Practice Free SAA-C03 AWS Certified Solutions Architect - Associate (SAA-C03) Exam Questions Answers With Explanation

AWS Secrets Manager is the managed service for securely storing, rotating, and retrieving database credentials. When you store Aurora credentials in Secrets Manager and enable automatic rotation, Secrets Manager updates the credentials in both the database and the stored secret.

Each Lambda function version or alias can call Secrets Manager at runtime to retrieve the current secret value, so even older deployed Lambda versions that use an alias will always obtain the most recent credentials without redeployment.

Why others are not suitable:

B: Embeds credentials in code, requiring redeployment on every rotation and violating security best practices.

C: Environment variables are version-specific; old aliases would continue using outdated values unless you redeploy or change them.

D: Parameter Store can store and rotate secrets but is less integrated for database credential rotation than Secrets Manager; Secrets Manager is the purpose-built minimal-overhead choice here.

Amazon ECS on AWS Fargate: AWS Fargate is a serverless compute engine for containers that works with Amazon ECS. It allows you to run containers without managing servers or clusters.

Amazon EFS: Amazon Elastic File System (EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It can be mounted to ECS tasks running on Fargate, allowing containers to access a shared file system with standard file system semantics, including OS-level permissions.

To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the “owner” tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage. This approach is both scalable and operationally efficient.

To ensure high availability and scalability, the web application should run in anAuto Scaling groupacross two Availability Zones behind anApplication Load Balancer (ALB). The database should be migrated toAmazon RDSwithMulti-AZ deployment, which ensures fault tolerance and automatic failover in case of an AZ failure. This setup minimizes administrative overhead while meeting the company ' s requirements for high availability and scalability.

Option A: Read replicas are typically used for scaling read operations, and Multi-AZ provides better availability for a transactional database.

Option B: Replicating across AWS Regions adds unnecessary complexity for a single web application.

Option D: EC2 instances across three Availability Zones add unnecessary complexity for this scenario.

AWS References:

Auto Scaling Groups

Amazon RDS Multi-AZ

According to the AWS Well-Architected Framework – Security Pillar and the AWS Identity and Access Management (IAM) User Guide, the root user account in an AWS account is extremely powerful and should be protected with strict security measures.

From AWS documentation:

“We recommend that you not use the root user for everyday tasks, even administrative ones. Instead, create IAM users and grant them only the permissions they need. To help protect your AWS account, enable multi-factor authentication (MFA) for the root user.”

(Source: AWS Identity and Access Management User Guide – Securing the Root User)

The correct and recommended action is to create IAM users with specific permissions for daily operations and enable MFA on the root user to provide an additional layer of security. The root user cannot be disabled, so Option A is technically incorrect. AWS also explicitly advises against using root access keys (Option C) or sharing root credentials (Option D), both of which violate the principle of least privilege.

Best practices summarized from AWS official documentation:

Do not use root user for routine tasks

Enable MFA for root user immediately

Create individual IAM users and assign least privilege

Avoid creating or using root user access keys

These recommendations are foundational to securing any new AWS account and are consistently emphasized in the AWS Certified Solutions Architect – Official Study Guide and the AWS Security Best Practices whitepaper.

Using a Lambda function as part of the Kinesis Data Firehose pipeline allows for real-time detection and masking of PII before data is written to S3. This ensures that PII is never stored in its raw form in the data lake.

Option B:Amazon Macie can scan and classify data but does not provide in-line PII masking for data ingestion.

Option C:Server-side encryption secures data but does not mask PII.

Option D:CloudHSM is unnecessary for PII masking and adds complexity without addressing the requirements.

AWS Documentation References:

Using Lambda with Kinesis Data Firehose

To run RDS instances only during business hours with the least operational overhead, you can useAmazon EventBridgeto schedule events that invokeAWS Lambda functions. The Lambda functions can be configured to start and stop the RDS instances based on the specified schedule (business hours). EventBridge rules allow you to define recurring events easily, and Lambda functions provide a serverless way to manage RDS instance start and stop operations, reducing administrative overhead.

Option A: While CloudWatch alarms could be used, they are more suited for monitoring, and using Lambda with EventBridge is simpler.

Option B (Trusted Advisor): Trusted Advisor is not ideal for scheduling tasks.

Option C (Systems Manager): Systems Manager could also work, but EventBridge and Lambda offer a more streamlined and lower-overhead solution.

