AWS Examtoics

The document outlines various scenarios and solutions for AWS architecture challenges, including enabling internet access for private subnets, migrating data to AWS, preventing data reprocessing in AWS Glue, and ensuring high availability for applications. It presents multiple-choice questions with recommended actions for each scenario, focusing on best practices and operational efficiency. Key topics include the use of NAT gateways, AWS DataSync, AWS Lambda, Amazon S3 Object Lock, and AWS services for scalability and security.

101.

A solutions architect is designing a VPC with public and private subnets.
The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and
one private subnet in each of three Availability Zones (AZs) for high
availability. An internet gateway is used to provide internet access for the
public subnets. The private subnets require access to the internet to allow
Amazon EC2 instances to download software updates.
What should the solutions architect do to enable internet access for the
private subnets?

• A. Create three NAT gateways, one for each public subnet in each
AZ. Create a private route table for each AZ that forwards non-VPC
traffic to the NAT gateway in its AZ. Most Voted

• B. Create three NAT instances, one for each private subnet in each
AZ. Create a private route table for each AZ that forwards non-VPC
traffic to the NAT instance in its AZ.

• C. Create a second internet gateway on one of the private subnets.
Update the route table for the private subnets that forward non-VPC
traffic to the private internet gateway.

• D. Create an egress-only internet gateway on one of the public
subnets. Update the route table for the private subnets that forward
non-VPC traffic to the egress-only internet gateway.
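The per-AZ layout in option A only delivers the intended availability if each private route table really points at the NAT gateway in its own AZ; a common drift is every private subnet sharing one NAT gateway, which turns one AZ into a single point of failure. The following check, written for this page as an added example and not part of the original question set, walks route tables shaped like describe-route-tables output and flags a cross-AZ NAT dependency, a missing default route, and a private subnet that actually routes to an internet gateway (which would make it public). All subnet, route table and NAT gateway IDs are invented, and the sample deliberately includes the shared-NAT mistake.

```python
"""Check that each private subnet's default route targets a NAT gateway in
its own Availability Zone (the per-AZ design of option A).

Added example, not from the original exam dump. The dictionaries below are
constructed to mirror the relevant fields of describe-subnets and
describe-route-tables output; every ID is invented.
"""

# Constructed sample: one NAT gateway per AZ.
NAT_GATEWAYS = {
    "nat-0a": "us-east-1a",
    "nat-0b": "us-east-1b",
    "nat-0c": "us-east-1c",
}

# Constructed sample: the private subnets and the route table each one uses.
SUBNETS = [
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "RouteTableId": "rtb-a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b", "RouteTableId": "rtb-b"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c", "RouteTableId": "rtb-shared"},
]

# Constructed sample: rtb-shared is the mistake of pointing a subnet in
# us-east-1c at the NAT gateway that lives in us-east-1a.
ROUTE_TABLES = {
    "rtb-a": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"}],
    "rtb-b": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0b"}],
    "rtb-shared": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"}],
}


def default_route(routes):
    """Return the 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in routes:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def check_private_egress(subnets, route_tables, nat_gateways):
    """Return (subnet_id, finding) pairs for subnets whose egress path is
    missing, crosses an AZ, or goes straight to an internet gateway."""
    findings = []
    for subnet in subnets:
        route = default_route(route_tables.get(subnet["RouteTableId"], []))
        if route is None:
            findings.append((subnet["SubnetId"],
                             "no default route: instances cannot reach the internet"))
        elif route.get("GatewayId", "").startswith("igw-"):
            # A "private" subnet with a route to an IGW is reachable from the internet.
            findings.append((subnet["SubnetId"],
                             "default route to internet gateway: subnet is not private"))
        elif "NatGatewayId" in route:
            nat_az = nat_gateways.get(route["NatGatewayId"])
            if nat_az != subnet["AvailabilityZone"]:
                findings.append((subnet["SubnetId"],
                                 f"NAT gateway {route['NatGatewayId']} is in {nat_az}, "
                                 f"subnet is in {subnet['AvailabilityZone']}: cross-AZ dependency"))
        else:
            findings.append((subnet["SubnetId"], "default route target is not a NAT gateway"))
    return findings


if __name__ == "__main__":
    for subnet_id, finding in check_private_egress(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print(f"{subnet_id}: {finding}")
```

Run against real output, the same function would take the parsed JSON of describe-subnets and describe-route-tables; the only finding in the constructed sample is subnet-priv-c, which loses internet access if us-east-1a fails even though its own AZ is healthy.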

102.

A company wants to migrate an on-premises data center to AWS. The
data center hosts an SFTP server that stores its data on an NFS-based file
system. The server holds 200 GB of data that needs to be transferred. The
server must be hosted on an Amazon EC2 instance that uses an Amazon
Elastic File System (Amazon EFS) file system.
Which combination of steps should a solutions architect take to automate
this task? (Choose two.)

• A. Launch the EC2 instance into the same Availability Zone as the
EFS file system. Most Voted

• B. Install an AWS DataSync agent in the on-premises data
center. Most Voted

• C. Create a secondary Amazon Elastic Block Store (Amazon EBS)
volume on the EC2 instance for the data.

• D. Manually use an operating system copy command to push the
data to the EC2 instance.

• E. Use AWS DataSync to create a suitable location configuration for
the on-premises SFTP server.

103.

A company has an AWS Glue extract, transform, and load (ETL) job that
runs every day at the same time. The job processes XML data that is in an
Amazon S3 bucket. New data is added to the S3 bucket every day. A
solutions architect notices that AWS Glue is processing all the data during
each run.
What should the solutions architect do to prevent AWS Glue from
reprocessing old data?

 A. Edit the job to use job bookmarks. Most Voted

 B. Edit the job to delete data after the data is processed.

 C. Edit the job by setting the NumberOfWorkers field to 1.

 D. Use a FindMatches machine learning (ML) transform.

104.
A solutions architect must design a highly available infrastructure for a
website. The website is powered by Windows web servers that run on
Amazon EC2 instances. The solutions architect must implement a solution
that can mitigate a large-scale DDoS attack that originates from
thousands of IP addresses. Downtime is not acceptable for the website.
Which actions should the solutions architect take to protect the website
from such an attack? (Choose two.)

• A. Use AWS Shield Advanced to stop the DDoS attack. Most Voted

• B. Configure Amazon GuardDuty to automatically block the
attackers.

• C. Configure the website to use Amazon CloudFront for both static
and dynamic content. Most Voted

• D. Use an AWS Lambda function to automatically add attacker IP
addresses to VPC network ACLs.

• E. Use EC2 Spot Instances in an Auto Scaling group with a target
tracking scaling policy that is set to 80% CPU utilization.

105.
A company is preparing to deploy a new serverless workload. A solutions
architect must use the principle of least privilege to configure permissions
that will be used to run an AWS Lambda function. An Amazon EventBridge
(Amazon CloudWatch Events) rule will invoke the function.
Which solution meets these requirements?

• A. Add an execution role to the function with lambda:InvokeFunction
as the action and * as the principal.

• B. Add an execution role to the function with lambda:InvokeFunction
as the action and Service: [Link] as the principal.

• C. Add a resource-based policy to the function with lambda:* as the
action and Service: [Link] as the principal.

• D. Add a resource-based policy to the function with
lambda:InvokeFunction as the action and Service: [Link] as the
principal.

106.
A company is preparing to store confidential data in Amazon S3. For
compliance reasons, the data must be encrypted at rest. Encryption key
usage must be logged for auditing purposes. Keys must be rotated every
year.
Which solution meets these requirements and is the MOST operationally
efficient?

• A. Server-side encryption with customer-provided keys (SSE-C)

• B. Server-side encryption with Amazon S3 managed keys (SSE-S3)

• C. Server-side encryption with AWS KMS keys (SSE-KMS) with
manual rotation

• D. Server-side encryption with AWS KMS keys (SSE-KMS) with
automatic rotation Most Voted
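The reason only SSE-KMS satisfies the "key usage must be logged" requirement is that every read or write of an SSE-KMS object makes S3 call KMS (GenerateDataKey on write, Decrypt on read) on the caller's behalf, and each of those calls lands in CloudTrail with the key ARN, the calling principal and the S3 object ARN in the encryption context; SSE-S3 and SSE-C leave no per-key trail. The audit below is an added example written for this page, not part of the original question set: it parses newline-delimited CloudTrail records, counts data-key operations per key and principal, and reports any principal that used the key without being on an allow list. The records are constructed; the account ID, key ID, bucket and principal names are invented.

```python
"""Audit KMS key usage from CloudTrail records (SSE-KMS leaves this trail).

Added example, not from the original exam dump. The records are constructed
to carry the CloudTrail fields the audit reads; all identifiers are invented.
"""
import json
from collections import defaultdict

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _record(event_name, principal, object_arn):
    """Build a CloudTrail-shaped KMS record (constructed sample data)."""
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": principal},
        "resources": [{"ARN": KEY_ARN}],
        "requestParameters": {"encryptionContext": {"aws:s3:arn": object_arn}},
    }


# One JSON record per line, the way a log shipper would deliver them.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _record("GenerateDataKey", "arn:aws:iam::111122223333:role/app-writer",
            "arn:aws:s3:::confidential-data/2024/q3.csv"),
    _record("Decrypt", "arn:aws:iam::111122223333:role/app-reader",
            "arn:aws:s3:::confidential-data/2024/q3.csv"),
    _record("Decrypt", "arn:aws:iam::111122223333:user/contractor",
            "arn:aws:s3:::confidential-data/2024/q3.csv"),
    # A non-KMS event, which the audit must ignore.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}, "resources": []},
])

# Operations that either protected plaintext with the key or released it.
KMS_DATA_OPS = {"Encrypt", "Decrypt", "GenerateDataKey",
                "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}


def parse_records(text):
    """Parse newline-delimited JSON CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def key_usage(records):
    """Return {key_arn: {principal_arn: count}} for KMS data-key operations."""
    usage = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in KMS_DATA_OPS:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        for res in rec.get("resources", []):
            if ":key/" in res.get("ARN", ""):
                usage[res["ARN"]][principal] += 1
    return usage


def unexpected_principals(records, allowed):
    """Return {(key_arn, principal)} for usage by principals not in allowed[key_arn]."""
    return {
        (key, principal)
        for key, by_principal in key_usage(records).items()
        for principal in by_principal
        if principal not in allowed.get(key, set())
    }


# Assumed allow list for the audit: only the application roles may use this key.
ALLOWED = {KEY_ARN: {"arn:aws:iam::111122223333:role/app-writer",
                     "arn:aws:iam::111122223333:role/app-reader"}}

if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for key, by_principal in key_usage(records).items():
        for principal, n in by_principal.items():
            print(f"{key} used {n}x by {principal}")
    for key, principal in sorted(unexpected_principals(records, ALLOWED)):
        print(f"ALERT: {principal} used {key} but is not on the allow list")
```

In the constructed sample the contractor user decrypts an object it was never meant to read; that is visible only because SSE-KMS forced a Decrypt call through KMS. The same loop works unchanged on records pulled from a CloudTrail S3 delivery or a CloudWatch Logs export, since both preserve the eventSource, userIdentity and resources fields.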

107.
A bicycle sharing company is developing a multi-tier architecture to track
the location of its bicycles during peak operating hours. The company
wants to use these data points in its existing analytics platform. A
solutions architect must determine the most viable multi-tier option to
support this architecture. The data points must be accessible from the
REST API.
Which action meets these requirements for storing and retrieving location
data?

• A. Use Amazon Athena with Amazon S3.

• B. Use Amazon API Gateway with AWS Lambda. Most Voted

• C. Use Amazon QuickSight with Amazon Redshift.

• D. Use Amazon API Gateway with Amazon Kinesis Data Analytics.

108.
A company has an automobile sales website that stores its listings in a
database on Amazon RDS. When an automobile is sold, the listing needs
to be removed from the website and the data must be sent to multiple
target systems.
Which design should a solutions architect recommend?

• A. Create an AWS Lambda function triggered when the database on
Amazon RDS is updated to send the information to an Amazon
Simple Queue Service (Amazon SQS) queue for the targets to
consume.

• B. Create an AWS Lambda function triggered when the database on
Amazon RDS is updated to send the information to an Amazon
Simple Queue Service (Amazon SQS) FIFO queue for the targets to
consume.

• C. Subscribe to an RDS event notification and send an Amazon
Simple Queue Service (Amazon SQS) queue fanned out to multiple
Amazon Simple Notification Service (Amazon SNS) topics. Use AWS
Lambda functions to update the targets.

• D. Subscribe to an RDS event notification and send an Amazon
Simple Notification Service (Amazon SNS) topic fanned out to
multiple Amazon Simple Queue Service (Amazon SQS) queues. Use
AWS Lambda functions to update the targets. Most Voted

109.

A company needs to store data in Amazon S3 and must prevent the data
from being changed. The company wants new objects that are uploaded
to Amazon S3 to remain unchangeable for a nonspecific amount of time
until the company decides to modify the objects. Only specific users in the
company's AWS account can have the ability to delete the objects.
What should a solutions architect do to meet these requirements?

• A. Create an S3 Glacier vault. Apply a write-once, read-many
(WORM) vault lock policy to the objects.

• B. Create an S3 bucket with S3 Object Lock enabled. Enable
versioning. Set a retention period of 100 years. Use governance
mode as the S3 bucket's default retention mode for new objects.

• C. Create an S3 bucket. Use AWS CloudTrail to track any S3 API
events that modify the objects. Upon notification, restore the
modified objects from any backup versions that the company has.

• D. Create an S3 bucket with S3 Object Lock enabled. Enable
versioning. Add a legal hold to the objects. Add the
s3:PutObjectLegalHold permission to the IAM policies of users who
need to delete the objects. Most Voted

110.

A social media company allows users to upload images to its website. The
website runs on Amazon EC2 instances. During upload requests, the
website resizes the images to a standard size and stores the resized
images in Amazon S3. Users are experiencing slow upload requests to the
website.
The company needs to reduce coupling within the application and improve
website performance. A solutions architect must design the most
operationally efficient process for image uploads.
Which combination of actions should the solutions architect take to meet
these requirements? (Choose two.) --- B & D

• A. Configure the application to upload images to S3 Glacier.

• B. Configure the web server to upload the original images to
Amazon S3. Most Voted

• C. Configure the application to upload images directly from each
user's browser to Amazon S3 through the use of a presigned
URL. Most Voted

• D. Configure S3 Event Notifications to invoke an AWS Lambda
function when an image is uploaded. Use the function to resize the
image. Most Voted

• E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule
that invokes an AWS Lambda function on a schedule to resize
uploaded images.
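Option C takes the image bytes off the web tier entirely: the server signs a URL that authorizes one PUT to one object key for a short time, the browser uploads straight to S3, and the S3 event in option D picks the object up from there. The code below, an added example written for this page and not from the original question set, implements that AWS Signature Version 4 query-string signing with the standard library only so it runs offline; in a real service you would call boto3's generate_presigned_url with the same parameters and get the same URL. The bucket, key and signing time are constructed, and the access-key/secret pair is the placeholder pair AWS documentation uses for examples.

```python
"""Presigned PUT URL for a direct browser-to-S3 upload (option C).

Added example, not from the original exam dump. Pure standard library SigV4
query-string signing; bucket, key and timestamp are constructed and the
credentials are AWS's documentation placeholders.
"""
import hashlib
import hmac
from urllib.parse import quote

MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects presigned URLs valid for more than 7 days


def valid_expiry(expires):
    """True if the lifetime is one S3 will accept."""
    return 1 <= expires <= MAX_EXPIRES


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date, region, service="s3"):
    """Derive the per-day/region/service SigV4 signing key; the secret itself
    never appears in the URL, only this derived key is used to sign."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_put(bucket, key, access_key, secret_key, region, amz_date, expires):
    """Return (url, signature) authorizing one PUT of exactly one object key.

    amz_date is the signing time as YYYYMMDDTHHMMSSZ; expires is seconds of validity.
    """
    if not valid_expiry(expires):
        raise ValueError("expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: URI-encoded, sorted by name, signature not yet included.
    canonical_qs = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/")
    canonical_request = "\n".join([
        "PUT",
        canonical_uri,
        canonical_qs,
        f"host:{host}\n",    # canonical headers block, each header newline-terminated
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # the browser's body is unknown at signing time
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"
    return url, signature


if __name__ == "__main__":
    url, _ = presign_put("examplebucket", "uploads/photo.jpg",
                         "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                         "us-east-1", "20130524T000000Z", expires=300)
    print(url)  # hand this to the browser, which PUTs the image body to it
```

The signature covers the method, the object key, the expiry and the signing time, so the holder cannot retarget the URL at another key or extend it; what the holder can do is upload any bytes to that key until it expires. Keep the lifetime short (minutes, not the 7-day maximum) and treat the uploaded object as untrusted input in the resizing function from option D.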

111.
A company recently migrated a message processing system to AWS. The
system receives messages into an ActiveMQ queue running on an Amazon
EC2 instance. Messages are processed by a consumer application running
on Amazon EC2. The consumer application processes the messages and
writes results to a MySQL database running on Amazon EC2. The company
wants this application to be highly available with low operational
complexity.
Which architecture offers the HIGHEST availability?

• A. Add a second ActiveMQ server to another Availability Zone. Add
an additional consumer EC2 instance in another Availability Zone.
Replicate the MySQL database to another Availability Zone.

• B. Use Amazon MQ with active/standby brokers configured across
two Availability Zones. Add an additional consumer EC2 instance in
another Availability Zone. Replicate the MySQL database to another
Availability Zone.

• C. Use Amazon MQ with active/standby brokers configured across
two Availability Zones. Add an additional consumer EC2 instance in
another Availability Zone. Use Amazon RDS for MySQL with Multi-AZ
enabled.

• D. Use Amazon MQ with active/standby brokers configured across
two Availability Zones. Add an Auto Scaling group for the consumer
EC2 instances across two Availability Zones. Use Amazon RDS for
MySQL with Multi-AZ enabled. Most Voted

112.
A company hosts a containerized web application on a fleet of on-premises
servers that process incoming requests. The number of requests
is growing quickly. The on-premises servers cannot handle the increased
number of requests. The company wants to move the application to AWS
with minimum code changes and minimum development effort.
Which solution will meet these requirements with the LEAST operational
overhead?

• A. Use AWS Fargate on Amazon Elastic Container Service (Amazon
ECS) to run the containerized web application with Service Auto
Scaling. Use an Application Load Balancer to distribute the incoming
requests. Most Voted

• B. Use two Amazon EC2 instances to host the containerized web
application. Use an Application Load Balancer to distribute the
incoming requests.

• C. Use AWS Lambda with new code that uses one of the supported
languages. Create multiple Lambda functions to support the load.
Use Amazon API Gateway as an entry point to the Lambda functions.

• D. Use a high performance computing (HPC) solution such as AWS
ParallelCluster to establish an HPC cluster that can process the
incoming requests at the appropriate scale.

113.
A company uses 50 TB of data for reporting. The company wants to move
this data from on premises to AWS. A custom application in the company's
data center runs a weekly data transformation job. The company plans to
pause the application until the data transfer is complete and needs to
begin the transfer process as soon as possible.
The data center does not have any available network bandwidth for
additional workloads. A solutions architect must transfer the data and
must configure the transformation job to continue to run in the AWS
Cloud.
Which solution will meet these requirements with the LEAST operational
overhead?

• A. Use AWS DataSync to move the data. Create a custom
transformation job by using AWS Glue.

• B. Order an AWS Snowcone device to move the data. Deploy the
transformation application to the device.

• C. Order an AWS Snowball Edge Storage Optimized device. Copy the
data to the device. Create a custom transformation job by using
AWS Glue. Most Voted

• D. Order an AWS Snowball Edge Storage Optimized device that
includes Amazon EC2 compute. Copy the data to the device. Create
a new EC2 instance on AWS to run the transformation application.

114.
A company has created an image analysis application in which users can
upload photos and add photo frames to their images. The users upload
images and metadata to indicate which photo frames they want to add to
their images. The application uses a single Amazon EC2 instance and
Amazon DynamoDB to store the metadata.
The application is becoming more popular, and the number of users is
increasing. The company expects the number of concurrent users to vary
significantly depending on the time of day and day of week. The company
must ensure that the application can scale to meet the needs of the
growing user base.
Which solution meets these requirements?

• A. Use AWS Lambda to process the photos. Store the photos and
metadata in DynamoDB.

• B. Use Amazon Kinesis Data Firehose to process the photos and to
store the photos and metadata.

• C. Use AWS Lambda to process the photos. Store the photos in
Amazon S3. Retain DynamoDB to store the metadata. Most Voted

• D. Increase the number of EC2 instances to three. Use Provisioned
IOPS SSD (io2) Amazon Elastic Block Store (Amazon EBS) volumes to
store the photos and metadata.

115.
A medical records company is hosting an application on Amazon EC2
instances. The application processes customer data files that are stored
on Amazon S3. The EC2 instances are hosted in public subnets. The EC2
instances access Amazon S3 over the internet, but they do not require
any other network access.
A new requirement mandates that the network traffic for file transfers
take a private route and not be sent over the internet.
Which change to the network architecture should a solutions architect
recommend to meet this requirement?

• A. Create a NAT gateway. Configure the route table for the public
subnets to send traffic to Amazon S3 through the NAT gateway.

• B. Configure the security group for the EC2 instances to restrict
outbound traffic so that only traffic to the S3 prefix list is permitted.

• C. Move the EC2 instances to private subnets. Create a VPC
endpoint for Amazon S3, and link the endpoint to the route table for
the private subnets.

• D. Remove the internet gateway from the VPC. Set up an AWS
Direct Connect connection, and route traffic to Amazon S3 over the
Direct Connect connection.

116.
A company uses a popular content management system (CMS) for its
corporate website. However, the required patching and maintenance are
burdensome. The company is redesigning its website and wants a new
solution. The website will be updated four times a year and does not need
to have any dynamic content available. The solution must provide high
scalability and enhanced security.
Which combination of changes will meet these requirements with the
LEAST operational overhead? (Choose two.)

• A. Configure Amazon CloudFront in front of the website to use
HTTPS functionality. Most Voted

• B. Deploy an AWS WAF web ACL in front of the website to provide
HTTPS functionality.

• C. Create and deploy an AWS Lambda function to manage and serve
the website content.

• D. Create the new website and an Amazon S3 bucket. Deploy the
website on the S3 bucket with static website hosting enabled. Most
Voted

• E. Create the new website. Deploy the website by using an Auto
Scaling group of Amazon EC2 instances behind an Application Load
Balancer.

117.
A company stores its application logs in an Amazon CloudWatch Logs log
group. A new policy requires the company to store all application logs in
Amazon OpenSearch Service (Amazon Elasticsearch Service) in near-real
time.
Which solution will meet this requirement with the LEAST operational
overhead?

• A. Configure a CloudWatch Logs subscription to stream the logs to
Amazon OpenSearch Service (Amazon Elasticsearch Service). Most
Voted

• B. Create an AWS Lambda function. Use the log group to invoke the
function to write the logs to Amazon OpenSearch Service (Amazon
Elasticsearch Service).

• C. Create an Amazon Kinesis Data Firehose delivery stream.
Configure the log group as the delivery stream's source. Configure
Amazon OpenSearch Service (Amazon Elasticsearch Service) as the
delivery stream's destination.

• D. Install and configure Amazon Kinesis Agent on each application
server to deliver the logs to Amazon Kinesis Data Streams.
Configure Kinesis Data Streams to deliver the logs to Amazon
OpenSearch Service (Amazon Elasticsearch Service).

118.
A company is building a web-based application running on Amazon EC2
instances in multiple Availability Zones. The web application will provide
access to a repository of text documents totaling about 900 TB in size.
The company anticipates that the web application will experience periods
of high demand. A solutions architect must ensure that the storage
component for the text documents can scale to meet the demand of the
application at all times. The company is concerned about the overall cost
of the solution.
Which storage solution meets these requirements MOST cost-effectively?

• A. Amazon Elastic Block Store (Amazon EBS)

• B. Amazon Elastic File System (Amazon EFS)

• C. Amazon OpenSearch Service (Amazon Elasticsearch Service)

• D. Amazon S3

119.
A global company is using Amazon API Gateway to design REST APIs for its
loyalty club users in the us-east-1 Region and the ap-southeast-2 Region.
A solutions architect must design a solution to protect these API Gateway
managed REST APIs across multiple accounts from SQL injection and
cross-site scripting attacks.
Which solution will meet these requirements with the LEAST amount of
administrative effort?

• A. Set up AWS WAF in both Regions. Associate Regional web ACLs
with an API stage.

• B. Set up AWS Firewall Manager in both Regions. Centrally configure
AWS WAF rules. Most Voted

• C. Set up AWS Shield in both Regions. Associate Regional web ACLs
with an API stage.

• D. Set up AWS Shield in one of the Regions. Associate Regional web
ACLs with an API stage.

120.
A company has implemented a self-managed DNS solution on three
Amazon EC2 instances behind a Network Load Balancer (NLB) in the
us-west-2 Region. Most of the company's users are located in the United
States and Europe. The company wants to improve the performance and
availability of the solution. The company launches and configures three
EC2 instances in the eu-west-1 Region and adds the EC2 instances as
targets for a new NLB.
Which solution can the company use to route traffic to all the EC2
instances?

• A. Create an Amazon Route 53 geolocation routing policy to route
requests to one of the two NLBs. Create an Amazon CloudFront
distribution. Use the Route 53 record as the distribution's origin.

• B. Create a standard accelerator in AWS Global Accelerator. Create
endpoint groups in us-west-2 and eu-west-1. Add the two NLBs as
endpoints for the endpoint groups. Most Voted

• C. Attach Elastic IP addresses to the six EC2 instances. Create an
Amazon Route 53 geolocation routing policy to route requests to
one of the six EC2 instances. Create an Amazon CloudFront
distribution. Use the Route 53 record as the distribution's origin.

• D. Replace the two NLBs with two Application Load Balancers
(ALBs). Create an Amazon Route 53 latency routing policy to route
requests to one of the two ALBs. Create an Amazon CloudFront
distribution. Use the Route 53 record as the distribution's origin.

121.
A company is running an online transaction processing (OLTP) workload
on AWS. This workload uses an unencrypted Amazon RDS DB instance in a
Multi-AZ deployment. Daily database snapshots are taken from this
instance.
What should a solutions architect do to ensure the database and
snapshots are always encrypted moving forward?

• A. Encrypt a copy of the latest DB snapshot. Replace the existing DB
instance by restoring the encrypted snapshot. Most Voted

• B. Create a new encrypted Amazon Elastic Block Store (Amazon
EBS) volume and copy the snapshots to it. Enable encryption on the
DB instance.

• C. Copy the snapshots and enable encryption using AWS Key
Management Service (AWS KMS). Restore the encrypted snapshot to an
existing DB instance.

• D. Copy the snapshots to an Amazon S3 bucket that is encrypted
using server-side encryption with AWS Key Management Service
(AWS KMS) managed keys (SSE-KMS).

122.
A company wants to build a scalable key management infrastructure to
support developers who need to encrypt data in their applications.
What should a solutions architect do to reduce the operational burden?

• A. Use multi-factor authentication (MFA) to protect the encryption
keys.

• B. Use AWS Key Management Service (AWS KMS) to protect the
encryption keys. Most Voted

• C. Use AWS Certificate Manager (ACM) to create, store, and assign
the encryption keys.

• D. Use an IAM policy to limit the scope of users who have access
permissions to protect the encryption keys.

123.
A company has a dynamic web application hosted on two Amazon EC2
instances. The company has its own SSL certificate, which is on each
instance to perform SSL termination.
There has been an increase in traffic recently, and the operations team
determined that SSL encryption and decryption is causing the compute
capacity of the web servers to reach their maximum limit.
What should a solutions architect do to increase the application's
performance?

• A. Create a new SSL certificate using AWS Certificate Manager
(ACM). Install the ACM certificate on each instance.

• B. Create an Amazon S3 bucket. Migrate the SSL certificate to the S3
bucket. Configure the EC2 instances to reference the bucket for SSL
termination.

• C. Create another EC2 instance as a proxy server. Migrate the SSL
certificate to the new instance and configure it to direct connections
to the existing EC2 instances.

• D. Import the SSL certificate into AWS Certificate Manager (ACM).
Create an Application Load Balancer with an HTTPS listener that
uses the SSL certificate from ACM. Most Voted

124.
A company has a highly dynamic batch processing job that uses many
Amazon EC2 instances to complete it. The job is stateless in nature, can
be started and stopped at any given time with no negative impact, and
typically takes upwards of 60 minutes total to complete. The company has
asked a solutions architect to design a scalable and cost-effective solution
that meets the requirements of the job.
What should the solutions architect recommend?

 A. Implement EC2 Spot Instances.

 B. Purchase EC2 Reserved Instances.

 C. Implement EC2 On-Demand Instances.

 D. Implement the processing on AWS Lambda.

125.
A company runs its two-tier ecommerce website on AWS. The web tier
consists of a load balancer that sends traffic to Amazon EC2 instances.
The database tier uses an Amazon RDS DB instance. The EC2 instances
and the RDS DB instance should not be exposed to the public internet.
The EC2 instances require internet access to complete payment
processing of orders through a third-party web service. The application
must be highly available.
Which combination of configuration options will meet these requirements?
(Choose two.)

• A. Use an Auto Scaling group to launch the EC2 instances in private
subnets. Deploy an RDS Multi-AZ DB instance in private
subnets. Most Voted

• B. Configure a VPC with two private subnets and two NAT gateways
across two Availability Zones. Deploy an Application Load Balancer
in the private subnets.

• C. Use an Auto Scaling group to launch the EC2 instances in public
subnets across two Availability Zones. Deploy an RDS Multi-AZ DB
instance in private subnets.

• D. Configure a VPC with one public subnet, one private subnet, and
two NAT gateways across two Availability Zones. Deploy an
Application Load Balancer in the public subnet.

• E. Configure a VPC with two public subnets, two private subnets,
and two NAT gateways across two Availability Zones. Deploy an
Application Load Balancer in the public subnets. Most Voted

126.
A solutions architect needs to implement a solution to reduce a company's
storage costs. All the company's data is in the Amazon S3 Standard
storage class. The company must keep all data for at least 25 years. Data
from the most recent 2 years must be highly available and immediately
retrievable.
Which solution will meet these requirements?

• A. Set up an S3 Lifecycle policy to transition objects to S3 Glacier
Deep Archive immediately.

• B. Set up an S3 Lifecycle policy to transition objects to S3 Glacier
Deep Archive after 2 years. Most Voted

• C. Use S3 Intelligent-Tiering. Activate the archiving option to ensure
that data is archived in S3 Glacier Deep Archive.

• D. Set up an S3 Lifecycle policy to transition objects to S3 One
Zone-Infrequent Access (S3 One Zone-IA) immediately and to S3 Glacier
Deep Archive after 2 years.

127.
A media company is evaluating the possibility of moving its systems to
the AWS Cloud. The company needs at least 10 TB of storage with the
maximum possible I/O performance for video processing, 300 TB of very
durable storage for storing media content, and 900 TB of storage to meet
requirements for archival media that is not in use anymore.
Which set of services should a solutions architect recommend to meet
these requirements?

• A. Amazon EBS for maximum performance, Amazon S3 for durable
data storage, and Amazon S3 Glacier for archival storage

• B. Amazon EBS for maximum performance, Amazon EFS for durable
data storage, and Amazon S3 Glacier for archival storage

• C. Amazon EC2 instance store for maximum performance, Amazon
EFS for durable data storage, and Amazon S3 for archival storage

• D. Amazon EC2 instance store for maximum performance, Amazon
S3 for durable data storage, and Amazon S3 Glacier for archival
storage Most Voted

128.
A company wants to run applications in containers in the AWS Cloud.
These applications are stateless and can tolerate disruptions within the
underlying infrastructure. The company needs a solution that minimizes
cost and operational overhead.
What should a solutions architect do to meet these requirements?

• A. Use Spot Instances in an Amazon EC2 Auto Scaling group to run
the application containers.

• B. Use Spot Instances in an Amazon Elastic Kubernetes Service
(Amazon EKS) managed node group. Most Voted

• C. Use On-Demand Instances in an Amazon EC2 Auto Scaling group
to run the application containers.

• D. Use On-Demand Instances in an Amazon Elastic Kubernetes
Service (Amazon EKS) managed node group.

129.
A company is running a multi-tier web application on premises. The web
application is containerized and runs on a number of Linux hosts
connected to a PostgreSQL database that contains user records. The
operational overhead of maintaining the infrastructure and capacity
planning is limiting the company's growth. A solutions architect must
improve the application's infrastructure.
Which combination of actions should the solutions architect take to
accomplish this? (Choose two.)

• A. Migrate the PostgreSQL database to Amazon Aurora.

• B. Migrate the web application to be hosted on Amazon EC2
instances.

• C. Set up an Amazon CloudFront distribution for the web application
content.

• D. Set up Amazon ElastiCache between the web application and the
PostgreSQL database.

• E. Migrate the web application to be hosted on AWS Fargate with
Amazon Elastic Container Service (Amazon ECS).

130.
An application runs on Amazon EC2 instances across multiple Availability
Zones. The instances run in an Amazon EC2 Auto Scaling group behind an
Application Load Balancer. The application performs best when the CPU
utilization of the EC2 instances is at or near 40%.
What should a solutions architect do to maintain the desired performance
across all instances in the group?

• A. Use a simple scaling policy to dynamically scale the Auto Scaling
group.

• B. Use a target tracking policy to dynamically scale the Auto Scaling
group.

• C. Use an AWS Lambda function to update the desired Auto Scaling
group capacity.

• D. Use scheduled scaling actions to scale up and scale down the
Auto Scaling group.

131.
A company is developing a file-sharing application that will use an Amazon
S3 bucket for storage. The company wants to serve all the files through an
Amazon CloudFront distribution. The company does not want the files to
be accessible through direct navigation to the S3 URL.
What should a solutions architect do to meet these requirements?

• A. Write individual policies for each S3 bucket to grant read
permission for only CloudFront access.

• B. Create an IAM user. Grant the user read permission to objects in
the S3 bucket. Assign the user to CloudFront.

• C. Write an S3 bucket policy that assigns the CloudFront distribution
ID as the Principal and assigns the target S3 bucket as the Amazon
Resource Name (ARN).

• D. Create an origin access identity (OAI). Assign the OAI to the
CloudFront distribution. Configure the S3 bucket permissions so that
only the OAI has read permission. Most Voted
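Questions 105 and 131 both turn on a resource-based policy that names exactly one principal and one action. For 105, an execution role (options A and B) is the identity the function assumes to call other services, so it cannot grant EventBridge the right to invoke the function; that grant lives in the function's resource-based policy, and lambda:* (option C) hands the service every Lambda API on the function. For 131, the bucket policy names the OAI as the only principal allowed s3:GetObject, so a direct S3 URL gets 403 while CloudFront, signing as the OAI, still reads. The code below is an added example written for this page and not from the original question set: it builds both policies and lints them for the over-broad variants the distractors describe. The account ID, function and rule names, bucket and OAI ID are invented, and the EventBridge service principal is supplied as an assumption because the question text shows it only as "[Link]".

```python
"""Least-privilege resource-based policies for questions 105 and 131, with a linter.

Added example, not from the original exam dump. All ARNs and IDs are invented;
EVENTBRIDGE_PRINCIPAL is an assumption because the question elides it.
"""

EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"  # assumed; shown as "[Link]" in Q105


def lambda_invoke_policy(function_arn, rule_arn):
    """Resource-based policy on the function: one service, one action, one source rule."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOneEventBridgeRule",
            "Effect": "Allow",
            "Principal": {"Service": EVENTBRIDGE_PRINCIPAL},
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            # Without SourceArn, any EventBridge rule in any account could invoke the function.
            "Condition": {"ArnLike": {"AWS:SourceArn": rule_arn}},
        }],
    }


def oai_bucket_policy(bucket, oai_id):
    """Bucket policy granting read access to one CloudFront origin access identity only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(policy, expected_actions):
    """Return findings for Allow statements wider than a single-purpose grant."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: anonymous principal '*' (anyone can use this grant)")
        elif isinstance(principal, dict) and "Service" in principal and "Condition" not in st:
            # A service principal with no SourceArn/SourceAccount is a confused-deputy grant.
            findings.append(f"{sid}: service principal without SourceArn/SourceAccount condition")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action not in expected_actions:
                findings.append(f"{sid}: unexpected action {action}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{sid}: resource '*'")
    return findings


if __name__ == "__main__":
    fn = "arn:aws:lambda:us-east-1:111122223333:function:nightly-report"
    rule = "arn:aws:events:us-east-1:111122223333:rule/nightly-report-schedule"
    print(lint(lambda_invoke_policy(fn, rule), {"lambda:InvokeFunction"}))  # []
    print(lint(oai_bucket_policy("file-share-bucket", "E1A2B3C4D5E6F7"), {"s3:GetObject"}))  # []
    # Option C of question 105: lambda:* for the service principal, and no condition.
    loose = lambda_invoke_policy(fn, rule)
    loose["Statement"][0]["Action"] = "lambda:*"
    del loose["Statement"][0]["Condition"]
    print(lint(loose, {"lambda:InvokeFunction"}))
```

The Lambda policy is what `aws lambda add-permission` with `--principal`, `--action lambda:InvokeFunction` and `--source-arn` writes; the SourceArn condition is the part most often left off, and the linter treats its absence as a finding because any rule, including one in another account that targets your function ARN, could otherwise trigger it.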

132.
A company’s website provides users with downloadable historical
performance reports. The website needs a solution that will scale to meet
the company’s website demands globally. The solution should be cost-
effective, limit the provisioning of infrastructure resources, and provide
the fastest possible response time.
Which combination should a solutions architect recommend to meet these
requirements?

 A. Amazon CloudFront and Amazon S3 Most Voted

 B. AWS Lambda and Amazon DynamoDB

 C. Application Load Balancer with Amazon EC2 Auto Scaling

 D. Amazon Route 53 with internal Application Load Balancers

133.
A company runs an Oracle database on premises. As part of the
company’s migration to AWS, the company wants to upgrade the
database to the most recent available version. The company also wants to
set up disaster recovery (DR) for the database. The company needs to
minimize the operational overhead for normal operations and DR setup.
The company also needs to maintain access to the database's underlying
operating system.
Which solution will meet these requirements?

 A. Migrate the Oracle database to an Amazon EC2 instance. Set up database replication to a different AWS Region.
 B. Migrate the Oracle database to Amazon RDS for Oracle. Activate Cross-Region automated backups to replicate the snapshots to another AWS Region.
 C. Migrate the Oracle database to Amazon RDS Custom for Oracle. Create a read replica for the database in another AWS Region. Most Voted
 D. Migrate the Oracle database to Amazon RDS for Oracle. Create a standby database in another Availability Zone.

134.
A company wants to move its application to a serverless solution. The
serverless solution needs to analyze existing and new data by using SQL.
The company stores the data in an Amazon S3 bucket. The data requires
encryption and must be replicated to a different AWS Region.
Which solution will meet these requirements with the LEAST operational
overhead?

 A. Create a new S3 bucket. Load the data into the new S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with AWS KMS multi-Region keys (SSE-KMS). Use Amazon Athena to query the data.
 B. Create a new S3 bucket. Load the data into the new S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with AWS KMS multi-Region keys (SSE-KMS). Use Amazon RDS to query the data.
 C. Load the data into the existing S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use Amazon Athena to query the data. Most Voted
 D. Load the data into the existing S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use Amazon RDS to query the data.

135.
A company runs workloads on AWS. The company needs to connect to a
service from an external provider. The service is hosted in the provider's
VPC. According to the company’s security team, the connectivity must be
private and must be restricted to the target service. The connection must
be initiated only from the company’s VPC.
Which solution will meet these requirements?

 A. Create a VPC peering connection between the company's VPC and the provider's VPC. Update the route table to connect to the target service.
 B. Ask the provider to create a virtual private gateway in its VPC. Use AWS PrivateLink to connect to the target service.
 C. Create a NAT gateway in a public subnet of the company’s VPC. Update the route table to connect to the target service.
 D. Ask the provider to create a VPC endpoint for the target service. Use AWS PrivateLink to connect to the target service. Most Voted

136.
A company is migrating its on-premises PostgreSQL database to Amazon
Aurora PostgreSQL. The on-premises database must remain online and
accessible during the migration. The Aurora database must remain
synchronized with the on-premises database.
Which combination of actions must a solutions architect take to meet
these requirements? (Choose two.)

 A. Create an ongoing replication task. Most Voted
 B. Create a database backup of the on-premises database.
 C. Create an AWS Database Migration Service (AWS DMS) replication server. Most Voted
 D. Convert the database schema by using the AWS Schema Conversion Tool (AWS SCT).
 E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor the database synchronization.

137.
A company uses AWS Organizations to create dedicated AWS accounts for
each business unit to manage each business unit's account independently
upon request. The root email recipient missed a notification that was sent
to the root user email address of one account. The company wants to
ensure that all future notifications are not missed. Future notifications
must be limited to account administrators.
Which solution will meet these requirements?

 A. Configure the company’s email server to forward notification email messages that are sent to the AWS account root user email address to all users in the organization.
 B. Configure all AWS account root user email addresses as distribution lists that go to a few administrators who can respond to alerts. Configure AWS account alternate contacts in the AWS Organizations console or programmatically. Most Voted
 C. Configure all AWS account root user email messages to be sent to one administrator who is responsible for monitoring alerts and forwarding those alerts to the appropriate groups.
 D. Configure all existing AWS accounts and all newly created accounts to use the same root user email address. Configure AWS account alternate contacts in the AWS Organizations console or programmatically.

138.
A company runs its ecommerce application on AWS. Every new order is
published as a message in a RabbitMQ queue that runs on an Amazon EC2
instance in a single Availability Zone. These messages are processed by a
different application that runs on a separate EC2 instance. This application
stores the details in a PostgreSQL database on another EC2 instance. All
the EC2 instances are in the same Availability Zone.
The company needs to redesign its architecture to provide the highest
availability with the least operational overhead.
What should a solutions architect do to meet these requirements?

 A. Migrate the queue to a redundant pair (active/standby) of RabbitMQ instances on Amazon MQ. Create a Multi-AZ Auto Scaling group for EC2 instances that host the application. Create another Multi-AZ Auto Scaling group for EC2 instances that host the PostgreSQL database.
 B. Migrate the queue to a redundant pair (active/standby) of RabbitMQ instances on Amazon MQ. Create a Multi-AZ Auto Scaling group for EC2 instances that host the application. Migrate the database to run on a Multi-AZ deployment of Amazon RDS for PostgreSQL. Most Voted
 C. Create a Multi-AZ Auto Scaling group for EC2 instances that host the RabbitMQ queue. Create another Multi-AZ Auto Scaling group for EC2 instances that host the application. Migrate the database to run on a Multi-AZ deployment of Amazon RDS for PostgreSQL.
 D. Create a Multi-AZ Auto Scaling group for EC2 instances that host the RabbitMQ queue. Create another Multi-AZ Auto Scaling group for EC2 instances that host the application. Create a third Multi-AZ Auto Scaling group for EC2 instances that host the PostgreSQL database.

139.
A reporting team receives files each day in an Amazon S3 bucket. The
reporting team manually reviews and copies the files from this initial S3
bucket to an analysis S3 bucket each day at the same time to use with
Amazon QuickSight. Additional teams are starting to send more files in
larger sizes to the initial S3 bucket.
The reporting team wants to move the files automatically to the analysis S3
bucket as the files enter the initial S3 bucket. The reporting team also
wants to use AWS Lambda functions to run pattern-matching code on the
copied data. In addition, the reporting team wants to send the data files to
a pipeline in Amazon SageMaker Pipelines.
What should a solutions architect do to meet these requirements with the
LEAST operational overhead?

 A. Create a Lambda function to copy the files to the analysis S3 bucket. Create an S3 event notification for the analysis S3 bucket. Configure Lambda and SageMaker Pipelines as destinations of the event notification. Configure s3:ObjectCreated:Put as the event type.
 B. Create a Lambda function to copy the files to the analysis S3 bucket. Configure the analysis S3 bucket to send event notifications to Amazon EventBridge (Amazon CloudWatch Events). Configure an ObjectCreated rule in EventBridge (CloudWatch Events). Configure Lambda and SageMaker Pipelines as targets for the rule.
 C. Configure S3 replication between the S3 buckets. Create an S3 event notification for the analysis S3 bucket. Configure Lambda and SageMaker Pipelines as destinations of the event notification. Configure s3:ObjectCreated:Put as the event type.
 D. Configure S3 replication between the S3 buckets. Configure the analysis S3 bucket to send event notifications to Amazon EventBridge (Amazon CloudWatch Events). Configure an ObjectCreated rule in EventBridge (CloudWatch Events). Configure Lambda and SageMaker Pipelines as targets for the rule. Most Voted

140.
A solutions architect needs to help a company optimize the cost of
running an application on AWS. The application will use Amazon EC2
instances, AWS Fargate, and AWS Lambda for compute within the
architecture.
The EC2 instances will run the data ingestion layer of the application. EC2
usage will be sporadic and unpredictable. Workloads that run on EC2
instances can be interrupted at any time. The application front end will
run on Fargate, and Lambda will serve the API layer. The front-end
utilization and API layer utilization will be predictable over the course of
the next year.
Which combination of purchasing options will provide the MOST cost-
effective solution for hosting this application? (Choose two.)

 A. Use Spot Instances for the data ingestion layer Most Voted

 B. Use On-Demand Instances for the data ingestion layer

 C. Purchase a 1-year Compute Savings Plan for the front end and
API layer. Most Voted
 D. Purchase 1-year All Upfront Reserved instances for the data
ingestion layer.

 E. Purchase a 1-year EC2 instance Savings Plan for the front end and
API layer.

141.
A company runs a web-based portal that provides users with global
breaking news, local alerts, and weather updates. The portal delivers each
user a personalized view by using a mixture of static and dynamic content.
Content is served over HTTPS through an API server running on an
Amazon EC2 instance behind an Application Load Balancer (ALB). The
company wants the portal to provide this content to its users across the
world as quickly as possible.
How should a solutions architect design the application to ensure the
LEAST amount of latency for all users?

 A. Deploy the application stack in a single AWS Region. Use Amazon CloudFront to serve all static and dynamic content by specifying the ALB as an origin. Most Voted
 B. Deploy the application stack in two AWS Regions. Use an Amazon Route 53 latency routing policy to serve all content from the ALB in the closest Region.
 C. Deploy the application stack in a single AWS Region. Use Amazon CloudFront to serve the static content. Serve the dynamic content directly from the ALB.
 D. Deploy the application stack in two AWS Regions. Use an Amazon Route 53 geolocation routing policy to serve all content from the ALB in the closest Region.

142.
A gaming company is designing a highly available architecture. The
application runs on a modified Linux kernel and supports only UDP-based
traffic. The company needs the front-end tier to provide the best possible
user experience. That tier must have low latency, route traffic to the
nearest edge location, and provide static IP addresses for entry into the
application endpoints.
What should a solutions architect do to meet these requirements?

 A. Configure Amazon Route 53 to forward requests to an Application Load Balancer. Use AWS Lambda for the application in AWS Application Auto Scaling.
 B. Configure Amazon CloudFront to forward requests to a Network Load Balancer. Use AWS Lambda for the application in an AWS Application Auto Scaling group.
 C. Configure AWS Global Accelerator to forward requests to a Network Load Balancer. Use Amazon EC2 instances for the application in an EC2 Auto Scaling group.
 D. Configure Amazon API Gateway to forward requests to an Application Load Balancer. Use Amazon EC2 instances for the application in an EC2 Auto Scaling group.

143.
A company wants to migrate its existing on-premises monolithic
application to AWS. The company wants to keep as much of the front-end
code and the backend code as possible. However, the company wants to
break the application into smaller applications. A different team will
manage each application. The company needs a highly scalable solution
that minimizes operational overhead.
Which solution will meet these requirements?

 A. Host the application on AWS Lambda. Integrate the application with Amazon API Gateway.
 B. Host the application with AWS Amplify. Connect the application to an Amazon API Gateway API that is integrated with AWS Lambda.
 C. Host the application on Amazon EC2 instances. Set up an Application Load Balancer with EC2 instances in an Auto Scaling group as targets.
 D. Host the application on Amazon Elastic Container Service (Amazon ECS). Set up an Application Load Balancer with Amazon ECS as the target. Most Voted

144.
A company recently started using Amazon Aurora as the data store for its
global ecommerce application. When large reports are run, developers
report that the ecommerce application is performing poorly. After
reviewing metrics in Amazon CloudWatch, a solutions architect finds that
the ReadIOPS and CPUUtilization metrics are spiking when monthly reports
run.
What is the MOST cost-effective solution?

 A. Migrate the monthly reporting to Amazon Redshift.
 B. Migrate the monthly reporting to an Aurora Replica.
 C. Migrate the Aurora database to a larger instance class.
 D. Increase the Provisioned IOPS on the Aurora instance.

145.
A company hosts a website analytics application on a single Amazon EC2
On-Demand Instance. The analytics software is written in PHP and uses a
MySQL database. The analytics software, the web server that provides
PHP, and the database server are all hosted on the EC2 instance. The
application is showing signs of performance degradation during busy
times and is presenting 5xx errors. The company needs to make the
application scale seamlessly.
Which solution will meet these requirements MOST cost-effectively?

 A. Migrate the database to an Amazon RDS for MySQL DB instance. Create an AMI of the web application. Use the AMI to launch a second EC2 On-Demand Instance. Use an Application Load Balancer to distribute the load to each EC2 instance.
 B. Migrate the database to an Amazon RDS for MySQL DB instance. Create an AMI of the web application. Use the AMI to launch a second EC2 On-Demand Instance. Use Amazon Route 53 weighted routing to distribute the load across the two EC2 instances.
 C. Migrate the database to an Amazon Aurora MySQL DB instance. Create an AWS Lambda function to stop the EC2 instance and change the instance type. Create an Amazon CloudWatch alarm to invoke the Lambda function when CPU utilization surpasses 75%.
 D. Migrate the database to an Amazon Aurora MySQL DB instance. Create an AMI of the web application. Apply the AMI to a launch template. Create an Auto Scaling group with the launch template. Configure the launch template to use a Spot Fleet. Attach an Application Load Balancer to the Auto Scaling group.

146.
A company runs a stateless web application in production on a group of
Amazon EC2 On-Demand Instances behind an Application Load Balancer.
The application experiences heavy usage during an 8-hour period each
business day. Application usage is moderate and steady overnight.
Application usage is low during weekends.
The company wants to minimize its EC2 costs without affecting the
availability of the application.
Which solution will meet these requirements?

 A. Use Spot Instances for the entire workload.
 B. Use Reserved Instances for the baseline level of usage. Use Spot Instances for any additional capacity that the application needs. Most Voted
 C. Use On-Demand Instances for the baseline level of usage. Use Spot Instances for any additional capacity that the application needs.
 D. Use Dedicated Instances for the baseline level of usage. Use On-Demand Instances for any additional capacity that the application needs.

147.
A company needs to retain application log files for a critical application for
10 years. The application team regularly accesses logs from the past
month for troubleshooting, but logs older than 1 month are rarely
accessed. The application generates more than 10 TB of logs per month.
Which storage option meets these requirements MOST cost-effectively?

 A. Store the logs in Amazon S3. Use AWS Backup to move logs more than 1 month old to S3 Glacier Deep Archive.
 B. Store the logs in Amazon S3. Use S3 Lifecycle policies to move logs more than 1 month old to S3 Glacier Deep Archive. Most Voted
 C. Store the logs in Amazon CloudWatch Logs. Use AWS Backup to move logs more than 1 month old to S3 Glacier Deep Archive.
 D. Store the logs in Amazon CloudWatch Logs. Use Amazon S3 Lifecycle policies to move logs more than 1 month old to S3 Glacier Deep Archive.

148.
A company has a data ingestion workflow that includes the following
components:
An Amazon Simple Notification Service (Amazon SNS) topic that receives
notifications about new data deliveries
An AWS Lambda function that processes and stores the data
The ingestion workflow occasionally fails because of network connectivity
issues. When failure occurs, the corresponding data is not ingested unless
the company manually reruns the job.
What should a solutions architect do to ensure that all notifications are
eventually processed?

 A. Configure the Lambda function for deployment across multiple Availability Zones.
 B. Modify the Lambda function's configuration to increase the CPU and memory allocations for the function.
 C. Configure the SNS topic’s retry strategy to increase both the number of retries and the wait time between retries.
 D. Configure an Amazon Simple Queue Service (Amazon SQS) queue as the on-failure destination. Modify the Lambda function to process messages in the queue.
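The failure path option D relies on, as an added example that is not part of the question bank. SNS invokes Lambda asynchronously; for asynchronous invocations Lambda retries a failed event twice by default (three attempts in total) and only then hands it to the on-failure destination, so a short network outage that outlasts the retries would otherwise lose the event. The model below is local Python with no AWS calls: the "network errors" are a constructed failure pattern, and the destination record layout is a simplified approximation of Lambda's destination record rather than the exact schema.

```python
"""Added example (not from the original page): a local model of Lambda async
retries feeding an SQS on-failure destination, then a second consumer that
drains the queue so every delivery is eventually stored."""
from collections import deque
from dataclasses import dataclass, field

MAX_ASYNC_ATTEMPTS = 3  # Lambda default for async invokes: 1 attempt + 2 retries


@dataclass
class FlakyIngest:
    """Stand-in for the ingest function. failures_before_success is a constructed
    map of delivery id -> how many calls fail (simulated network errors) first."""
    failures_before_success: dict
    stored: list = field(default_factory=list)

    def handler(self, delivery: dict) -> None:
        remaining = self.failures_before_success.get(delivery["id"], 0)
        if remaining > 0:
            self.failures_before_success[delivery["id"]] = remaining - 1
            raise ConnectionError(f"network error while storing {delivery['id']}")
        self.stored.append(delivery["id"])


def invoke_async(handler, event: dict, on_failure_queue: deque) -> bool:
    """Async invoke path: retry up to MAX_ASYNC_ATTEMPTS, then emit a
    destination record (simplified layout) to the SQS on-failure queue."""
    last_error = None
    for _ in range(MAX_ASYNC_ATTEMPTS):
        try:
            handler(event)
            return True
        except ConnectionError as exc:
            last_error = str(exc)
    on_failure_queue.append({
        "requestContext": {"condition": "RetriesExhausted",
                           "approximateInvokeCount": MAX_ASYNC_ATTEMPTS},
        "requestPayload": event,
        "responsePayload": {"errorType": "ConnectionError", "errorMessage": last_error},
    })
    return False


def drain_failure_queue(handler, queue: deque) -> int:
    """Second consumer reading the on-failure queue. Records that still fail are
    re-queued for the next sweep (in SQS this is the visibility timeout expiring)."""
    recovered = 0
    for _ in range(len(queue)):
        record = queue.popleft()
        try:
            handler(record["requestPayload"])
            recovered += 1
        except ConnectionError:
            queue.append(record)
    return recovered


def run_scenario() -> dict:
    # Constructed pattern: d2 fails 3 times (exhausts the async retries), d3 once.
    ingest = FlakyIngest({"d2": 3, "d3": 1})
    queue = deque()
    first_pass = {d: invoke_async(ingest.handler, {"id": d}, queue)
                  for d in ("d1", "d2", "d3")}
    queued = len(queue)
    recovered = drain_failure_queue(ingest.handler, queue)
    return {"first_pass": first_pass, "queued": queued, "recovered": recovered,
            "stored": sorted(ingest.stored), "left_in_queue": len(queue)}


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario d3 is saved by the built-in retries, d2 is not and lands in the queue, and the drain pass stores it once connectivity is back; nothing is lost and nothing is stored twice.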

149.
A company has a service that produces event data. The company wants to
use AWS to process the event data as it is received. The data is written in
a specific order that must be maintained throughout processing. The
company wants to implement a solution that minimizes operational
overhead.
How should a solutions architect accomplish this?

 A. Create an Amazon Simple Queue Service (Amazon SQS) FIFO queue to hold messages. Set up an AWS Lambda function to process messages from the queue.
 B. Create an Amazon Simple Notification Service (Amazon SNS) topic to deliver notifications containing payloads to process. Configure an AWS Lambda function as a subscriber.
 C. Create an Amazon Simple Queue Service (Amazon SQS) standard queue to hold messages. Set up an AWS Lambda function to process messages from the queue independently.
 D. Create an Amazon Simple Notification Service (Amazon SNS) topic to deliver notifications containing payloads to process. Configure an Amazon Simple Queue Service (Amazon SQS) queue as a subscriber.

150.
A company is migrating an application from on-premises servers to
Amazon EC2 instances. As part of the migration design requirements, a
solutions architect must implement infrastructure metric alarms. The
company does not need to take action if CPU utilization increases to more
than 50% for a short burst of time. However, if the CPU utilization
increases to more than 50% and read IOPS on the disk are high at the
same time, the company needs to act as soon as possible. The solutions
architect also must reduce false alarms.
What should the solutions architect do to meet these requirements?

 A. Create Amazon CloudWatch composite alarms where possible. Most Voted
 B. Create Amazon CloudWatch dashboards to visualize the metrics and react to issues quickly.
 C. Create Amazon CloudWatch Synthetics canaries to monitor the application and raise an alarm.
 D. Create single Amazon CloudWatch metric alarms with multiple metric thresholds where possible.
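How a composite alarm suppresses the CPU-only burst, as an added example that is not part of the question bank. A CloudWatch composite alarm has no metric of its own; its state is a boolean expression (the AlarmRule, e.g. ALARM("cpu-high") AND ALARM("read-iops-high")) over the states of child alarms, and only the composite carries the notification action. The code below is a local model: the thresholds, the 3-of-3 evaluation, the metric series and the alarm names are all constructed, the rule evaluator accepts only the quoted ALARM("name") form with AND, OR, NOT and parentheses, and partial windows at the start of a series are simply evaluated on the data present (real CloudWatch applies its missing-data policy there).

```python
"""Added example (not from the original page): a local model of CloudWatch
child metric alarms combined by a composite alarm rule."""
import re

# Child alarm parameters in the spirit of put_metric_alarm (constructed values).
CHILD_ALARMS = {
    "cpu-high": {"threshold": 50.0, "evaluation_periods": 3, "datapoints_to_alarm": 3},
    "read-iops-high": {"threshold": 3000.0, "evaluation_periods": 3, "datapoints_to_alarm": 3},
}
# AlarmRule expression for the composite alarm.
COMPOSITE_RULE = 'ALARM("cpu-high") AND ALARM("read-iops-high")'


def child_alarm_states(series, threshold, evaluation_periods, datapoints_to_alarm):
    """State per period of a GreaterThanThreshold alarm: ALARM when at least
    datapoints_to_alarm of the last evaluation_periods datapoints breach."""
    states = []
    for i in range(len(series)):
        window = series[max(0, i - evaluation_periods + 1): i + 1]
        breaches = sum(1 for v in window if v > threshold)
        states.append("ALARM" if breaches >= datapoints_to_alarm else "OK")
    return states


def evaluate_rule(rule: str, child_states: dict) -> bool:
    """Recursive-descent evaluation of ALARM("x") / AND / OR / NOT / parentheses."""
    tokens = re.findall(r'ALARM\("[^"]+"\)|AND|OR|NOT|\(|\)', rule)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "OR":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "AND":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "NOT":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        m = re.fullmatch(r'ALARM\("([^"]+)"\)', tok)
        if m is None:
            raise ValueError(f"unexpected token {tok!r}")
        return child_states[m.group(1)] == "ALARM"

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule")
    return result


def composite_timeline(cpu_series, iops_series):
    """Composite alarm state per period for the two child alarms above."""
    cpu = child_alarm_states(cpu_series, **CHILD_ALARMS["cpu-high"])
    iops = child_alarm_states(iops_series, **CHILD_ALARMS["read-iops-high"])
    return [evaluate_rule(COMPOSITE_RULE, {"cpu-high": c, "read-iops-high": r})
            for c, r in zip(cpu, iops)]


# Constructed sample: CPU-only burst in periods 1-3, then CPU + read IOPS high in 5-8.
SAMPLE_CPU = [20, 80, 85, 90, 30, 70, 75, 80, 85, 40]
SAMPLE_READ_IOPS = [500, 600, 700, 800, 900, 4000, 4500, 5000, 5200, 1000]

if __name__ == "__main__":
    print(composite_timeline(SAMPLE_CPU, SAMPLE_READ_IOPS))
```

With these series the cpu-high child alarm enters ALARM at period 3 on the burst alone, but the composite stays OK there and only fires at periods 7 and 8, when both children are in ALARM; that is the false-alarm reduction the requirement asks for.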

151.
A company wants to migrate its on-premises data center to AWS.
According to the company's compliance requirements, the company can
use only the ap-northeast-3 Region. Company administrators are not
permitted to connect VPCs to the internet.
Which solutions will meet these requirements? (Choose two.)

 A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3.
 B. Use rules in AWS WAF to prevent internet access. Deny access to all AWS Regions except ap-northeast-3 in the AWS account settings.
 C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.
 D. Create an outbound rule for the network ACL in each VPC to deny all traffic from [Link]/0. Create an IAM policy for each user to prevent the use of any AWS Region other than ap-northeast-3.
 E. Use AWS Config to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3.
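The SCP that option C describes, as an added example that is not part of the question bank. Two details matter in practice: a region deny keyed on aws:RequestedRegion must exempt global services (IAM, STS, Organizations and the like are served from us-east-1) or it locks administrators out of IAM itself, and an SCP only filters what identities in member accounts may do; it never grants anything and does not apply to the organization's management account. The list of exempted global services and of "internet path" EC2 actions below is an assumption for the demo, and the checker models only the Action/NotAction and StringNotEquals logic the policy uses.

```python
"""Added example (not from the original page): an SCP restricting member
accounts to ap-northeast-3 and blocking internet gateways, with a checker
for the subset of IAM policy logic the SCP relies on."""
import fnmatch
import json

ALLOWED_REGION = "ap-northeast-3"
# Assumed exemption list: global services whose calls carry a different region.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*",
                          "budgets:*", "cloudfront:*", "route53:*", "health:*"]
# Assumed list of EC2 calls that give a VPC an internet path.
INTERNET_PATH_ACTIONS = ["ec2:CreateInternetGateway", "ec2:AttachInternetGateway",
                         "ec2:CreateEgressOnlyInternetGateway"]


def region_lockdown_scp() -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideApNortheast3",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGION}},
            },
            {
                "Sid": "DenyVpcInternetPath",
                "Effect": "Deny",
                "Action": INTERNET_PATH_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _matches_any(action: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def scp_denies(policy: dict, action: str, region: str) -> bool:
    """True when some Deny statement matches the request. Only Action/NotAction
    and a StringNotEquals condition on aws:RequestedRegion are modelled; a
    request that is not denied still needs an Allow from an IAM policy."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches_any(action, stmt["Action"])
        else:
            action_hit = not _matches_any(action, stmt["NotAction"])
        if not action_hit:
            continue
        wanted = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if wanted is not None and region == wanted:
            continue  # condition not met, statement does not apply
        return True
    return False


if __name__ == "__main__":
    scp = region_lockdown_scp()
    print(json.dumps(scp, indent=2))
    for act, reg in [("s3:CreateBucket", "ap-northeast-3"), ("s3:CreateBucket", "us-east-1"),
                     ("iam:CreateRole", "us-east-1"), ("ec2:AttachInternetGateway", "ap-northeast-3")]:
        print(f"{act} in {reg}: {'DENIED' if scp_denies(scp, act, reg) else 'not denied by SCP'}")
```

Pair the SCP with a detective control such as the AWS Config managed rules in option E if you also want evidence of drift, but the SCP is what prevents the action rather than reporting it afterwards.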

152.
A company uses a three-tier web application to provide training to new
employees. The application is accessed for only 12 hours every day. The
company is using an Amazon RDS for MySQL DB instance to store
information and wants to minimize costs.
What should a solutions architect do to meet these requirements?

 A. Configure an IAM policy for AWS Systems Manager Session Manager. Create an IAM role for the policy. Update the trust relationship of the role. Set up automatic start and stop for the DB instance.
 B. Create an Amazon ElastiCache for Redis cache cluster that gives users the ability to access the data from the cache when the DB instance is stopped. Invalidate the cache after the DB instance is started.
 C. Launch an Amazon EC2 instance. Create an IAM role that grants access to Amazon RDS. Attach the role to the EC2 instance. Configure a cron job to start and stop the EC2 instance on the desired schedule.
 D. Create AWS Lambda functions to start and stop the DB instance. Create Amazon EventBridge (Amazon CloudWatch Events) scheduled rules to invoke the Lambda functions. Configure the Lambda functions as event targets for the rules. Most Voted

153.
A company sells ringtones created from clips of popular songs. The files
containing the ringtones are stored in Amazon S3 Standard and are at
least 128 KB in size. The company has millions of files, but downloads are
infrequent for ringtones older than 90 days. The company needs to save
money on storage while keeping the most accessed files readily available
for its users.
Which action should the company take to meet these requirements MOST
cost-effectively?

 A. Configure S3 Standard-Infrequent Access (S3 Standard-IA) storage for the initial storage tier of the objects.
 B. Move the files to S3 Intelligent-Tiering and configure it to move objects to a less expensive storage tier after 90 days.
 C. Configure S3 inventory to manage objects and move them to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.
 D. Implement an S3 Lifecycle policy that moves the objects from S3 Standard to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days. Most Voted

154.
A company needs to save the results from a medical trial to an Amazon S3
repository. The repository must allow a few scientists to add new files and
must restrict all other users to read-only access. No users can have the
ability to modify or delete any files in the repository. The company must
keep every file in the repository for a minimum of 1 year after its creation
date.
Which solution will meet these requirements?

 A. Use S3 Object Lock in governance mode with a legal hold of 1 year.
 B. Use S3 Object Lock in compliance mode with a retention period of 365 days. Most Voted
 C. Use an IAM role to restrict all users from deleting or changing objects in the S3 bucket. Use an S3 bucket policy to only allow the IAM role.
 D. Configure the S3 bucket to invoke an AWS Lambda function every time an object is added. Configure the function to track the hash of the saved object so that modified objects can be marked accordingly.
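The distinction between the Object Lock modes the options turn on, as an added example that is not part of the question bank. A retention period is relative to each object version's creation; a legal hold has no expiry and stays until someone with s3:PutObjectLegalHold removes it. In governance mode a caller that holds s3:BypassGovernanceRetention and sends the x-amz-bypass-governance-retention:true header can delete a version or shorten its retention early; in compliance mode no identity, the root user included, can do either before the retain-until date, and retention can only be extended. Object Lock requires bucket versioning, and it protects object versions: a DELETE without a version ID only places a delete marker, which Object Lock does not prevent, so "read-only for everyone else" still needs an IAM or bucket policy on top. The model below is local Python; the dates and object names are constructed.

```python
"""Added example (not from the original page): a local model of the S3 Object
Lock decision for deleting a locked object version or shortening its retention."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LockState:
    mode: Optional[str] = None           # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


def retention_for_new_object(created: datetime, days: int = 365,
                             mode: str = "COMPLIANCE") -> LockState:
    """Default retention a bucket-level Object Lock configuration applies to
    every new object version (constructed defaults: 365 days, compliance)."""
    return LockState(mode=mode, retain_until=created + timedelta(days=days))


def can_delete_version(lock: LockState, now: datetime,
                       has_bypass_permission: bool = False,
                       bypass_header: bool = False) -> bool:
    """Can a permanent delete of this object *version* succeed right now?
    A delete without a version ID only adds a delete marker and is not
    blocked by Object Lock, so it is out of scope here."""
    if lock.legal_hold:
        return False                       # hold blocks regardless of retention
    if lock.mode is None or lock.retain_until is None or now >= lock.retain_until:
        return True                        # no active retention
    if lock.mode == "COMPLIANCE":
        return False                       # nobody, root included, before retain_until
    if lock.mode == "GOVERNANCE":
        # permission s3:BypassGovernanceRetention AND the explicit bypass header
        return has_bypass_permission and bypass_header
    raise ValueError(f"unknown Object Lock mode {lock.mode!r}")


def can_set_retention(lock: LockState, new_until: datetime,
                      has_bypass_permission: bool = False,
                      bypass_header: bool = False) -> bool:
    """Extending retention is always allowed; shortening follows the mode rules."""
    if lock.retain_until is None or new_until >= lock.retain_until:
        return True
    if lock.mode == "COMPLIANCE":
        return False
    return has_bypass_permission and bypass_header


if __name__ == "__main__":
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed date
    lock = retention_for_new_object(created)
    print("delete at day 100 (compliance, admin with bypass):",
          can_delete_version(lock, created + timedelta(days=100), True, True))
    print("delete at day 365:", can_delete_version(lock, created + timedelta(days=365)))
```

Run against the constructed dates, compliance mode refuses the early delete even for a caller that would be allowed to bypass governance mode, and allows it once the 365 days have elapsed.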

155.
A large media company hosts a web application on AWS. The company
wants to start caching confidential media files so that users around the
world will have reliable access to the files. The content is stored in
Amazon S3 buckets. The company must deliver the content quickly,
regardless of where the requests originate geographically.
Which solution will meet these requirements?

 A. Use AWS DataSync to connect the S3 buckets to the web application.
 B. Deploy AWS Global Accelerator to connect the S3 buckets to the web application.
 C. Deploy Amazon CloudFront to connect the S3 buckets to CloudFront edge servers.
 D. Use Amazon Simple Queue Service (Amazon SQS) to connect the S3 buckets to the web application.

156.
A company produces batch data that comes from different databases. The
company also produces live stream data from network sensors and
application APIs. The company needs to consolidate all the data into one
place for business analytics. The company needs to process the incoming
data and then stage the data in different Amazon S3 buckets. Teams will
later run one-time queries and import the data into a business intelligence
tool to show key performance indicators (KPIs).
Which combination of steps will meet these requirements with the LEAST
operational overhead? (Choose two.)

 A. Use Amazon Athena for one-time queries. Use Amazon QuickSight to create dashboards for KPIs. Most Voted
 B. Use Amazon Kinesis Data Analytics for one-time queries. Use Amazon QuickSight to create dashboards for KPIs.
 C. Create custom AWS Lambda functions to move the individual records from the databases to an Amazon Redshift cluster.
 D. Use an AWS Glue extract, transform, and load (ETL) job to convert the data into JSON format. Load the data into multiple Amazon OpenSearch Service (Amazon Elasticsearch Service) clusters.
 E. Use blueprints in AWS Lake Formation to identify the data that can be ingested into a data lake. Use AWS Glue to crawl the source, extract the data, and load the data into Amazon S3 in Apache Parquet format. Most Voted

157.
A company stores data in an Amazon Aurora PostgreSQL DB cluster. The
company must store all the data for 5 years and must delete all the data
after 5 years. The company also must indefinitely keep audit logs of
actions that are performed within the database. Currently, the company
has automated backups configured for Aurora.

Which combination of steps should a solutions architect take to meet
these requirements? (Choose two.)

 A. Take a manual snapshot of the DB cluster.
 B. Create a lifecycle policy for the automated backups.
 C. Configure automated backup retention for 5 years.
 D. Configure an Amazon CloudWatch Logs export for the DB cluster. Most Voted
 E. Use AWS Backup to take the backups and to keep the backups for 5 years. Most Voted

158.
A solutions architect is optimizing a website for an upcoming musical
event. Videos of the performances will be streamed in real time and then
will be available on demand. The event is expected to attract a global
online audience.

Which service will improve the performance of both the real-time and on-
demand streaming?

 A. Amazon CloudFront

 B. AWS Global Accelerator

 C. Amazon Route 53

 D. Amazon S3 Transfer Acceleration

159.
A company is running a publicly accessible serverless application that
uses Amazon API Gateway and AWS Lambda. The application’s traffic
recently spiked due to fraudulent requests from botnets.

Which steps should a solutions architect take to block requests from
unauthorized users? (Choose two.)

 A. Create a usage plan with an API key that is shared with genuine users only. Most Voted
 B. Integrate logic within the Lambda function to ignore the requests from fraudulent IP addresses.
 C. Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out. Most Voted
 D. Convert the existing public API to a private API. Update the DNS records to redirect users to the new API endpoint.
 E. Create an IAM role for each user attempting to access the API. A user will assume the role when making the API call.

160.
An ecommerce company hosts its analytics application in the AWS Cloud.
The application generates about 300 MB of data each month. The data is
stored in JSON format. The company is evaluating a disaster recovery
solution to back up the data. The data must be accessible in milliseconds
if it is needed, and the data must be kept for 30 days.

Which solution meets these requirements MOST cost-effectively?

 A. Amazon OpenSearch Service (Amazon Elasticsearch Service)
 B. Amazon S3 Glacier
 C. Amazon S3 Standard Most Voted
 D. Amazon RDS for PostgreSQL

161.
A company has a small Python application that processes JSON documents
and outputs the results to an on-premises SQL database. The application
runs thousands of times each day. The company wants to move the
application to the AWS Cloud. The company needs a highly available
solution that maximizes scalability and minimizes operational overhead.

Which solution will meet these requirements?

 A. Place the JSON documents in an Amazon S3 bucket. Run the Python code on multiple Amazon EC2 instances to process the documents. Store the results in an Amazon Aurora DB cluster.
 B. Place the JSON documents in an Amazon S3 bucket. Create an AWS Lambda function that runs the Python code to process the documents as they arrive in the S3 bucket. Store the results in an Amazon Aurora DB cluster. Most Voted
 C. Place the JSON documents in an Amazon Elastic Block Store (Amazon EBS) volume. Use the EBS Multi-Attach feature to attach the volume to multiple Amazon EC2 instances. Run the Python code on the EC2 instances to process the documents. Store the results on an Amazon RDS DB instance.
 D. Place the JSON documents in an Amazon Simple Queue Service (Amazon SQS) queue as messages. Deploy the Python code as a container on an Amazon Elastic Container Service (Amazon ECS) cluster that is configured with the Amazon EC2 launch type. Use the container to process the SQS messages. Store the results on an Amazon RDS DB instance.

162.
A company wants to use high performance computing (HPC) infrastructure
on AWS for financial risk modeling. The company’s HPC workloads run on
Linux. Each HPC workflow runs on hundreds of Amazon EC2 Spot
Instances, is short-lived, and generates thousands of output files that are
ultimately stored in persistent storage for analytics and long-term future
use.

The company seeks a cloud storage solution that permits the copying of
on-premises data to long-term persistent storage to make data available
for processing by all EC2 instances. The solution should also be a high
performance file system that is integrated with persistent storage to read
and write datasets and output files.

Which combination of AWS services meets these requirements?

 A. Amazon FSx for Lustre integrated with Amazon S3
 B. Amazon FSx for Windows File Server integrated with Amazon S3
 C. Amazon S3 Glacier integrated with Amazon Elastic Block Store (Amazon EBS)
 D. Amazon S3 bucket with a VPC endpoint integrated with an Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp2) volume

163
A company is building a containerized application on premises and
decides to move the application to AWS. The application will have
thousands of users soon after it is deployed. The company is unsure how
to manage the deployment of containers at scale. The company needs to
deploy the containerized application in a highly available architecture that
minimizes operational overhead.

Which solution will meet these requirements?

 A. Store container images in an Amazon Elastic Container Registry (Amazon ECR) repository. Use an Amazon Elastic Container Service (Amazon ECS) cluster with the AWS Fargate launch type to run the containers. Use target tracking to scale automatically based on demand. Most Voted

 B. Store container images in an Amazon Elastic Container Registry (Amazon ECR) repository. Use an Amazon Elastic Container Service (Amazon ECS) cluster with the Amazon EC2 launch type to run the containers. Use target tracking to scale automatically based on demand.

 C. Store container images in a repository that runs on an Amazon EC2 instance. Run the containers on EC2 instances that are spread across multiple Availability Zones. Monitor the average CPU utilization in Amazon CloudWatch. Launch new EC2 instances as needed.

 D. Create an Amazon EC2 Amazon Machine Image (AMI) that contains the container image. Launch EC2 instances in an Auto Scaling group across multiple Availability Zones. Use an Amazon CloudWatch alarm to scale out EC2 instances when the average CPU utilization threshold is breached.

164
A company has two applications: a sender application that sends
messages with payloads to be processed and a processing application
intended to receive the messages with payloads. The company wants to
implement an AWS service to handle messages between the two
applications. The sender application can send about 1,000 messages each
hour. The messages may take up to 2 days to be processed. If the
messages fail to process, they must be retained so that they do not
impact the processing of any remaining messages.

Which solution meets these requirements and is the MOST operationally efficient?

 A. Set up an Amazon EC2 instance running a Redis database. Configure both applications to use the instance. Store, process, and delete the messages, respectively.

 B. Use an Amazon Kinesis data stream to receive the messages from the sender application. Integrate the processing application with the Kinesis Client Library (KCL).

 C. Integrate the sender and processor applications with an Amazon Simple Queue Service (Amazon SQS) queue. Configure a dead-letter queue to collect the messages that failed to process. Most Voted

 D. Subscribe the processing application to an Amazon Simple Notification Service (Amazon SNS) topic to receive notifications to process. Integrate the sender application to write to the SNS topic.

165
A solutions architect must design a solution that uses Amazon CloudFront
with an Amazon S3 origin to store a static website. The company’s
security policy requires that all website traffic be inspected by AWS WAF.

How should the solutions architect comply with these requirements?

 A. Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name (ARN) only.

 B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin.

 C. Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only. Associate AWS WAF to CloudFront.

 D. Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.

166
Organizers for a global event want to put daily reports online as static
HTML pages. The pages are expected to generate millions of views from
users around the world. The files are stored in an Amazon S3 bucket. A
solutions architect has been asked to design an efficient and effective
solution.

Which action should the solutions architect take to accomplish this?

 A. Generate presigned URLs for the files.

 B. Use cross-Region replication to all Regions.

 C. Use the geoproximity feature of Amazon Route 53.

 D. Use Amazon CloudFront with the S3 bucket as its origin.

167
A company runs a production application on a fleet of Amazon EC2
instances. The application reads the data from an Amazon SQS queue and
processes the messages in parallel. The message volume is unpredictable
and often has intermittent traffic. This application should continually
process messages without any downtime.

Which solution meets these requirements MOST cost-effectively?

 A. Use Spot Instances exclusively to handle the maximum capacity required.

 B. Use Reserved Instances exclusively to handle the maximum capacity required.

 C. Use Reserved Instances for the baseline capacity and use Spot Instances to handle additional capacity.

 D. Use Reserved Instances for the baseline capacity and use On-Demand Instances to handle additional capacity. Most Voted

168
A security team wants to limit access to specific services or actions in all
of the team’s AWS accounts. All accounts belong to a large organization in
AWS Organizations. The solution must be scalable and there must be a
single point where permissions can be maintained.

What should a solutions architect do to accomplish this?

 A. Create an ACL to provide access to the services or actions.

 B. Create a security group to allow accounts and attach it to user groups.

 C. Create cross-account roles in each account to deny access to the services or actions.

 D. Create a service control policy in the root organizational unit to deny access to the services or actions.

169
A company is concerned about the security of its public web application
due to recent web attacks. The application uses an Application Load
Balancer (ALB). A solutions architect must reduce the risk of DDoS attacks
against the application.

What should the solutions architect do to meet this requirement?

 A. Add an Amazon Inspector agent to the ALB.

 B. Configure Amazon Macie to prevent attacks.

 C. Enable AWS Shield Advanced to prevent attacks.

 D. Configure Amazon GuardDuty to monitor the ALB.

170
A company’s web application is running on Amazon EC2 instances behind
an Application Load Balancer. The company recently changed its policy,
which now requires the application to be accessed from one specific
country only.

Which configuration will meet this requirement?

 A. Configure the security group for the EC2 instances.

 B. Configure the security group on the Application Load Balancer.

 C. Configure AWS WAF on the Application Load Balancer in a VPC.

 D. Configure the network ACL for the subnet that contains the EC2 instances.

171
A company provides an API to its users that automates inquiries for tax
computations based on item prices. The company experiences a larger
number of inquiries during the holiday season only, which causes slower
response times. A solutions architect needs to design a solution that is
scalable and elastic.

What should the solutions architect do to accomplish this?

 A. Provide an API hosted on an Amazon EC2 instance. The EC2 instance performs the required computations when the API request is made.

 B. Design a REST API using Amazon API Gateway that accepts the item names. API Gateway passes item names to AWS Lambda for tax computations. Most Voted

 C. Create an Application Load Balancer that has two Amazon EC2 instances behind it. The EC2 instances will compute the tax on the received item names.

 D. Design a REST API using Amazon API Gateway that connects with an API hosted on an Amazon EC2 instance. API Gateway accepts and passes the item names to the EC2 instance for tax computations.

172
A solutions architect is creating a new Amazon CloudFront distribution for
an application. Some of the information submitted by users is sensitive.
The application uses HTTPS but needs another layer of security. The
sensitive information must be protected throughout the entire
application stack, and access to the information should be restricted to
certain applications.

Which action should the solutions architect take?

 A. Configure a CloudFront signed URL.

 B. Configure a CloudFront signed cookie.

 C. Configure a CloudFront field-level encryption profile. Most Voted

 D. Configure CloudFront and set the Origin Protocol Policy setting to HTTPS Only for the Viewer Protocol Policy.

173
A gaming company hosts a browser-based application on AWS. The users
of the application consume a large number of videos and images that are
stored in Amazon S3. This content is the same for all users.

The application has increased in popularity, and millions of users
worldwide are accessing these media files. The company wants to provide
the files to the users while reducing the load on the origin.

Which solution meets these requirements MOST cost-effectively?

 A. Deploy an AWS Global Accelerator accelerator in front of the web servers.

 B. Deploy an Amazon CloudFront web distribution in front of the S3 bucket.

 C. Deploy an Amazon ElastiCache for Redis instance in front of the web servers.

 D. Deploy an Amazon ElastiCache for Memcached instance in front of the web servers.

174
A company has a multi-tier application that runs six front-end web servers
in an Amazon EC2 Auto Scaling group in a single Availability Zone behind
an Application Load Balancer (ALB). A solutions architect needs to modify
the infrastructure to be highly available without modifying the application.

Which architecture should the solutions architect choose that provides high availability?

 A. Create an Auto Scaling group that uses three instances across each of two Regions.

 B. Modify the Auto Scaling group to use three instances across each of two Availability Zones.

 C. Create an Auto Scaling template that can be used to quickly create more instances in another Region.

 D. Change the ALB in front of the Amazon EC2 instances in a round-robin configuration to balance traffic to the web tier.

175
An ecommerce company has an order-processing application that uses
Amazon API Gateway and an AWS Lambda function. The application stores
data in an Amazon Aurora PostgreSQL database. During a recent sales
event, a sudden surge in customer orders occurred. Some customers
experienced timeouts, and the application did not process the orders of
those customers.

A solutions architect determined that the CPU utilization and memory utilization were high on the database because of a large number of open connections. The solutions architect needs to prevent the timeout errors while making the least possible changes to the application.

Which solution will meet these requirements?

 A. Configure provisioned concurrency for the Lambda function. Modify the database to be a global database in multiple AWS Regions.

 B. Use Amazon RDS Proxy to create a proxy for the database. Modify the Lambda function to use the RDS Proxy endpoint instead of the database endpoint. Most Voted

 C. Create a read replica for the database in a different AWS Region. Use query string parameters in API Gateway to route traffic to the read replica.

 D. Migrate the data from Aurora PostgreSQL to Amazon DynamoDB by using AWS Database Migration Service (AWS DMS). Modify the Lambda function to use the DynamoDB table.

176
An application runs on Amazon EC2 instances in private subnets. The
application needs to access an Amazon DynamoDB table.

What is the MOST secure way to access the table while ensuring that the
traffic does not leave the AWS network?

 A. Use a VPC endpoint for DynamoDB. Most Voted

 B. Use a NAT gateway in a public subnet.

 C. Use a NAT instance in a private subnet.

 D. Use the internet gateway attached to the VPC.

177
An entertainment company is using Amazon DynamoDB to store media
metadata. The application is read intensive and experiencing delays. The
company does not have staff to handle additional operational overhead
and needs to improve the performance efficiency of DynamoDB without
reconfiguring the application.

What should a solutions architect recommend to meet this requirement?

 A. Use Amazon ElastiCache for Redis.

 B. Use Amazon DynamoDB Accelerator (DAX).

 C. Replicate data by using DynamoDB global tables.

 D. Use Amazon ElastiCache for Memcached with Auto Discovery enabled.

178
A company’s infrastructure consists of Amazon EC2 instances and an
Amazon RDS DB instance in a single AWS Region. The company wants to
back up its data in a separate Region.

Which solution will meet these requirements with the LEAST operational overhead?

 A. Use AWS Backup to copy EC2 backups and RDS backups to the separate Region.

 B. Use Amazon Data Lifecycle Manager (Amazon DLM) to copy EC2 backups and RDS backups to the separate Region.

 C. Create Amazon Machine Images (AMIs) of the EC2 instances. Copy the AMIs to the separate Region. Create a read replica for the RDS DB instance in the separate Region.

 D. Create Amazon Elastic Block Store (Amazon EBS) snapshots. Copy the EBS snapshots to the separate Region. Create RDS snapshots. Export the RDS snapshots to Amazon S3. Configure S3 Cross-Region Replication (CRR) to the separate Region.

179
A solutions architect needs to securely store a database user name and
password that an application uses to access an Amazon RDS DB instance.
The application that accesses the database runs on an Amazon EC2
instance. The solutions architect wants to create a secure parameter in
AWS Systems Manager Parameter Store.

What should the solutions architect do to meet this requirement?

 A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance. Most Voted

 B. Create an IAM policy that allows read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM policy to the EC2 instance.

 C. Create an IAM trust relationship between the Parameter Store parameter and the EC2 instance. Specify Amazon RDS as a principal in the trust policy.

 D. Create an IAM trust relationship between the DB instance and the EC2 instance. Specify Systems Manager as a principal in the trust policy.

180
A company is designing a cloud communications platform that is driven by
APIs. The application is hosted on Amazon EC2 instances behind a
Network Load Balancer (NLB). The company uses Amazon API Gateway to
provide external users with access to the application through APIs. The
company wants to protect the platform against web exploits like SQL
injection and also wants to detect and mitigate large, sophisticated DDoS
attacks.

Which combination of solutions provides the MOST protection? (Choose two.)

 A. Use AWS WAF to protect the NLB.

 B. Use AWS Shield Advanced with the NLB. Most Voted

 C. Use AWS WAF to protect Amazon API Gateway. Most Voted

 D. Use Amazon GuardDuty with AWS Shield Standard.

 E. Use AWS Shield Standard with Amazon API Gateway.

181
A company has a legacy data processing application that runs on Amazon
EC2 instances. Data is processed sequentially, but the order of results
does not matter. The application uses a monolithic architecture. The only
way that the company can scale the application to meet increased
demand is to increase the size of the instances.

The company’s developers have decided to rewrite the application to use a microservices architecture on Amazon Elastic Container Service (Amazon ECS).

What should a solutions architect recommend for communication between the microservices?

 A. Create an Amazon Simple Queue Service (Amazon SQS) queue. Add code to the data producers, and send data to the queue. Add code to the data consumers to process data from the queue.

 B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Add code to the data producers, and publish notifications to the topic. Add code to the data consumers to subscribe to the topic.

 C. Create an AWS Lambda function to pass messages. Add code to the data producers to call the Lambda function with a data object. Add code to the data consumers to receive a data object that is passed from the Lambda function.

 D. Create an Amazon DynamoDB table. Enable DynamoDB Streams. Add code to the data producers to insert data into the table. Add code to the data consumers to use the DynamoDB Streams API to detect new table entries and retrieve the data.

182
A company wants to migrate its MySQL database from on premises to AWS. The company recently experienced a database outage that significantly impacted the business. To ensure this does not happen again, the company wants a reliable database solution on AWS that minimizes data loss and stores every transaction on at least two nodes.

Which solution meets these requirements?

 A. Create an Amazon RDS DB instance with synchronous replication to three nodes in three Availability Zones.

 B. Create an Amazon RDS MySQL DB instance with Multi-AZ functionality enabled to synchronously replicate the data. Most Voted

 C. Create an Amazon RDS MySQL DB instance and then create a read replica in a separate AWS Region that synchronously replicates the data.

 D. Create an Amazon EC2 instance with a MySQL engine installed that triggers an AWS Lambda function to synchronously replicate the data to an Amazon RDS MySQL DB instance.

183
A company is building a new dynamic ordering website. The company
wants to minimize server maintenance and patching. The website must be
highly available and must scale read and write capacity as quickly as
possible to meet changes in user demand.

Which solution will meet these requirements?

 A. Host static content in Amazon S3. Host dynamic content by using Amazon API Gateway and AWS Lambda. Use Amazon DynamoDB with on-demand capacity for the database. Configure Amazon CloudFront to deliver the website content. Most Voted

 B. Host static content in Amazon S3. Host dynamic content by using Amazon API Gateway and AWS Lambda. Use Amazon Aurora with Aurora Auto Scaling for the database. Configure Amazon CloudFront to deliver the website content.

 C. Host all the website content on Amazon EC2 instances. Create an Auto Scaling group to scale the EC2 instances. Use an Application Load Balancer to distribute traffic. Use Amazon DynamoDB with provisioned write capacity for the database.

 D. Host all the website content on Amazon EC2 instances. Create an Auto Scaling group to scale the EC2 instances. Use an Application Load Balancer to distribute traffic. Use Amazon Aurora with Aurora Auto Scaling for the database.

184
A company has an AWS account used for software engineering. The AWS
account has access to the company’s on-premises data center through a
pair of AWS Direct Connect connections. All non-VPC traffic routes to the
virtual private gateway.

A development team recently created an AWS Lambda function through the console. The development team needs to allow the function to access a database that runs in a private subnet in the company’s data center.

Which solution will meet these requirements?

 A. Configure the Lambda function to run in the VPC with the appropriate security group. Most Voted

 B. Set up a VPN connection from AWS to the data center. Route the traffic from the Lambda function through the VPN.

 C. Update the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect.

 D. Create an Elastic IP address. Configure the Lambda function to send traffic through the Elastic IP address without an elastic network interface.

185
A company runs an application using Amazon ECS. The application creates
resized versions of an original image and then makes Amazon S3 API calls
to store the resized images in Amazon S3.

How can a solutions architect ensure that the application has permission to access Amazon S3?

 A. Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the container.

 B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.

 C. Create a security group that allows access from Amazon ECS to Amazon S3, and update the launch configuration used by the ECS cluster.

 D. Create an IAM user with S3 permissions, and then relaunch the Amazon EC2 instances for the ECS cluster while logged in as this account.

186
A company has a Windows-based application that must be migrated to
AWS. The application requires the use of a shared Windows file system
attached to multiple Amazon EC2 Windows instances that are deployed
across multiple Availability Zones.

What should a solutions architect do to meet this requirement?

 A. Configure AWS Storage Gateway in volume gateway mode. Mount the volume to each Windows instance.

 B. Configure Amazon FSx for Windows File Server. Mount the Amazon FSx file system to each Windows instance.

 C. Configure a file system by using Amazon Elastic File System (Amazon EFS). Mount the EFS file system to each Windows instance.

 D. Configure an Amazon Elastic Block Store (Amazon EBS) volume with the required size. Attach each EC2 instance to the volume. Mount the file system within the volume to each Windows instance.

187
A company is developing an ecommerce application that will consist of a
load-balanced front end, a container-based application, and a relational
database. A solutions architect needs to create a highly available solution
that operates with as little manual intervention as possible.

Which solutions meet these requirements? (Choose two.)

 A. Create an Amazon RDS DB instance in Multi-AZ mode.

 B. Create an Amazon RDS DB instance and one or more replicas in another Availability Zone.

 C. Create an Amazon EC2 instance-based Docker cluster to handle the dynamic application load.

 D. Create an Amazon Elastic Container Service (Amazon ECS) cluster with a Fargate launch type to handle the dynamic application load.

 E. Create an Amazon Elastic Container Service (Amazon ECS) cluster with an Amazon EC2 launch type to handle the dynamic application load.

188
A company uses Amazon S3 as its data lake. The company has a new
partner that must use SFTP to upload data files. A solutions architect
needs to implement a highly available SFTP solution that minimizes
operational overhead.

Which solution will meet these requirements?

 A. Use AWS Transfer Family to configure an SFTP-enabled server with a publicly accessible endpoint. Choose the S3 data lake as the destination. Most Voted

 B. Use Amazon S3 File Gateway as an SFTP server. Expose the S3 File Gateway endpoint URL to the new partner. Share the S3 File Gateway endpoint with the new partner.

 C. Launch an Amazon EC2 instance in a private subnet in a VPC. Instruct the new partner to upload files to the EC2 instance by using a VPN. Run a cron job script on the EC2 instance to upload files to the S3 data lake.

 D. Launch Amazon EC2 instances in a private subnet in a VPC. Place a Network Load Balancer (NLB) in front of the EC2 instances. Create an SFTP listener port for the NLB. Share the NLB hostname with the new partner. Run a cron job script on the EC2 instances to upload files to the S3 data lake.

189
A company needs to store contract documents. A contract lasts for 5
years. During the 5-year period, the company must ensure that the
documents cannot be overwritten or deleted. The company needs to
encrypt the documents at rest and rotate the encryption keys
automatically every year.

Which combination of steps should a solutions architect take to meet these requirements with the LEAST operational overhead? (Choose two.)

 A. Store the documents in Amazon S3. Use S3 Object Lock in governance mode.

 B. Store the documents in Amazon S3. Use S3 Object Lock in compliance mode. Most Voted

 C. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure key rotation. Most Voted

 D. Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys. Configure key rotation.

 E. Use server-side encryption with AWS Key Management Service (AWS KMS) customer provided (imported) keys. Configure key rotation.

190
A company has a web application that is based on Java and PHP. The
company plans to move the application from on premises to AWS. The
company needs the ability to test new site features frequently. The
company also needs a highly available and managed solution that
requires minimum operational overhead.

Which solution will meet these requirements?

 A. Create an Amazon S3 bucket. Enable static web hosting on the S3 bucket. Upload the static content to the S3 bucket. Use AWS Lambda to process all dynamic content.

 B. Deploy the web application to an AWS Elastic Beanstalk environment. Use URL swapping to switch between multiple Elastic Beanstalk environments for feature testing. Most Voted

 C. Deploy the web application to Amazon EC2 instances that are configured with Java and PHP. Use Auto Scaling groups and an Application Load Balancer to manage the website’s availability.

 D. Containerize the web application. Deploy the web application to Amazon EC2 instances. Use the AWS Load Balancer Controller to dynamically route traffic between containers that contain the new site features for testing.

192
A hospital wants to create digital copies for its large collection of historical
written records. The hospital will continue to add hundreds of new
documents each day. The hospital’s data team will scan the documents
and will upload the documents to the AWS Cloud.

A solutions architect must implement a solution to analyze the documents, extract the medical information, and store the documents so that an application can run SQL queries on the data. The solution must maximize scalability and operational efficiency.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

 A. Write the document information to an Amazon EC2 instance that runs a MySQL database.

 B. Write the document information to an Amazon S3 bucket. Use Amazon Athena to query the data. Most Voted

 C. Create an Auto Scaling group of Amazon EC2 instances to run a custom application that processes the scanned files and extracts the medical information.

 D. Create an AWS Lambda function that runs when new documents are uploaded. Use Amazon Rekognition to convert the documents to raw text. Use Amazon Transcribe Medical to detect and extract relevant medical information from the text.

 E. Create an AWS Lambda function that runs when new documents are uploaded. Use Amazon Textract to convert the documents to raw text. Use Amazon Comprehend Medical to detect and extract relevant medical information from the text. Most Voted

193
A company is running a batch application on Amazon EC2 instances. The
application consists of a backend with multiple Amazon RDS databases.
The application is causing a high number of reads on the databases. A
solutions architect must reduce the number of database reads while
ensuring high availability.

What should the solutions architect do to meet this requirement?

 A. Add Amazon RDS read replicas.

 B. Use Amazon ElastiCache for Redis. Most Voted

 C. Use Amazon Route 53 DNS caching.

 D. Use Amazon ElastiCache for Memcached.

194
A company needs to run a critical application on AWS. The company
needs to use Amazon EC2 for the application’s database. The database
must be highly available and must fail over automatically if a disruptive
event occurs.

Which solution will meet these requirements?

 A. Launch two EC2 instances, each in a different Availability Zone in the same AWS Region. Install the database on both EC2 instances. Configure the EC2 instances as a cluster. Set up database replication. Most Voted

 B. Launch an EC2 instance in an Availability Zone. Install the database on the EC2 instance. Use an Amazon Machine Image (AMI) to back up the data. Use AWS CloudFormation to automate provisioning of the EC2 instance if a disruptive event occurs.

 C. Launch two EC2 instances, each in a different AWS Region. Install the database on both EC2 instances. Set up database replication. Fail over the database to a second Region.

 D. Launch an EC2 instance in an Availability Zone. Install the database on the EC2 instance. Use an Amazon Machine Image (AMI) to back up the data. Use EC2 automatic recovery to recover the instance if a disruptive event occurs.

195
A company’s order system sends requests from clients to Amazon EC2
instances. The EC2 instances process the orders and then store the orders
in a database on Amazon RDS. Users report that they must reprocess
orders when the system fails. The company wants a resilient solution that
can process orders automatically if a system outage occurs.

What should a solutions architect do to meet these requirements?

 A. Move the EC2 instances into an Auto Scaling group. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Elastic Container Service (Amazon ECS) task.

 B. Move the EC2 instances into an Auto Scaling group behind an Application Load Balancer (ALB). Update the order system to send messages to the ALB endpoint.

 C. Move the EC2 instances into an Auto Scaling group. Configure the order system to send messages to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the EC2 instances to consume messages from the queue. Most Voted

 D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function, and subscribe the function to the SNS topic. Configure the order system to send messages to the SNS topic. Send a command to the EC2 instances to process the messages by using AWS Systems Manager Run Command.

196
A company runs an application on a large fleet of Amazon EC2 instances.
The application reads and writes entries into an Amazon DynamoDB table.
The size of the DynamoDB table continuously grows, but the application
needs only data from the last 30 days. The company needs a solution that
minimizes cost and development effort.

Which solution meets these requirements?

 A. Use an AWS CloudFormation template to deploy the complete solution. Redeploy the CloudFormation stack every 30 days, and delete the original stack.

 B. Use an EC2 instance that runs a monitoring application from AWS Marketplace. Configure the monitoring application to use Amazon DynamoDB Streams to store the timestamp when a new item is created in the table. Use a script that runs on the EC2 instance to delete items that have a timestamp that is older than 30 days.

 C. Configure Amazon DynamoDB Streams to invoke an AWS Lambda function when a new item is created in the table. Configure the Lambda function to delete items in the table that are older than 30 days. Most Voted

 D. Extend the application to add an attribute that has a value of the current timestamp plus 30 days to each new item that is created in the table. Configure DynamoDB to use the attribute as the TTL attribute.

197
A company has a Microsoft .NET application that runs on an on-premises
Windows Server. The application stores data by using an Oracle Database
Standard Edition server. The company is planning a migration to AWS and
wants to minimize development changes while moving the application.
The AWS application environment should be highly available.

Which combination of actions should the company take to meet these
requirements? (Choose two.)

 A. Refactor the application as serverless with AWS Lambda functions
running .NET Core.

 B. Rehost the application in AWS Elastic Beanstalk with the .NET
platform in a Multi-AZ deployment. Most Voted

 C. Replatform the application to run on Amazon EC2 with the Amazon
Linux Amazon Machine Image (AMI).

 D. Use AWS Database Migration Service (AWS DMS) to migrate from the
Oracle database to Amazon DynamoDB in a Multi-AZ deployment.

 E. Use AWS Database Migration Service (AWS DMS) to migrate from the
Oracle database to Oracle on Amazon RDS in a Multi-AZ deployment. Most
Voted

198
A company runs a containerized application on a Kubernetes cluster in an
on-premises data center. The company is using a MongoDB database for
data storage. The company wants to migrate some of these environments
to AWS, but no code changes or deployment method changes are possible
at this time. The company needs a solution that minimizes operational
overhead.

Which solution meets these requirements?

 A. Use Amazon Elastic Container Service (Amazon ECS) with Amazon EC2
worker nodes for compute and MongoDB on EC2 for data storage.

 B. Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate
for compute and Amazon DynamoDB for data storage.

 C. Use Amazon Elastic Kubernetes Service (Amazon EKS) with Amazon EC2
worker nodes for compute and Amazon DynamoDB for data storage.

 D. Use Amazon Elastic Kubernetes Service (Amazon EKS) with AWS
Fargate for compute and Amazon DocumentDB (with MongoDB
compatibility) for data storage.

199
A telemarketing company is designing its customer call center
functionality on AWS. The company needs a solution that provides
multiple speaker recognition and generates transcript files. The company
wants to query the transcript files to analyze the business patterns. The
transcript files must be stored for 7 years for auditing purposes.

Which solution will meet these requirements?

 A. Use Amazon Rekognition for multiple speaker recognition. Store the
transcript files in Amazon S3. Use machine learning models for
transcript file analysis.

 B. Use Amazon Transcribe for multiple speaker recognition. Use Amazon
Athena for transcript file analysis. Most Voted

 C. Use Amazon Translate for multiple speaker recognition. Store the
transcript files in Amazon Redshift. Use SQL queries for transcript
file analysis.

 D. Use Amazon Rekognition for multiple speaker recognition. Store the
transcript files in Amazon S3. Use Amazon Textract for transcript file
analysis.

200
A company hosts its application on AWS. The company uses Amazon
Cognito to manage users. When users log in to the application, the
application fetches required data from Amazon DynamoDB by using a
REST API that is hosted in Amazon API Gateway. The company wants an
AWS managed solution that will control access to the REST API to reduce
development efforts.

Which solution will meet these requirements with the LEAST operational
overhead?

 A. Configure an AWS Lambda function to be an authorizer in API
Gateway to validate which user made the request.

 B. For each user, create and assign an API key that must be sent with
each request. Validate the key by using an AWS Lambda function.

 C. Send the user’s email address in the header with every request.
Invoke an AWS Lambda function to validate that the user with that
email address has proper access.

 D. Configure an Amazon Cognito user pool authorizer in API Gateway to
allow Amazon Cognito to validate each request. Most Voted

201
A company is developing a marketing communications service that
targets mobile app users. The company needs to send confirmation
messages with Short Message Service (SMS) to its users. The users must
be able to reply to the SMS messages. The company must store the
responses for a year for analysis.

What should a solutions architect do to meet these requirements?

 A. Create an Amazon Connect contact flow to send the SMS messages.
Use AWS Lambda to process the responses.

 B. Build an Amazon Pinpoint journey. Configure Amazon Pinpoint to send
events to an Amazon Kinesis data stream for analysis and archiving.
Most Voted

 C. Use Amazon Simple Queue Service (Amazon SQS) to distribute the SMS
messages. Use AWS Lambda to process the responses.

 D. Create an Amazon Simple Notification Service (Amazon SNS) FIFO
topic. Subscribe an Amazon Kinesis data stream to the SNS topic for
analysis and archiving.

202
A company is planning to move its data to an Amazon S3 bucket. The data
must be encrypted when it is stored in the S3 bucket. Additionally, the
encryption key must be automatically rotated every year.

Which solution will meet these requirements with the LEAST operational
overhead?

 A. Move the data to the S3 bucket. Use server-side encryption with
Amazon S3 managed encryption keys (SSE-S3). Use the built-in key
rotation behavior of SSE-S3 encryption keys.

 B. Create an AWS Key Management Service (AWS KMS) customer managed
key. Enable automatic key rotation. Set the S3 bucket’s default
encryption behavior to use the customer managed KMS key. Move the data
to the S3 bucket.

 C. Create an AWS Key Management Service (AWS KMS) customer
managed key. Set the S3 bucket’s default encryption behavior to
use the customer managed KMS key. Move the data to the S3
bucket. Manually rotate the KMS key every year.

 D. Encrypt the data with customer key material before moving the
data to the S3 bucket. Create an AWS Key Management Service
(AWS KMS) key without key material. Import the customer key
material into the KMS key. Enable automatic key rotation.

203
The customers of a finance company request appointments with financial
advisors by sending text messages. A web application that runs on
Amazon EC2 instances accepts the appointment requests. The text
messages are published to an Amazon Simple Queue Service (Amazon
SQS) queue through the web application. Another application that runs on
EC2 instances then sends meeting invitations and meeting confirmation
email messages to the customers. After successful scheduling, this
application stores the meeting information in an Amazon DynamoDB
database.

As the company expands, customers report that their meeting invitations
are taking longer to arrive.

What should a solutions architect recommend to resolve this issue?

 A. Add a DynamoDB Accelerator (DAX) cluster in front of the DynamoDB
database.

 B. Add an Amazon API Gateway API in front of the web application that
accepts the appointment requests.

 C. Add an Amazon CloudFront distribution. Set the origin as the web
application that accepts the appointment requests.

 D. Add an Auto Scaling group for the application that sends meeting
invitations. Configure the Auto Scaling group to scale based on the
depth of the SQS queue.

204
An online retail company has more than 50 million active customers and
receives more than 25,000 orders each day. The company collects
purchase data for customers and stores this data in Amazon S3. Additional
customer data is stored in Amazon RDS.

The company wants to make all the data available to various teams so
that the teams can perform analytics. The solution must provide the
ability to manage fine-grained permissions for the data and must
minimize operational overhead.

Which solution will meet these requirements?

 A. Migrate the purchase data to write directly to Amazon RDS. Use RDS
access controls to limit access.

 B. Schedule an AWS Lambda function to periodically copy data from
Amazon RDS to Amazon S3. Create an AWS Glue crawler. Use Amazon Athena
to query the data. Use S3 policies to limit access.

 C. Create a data lake by using AWS Lake Formation. Create an AWS Glue
JDBC connection to Amazon RDS. Register the S3 bucket in Lake
Formation. Use Lake Formation access controls to limit access. Most
Voted

 D. Create an Amazon Redshift cluster. Schedule an AWS Lambda function
to periodically copy data from Amazon S3 and Amazon RDS to Amazon
Redshift. Use Amazon Redshift access controls to limit access.

205
A company hosts a marketing website in an on-premises data center. The
website consists of static documents and runs on a single server. An
administrator updates the website content infrequently and uses an SFTP
client to upload new documents.

The company decides to host its website on AWS and to use Amazon
CloudFront. The company’s solutions architect creates a CloudFront
distribution. The solutions architect must design the most cost-effective
and resilient architecture for website hosting to serve as the CloudFront
origin.

Which solution will meet these requirements?

 A. Create a virtual server by using Amazon Lightsail. Configure the
web server in the Lightsail instance. Upload website content by using
an SFTP client.

 B. Create an AWS Auto Scaling group for Amazon EC2 instances. Use an
Application Load Balancer. Upload website content by using an SFTP
client.

 C. Create a private Amazon S3 bucket. Use an S3 bucket policy to allow
access from a CloudFront origin access identity (OAI). Upload website
content by using the AWS CLI.

 D. Create a public Amazon S3 bucket. Configure AWS Transfer for
SFTP. Configure the S3 bucket for website hosting. Upload website
content by using the SFTP client.

206
A company wants to manage Amazon Machine Images (AMIs). The
company currently copies AMIs to the same AWS Region where the AMIs
were created. The company needs to design an application that captures
AWS API calls and sends alerts whenever the Amazon EC2 CreateImage
API operation is called within the company’s account.

Which solution will meet these requirements with the LEAST operational
overhead?

 A. Create an AWS Lambda function to query AWS CloudTrail logs and to
send an alert when a CreateImage API call is detected.

 B. Configure AWS CloudTrail with an Amazon Simple Notification Service
(Amazon SNS) notification that occurs when updated logs are sent to
Amazon S3. Use Amazon Athena to create a new table and to query on
CreateImage when an API call is detected.

 C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for
the CreateImage API call. Configure the target as an Amazon Simple
Notification Service (Amazon SNS) topic to send an alert when a
CreateImage API call is detected. Most Voted

 D. Configure an Amazon Simple Queue Service (Amazon SQS) FIFO queue as
a target for AWS CloudTrail logs. Create an AWS Lambda function to send
an alert to an Amazon Simple Notification Service (Amazon SNS) topic
when a CreateImage API call is detected.
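Added example for question 206 (not part of the original question set): the event pattern an EventBridge rule would carry for option C, and a small matcher that applies it to two constructed CloudTrail events, one for CreateImage and one for RunInstances. The account ID, Region, user name and image ID in the sample events are placeholders. One caveat a practitioner should keep in mind: EventBridge receives CloudTrail events only in a Region where CloudTrail is logging, and CreateImage is a regional call, so the rule has to exist in every Region where images can be created.

```python
"""Added example: EventBridge-style exact matching of a CloudTrail event.

The pattern below is what an EventBridge rule for option C would carry.
The two sample events are constructed for this example in the shape of the
"AWS API Call via CloudTrail" envelope; account, region, user and image ID
are placeholders."""

# Each leaf of a pattern is a list of acceptable exact values; nested objects
# narrow the match to fields inside the CloudTrail "detail" record.
CREATE_IMAGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["CreateImage"],
    },
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern`: every key in the pattern must
    exist in the event, a nested dict recurses, and a list is the set of
    allowed values for that field (an array field matches if any element
    is allowed)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in values):
                return False
        else:
            raise ValueError("pattern leaves must be lists of literal values")
    return True


# Constructed sample events (placeholder identifiers).
CREATE_IMAGE_EVENT = {
    "version": "0",
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateImage",
        "userIdentity": {"type": "IAMUser", "userName": "build-user"},
        "requestParameters": {"instanceId": "i-0abc12345def67890",
                              "name": "golden-ami"},
        "responseElements": {"imageId": "ami-0abc12345def67890"},
    },
}

RUN_INSTANCES_EVENT = {
    "version": "0",
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
}


def alert_message(event):
    """Text an SNS target would publish for a matching event, else None."""
    if not matches(CREATE_IMAGE_PATTERN, event):
        return None
    detail = event["detail"]
    who = detail.get("userIdentity", {}).get("userName", "unknown")
    image = detail.get("responseElements", {}).get("imageId", "?")
    return (f"CreateImage called in {event['account']}/{event['region']} "
            f"by {who}: {image}")


if __name__ == "__main__":
    for ev in (CREATE_IMAGE_EVENT, RUN_INSTANCES_EVENT):
        print(ev["detail"]["eventName"], "->", alert_message(ev))
```

The matcher implements only exact-value matching, which is all this rule needs; real EventBridge patterns also support prefix, anything-but and numeric operators.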

207
A company owns an asynchronous API that is used to ingest user requests
and, based on the request type, dispatch requests to the appropriate
microservice for processing. The company is using Amazon API Gateway
to deploy the API front end, and an AWS Lambda function that invokes
Amazon DynamoDB to store user requests before dispatching them to the
processing microservices.

The company provisioned as much DynamoDB throughput as its budget
allows, but the company is still experiencing availability issues and
is losing user requests.

What should a solutions architect do to address this issue without
impacting existing users?

 A. Add throttling on the API Gateway with server-side throttling
limits.

 B. Use DynamoDB Accelerator (DAX) and Lambda to buffer writes to
DynamoDB.

 C. Create a secondary index in DynamoDB for the table with the user
requests.

 D. Use the Amazon Simple Queue Service (Amazon SQS) queue and
Lambda to buffer writes to DynamoDB.

208
A company needs to move data from an Amazon EC2 instance to an
Amazon S3 bucket. The company must ensure that no API calls and no
data are routed through public internet routes. Only the EC2 instance can
have access to upload data to the S3 bucket.

Which solution will meet these requirements?

 A. Create an interface VPC endpoint for Amazon S3 in the subnet where
the EC2 instance is located. Attach a resource policy to the S3 bucket
to only allow the EC2 instance’s IAM role for access. Most Voted

 B. Create a gateway VPC endpoint for Amazon S3 in the Availability
Zone where the EC2 instance is located. Attach appropriate security
groups to the endpoint. Attach a resource policy to the S3 bucket to
only allow the EC2 instance’s IAM role for access.

 C. Run the nslookup tool from inside the EC2 instance to obtain the
private IP address of the S3 bucket’s service API endpoint. Create a
route in the VPC route table to provide the EC2 instance with access
to the S3 bucket. Attach a resource policy to the S3 bucket to only
allow the EC2 instance’s IAM role for access.

 D. Use the AWS provided, publicly available [Link] file to obtain the
private IP address of the S3 bucket’s service API endpoint. Create a
route in the VPC route table to provide the EC2 instance with access
to the S3 bucket. Attach a resource policy to the S3 bucket to only
allow the EC2 instance’s IAM role for access.

209
A solutions architect is designing the architecture of a new application
being deployed to the AWS Cloud. The application will run on Amazon EC2
On-Demand Instances and will automatically scale across multiple
Availability Zones. The EC2 instances will scale up and down frequently
throughout the day. An Application Load Balancer (ALB) will handle the
load distribution. The architecture needs to support distributed session
data management. The company is willing to make changes to code if
needed.

What should the solutions architect do to ensure that the architecture
supports distributed session data management?

 A. Use Amazon ElastiCache to manage and store session data.

 B. Use session affinity (sticky sessions) of the ALB to manage session
data.

 C. Use Session Manager from AWS Systems Manager to manage the session.

 D. Use the GetSessionToken API operation in AWS Security Token Service
(AWS STS) to manage the session.

210
A company offers a food delivery service that is growing rapidly. Because
of the growth, the company’s order processing system is experiencing
scaling problems during peak traffic hours. The current architecture
includes the following:

• A group of Amazon EC2 instances that run in an Amazon EC2 Auto
Scaling group to collect orders from the application
• Another group of EC2 instances that run in an Amazon EC2 Auto Scaling
group to fulfill orders

The order collection process occurs quickly, but the order fulfillment
process can take longer. Data must not be lost because of a scaling event.

A solutions architect must ensure that the order collection process and the
order fulfillment process can both scale properly during peak traffic hours.
The solution must optimize utilization of the company’s AWS resources.

Which solution meets these requirements?

 A. Use Amazon CloudWatch metrics to monitor the CPU of each instance
in the Auto Scaling groups. Configure each Auto Scaling group’s minimum
capacity according to peak workload values.

 B. Use Amazon CloudWatch metrics to monitor the CPU of each instance
in the Auto Scaling groups. Configure a CloudWatch alarm to invoke an
Amazon Simple Notification Service (Amazon SNS) topic that creates
additional Auto Scaling groups on demand.

 C. Provision two Amazon Simple Queue Service (Amazon SQS) queues: one
for order collection and another for order fulfillment. Configure the
EC2 instances to poll their respective queue. Scale the Auto Scaling
groups based on notifications that the queues send.

 D. Provision two Amazon Simple Queue Service (Amazon SQS) queues: one
for order collection and another for order fulfillment. Configure the
EC2 instances to poll their respective queue. Create a metric based on
a backlog per instance calculation. Scale the Auto Scaling groups
based on this metric. Most Voted

211
A company hosts multiple production applications. One of the applications
consists of resources from Amazon EC2, AWS Lambda, Amazon RDS,
Amazon Simple Notification Service (Amazon SNS), and Amazon Simple
Queue Service (Amazon SQS) across multiple AWS Regions. All company
resources are tagged with a tag name of “application” and a value that
corresponds to each application. A solutions architect must provide the
quickest solution for identifying all of the tagged components.

Which solution meets these requirements?

 A. Use AWS CloudTrail to generate a list of resources with the
application tag.

 B. Use the AWS CLI to query each service across all Regions to report
the tagged components.

 C. Run a query in Amazon CloudWatch Logs Insights to report on the
components with the application tag.

 D. Run a query with the AWS Resource Groups Tag Editor to report
on the resources globally with the application tag. Most Voted

212
A company needs to export its database once a day to Amazon S3 for
other teams to access. The exported object size varies between 2 GB and
5 GB. The S3 access pattern for the data is variable and changes rapidly.
The data must be immediately available and must remain accessible for
up to 3 months. The company needs the most cost-effective solution that
will not increase retrieval time.

Which S3 storage class should the company use to meet these
requirements?

 A. S3 Intelligent-Tiering Most Voted

 B. S3 Glacier Instant Retrieval

 C. S3 Standard

 D. S3 Standard-Infrequent Access (S3 Standard-IA)


213
A company is developing a new mobile app. The company must
implement proper traffic filtering to protect its Application Load Balancer
(ALB) against common application-level attacks, such as cross-site
scripting or SQL injection. The company has minimal infrastructure and
operational staff. The company needs to reduce its share of the
responsibility in managing, updating, and securing servers for its AWS
environment.

What should a solutions architect recommend to meet these
requirements?

 A. Configure AWS WAF rules and associate them with the ALB. Most
Voted

 B. Deploy the application using Amazon S3 with public hosting
enabled.

 C. Deploy AWS Shield Advanced and add the ALB as a protected
resource. Most Voted

 D. Create a new ALB that directs traffic to an Amazon EC2 instance
running a third-party firewall, which then passes the traffic to the
current ALB.

214
A company’s reporting system delivers hundreds of .csv files to an
Amazon S3 bucket each day. The company must convert these files to
Apache Parquet format and must store the files in a transformed data
bucket.

Which solution will meet these requirements with the LEAST development
effort?

 A. Create an Amazon EMR cluster with Apache Spark installed. Write a
Spark application to transform the data. Use EMR File System (EMRFS)
to write files to the transformed data bucket.

 B. Create an AWS Glue crawler to discover the data. Create an AWS Glue
extract, transform, and load (ETL) job to transform the data. Specify
the transformed data bucket in the output step. Most Voted

 C. Use AWS Batch to create a job definition with Bash syntax to
transform the data and output the data to the transformed data bucket.
Use the job definition to submit a job. Specify an array job as the
job type.

 D. Create an AWS Lambda function to transform the data and output the
data to the transformed data bucket. Configure an event notification
for the S3 bucket. Specify the Lambda function as the destination for
the event notification.

215
A company has 700 TB of backup data stored in network attached storage
(NAS) in its data center. This backup data needs to be accessible for
infrequent regulatory requests and must be retained for 7 years. The
company has decided to migrate this backup data from its data center to
AWS. The migration must be complete within 1 month. The company has
500 Mbps of dedicated bandwidth on its public internet connection
available for data transfer.

What should a solutions architect do to migrate and store the data at the
LOWEST cost?

 A. Order AWS Snowball devices to transfer the data. Use a lifecycle
policy to transition the files to Amazon S3 Glacier Deep Archive.

 B. Deploy a VPN connection between the data center and Amazon VPC.
Use the AWS CLI to copy the data from on premises to Amazon S3
Glacier.

 C. Provision a 500 Mbps AWS Direct Connect connection and transfer
the data to Amazon S3. Use a lifecycle policy to transition the files
to Amazon S3 Glacier Deep Archive.

 D. Use AWS DataSync to transfer the data and deploy a DataSync agent
on premises. Use the DataSync task to copy files from the on-premises
NAS storage to Amazon S3 Glacier.

216
A company has a serverless website with millions of objects in an Amazon
S3 bucket. The company uses the S3 bucket as the origin for an Amazon
CloudFront distribution. The company did not set encryption on the S3
bucket before the objects were loaded. A solutions architect needs to
enable encryption for all existing objects and for all objects that are added
to the S3 bucket in the future.

Which solution will meet these requirements with the LEAST amount of
effort?

 A. Create a new S3 bucket. Turn on the default encryption settings
for the new S3 bucket. Download all existing objects to temporary
local storage. Upload the objects to the new S3 bucket.

 B. Turn on the default encryption settings for the S3 bucket. Use the
S3 Inventory feature to create a .csv file that lists the unencrypted
objects. Run an S3 Batch Operations job that uses the copy command to
encrypt those objects. Most Voted

 C. Create a new encryption key by using AWS Key Management Service
(AWS KMS). Change the settings on the S3 bucket to use server-side
encryption with AWS KMS managed encryption keys (SSE-KMS). Turn on
versioning for the S3 bucket.

 D. Navigate to Amazon S3 in the AWS Management Console. Browse the S3
bucket’s objects. Sort by the encryption field. Select each
unencrypted object. Use the Modify button to apply default encryption
settings to every unencrypted object in the S3 bucket.

217
A company runs a global web application on Amazon EC2 instances
behind an Application Load Balancer. The application stores data in
Amazon Aurora. The company needs to create a disaster recovery solution
and can tolerate up to 30 minutes of downtime and potential data loss.
The solution does not need to handle the load when the primary
infrastructure is healthy.

What should a solutions architect do to meet these requirements?

 A. Deploy the application with the required infrastructure elements
in place. Use Amazon Route 53 to configure active-passive failover.
Create an Aurora Replica in a second AWS Region. Most Voted

 B. Host a scaled-down deployment of the application in a second AWS
Region. Use Amazon Route 53 to configure active-active failover.
Create an Aurora Replica in the second Region.

 C. Replicate the primary infrastructure in a second AWS Region. Use
Amazon Route 53 to configure active-active failover. Create an Aurora
database that is restored from the latest snapshot.

 D. Back up data with AWS Backup. Use the backup to create the
required infrastructure in a second AWS Region. Use Amazon Route
53 to configure active-passive failover. Create an Aurora second
primary instance in the second Region.

218
A company has a web server running on an Amazon EC2 instance in a
public subnet with an Elastic IP address. The default security group is
assigned to the EC2 instance. The default network ACL has been modified
to block all traffic. A solutions architect needs to make the web server
accessible from everywhere on port 443.

Which combination of steps will accomplish this task? (Choose two.)

 A. Create a security group with a rule to allow TCP port 443 from
source [Link]/0. Most Voted

 B. Create a security group with a rule to allow TCP port 443 to
destination [Link]/0.

 C. Update the network ACL to allow TCP port 443 from source
[Link]/0.

 D. Update the network ACL to allow inbound/outbound TCP port 443 from
source [Link]/0 and to destination [Link]/0.

 E. Update the network ACL to allow inbound TCP port 443 from
source [Link]/0 and outbound TCP port 32768-65535 to destination
[Link]/0. Most Voted
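Added example for question 218 (not part of the original question set): a simulation of how a stateful security group and a stateless network ACL each evaluate an HTTPS connection from an arbitrary internet client, using the any-address CIDR 0.0.0.0/0 for "everywhere". The rule shapes, the client address and the client port are constructed for the example. It shows why the network ACL needs an outbound rule covering the client's ephemeral port in addition to the inbound 443 rule, while the security group only needs the inbound rule. A caveat that practitioners run into: client ephemeral ranges vary (Linux defaults to 32768-60999, Windows to 49152-65535, and NAT devices can use anything above 1024), so AWS's own guidance is to open 1024-65535 outbound on a network ACL; the example keeps the 32768-65535 range from option E, and the last check shows a client below that range being dropped.

```python
"""Added example: stateful security group vs stateless network ACL.

Rule shapes, addresses and ports are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp"
    port_from: int
    port_to: int
    cidr: str           # source CIDR for inbound, destination CIDR for outbound
    allow: bool = True  # security groups are allow-only; NACLs can also deny
    number: int = 100   # NACL rule number; the lowest matching number wins


def _rule_matches(rule, direction, protocol, port, address):
    return (rule.direction == direction and rule.protocol == protocol
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr))


def security_group_allows(rules, direction, protocol, port, address):
    """Stateful: once the initiating packet is allowed, the return traffic is
    tracked and allowed automatically, so only the initiating direction is
    ever evaluated here."""
    return any(_rule_matches(r, direction, protocol, port, address) for r in rules)


def nacl_allows(rules, direction, protocol, port, address):
    """Stateless: every packet is evaluated against the numbered rules for its
    direction; the first (lowest-numbered) match decides; no match means the
    implicit final deny ("*")."""
    for r in sorted(rules, key=lambda r: r.number):
        if _rule_matches(r, direction, protocol, port, address):
            return r.allow
    return False


def https_session_succeeds(sg_rules, nacl_rules, client_ip, client_port):
    """A TCP session needs the SYN in and the SYN-ACK back out.  The security
    group only has to allow the inbound half; the NACL must allow both halves,
    with the reply addressed to the client's ephemeral port."""
    sg_ok = security_group_allows(sg_rules, "inbound", "tcp", 443, client_ip)
    nacl_in = nacl_allows(nacl_rules, "inbound", "tcp", 443, client_ip)
    nacl_out = nacl_allows(nacl_rules, "outbound", "tcp", client_port, client_ip)
    return sg_ok and nacl_in and nacl_out


# Option A: one inbound security-group rule for TCP/443 from anywhere.
SG_RULES = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0")]

# Option E: NACL allows inbound 443 and the outbound ephemeral return traffic.
NACL_OPTION_E = [
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", number=100),
    Rule("outbound", "tcp", 32768, 65535, "0.0.0.0/0", number=100),
]

# Option C on its own: inbound 443 only, so the reply packet is dropped.
NACL_OPTION_C = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", number=100)]

# Option E plus a lower-numbered deny for one constructed abusive prefix,
# showing that NACL rule order, not rule presence, decides.
NACL_OPTION_E_WITH_BLOCK = [
    Rule("inbound", "tcp", 443, 443, "198.51.100.0/24", allow=False, number=50),
] + NACL_OPTION_E

if __name__ == "__main__":
    client = "203.0.113.10"
    print("A+E, ephemeral 51234:", https_session_succeeds(SG_RULES, NACL_OPTION_E, client, 51234))
    print("A+C, ephemeral 51234:", https_session_succeeds(SG_RULES, NACL_OPTION_C, client, 51234))
    print("A+E, ephemeral 1025: ", https_session_succeeds(SG_RULES, NACL_OPTION_E, client, 1025))
```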

219
A solutions architect is implementing a document review application using
an Amazon S3 bucket for storage. The solution must prevent accidental
deletion of the documents and ensure that all versions of the documents
are available. Users must be able to download, modify, and upload
documents.

Which combination of actions should be taken to meet these
requirements? (Choose two.)

 A. Enable a read-only bucket ACL.

 B. Enable versioning on the bucket. Most Voted

 C. Attach an IAM policy to the bucket.

 D. Enable MFA Delete on the bucket. Most Voted

 E. Encrypt the bucket using AWS KMS.

220
A solutions architect is designing a new API using Amazon API Gateway
that will receive requests from users. The volume of requests is highly
variable; several hours can pass without receiving a single request. The
data processing will take place asynchronously, but should be completed
within a few seconds after a request is made.

Which compute service should the solutions architect have the API invoke
to deliver the requirements at the lowest cost?

 A. An AWS Glue job

 B. An AWS Lambda function Most Voted

 C. A containerized service hosted in Amazon Elastic Kubernetes
Service (Amazon EKS)

 D. A containerized service hosted in Amazon ECS with Amazon EC2

221
A company runs an application on a group of Amazon Linux EC2 instances.
For compliance reasons, the company must retain all application log files
for 7 years. The log files will be analyzed by a reporting tool that must be
able to access all the files concurrently.

Which storage solution meets these requirements MOST cost-effectively?

 A. Amazon Elastic Block Store (Amazon EBS)

 B. Amazon Elastic File System (Amazon EFS)

 C. Amazon EC2 instance store

 D. Amazon S3

222
A company has hired an external vendor to perform work in the
company’s AWS account. The vendor uses an automated tool that is
hosted in an AWS account that the vendor owns. The vendor does not
have IAM access to the company’s AWS account.

How should a solutions architect grant this access to the vendor?

 A. Create an IAM role in the company’s account to delegate access to
the vendor’s IAM role. Attach the appropriate IAM policies to the role
for the permissions that the vendor requires. Most Voted

 B. Create an IAM user in the company’s account with a password that
meets the password complexity requirements. Attach the appropriate IAM
policies to the user for the permissions that the vendor requires.

 C. Create an IAM group in the company’s account. Add the tool’s IAM
user from the vendor account to the group. Attach the appropriate IAM
policies to the group for the permissions that the vendor requires.

 D. Create a new identity provider by choosing “AWS account” as the
provider type in the IAM console. Supply the vendor’s AWS account ID
and user name. Attach the appropriate IAM policies to the new provider
for the permissions that the vendor requires.
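Added example for questions 208 and 222 (not part of the original question set): a reduced model of IAM policy evaluation (explicit Deny wins, otherwise some Allow must match, default Deny; only the StringEquals and StringNotEquals operators) applied to two resource policies of the kind those questions call for. The first is a bucket policy that admits uploads only from one instance role and only when the request arrives through one VPC endpoint (question 208); the second is a cross-account role trust policy that lets the vendor's automation role assume the role only when it presents an agreed external ID (question 222). Account IDs, role names, the bucket name, the endpoint ID and the external ID are placeholders. The model consults only the resource policy; a real request is also checked against identity-based policies, service control policies and permissions boundaries. Two caveats worth knowing: the aws:SourceVpce condition works with both gateway and interface endpoints for S3 (a gateway endpoint is associated with route tables, not with an Availability Zone or security groups, which is why option B of question 208 is mis-worded), and a blanket Deny on the bucket also locks out administrators who are not coming through the endpoint, so in practice it is narrowed with an aws:PrincipalArn exception. The sts:ExternalId condition is the standard confused-deputy control for third-party access; the vendor's tool supplies the value in its AssumeRole call.

```python
"""Added example: reduced IAM policy evaluation over two resource policies.

All identifiers (accounts, roles, bucket, VPC endpoint, external ID) are
placeholders.  Only the resource-based policy is consulted."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate StringEquals / StringNotEquals blocks against the request
    context.  A key absent from the context makes StringEquals false and
    StringNotEquals true, which is how IAM treats missing keys."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, wanted in pairs.items():
            present = ctx.get(key) in _as_list(wanted)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def _principal_matches(principal, principal_arn):
    if principal == "*":
        return True
    return any(fnmatchcase(principal_arn, p) for p in _as_list(principal.get("AWS", [])))


def evaluate(policy, principal_arn, action, resource, ctx):
    """Explicit Deny overrides everything; otherwise an Allow is required."""
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st.get("Principal", "*"), principal_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Question 208: placeholder bucket, instance role and the VPC endpoint that the
# instance's subnet route table sends S3 traffic through.
BUCKET = "arn:aws:s3:::example-upload-bucket"
INSTANCE_ROLE = "arn:aws:iam::111122223333:role/uploader-instance-role"
VPCE_ID = "vpce-0123456789abcdef0"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowInstanceRoleViaEndpoint", "Effect": "Allow",
         "Principal": {"AWS": INSTANCE_ROLE}, "Action": "s3:PutObject",
         "Resource": f"{BUCKET}/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}}},
        {"Sid": "DenyAnythingNotViaEndpoint", "Effect": "Deny",
         "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, f"{BUCKET}/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    ],
}

# Question 222: placeholder vendor role and the external ID agreed out of band.
VENDOR_ROLE = "arn:aws:iam::444455556666:role/vendor-automation"
EXTERNAL_ID = "example-external-id-7f3c"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": VENDOR_ROLE},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}},
    ],
}


def can_upload(principal_arn, source_vpce=None):
    """Would a PutObject from this principal pass the bucket policy?
    source_vpce is None when the request did not come through an endpoint."""
    ctx = {"aws:SourceVpce": source_vpce} if source_vpce else {}
    return evaluate(BUCKET_POLICY, principal_arn, "s3:PutObject",
                    f"{BUCKET}/report.csv", ctx)


def can_assume(principal_arn, external_id=None):
    """Would this AssumeRole call pass the role's trust policy?"""
    ctx = {"sts:ExternalId": external_id} if external_id else {}
    return evaluate(TRUST_POLICY, principal_arn, "sts:AssumeRole", "*", ctx)


if __name__ == "__main__":
    print("instance role via endpoint:", can_upload(INSTANCE_ROLE, VPCE_ID))
    print("instance role via internet:", can_upload(INSTANCE_ROLE))
    print("vendor with external ID:   ", can_assume(VENDOR_ROLE, EXTERNAL_ID))
    print("vendor without external ID:", can_assume(VENDOR_ROLE))
```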

223
A company has deployed a Java Spring Boot application as a pod that runs
on Amazon Elastic Kubernetes Service (Amazon EKS) in private subnets.
The application needs to write data to an Amazon DynamoDB table. A
solutions architect must ensure that the application can interact with the
DynamoDB table without exposing traffic to the internet.

Which combination of steps should the solutions architect take to
accomplish this goal? (Choose two.)

 A. Attach an IAM role that has sufficient privileges to the EKS pod.
Most Voted

 B. Attach an IAM user that has sufficient privileges to the EKS pod.

 C. Allow outbound connectivity to the DynamoDB table through the


private subnets’ network ACLs.

 D. Create a VPC endpoint for DynamoDB. Most Voted

 E. Embed the access keys in the Java Spring Boot code.

224
A company recently migrated its web application to AWS by rehosting the
application on Amazon EC2 instances in a single AWS Region. The
company wants to redesign its application architecture to be highly
available and fault tolerant. Traffic must reach all running EC2 instances
randomly.

Which combination of steps should the company take to meet these
requirements? (Choose two.)

 A. Create an Amazon Route 53 failover routing policy.

 B. Create an Amazon Route 53 weighted routing policy.

 C. Create an Amazon Route 53 multivalue answer routing policy. Most
Voted

 D. Launch three EC2 instances: two instances in one Availability Zone
and one instance in another Availability Zone.

 E. Launch four EC2 instances: two instances in one Availability Zone
and two instances in another Availability Zone. Most Voted

225
A media company collects and analyzes user activity data on premises.
The company wants to migrate this capability to AWS. The user activity
data store will continue to grow and will be petabytes in size. The
company needs to build a highly available data ingestion solution that
facilitates on-demand analytics of existing data and new data with SQL.

Which solution will meet these requirements with the LEAST operational
overhead?

 A. Send activity data to an Amazon Kinesis data stream. Configure the
stream to deliver the data to an Amazon S3 bucket.

 B. Send activity data to an Amazon Kinesis Data Firehose delivery
stream. Configure the stream to deliver the data to an Amazon Redshift
cluster. Most Voted

 C. Place activity data in an Amazon S3 bucket. Configure Amazon S3 to
run an AWS Lambda function on the data as the data arrives in the S3
bucket.

 D. Create an ingestion service on Amazon EC2 instances that are
spread across multiple Availability Zones. Configure the service to
forward data to an Amazon RDS Multi-AZ database.

226
A company's near-real-time streaming application is running on AWS. As
the data is ingested, a job runs on the data and takes 30 minutes to
complete. The workload frequently experiences high latency due to large
amounts of incoming data. A solutions architect needs to design a
scalable and serverless solution to enhance performance.

Which combination of steps should the solutions architect take? (Choose
two.)

 A. Use Amazon Kinesis Data Firehose to ingest the data. Most Voted

 B. Use AWS Lambda with AWS Step Functions to process the data.

 C. Use AWS Database Migration Service (AWS DMS) to ingest the data.

 D. Use Amazon EC2 instances in an Auto Scaling group to process the
data.

 E. Use AWS Fargate with Amazon Elastic Container Service (Amazon ECS)
to process the data. Most Voted

227
A company needs to retain its AWS CloudTrail logs for 3 years. The
company is enforcing CloudTrail across a set of AWS accounts by using
AWS Organizations from the parent account. The CloudTrail target S3
bucket is configured with S3 Versioning enabled. An S3 Lifecycle policy is
in place to delete current objects after 3 years.

After the fourth year of use of the S3 bucket, the S3 bucket metrics show
that the number of objects has continued to rise. However, the number of
new CloudTrail logs that are delivered to the S3 bucket has remained
consistent.

Which solution will delete objects that are older than 3 years in the MOST
cost-effective manner?

 A. Configure the organization’s centralized CloudTrail trail to expire
objects after 3 years.

 B. Configure the S3 Lifecycle policy to delete previous versions as
well as current versions. Most Voted

 C. Create an AWS Lambda function to enumerate and delete objects from
Amazon S3 that are older than 3 years.

 D. Configure the parent account as the owner of all objects that are
delivered to the S3 bucket.

228
A company has an API that receives real-time data from a fleet of
monitoring devices. The API stores this data in an Amazon RDS DB
instance for later analysis. The amount of data that the monitoring
devices send to the API fluctuates. During periods of heavy traffic, the API
often returns timeout errors.

After an inspection of the logs, the company determines that the database
is not capable of processing the volume of write traffic that comes from
the API. A solutions architect must minimize the number of connections to
the database and must ensure that data is not lost during periods of
heavy traffic.

Which solution will meet these requirements?

 A. Increase the size of the DB instance to an instance type that has more available memory.

 B. Modify the DB instance to be a Multi-AZ DB instance. Configure the application to write to all active RDS DB instances.

 C. Modify the API to write incoming data to an Amazon Simple Queue Service (Amazon SQS) queue. Use an AWS Lambda function that Amazon SQS invokes to write data from the queue to the database.

 D. Modify the API to write incoming data to an Amazon Simple Notification Service (Amazon SNS) topic. Use an AWS Lambda function that Amazon SNS invokes to write data from the topic to the database.

229
A company manages its own Amazon EC2 instances that run MySQL
databases. The company is manually managing replication and scaling as
demand increases or decreases. The company needs a new solution that
simplifies the process of adding or removing compute capacity to or from
its database tier as needed. The solution also must offer improved
performance, scaling, and durability with minimal effort from operations.

Which solution meets these requirements?

 A. Migrate the databases to Amazon Aurora Serverless for Aurora MySQL.

 B. Migrate the databases to Amazon Aurora Serverless for Aurora PostgreSQL.

 C. Combine the databases into one larger MySQL database. Run the larger database on larger EC2 instances.

 D. Create an EC2 Auto Scaling group for the database tier. Migrate the existing databases to the new environment.

230
A company is concerned that two NAT instances in use will no longer be
able to support the traffic needed for the company’s application. A
solutions architect wants to implement a solution that is highly available,
fault tolerant, and automatically scalable.

What should the solutions architect recommend?

 A. Remove the two NAT instances and replace them with two NAT
gateways in the same Availability Zone.

 B. Use Auto Scaling groups with Network Load Balancers for the NAT
instances in different Availability Zones.

 C. Remove the two NAT instances and replace them with two NAT
gateways in different Availability Zones.

 D. Replace the two NAT instances with Spot Instances in different Availability Zones and deploy a Network Load Balancer.

231
An application runs on an Amazon EC2 instance that has an Elastic IP
address in VPC A. The application requires access to a database in VPC B.
Both VPCs are in the same AWS account.

Which solution will provide the required access MOST securely?

 A. Create a DB instance security group that allows all traffic from the public IP address of the application server in VPC A.

 B. Configure a VPC peering connection between VPC A and VPC B. Most Voted

 C. Make the DB instance publicly accessible. Assign a public IP address to the DB instance.

 D. Launch an EC2 instance with an Elastic IP address into VPC B. Proxy all requests through the new EC2 instance.

232
A company runs demonstration environments for its customers on
Amazon EC2 instances. Each environment is isolated in its own VPC. The
company’s operations team needs to be notified when RDP or SSH access
to an environment has been established.

 A. Configure Amazon CloudWatch Application Insights to create AWS Systems Manager OpsItems when RDP or SSH access is detected.

 B. Configure the EC2 instances with an IAM instance profile that has an IAM role with the AmazonSSMManagedInstanceCore policy attached.

 C. Publish VPC flow logs to Amazon CloudWatch Logs. Create required metric filters. Create an Amazon CloudWatch metric alarm with a notification action for when the alarm is in the ALARM state. Most Voted

 D. Configure an Amazon EventBridge rule to listen for events of type EC2 Instance State-change Notification. Configure an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the operations team to the topic.

233
A solutions architect has created a new AWS account and must secure
AWS account root user access.

Which combination of actions will accomplish this? (Choose two.)

 A. Ensure the root user uses a strong password. Most Voted

 B. Enable multi-factor authentication to the root user. Most Voted

 C. Store root user access keys in an encrypted Amazon S3 bucket.

 D. Add the root user to a group containing administrative permissions.

 E. Apply the required permissions to the root user with an inline policy document.

234
A company is building a new web-based customer relationship
management application. The application will use several Amazon EC2
instances that are backed by Amazon Elastic Block Store (Amazon EBS)
volumes behind an Application Load Balancer (ALB). The application will
also use an Amazon Aurora database. All data for the application must be
encrypted at rest and in transit.
Which solution will meet these requirements?

 A. Use AWS Key Management Service (AWS KMS) certificates on the ALB to encrypt data in transit. Use AWS Certificate Manager (ACM) to encrypt the EBS volumes and Aurora database storage at rest.

 B. Use the AWS root account to log in to the AWS Management Console. Upload the company’s encryption certificates. While in the root account, select the option to turn on encryption for all data at rest and in transit for the account.

 C. Use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and Aurora database storage at rest. Attach an AWS Certificate Manager (ACM) certificate to the ALB to encrypt data in transit.

 D. Use BitLocker to encrypt all data at rest. Import the company’s TLS certificate keys to AWS Key Management Service (AWS KMS). Attach the KMS keys to the ALB to encrypt data in transit.

235
A company is moving its on-premises Oracle database to Amazon Aurora
PostgreSQL. The database has several applications that write to the same
tables. The applications need to be migrated one by one with a month in
between each migration. Management has expressed concerns that the
database has a high number of reads and writes. The data must be kept in
sync across both databases throughout the migration.

What should a solutions architect recommend?

 A. Use AWS DataSync for the initial migration. Use AWS Database Migration Service (AWS DMS) to create a change data capture (CDC) replication task and a table mapping to select all tables.

 B. Use AWS DataSync for the initial migration. Use AWS Database Migration Service (AWS DMS) to create a full load plus change data capture (CDC) replication task and a table mapping to select all tables.

 C. Use the AWS Schema Conversion Tool with AWS Database Migration Service (AWS DMS) using a memory optimized replication instance. Create a full load plus change data capture (CDC) replication task and a table mapping to select all tables. Most Voted

 D. Use the AWS Schema Conversion Tool with AWS Database Migration Service (AWS DMS) using a compute optimized replication instance. Create a full load plus change data capture (CDC) replication task and a table mapping to select the largest tables.

236
A company has a three-tier application for image sharing. The application
uses an Amazon EC2 instance for the front-end layer, another EC2
instance for the application layer, and a third EC2 instance for a MySQL
database. A solutions architect must design a scalable and highly
available solution that requires the least amount of change to the
application.

Which solution meets these requirements?

 A. Use Amazon S3 to host the front-end layer. Use AWS Lambda functions for the application layer. Move the database to an Amazon DynamoDB table. Use Amazon S3 to store and serve users’ images.

 B. Use load-balanced Multi-AZ AWS Elastic Beanstalk environments for the front-end layer and the application layer. Move the database to an Amazon RDS DB instance with multiple read replicas to serve users’ images.

 C. Use Amazon S3 to host the front-end layer. Use a fleet of EC2 instances in an Auto Scaling group for the application layer. Move the database to a memory optimized instance type to store and serve users’ images.

 D. Use load-balanced Multi-AZ AWS Elastic Beanstalk environments for the front-end layer and the application layer. Move the database to an Amazon RDS Multi-AZ DB instance. Use Amazon S3 to store and serve users’ images. Most Voted

237
An application running on an Amazon EC2 instance in VPC-A needs to
access files in another EC2 instance in VPC-B. Both VPCs are in separate
AWS accounts. The network administrator needs to design a solution to
configure secure access to EC2 instance in VPC-B from VPC-A. The
connectivity should not have a single point of failure or bandwidth
concerns.

Which solution will meet these requirements?

 A. Set up a VPC peering connection between VPC-A and VPC-B. Most Voted

 B. Set up VPC gateway endpoints for the EC2 instance running in VPC-B.

 C. Attach a virtual private gateway to VPC-B and set up routing from VPC-A.

 D. Create a private virtual interface (VIF) for the EC2 instance running in VPC-B and add appropriate routes from VPC-A.

238
A company wants to experiment with individual AWS accounts for its
engineer team. The company wants to be notified as soon as the Amazon
EC2 instance usage for a given month exceeds a specific threshold for
each account.

What should a solutions architect do to meet this requirement MOST cost-effectively?

 A. Use Cost Explorer to create a daily report of costs by service. Filter the report by EC2 instances. Configure Cost Explorer to send an Amazon Simple Email Service (Amazon SES) notification when a threshold is exceeded.

 B. Use Cost Explorer to create a monthly report of costs by service. Filter the report by EC2 instances. Configure Cost Explorer to send an Amazon Simple Email Service (Amazon SES) notification when a threshold is exceeded.

 C. Use AWS Budgets to create a cost budget for each account. Set the period to monthly. Set the scope to EC2 instances. Set an alert threshold for the budget. Configure an Amazon Simple Notification Service (Amazon SNS) topic to receive a notification when a threshold is exceeded. Most Voted

 D. Use AWS Cost and Usage Reports to create a report with hourly granularity. Integrate the report data with Amazon Athena. Use Amazon EventBridge to schedule an Athena query. Configure an Amazon Simple Notification Service (Amazon SNS) topic to receive a notification when a threshold is exceeded.

239
A solutions architect needs to design a new microservice for a company’s
application. Clients must be able to call an HTTPS endpoint to reach the
microservice. The microservice also must use AWS Identity and Access
Management (IAM) to authenticate calls. The solutions architect will write
the logic for this microservice by using a single AWS Lambda function that
is written in Go 1.x.

Which solution will deploy the function in the MOST operationally efficient
way?

 A. Create an Amazon API Gateway REST API. Configure the method to use the Lambda function. Enable IAM authentication on the API. Most Voted

 B. Create a Lambda function URL for the function. Specify AWS_IAM as the authentication type.

 C. Create an Amazon CloudFront distribution. Deploy the function to Lambda@Edge. Integrate IAM authentication logic into the Lambda@Edge function.

 D. Create an Amazon CloudFront distribution. Deploy the function to CloudFront Functions. Specify AWS_IAM as the authentication type.

240
A company previously migrated its data warehouse solution to AWS. The
company also has an AWS Direct Connect connection. Corporate office
users query the data warehouse using a visualization tool. The average
size of a query returned by the data warehouse is 50 MB and each
webpage sent by the visualization tool is approximately 500 KB. Result
sets returned by the data warehouse are not cached.
Which solution provides the LOWEST data transfer egress cost for the
company?

 A. Host the visualization tool on premises and query the data warehouse directly over the internet.

 B. Host the visualization tool in the same AWS Region as the data warehouse. Access it over the internet.

 C. Host the visualization tool on premises and query the data warehouse directly over a Direct Connect connection at a location in the same AWS Region.

 D. Host the visualization tool in the same AWS Region as the data warehouse and access it over a Direct Connect connection at a location in the same Region. Most Voted

241
An online learning company is migrating to the AWS Cloud. The company
maintains its student records in a PostgreSQL database. The company
needs a solution in which its data is available and online across multiple
AWS Regions at all times.

Which solution will meet these requirements with the LEAST amount of
operational overhead?

 A. Migrate the PostgreSQL database to a PostgreSQL cluster on Amazon EC2 instances.

 B. Migrate the PostgreSQL database to an Amazon RDS for PostgreSQL DB instance with the Multi-AZ feature turned on. Most Voted

 C. Migrate the PostgreSQL database to an Amazon RDS for PostgreSQL DB instance. Create a read replica in another Region. Most Voted

 D. Migrate the PostgreSQL database to an Amazon RDS for PostgreSQL DB instance. Set up DB snapshots to be copied to another Region.

242
A company hosts its web application on AWS using seven Amazon EC2
instances. The company requires that the IP addresses of all healthy EC2
instances be returned in response to DNS queries.

Which policy should be used to meet this requirement?

 A. Simple routing policy

 B. Latency routing policy

 C. Multivalue routing policy Most Voted

 D. Geolocation routing policy

243
A medical research lab produces data that is related to a new study. The
lab wants to make the data available with minimum latency to clinics
across the country for their on-premises, file-based applications. The data
files are stored in an Amazon S3 bucket that has read-only permissions for
each clinic.

What should a solutions architect recommend to meet these requirements?

 A. Deploy an AWS Storage Gateway file gateway as a virtual machine (VM) on premises at each clinic. Most Voted

 B. Migrate the files to each clinic’s on-premises applications by using AWS DataSync for processing.

 C. Deploy an AWS Storage Gateway volume gateway as a virtual machine (VM) on premises at each clinic.

 D. Attach an Amazon Elastic File System (Amazon EFS) file system to each clinic’s on-premises servers.

244
A company is using a content management system that runs on a single
Amazon EC2 instance. The EC2 instance contains both the web server and
the database software. The company must make its website platform
highly available and must enable the website to scale to meet user
demand.
What should a solutions architect recommend to meet these
requirements?

 A. Move the database to Amazon RDS, and enable automatic backups. Manually launch another EC2 instance in the same Availability Zone. Configure an Application Load Balancer in the Availability Zone, and set the two instances as targets.

 B. Migrate the database to an Amazon Aurora instance with a read replica in the same Availability Zone as the existing EC2 instance. Manually launch another EC2 instance in the same Availability Zone. Configure an Application Load Balancer, and set the two EC2 instances as targets.

 C. Move the database to Amazon Aurora with a read replica in another Availability Zone. Create an Amazon Machine Image (AMI) from the EC2 instance. Configure an Application Load Balancer in two Availability Zones. Attach an Auto Scaling group that uses the AMI across two Availability Zones. Most Voted

 D. Move the database to a separate EC2 instance, and schedule backups to Amazon S3. Create an Amazon Machine Image (AMI) from the original EC2 instance. Configure an Application Load Balancer in two Availability Zones. Attach an Auto Scaling group that uses the AMI across two Availability Zones.

245
A company is launching an application on AWS. The application uses an
Application Load Balancer (ALB) to direct traffic to at least two Amazon
EC2 instances in a single target group. The instances are in an Auto
Scaling group for each environment. The company requires a
development environment and a production environment. The production
environment will have periods of high traffic.

Which solution will configure the development environment MOST cost-effectively?

 A. Reconfigure the target group in the development environment to have only one EC2 instance as a target.

 B. Change the ALB balancing algorithm to least outstanding requests.

 C. Reduce the size of the EC2 instances in both environments.

 D. Reduce the maximum number of EC2 instances in the development environment’s Auto Scaling group. Most Voted

246
A company runs a web application on Amazon EC2 instances in multiple
Availability Zones. The EC2 instances are in private subnets. A solutions
architect implements an internet-facing Application Load Balancer (ALB)
and specifies the EC2 instances as the target group. However, the internet
traffic is not reaching the EC2 instances.

How should the solutions architect reconfigure the architecture to resolve this issue?

 A. Replace the ALB with a Network Load Balancer. Configure a NAT gateway in a public subnet to allow internet traffic.

 B. Move the EC2 instances to public subnets. Add a rule to the EC2 instances’ security groups to allow outbound traffic to 0.0.0.0/0.

 C. Update the route tables for the EC2 instances’ subnets to send 0.0.0.0/0 traffic through the internet gateway route. Add a rule to the EC2 instances’ security groups to allow outbound traffic to 0.0.0.0/0.

 D. Create public subnets in each Availability Zone. Associate the public subnets with the ALB. Update the route tables for the public subnets with a route to the private subnets. Most Voted

247
A company has deployed a database in Amazon RDS for MySQL. Due to
increased transactions, the database support team is reporting slow reads
against the DB instance and recommends adding a read replica.

Which combination of actions should a solutions architect take before implementing this change? (Choose two.)

 A. Enable binlog replication on the RDS primary node.

 B. Choose a failover priority for the source DB instance.

 C. Allow long-running transactions to complete on the source DB instance. Most Voted

 D. Create a global table and specify the AWS Regions where the table will be available.

 E. Enable automatic backups on the source instance by setting the backup retention period to a value other than 0. Most Voted

248
A company runs analytics software on Amazon EC2 instances. The
software accepts job requests from users to process data that has been
uploaded to Amazon S3. Users report that some submitted data is not
being processed. Amazon CloudWatch reveals that the EC2 instances have
a consistent CPU utilization at or near 100%. The company wants to
improve system performance and scale the system based on user load.

What should a solutions architect do to meet these requirements?

 A. Create a copy of the instance. Place all instances behind an Application Load Balancer.

 B. Create an S3 VPC endpoint for Amazon S3. Update the software to reference the endpoint.

 C. Stop the EC2 instances. Modify the instance type to one with a more powerful CPU and more memory. Restart the instances.

 D. Route incoming requests to Amazon Simple Queue Service (Amazon SQS). Configure an EC2 Auto Scaling group based on queue size. Update the software to read from the queue.

249
A company is implementing a shared storage solution for a media
application that is hosted in the AWS Cloud. The company needs the
ability to use SMB clients to access data. The solution must be fully
managed.

Which AWS solution meets these requirements?

 A. Create an AWS Storage Gateway volume gateway. Create a file share that uses the required client protocol. Connect the application server to the file share.

 B. Create an AWS Storage Gateway tape gateway. Configure tapes to use Amazon S3. Connect the application server to the tape gateway.

 C. Create an Amazon EC2 Windows instance. Install and configure a Windows file share role on the instance. Connect the application server to the file share.

 D. Create an Amazon FSx for Windows File Server file system. Attach the file system to the origin server. Connect the application server to the file system. Most Voted

250
A company’s security team requests that network traffic be captured in
VPC Flow Logs. The logs will be frequently accessed for 90 days and then
accessed intermittently.

What should a solutions architect do to meet these requirements when configuring the logs?

 A. Use Amazon CloudWatch as the target. Set the CloudWatch log group with an expiration of 90 days.

 B. Use Amazon Kinesis as the target. Configure the Kinesis stream to always retain the logs for 90 days.

 C. Use AWS CloudTrail as the target. Configure CloudTrail to save to an Amazon S3 bucket, and enable S3 Intelligent-Tiering.

 D. Use Amazon S3 as the target. Enable an S3 Lifecycle policy to transition the logs to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days. Most Voted

251
An Amazon EC2 instance is located in a private subnet in a new VPC. This
subnet does not have outbound internet access, but the EC2 instance
needs the ability to download monthly security updates from an outside
vendor.

What should a solutions architect do to meet these requirements?

 A. Create an internet gateway, and attach it to the VPC. Configure the private subnet route table to use the internet gateway as the default route.

 B. Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route. Most Voted

 C. Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the NAT instance as the default route.

 D. Create an internet gateway, and attach it to the VPC. Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the internet gateway as the default route.

252
A solutions architect needs to design a system to store client case files.
The files are core company assets and are important. The number of files
will grow over time.

The files must be simultaneously accessible from multiple application
servers that run on Amazon EC2 instances. The solution must have built-in
redundancy.

Which solution meets these requirements?

 A. Amazon Elastic File System (Amazon EFS) Most Voted

 B. Amazon Elastic Block Store (Amazon EBS)

 C. Amazon S3 Glacier Deep Archive

 D. AWS Backup

253
A solutions architect has created two IAM policies: Policy1 and Policy2.
Both policies are attached to an IAM group.
A cloud engineer is added as an IAM user to the IAM group. Which action
will the cloud engineer be able to perform?

 A. Deleting IAM users

 B. Deleting directories

 C. Deleting Amazon EC2 instances Most Voted

 D. Deleting logs from Amazon CloudWatch Logs

254
A company is reviewing a recent migration of a three-tier application to a
VPC. The security team discovers that the principle of least privilege is not
being applied to Amazon EC2 security group ingress and egress rules
between the application tiers.

What should a solutions architect do to correct this issue?

 A. Create security group rules using the instance ID as the source or destination.

 B. Create security group rules using the security group ID as the source or destination. Most Voted

 C. Create security group rules using the VPC CIDR blocks as the source or destination.

 D. Create security group rules using the subnet CIDR blocks as the source or destination.

255
A company has an ecommerce checkout workflow that writes an order to
a database and calls a service to process the payment. Users are
experiencing timeouts during the checkout process. When users resubmit
the checkout form, multiple unique orders are created for the same
desired transaction.

How should a solutions architect refactor this workflow to prevent the creation of multiple orders?

 A. Configure the web application to send an order message to Amazon Kinesis Data Firehose. Set the payment service to retrieve the message from Kinesis Data Firehose and process the order.

 B. Create a rule in AWS CloudTrail to invoke an AWS Lambda function based on the logged application path request. Use Lambda to query the database, call the payment service, and pass in the order information.

 C. Store the order in the database. Send a message that includes the order number to Amazon Simple Notification Service (Amazon SNS). Set the payment service to poll Amazon SNS, retrieve the message, and process the order.

 D. Store the order in the database. Send a message that includes the order number to an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Set the payment service to retrieve the message and process the order. Delete the message from the queue. Most Voted

256
A solutions architect is implementing a document review application using
an Amazon S3 bucket for storage. The solution must prevent accidental
deletion of the documents and ensure that all versions of the documents
are available. Users must be able to download, modify, and upload
documents. -BD

Which combination of actions should be taken to meet these requirements? (Choose two.)

 A. Enable a read-only bucket ACL.

 B. Enable versioning on the bucket.

 C. Attach an IAM policy to the bucket.

 D. Enable MFA Delete on the bucket.

 E. Encrypt the bucket using AWS KMS.

257
A company is building a solution that will report Amazon EC2 Auto Scaling
events across all the applications in an AWS account. The company needs
to use a serverless solution to store the EC2 Auto Scaling status data in
Amazon S3. The company then will use the data in Amazon S3 to provide
near-real-time updates in a dashboard. The solution must not affect the
speed of EC2 instance launches.

How should the company move the data to Amazon S3 to meet these
requirements?

 A. Use an Amazon CloudWatch metric stream to send the EC2 Auto Scaling status data to Amazon Kinesis Data Firehose. Store the data in Amazon S3. Most Voted

 B. Launch an Amazon EMR cluster to collect the EC2 Auto Scaling status data and send the data to Amazon Kinesis Data Firehose. Store the data in Amazon S3.

 C. Create an Amazon EventBridge rule to invoke an AWS Lambda function on a schedule. Configure the Lambda function to send the EC2 Auto Scaling status data directly to Amazon S3.

 D. Use a bootstrap script during the launch of an EC2 instance to install Amazon Kinesis Agent. Configure Kinesis Agent to collect the EC2 Auto Scaling status data and send the data to Amazon Kinesis Data Firehose. Store the data in Amazon S3.

258
A company has an application that places hundreds of .csv files into an
Amazon S3 bucket every hour. The files are 1 GB in size. Each time a file
is uploaded, the company needs to convert the file to Apache Parquet
format and place the output file into an S3 bucket.

Which solution will meet these requirements with the LEAST operational
overhead?

 A. Create an AWS Lambda function to download the .csv files, convert the files to Parquet format, and place the output files in an S3 bucket. Invoke the Lambda function for each S3 PUT event.

 B. Create an Apache Spark job to read the .csv files, convert the files to Parquet format, and place the output files in an S3 bucket. Create an AWS Lambda function for each S3 PUT event to invoke the Spark job.

 C. Create an AWS Glue table and an AWS Glue crawler for the S3 bucket where the application places the .csv files. Schedule an AWS Lambda function to periodically use Amazon Athena to query the AWS Glue table, convert the query results into Parquet format, and place the output files into an S3 bucket.

 D. Create an AWS Glue extract, transform, and load (ETL) job to convert the .csv files to Parquet format and place the output files into an S3 bucket. Create an AWS Lambda function for each S3 PUT event to invoke the ETL job. Most Voted

259
A company is implementing new data retention policies for all databases
that run on Amazon RDS DB instances. The company must retain daily
backups for a minimum period of 2 years. The backups must be consistent
and restorable.

Which solution should a solutions architect recommend to meet these requirements?

 A. Create a backup vault in AWS Backup to retain RDS backups. Create a new backup plan with a daily schedule and an expiration period of 2 years after creation. Assign the RDS DB instances to the backup plan. Most Voted

 B. Configure a backup window for the RDS DB instances for daily snapshots. Assign a snapshot retention policy of 2 years to each RDS DB instance. Use Amazon Data Lifecycle Manager (Amazon DLM) to schedule snapshot deletions.

 C. Configure database transaction logs to be automatically backed up to Amazon CloudWatch Logs with an expiration period of 2 years.

 D. Configure an AWS Database Migration Service (AWS DMS) replication task. Deploy a replication instance, and configure a change data capture (CDC) task to stream database changes to Amazon S3 as the target. Configure S3 Lifecycle policies to delete the snapshots after 2 years.

260
A company’s compliance team needs to move its file shares to AWS. The
shares run on a Windows Server SMB file share. A self-managed on-
premises Active Directory controls access to the files and folders.

The company wants to use Amazon FSx for Windows File Server as part of
the solution. The company must ensure that the on-premises Active
Directory groups restrict access to the FSx for Windows File Server SMB
compliance shares, folders, and files after the move to AWS. The company
has created an FSx for Windows File Server file system.

Which solution will meet these requirements?

 A. Create an Active Directory Connector to connect to the Active Directory. Map the Active Directory groups to IAM groups to restrict access.

 B. Assign a tag with a Restrict tag key and a Compliance tag value. Map the Active Directory groups to IAM groups to restrict access.

 C. Create an IAM service-linked role that is linked directly to FSx for Windows File Server to restrict access.

 D. Join the file system to the Active Directory to restrict access. Most Voted

261
A company recently announced the deployment of its retail website to a
global audience. The website runs on multiple Amazon EC2 instances
behind an Elastic Load Balancer. The instances run in an Auto Scaling
group across multiple Availability Zones.

The company wants to provide its customers with different versions of
content based on the devices that the customers use to access the
website.

Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)

 A. Configure Amazon CloudFront to cache multiple versions of the content. Most Voted

 B. Configure a host header in a Network Load Balancer to forward traffic to different instances.

 C. Configure a Lambda@Edge function to send specific objects to users based on the User-Agent header. Most Voted

 D. Configure AWS Global Accelerator. Forward requests to a Network Load Balancer (NLB). Configure the NLB to set up host-based routing to different EC2 instances.

 E. Configure AWS Global Accelerator. Forward requests to a Network Load Balancer (NLB). Configure the NLB to set up path-based routing to different EC2 instances.

262
A company plans to use Amazon ElastiCache for its multi-tier web
application. A solutions architect creates a Cache VPC for the ElastiCache
cluster and an App VPC for the application’s Amazon EC2 instances. Both
VPCs are in the us-east-1 Region.

The solutions architect must implement a solution to provide the application’s EC2 instances with access to the ElastiCache cluster.

Which solution will meet these requirements MOST cost-effectively?

A. Create a peering connection between the VPCs. Add a route table entry for the peering connection in both VPCs. Configure an inbound rule for the ElastiCache cluster’s security group to allow inbound connection from the application’s security group. Most Voted

B. Create a Transit VPC. Update the VPC route tables in the Cache VPC and the App VPC to route traffic through the Transit VPC. Configure an inbound rule for the ElastiCache cluster’s security group to allow inbound connection from the application’s security group.

C. Create a peering connection between the VPCs. Add a route table entry for the peering connection in both VPCs. Configure an inbound rule for the peering connection’s security group to allow inbound connection from the application’s security group.

D. Create a Transit VPC. Update the VPC route tables in the Cache VPC and the App VPC to route traffic through the Transit VPC. Configure an inbound rule for the Transit VPC’s security group to allow inbound connection from the application’s security group.

263
A company is building an application that consists of several microservices. The company has decided to use container technologies to deploy its software on AWS. The company needs a solution that minimizes the amount of ongoing effort for maintenance and scaling. The company cannot manage additional infrastructure.

Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)

A. Deploy an Amazon Elastic Container Service (Amazon ECS) cluster. Most Voted

B. Deploy the Kubernetes control plane on Amazon EC2 instances that span multiple Availability Zones.

C. Deploy an Amazon Elastic Container Service (Amazon ECS) service with an Amazon EC2 launch type. Specify a desired task number level of greater than or equal to 2.

D. Deploy an Amazon Elastic Container Service (Amazon ECS) service with a Fargate launch type. Specify a desired task number level of greater than or equal to 2. Most Voted

E. Deploy Kubernetes worker nodes on Amazon EC2 instances that span multiple Availability Zones. Create a deployment that specifies two or more replicas for each microservice.

264
A company has a web application hosted over 10 Amazon EC2 instances
with traffic directed by Amazon Route 53. The company occasionally
experiences a timeout error when attempting to browse the application.
The networking team finds that some DNS queries return IP addresses of
unhealthy instances, resulting in the timeout error.

What should a solutions architect implement to overcome these timeout errors?

A. Create a Route 53 simple routing policy record for each EC2 instance. Associate a health check with each record.

B. Create a Route 53 failover routing policy record for each EC2 instance. Associate a health check with each record.

C. Create an Amazon CloudFront distribution with EC2 instances as its origin. Associate a health check with the EC2 instances.

D. Create an Application Load Balancer (ALB) with a health check in front of the EC2 instances. Route to the ALB from Route 53. Most Voted

265
A solutions architect needs to design a highly available application consisting of web, application, and database tiers. HTTPS content delivery should be as close to the edge as possible, with the least delivery time.

Which solution meets these requirements and is MOST secure?

A. Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in public subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.

B. Configure a public Application Load Balancer with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin.

C. Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.

D. Configure a public Application Load Balancer with multiple redundant Amazon EC2 instances in public subnets. Configure Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin.

266
A company has a popular gaming platform running on AWS. The
application is sensitive to latency because latency can impact the user
experience and introduce unfair advantages to some players. The
application is deployed in every AWS Region. It runs on Amazon EC2
instances that are part of Auto Scaling groups configured behind
Application Load Balancers (ALBs). A solutions architect needs to
implement a mechanism to monitor the health of the application and
redirect traffic to healthy endpoints.

Which solution meets these requirements?

A. Configure an accelerator in AWS Global Accelerator. Add a listener for the port that the application listens on, and attach it to a Regional endpoint in each Region. Add the ALB as the endpoint. Most Voted

B. Create an Amazon CloudFront distribution and specify the ALB as the origin server. Configure the cache behavior to use origin cache headers. Use AWS Lambda functions to optimize the traffic.

C. Create an Amazon CloudFront distribution and specify Amazon S3 as the origin server. Configure the cache behavior to use origin cache headers. Use AWS Lambda functions to optimize the traffic.

D. Configure an Amazon DynamoDB database to serve as the data store for the application. Create a DynamoDB Accelerator (DAX) cluster to act as the in-memory cache for DynamoDB hosting the application data.

267
A company has one million users that use its mobile app. The company
must analyze the data usage in near-real time. The company also must
encrypt the data in near-real time and must store the data in a centralized
location in Apache Parquet format for further processing.

Which solution will meet these requirements with the LEAST operational
overhead?

A. Create an Amazon Kinesis data stream to store the data in Amazon S3. Create an Amazon Kinesis Data Analytics application to analyze the data. Invoke an AWS Lambda function to send the data to the Kinesis Data Analytics application.

B. Create an Amazon Kinesis data stream to store the data in Amazon S3. Create an Amazon EMR cluster to analyze the data. Invoke an AWS Lambda function to send the data to the EMR cluster.

C. Create an Amazon Kinesis Data Firehose delivery stream to store the data in Amazon S3. Create an Amazon EMR cluster to analyze the data.

D. Create an Amazon Kinesis Data Firehose delivery stream to store the data in Amazon S3. Create an Amazon Kinesis Data Analytics application to analyze the data. Most Voted

268
A gaming company has a web application that displays scores. The
application runs on Amazon EC2 instances behind an Application Load
Balancer. The application stores data in an Amazon RDS for MySQL
database. Users are starting to experience long delays and interruptions
that are caused by database read performance. The company wants to
improve the user experience while minimizing changes to the
application’s architecture.

What should a solutions architect do to meet these requirements?

A. Use Amazon ElastiCache in front of the database. Most Voted

B. Use RDS Proxy between the application and the database.

C. Migrate the application from EC2 instances to AWS Lambda.

D. Migrate the database from Amazon RDS for MySQL to Amazon DynamoDB.

269
An ecommerce company has noticed performance degradation of its
Amazon RDS based web application. The performance degradation is
attributed to an increase in the number of read-only SQL queries triggered
by business analysts. A solutions architect needs to solve the problem
with minimal changes to the existing web application.

What should the solutions architect recommend?

A. Export the data to Amazon DynamoDB and have the business analysts run their queries.

B. Load the data into Amazon ElastiCache and have the business analysts run their queries.

C. Create a read replica of the primary database and have the business analysts run their queries. Most Voted

D. Copy the data into an Amazon Redshift cluster and have the business analysts run their queries.

270
A company is using a centralized AWS account to store log data in various
Amazon S3 buckets. A solutions architect needs to ensure that the data is
encrypted at rest before the data is uploaded to the S3 buckets. The data
also must be encrypted in transit.

Which solution meets these requirements?

A. Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets. Most Voted

B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.

C. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys (SSE-S3) for S3 uploads.

D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management Service (AWS KMS) key.

271
A solutions architect observes that a nightly batch processing job is automatically scaled up for 1 hour before the desired Amazon EC2 capacity is reached. The peak capacity is the same every night and the batch jobs always start at 1 AM. The solutions architect needs to find a cost-effective solution that will allow for the desired EC2 capacity to be reached quickly and allow the Auto Scaling group to scale down after the batch jobs are complete.

What should the solutions architect do to meet these requirements?

A. Increase the minimum capacity for the Auto Scaling group.

B. Increase the maximum capacity for the Auto Scaling group.

C. Configure scheduled scaling to scale up to the desired compute level. Most Voted

D. Change the scaling policy to add more EC2 instances during each scaling operation.

273
A company has an image processing workload running on Amazon Elastic Container Service (Amazon ECS) in two private subnets. Each private subnet uses a NAT instance for internet access. All images are stored in Amazon S3 buckets. The company is concerned about the data transfer costs between Amazon ECS and Amazon S3.

What should a solutions architect do to reduce costs?

A. Configure a NAT gateway to replace the NAT instances.

B. Configure a gateway endpoint for traffic destined to Amazon S3. Most Voted

C. Configure an interface endpoint for traffic destined to Amazon S3.

D. Configure Amazon CloudFront for the S3 bucket storing the images.

274
The financial application at a company stores monthly reports in an Amazon S3 bucket. The vice president of finance has mandated that all access to these reports be logged and that any modifications to the log files be detected.

Which actions can a solutions architect take to meet these requirements?

A. Use S3 server access logging on the bucket that houses the reports with the read and write data events and log file validation options enabled.

B. Use S3 server access logging on the bucket that houses the reports with the read and write management events and log file validation options enabled.

C. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write data events on the S3 bucket that houses the reports. Log these events to a new bucket, and enable log file validation. Most Voted

D. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write management events on the S3 bucket that houses the reports. Log these events to a new bucket, and enable log file validation.

275
A company has an on-premises volume backup solution that has reached its end of life. The company wants to use AWS as part of a new backup solution and wants to maintain local access to all the data while it is backed up on AWS. The company wants to ensure that the data backed up on AWS is automatically and securely transferred.

Which solution meets these requirements?

A. Use AWS Snowball to migrate data out of the on-premises solution to Amazon S3. Configure on-premises systems to mount the Snowball S3 endpoint to provide local access to the data.

B. Use AWS Snowball Edge to migrate data out of the on-premises solution to Amazon S3. Use the Snowball Edge file interface to provide on-premises systems with local access to the data.

C. Use AWS Storage Gateway and configure a cached volume gateway. Run the Storage Gateway software appliance on premises and configure a percentage of data to cache locally. Mount the gateway storage volumes to provide local access to the data.

D. Use AWS Storage Gateway and configure a stored volume gateway. Run the Storage Gateway software appliance on premises and map the gateway storage volumes to on-premises storage. Mount the gateway storage volumes to provide local access to the data.

277
A company is developing an ecommerce application that will consist of a load-balanced front end, a container-based application, and a relational database. A solutions architect needs to create a highly available solution that operates with as little manual intervention as possible.

Which solutions meet these requirements? (Choose two.)

A. Create an Amazon RDS DB instance in Multi-AZ mode.

B. Create an Amazon RDS DB instance and one or more replicas in another Availability Zone.

C. Create an Amazon EC2 instance-based Docker cluster to handle the dynamic application load.

D. Create an Amazon Elastic Container Service (Amazon ECS) cluster with a Fargate launch type to handle the dynamic application load.

E. Create an Amazon Elastic Container Service (Amazon ECS) cluster with an Amazon EC2 launch type to handle the dynamic application load.
