is not the optimal choice for this use case.

Option B: FSx for Lustre is designed for HPC workloads with high IOPS.

Option E: A cluster placement group ensures low-latency networking for HPC analytics workloads.

Option A: Amazon EFS is not optimized for HPC.

Option D: Mountpoint for S3 does not meet high IOPS needs.

To decouple the monolith and enhance scalability, AWS best practice is to introduce an asynchronous message queue, such as Amazon SQS, between the web/API tier and the order-processing logic.

AWS Lambda functions consuming from the SQS queue provide serverless, auto-scaling processing without managing servers.

To track and reprocess failed orders, SQS supports dead-letter queues (DLQs). Messages that cannot be processed successfully after a configurable number of attempts are automatically moved to the DLQ, where operations teams or automated processes can inspect and reprocess them.

Why others are not correct:

B: ECS tasks can consume an SQS queue, but this requires managing container infrastructure and does not inherently provide as simple reprocessing/visibility as combining Lambda with a DLQ. Visibility timeout is not a tracking or archival mechanism.

C: Kinesis is a streaming service designed for ordered event streams, not primarily for order-queue semantics and DLQs; SQS is simpler and purpose-built for this pattern.

D: Long polling reduces empty responses and API calls but does nothing for tracking or reprocessing failed messages; without a DLQ, failed orders are harder to manage

Amazon DynamoDB is a serverless, NoSQL database that is fully managed, highly available, and scales automatically. It is ideal for data without a fixed schema and for use cases where fields can vary by user. DynamoDB Streams enables the capture of changes to table items in real time, which is ideal for triggering additional processing or workflows on data modifications.

Reference Extract from AWS Documentation / Study Guide:

" DynamoDB provides a scalable, highly available NoSQL database service for applications requiring flexible schema. DynamoDB Streams captures table activity for processing changes in real time. "

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB and Serverless section.

Amazon GuardDuty includes RDS Protection that “monitors and profiles access to your Amazon Aurora and Amazon RDS databases” to detect threats such as suspicious login attempts, brute-force activity, and anomalous authentication patterns. GuardDuty can be enabled organization-wide in AWS Organizations with a delegated administrator to centralize findings for all member accounts, minimizing operational overhead. Findings include context like source IP, user, and DB instance, and integrate with Amazon EventBridge for alerting and automated response. SCPs (A) enforce or deny API permissions but do not provide detection/analytics. Exporting general logs (C) requires building and maintaining custom parsing/analytics pipelines. CloudTrail (D) records AWS control-plane API calls and does not log database-level login attempts. Therefore, enabling GuardDuty RDS Protection across the org provides the most operationally efficient, managed detection of abnormal failed and incomplete login attempts.

The requirement is for workloads inside a VPC to resolve private DNS names that are hosted on-premises over a VPN connection. The most secure and AWS-recommended method to achieve this is to use Amazon Route 53 Resolver outbound endpoints with forwarding rules.

Option A enables DNS queries that originate in the VPC to be securely forwarded to on-premises DNS servers through the VPN connection. A Route 53 Resolver outbound endpoint provides elastic, managed DNS forwarding capability without exposing DNS services to the public internet. By creating a Resolver rule, the company can define which domain names (for example, internal corporate domains) should be forwarded to specific on-premises DNS IP addresses. Associating the rule with the VPC ensures only authorized VPCs can use this resolution path.

Option B is used for the opposite scenario: when on-premises systems need to resolve private DNS names hosted in AWS, not when AWS needs to resolve on-premises names. Option C is invalid because Route 53 private hosted zones can only be associated with VPCs, not directly with on-premises networks. Option D is insecure because it exposes internal service records publicly and violates the requirement for private DNS.

Therefore, A is the most secure solution because it keeps DNS resolution private, uses managed AWS infrastructure, integrates cleanly with VPN connectivity, and follows AWS hybrid DNS best practices.