AWS References:

Amazon EventBridge Scheduler

AWS Lambda

For workloads where tasks are independent and can be processed in parallel, and where minimizing management overhead is a priority, a serverless architecture using AWS Lambda is ideal.

AWS Lambda allows you to run code without provisioning or managing servers. It automatically scales your application by running code in response to each trigger.

Parallel Processing: Lambda functions can process multiple tasks concurrently, making it suitable for parallel workloads.

Automatic Scaling: Lambda automatically scales by running code in response to each event, scaling precisely with the size of the workload.

Minimal Management Overhead: With Lambda, there ' s no need to manage the underlying infrastructure, reducing operational complexity.Wikipedia

For the relational database tier, Amazon RDS Multi-AZ provides high availability with minimal manual intervention. In Multi-AZ mode, RDS maintains a synchronous standby in a different Availability Zone and provides automatic failover during certain failure scenarios. This reduces operational burden because the service handles replication, health monitoring, and failover orchestration.

For the container-based application tier, Amazon ECS with the Fargate launch type minimizes operational overhead because it removes the need to provision, patch, and scale the underlying EC2 instances that host containers. With Fargate, AWS manages the compute infrastructure, and the team focuses on task definitions, scaling policies, and application configuration. This supports a highly available, load-balanced architecture because ECS services can run tasks across multiple Availability Zones behind an Application Load Balancer, and scaling is managed via ECS Service Auto Scaling.

Option B describes read replicas, which are primarily used for scaling reads and, depending on configuration, may not provide the same automated failover characteristics as Multi-AZ for high availability. Read replicas are not a direct substitute for Multi-AZ HA. Option C (self-managed Docker cluster on EC2) is operationally heavy: you must manage node capacity, patching, cluster lifecycle, and scheduling. Option E (ECS on EC2) is a valid container platform but still requires managing EC2 instances, AMIs, and scaling/patching, which increases manual intervention compared to Fargate.

Therefore, combining RDS Multi-AZ (A) for database resilience and ECS Fargate (D) for serverless container operations meets the HA requirement with the least manual effort.

Amazon OpenSearch Service is the AWS-native service for real-time search, analytics, and visualization. Ingesting streaming data with Amazon Kinesis Data Streams ensures scalable and reliable data ingestion. OpenSearch supports indexing and querying the data in near real time. QuickSight can then be integrated for visualization and reporting. Options A and B involve batch processing and are not optimized for real-time search. Option C (EKS + DynamoDB) is not a fit for search workloads, as DynamoDB does not support advanced text search. Option D provides the closest AWS-native equivalent to the company’s existing search-and-visualization architecture.

Aurora Global Database is designed for low-latency cross-Region reads and disaster recovery for relational data.

Amazon S3 Cross-Region Replication (CRR) automatically replicates unstructured data to another Region, ensuring high availability and resilience.

“Aurora Global Database replicates your data with typical latency of less than 1 second to secondary AWS Regions.”

“Amazon S3 Cross-Region Replication automatically replicates every object uploaded to your bucket to a destination bucket in another AWS Region.”

— Aurora Global Database

— S3 Cross-Region Replication

This combination meets the multi-Region, high availability, fault-tolerant requirement for both relational and unstructured data.

For Amazon RDS for PostgreSQL, AWS provides IAM database authentication. With this feature, applications do not use stored long-term usernames and passwords. Instead, they use temporary authentication tokens that are generated by AWS and validated by the RDS database.

The AWS best practice pattern is:

Attach an IAM role to the EC2 instances (instance profile).

Grant that role the necessary permissions (for example, rds-db:connect) to the specific RDS database user.

The application running on the EC2 instance uses the role’s temporary credentials to call the RDS token-generation API and obtain a short-lived authentication token.

The application then uses this token as the password when connecting to RDS for PostgreSQL.

This removes the need to store long-term credentials in the application or on the instance and uses IAM roles with temporary credentials, aligning with the security requirement.

Option A still relies on stored credentials (even if in Secrets Manager), which are long-lived and rotated but not token-based per-connection IAM authentication.

Option B uses static passwords and IP-based access, which does not meet the “no long-term credentials” requirement.

Option C stores long-term IAM user keys on the instances, which is explicitly against best practices and does not directly integrate with RDS authentication.

Using Amazon SQS decouples the API from the database, allowing the system to handle write bursts without data loss. The queue buffers incoming requests, and AWS Lambda processes them asynchronously, writing to the RDS instance at a sustainable rate.

From AWS Documentation:

“Amazon SQS acts as a buffer between components that produce and consume data, allowing each to operate independently. You can use AWS Lambda to process messages from SQS and write them to other services such as Amazon RDS.”

(Source: Amazon SQS Developer Guide)

Why C is correct:

SQS absorbs write surges and ensures durable message retention.

Lambda scales automatically with message volume and reduces DB connections.

Prevents timeout errors by smoothing traffic spikes.

Why others are incorrect:

A: Scaling RDS vertically doesn’t address connection spikes.

B: Multi-AZ is for availability, not write throughput.

D: SNS is for fan-out message delivery, not queue-based buffering.

AWS documentation states that for API Gateway REST APIs, AWS WAF must be deployed in the same Region to apply web access control lists. WAF geographic match rules can block requests from non-US Regions. Deploying the WAF and API Gateway in the same Region ensures minimal latency because the traffic does not traverse Regions.

Options B and C violate the requirement that WAF and API Gateway must be in the same Region. Option D uses HTTP API, which supports WAF only indirectly via regional ALBs, not directly as REST API does.

=====================================================

Comprehensive and Detailed Explanation (from AWS Solutions Architect documentation):

Amazon DynamoDB is a fully managed NoSQL database engineered for extremely high throughput and millisecond-level response times at any scale. It can automatically scale to support millions of requests per second and requires no management of infrastructure, storage provisioning, or server maintenance.

AWS documentation specifically highlights DynamoDB as the optimal solution for ecommerce workloads that require consistent low-latency performance, massive scalability, and near-zero operational overhead.

Aurora and RDS cannot support millions of requests per second, and Redshift is a data warehouse not intended for transactional workloads.

AWS Service Catalogallows organizations to centrally manage commonly deployed IT services and offers self-service deployment capabilities to customers. By creatingService Catalog products, the consulting company can package their solutions and tools for easy reuse by customers while maintaining central control over configuration and access. This provides a standardized and automated solution with the least operational overhead for managing and deploying solutions across different customers.

Option A (CloudFormation): CloudFormation templates are useful but don ' t provide the same level of management and user-friendly self-service capabilities as Service Catalog.

Option C (Systems Manager): Systems Manager is more focused on managing infrastructure and doesn ' t offer the same self-service capabilities.

Option D (AWS Config): AWS Config is used for tracking resource configurations, not for deploying solutions.

AWS References:

AWS Service Catalog

Private subnets require outbound internet access to download updates, but they must not have public IPs or direct inbound access.

The recommended AWS solution is to create a NAT gateway in a public subnet. Private subnet route tables are updated to route internet-bound traffic (0.0.0.0/0) to the NAT gateway. The NAT gateway then uses the internet gateway attached to the VPC to communicate with the internet.

Option B (NAT instances) is an older approach and less scalable/maintainable than NAT gateways. Option C (egress-only internet gateway) is for IPv6 outbound-only traffic, not IPv4. Option D is invalid because NAT gateways must be deployed in public subnets.

AWS Control Tower: Provides a managed service to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of AWS Organizations and applies security controls (guardrails).

Networking Account:

Create a centralized networking account that includes a VPC with both private and public subnets.

This centralized VPC will manage and control the networking resources.

AWS Resource Access Manager (AWS RAM):

Use AWS RAM to share the subnets from the networking account with the other workload accounts.

This allows different workload accounts to utilize the shared networking resources without the need to manage their own VPCs.

Operational Efficiency: Using AWS Control Tower simplifies the setup and governance of multiple AWS accounts, while AWS RAM facilitates centralized management of networking resources, reducing operational overhead and ensuring consistent security and compliance.

To route S3 traffic privately from within a VPC, AWS provides Gateway VPC Endpoints for Amazon S3. These allow private connectivity to S3 without traversing the public internet or requiring an Internet Gateway.

From AWS Documentation:

“A gateway endpoint enables you to privately connect your VPC to supported AWS services such as Amazon S3 and DynamoDB without requiring an Internet Gateway, NAT device, or public IP.”

(Source: Amazon VPC User Guide – Gateway Endpoints)

Why A is correct:

Gateway VPC endpoints route S3 traffic internally within the AWS network.

Improves security and data privacy while reducing exposure to the public internet.

Requires only a simple route table modification and IAM policy configuration.

Why other options are incorrect:

B: S3 is a regional service; you cannot “move” it inside a VPC.

C: Access points do not change the routing path; still uses S3 endpoints.

D: AWS Direct Connect is for hybrid environments, not intra-AWS private connectivity.

Amazon S3 is the strongest storage choice because it is designed for highly durable object storage, and CloudFront can use an S3 bucket as its origin to deliver content globally. AWS Backup documentation also states that for Amazon S3 you can createcontinuous backupsand restore data to a point in time, which reduces the risk of data loss more effectively than simple daily backups. The EC2-based options introduce more infrastructure management and weaker durability characteristics than S3 for this content-storage pattern. Lambda ephemeral storage is temporary and is not intended as a durable content repository. For globally distributed campaign assets that must stay highly available and protected with the strongest managed backup posture among the options,S3 + CloudFront + AWS Backup continuous backupsis the best design. (AWS Documentation)

============

Amazon S3 is designed for durability, scalability, and millisecond access. For small monthly data volumes (300 MB), S3 Standard is cost-effective and provides immediate access. To meet 30-day retention, Lifecycle policies can automatically expire objects after the required time. For disaster recovery, S3 Cross-Region Replication (CRR) copies objects across Regions to a backup bucket, ensuring data resiliency. OpenSearch (A) is not needed because the requirement is storage and retrieval, not indexing. Aurora or RDS options (C, D) add unnecessary complexity and cost, as a relational database is not required for JSON storage and millisecond retrieval. Therefore, option B provides the simplest, most resilient, and cost-optimized solution.

Predictive scaling automatically analyzes historical workload patterns, forecasts future capacity needs, and launches instances ahead of time. AWS documentation states that predictive scaling is designed for workloads with recurring, cyclical patterns—such as scheduled weekly batch jobs.

It also supports " pre-launching " capacity before peak demand. This eliminates manual trend analysis and delivers the lowest operational overhead.

Scheduled scaling (Option B) works but requires manual calculation of capacity numbers and updating if patterns change. Predictive scaling removes this burden entirely.

=====================================================

This workload has two distinct needs: (1) a managed way for external clients to upload files using a familiar managed file transfer protocol, and (2) an automated, low-ops method to run a watermarking step and store the resulting images as objects. AWS Transfer Family provides a fully managed capability to receive files over protocols such as SFTP, while landing those files directly into Amazon S3 as objects. That directly satisfies the requirement that “uploaded images must be stored as objects” with minimal infrastructure management.

To automate watermarking with minimal operational overhead, invoking AWS Lambda is a strong fit. Lambda is serverless and scales automatically with incoming uploads, and it can run the watermarking logic as code without managing servers. Transfer Family supports managed workflows that can orchestrate post-upload actions; using a Transfer Family workflow to invoke a Lambda function provides a clean, managed, event-driven pipeline: clients upload via SFTP ? objects land in S3 ? workflow triggers watermark processing ? output is written back to S3.

Option A adds operational burden by requiring an EC2-based application tier for watermarking, which increases patching and scaling responsibilities. Option B can work (S3 + Batch), but it requires building and operating the upload mechanism (REST APIs) and typically more orchestration than necessary for simple “upload then process” flows; Batch is better when you need large-scale, long-running batch compute rather than lightweight per-object processing. Option D is unsuitable because S3 Glacier Deep Archive is intended for long-term archival with slow retrieval, which conflicts with active workflow processing and watermark automation.

Therefore, C best meets the requirements using managed services end-to-end: Transfer Family for ingestion, S3 for object storage, and Lambda for automated watermarking.

Using an Application Load Balancer (ALB) allows for integration with AWS WAF to inspect all incoming traffic. Running the application on Amazon ECS provides a scalable and managed container orchestration service. Utilizing Amazon Aurora Serverless for the PostgreSQL database offers automatic scaling based on application demand, which is cost-effective for workloads with variable traffic patterns, such as higher traffic on weekdays and lower traffic on weekends.

For bursty and seasonal workloads, AWS recommends serverless architectures using Amazon API Gateway + AWS Lambda:

API Gateway exposes a fully managed, scalable API endpoint.

Lambda provides automatic scaling based on request volume, with no need to provision or manage servers.

This is ideal for workloads with variable or seasonal demand, such as end-of-year tax computation bursts.

This combination minimizes operational overhead (no OS patching, no capacity planning) while scaling seamlessly to meet peak demand.

Options A, C, and D rely on EC2 instances. They require capacity planning, scaling configuration, and ongoing management. They do not scale as effortlessly as Lambda for unpredictable or highly seasonal workloads.

Amazon S3 supports one Lifecycle configuration per bucket that can contain multiple rules. Lifecycle rules can include filters, including object size filters: ObjectSizeGreaterThan and ObjectSizeLessThan. You can combine rules so that one targets large objects and another provides a default expiration. Here, configure Rule 1 with a size filter ObjectSizeGreaterThan = 1 TB and Expiration = 2 days (48 hours) to purge very large videos early. Configure Rule 2 with Expiration = 7 days without a size filter to serve as a catch-all maximum retention for all objects. Options B and D are invalid because S3 does not allow multiple Lifecycle configurations per bucket. Option C cannot distinguish large files; it would delete all files at the same schedule without honoring the 48-hour policy for > 1 TB objects. This single configuration with two rules meets both retention targets with minimal overhead and full S3-native capability.

To meet the requirements for tagging and preventing instance creation or deletion without proper tags, the company can use a combination of AWS Organizations tag policies and service control policies (SCPs).

Tag Policies: These enforce specific tag values across resources. Creating a tag policy with required values (e.g., sensitive, non-sensitive) and attaching it to the appropriate organizational unit (OU) ensures consistency in tagging.

SCPs: SCPs can be used to enforce compliance by preventing instance creation without a tag and preventing tag deletion. These policies control actions at the account level across the organization.

Key AWS features:

Tag Policieshelp standardize tags across accounts, andSCPsenforce governance by restricting actions that violate the policies.

AWS Documentation: AWS best practices recommend using tag policies and SCPs to enforce compliance across multiple accounts within AWS Organizations?.

SQS Standard queues provide at-least-once delivery; they can, by design, deliver duplicate messages, and you cannot turn that off.

To guarantee no duplicates to consumers, AWS provides SQS FIFO queues with exactly-once processing semantics in conjunction with deduplication.

The minimal change to achieve this behavior is to:

Recreate the queue as a FIFO queue and

Enable content-based deduplication, so SQS automatically deduplicates messages with identical bodies within the deduplication window.

Why others are not correct:

A: Long polling reduces empty responses and costs but does not eliminate duplicates.

C: Content-based deduplication is available only for FIFO queues, not for standard queues—so you cannot “modify” a standard queue this way.

D: Moving to Amazon MQ is a much bigger architectural change and adds more operational overhead; it’s not the “fewest changes” approach.

The most secure and manageable way to provide developers with temporary, least-privilege access is by using AWS IAM Identity Center (formerly AWS SSO). IAM Identity Center allows assigning IAM roles with scoped permissions based on the developer’s team role. This ensures no permanent credentials are required and minimizes risk.

Option B enables role-based access with centralized identity and access management, making it the most secure and scalable solution for managing developer permissions.

AWS guidance is to cover steady baseline with commitments (Reserved Instances or Savings Plans) and use EC2 Spot Instances for burst capacity to minimize cost. Spot provides up to 90% discounts and is well-suited to fault-tolerant, queue-based workloads; interruptions are handled by replacing capacity automatically while messages remain durably in SQS. Using only Spot (A) risks capacity gaps; only RIs sized for peak (B) wastes cost during low demand. Option D scales on backlog but uses On-Demand for bursts, which is more expensive than Spot. With C, baseline capacity (RIs) keeps processing continuously (no downtime), and Spot adds cost-efficient throughput during spikes, aligning with Well-Architected cost and reliability patterns for queue workers.

For near-real-time streaming workloads that are highly latency-sensitive, the network layer must provide ultra-low latency and high throughput between compute nodes. Elastic Fabric Adapter (EFA) is specifically designed to meet these requirements. EFA enables EC2 instances to communicate using a high-performance network interface that bypasses traditional TCP/IP networking, providing lower and more consistent latency. This is especially valuable for tightly coupled workloads that require fast inter-node communication.

Option B is the correct choice because EFA supports custom networking stacks and is optimized for applications such as real-time data processing, distributed computing, and high-performance workloads. EFA integrates directly with supported EC2 instance types and allows applications to take advantage of enhanced networking capabilities without requiring complex multi-VPC architectures.

Option A introduces additional network hops and latency due to VPC peering and is not suitable for ultra-low-latency workloads. Option C (spread placement groups) is designed to increase fault tolerance by placing instances on separate hardware, but it does not optimize for low-latency communication and may actually increase network distance between instances. Option D improves storage performance, not network performance, and does not affect inter-instance latency.

Therefore, B is the best solution because Elastic Fabric Adapter is the AWS-recommended approach for achieving the lowest possible network latency between EC2 instances in performance-critical streaming architectures.

To build a distributed, serverless, event-driven workflow with minimal operational overhead, AWS Step Functions orchestrating AWS Lambda is the best fit. Step Functions provides a managed state machine service that coordinates multiple steps, handles retries and error handling patterns, and maintains execution state without requiring the company to run orchestration servers. Lambda provides serverless compute for each workflow task, scaling automatically with demand and eliminating server management.

Option D directly matches “performing different aspects of the workflow” because Step Functions is specifically designed to model multi-step business processes and coordinate activities across services. It also aligns with “minimize operational overhead” because both Step Functions and Lambda are managed services: there are no instances to patch, no cluster management, and scaling is handled by the platform.

Option B contradicts the serverless goal by deploying the application on EC2 instances, increasing operational overhead (capacity management, patching, scaling, and availability concerns). Option C mixes eventing with scheduling: EventBridge can route events, but invoking Lambda “on a schedule” is not the same as orchestrating a multi-step workflow with branching, waiting, retries, compensation, and state tracking. EventBridge is excellent as an event bus, but Step Functions is the purpose-built workflow orchestrator. Option A is a mismatch because AWS Glue is primarily an ETL/data integration service; while it can run jobs and triggers, it is not the general workflow orchestrator for arbitrary application steps, and using it to invoke Lambda for a broad workflow is less direct and typically less operationally clean than a Step Functions state machine.

Therefore, D is the most aligned solution for serverless, distributed workflow orchestration with low operational burden.

Amazon Elastic File System (Amazon EFS) is a fully managed, elastic, shared file system that can be mounted concurrently by multiple EC2 instances across multiple Availability Zones. EFS automatically grows and shrinks as files are added or removed, providing seamless scalability for unpredictable and growing storage needs. It supports simultaneous access from multiple compute resources, making it ideal for applications where several EC2 instances must read and write to the same data set concurrently. EBS volumes cannot be shared across multiple Availability Zones, and S3 Glacier is intended for archival and infrequent access, not for active, hourly data analysis.

Reference Extract from AWS Documentation / Study Guide:

" Amazon EFS provides a scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It can be mounted to many EC2 instances across multiple Availability Zones and is ideal for shared data scenarios. "

Source: AWS Certified Solutions Architect – Official Study Guide, Storage Solutions section; Amazon EFS User Guide.

AWS CloudFormationallows for the automated, repeatable setup of infrastructure, reducing human error and ensuring consistency.AWS Configprovides the ability to track changes in the infrastructure, ensuring that all changes are logged and auditable, which satisfies the requirement for tracking incremental changes.

Option A and C (AWS Organizations): AWS Organizations manage multiple accounts, but they are not designed for infrastructure setup or change tracking.

Option D (Service Catalog): Service Catalog is used for deploying products, not for setting up infrastructure or tracking changes.

AWS References:

AWS Config

AWS CloudFormation

AWS Application Migration Service (AWS MGN) is the recommended tool for a lift-and-shift strategy, especially for time-sensitive migrations. It automates the replication of on-premises VMs to AWS, minimizing the effort required for migration and testing.

Key steps:

Replication with AWS MGN: The AWS Replication Agent is installed on the VMs to continuously replicate data to AWS, allowing you to manage migration easily.

Testing and Cutover: Initial replication allows for testing in AWS before performing the final cutover, ensuring that the migration process is smooth and data integrity is maintained.

AWS Documentation: AWS MGN is recommended for migrating virtual machines to the cloud with minimal downtime and disruption??.

This solution is the most cost-effective and efficient way to break down costs per application.

Tagging Resources: By tagging all AWS resources with a specific key (e.g., " cost " ) and a value representing the application ' s name, you can easily identify and categorize costs associated with each application. This tagging strategy allows for granular tracking of costs within AWS.

Activating Cost Allocation Tags: Once tags are applied to resources, you need to activate cost allocation tags in the AWS Billing and Cost Management console. This ensures that the costs associated with each tag are included in your billing reports and can be used for cost analysis.

AWS Cost Explorer: Cost Explorer is a powerful tool that allows you to visualize, understand, and manage your AWS costs and usage over time. You can filter and group your cost data by the tags you’ve applied to resources, enabling you to easily see the cost breakdown for each application. Cost Explorer also supports generating regular reports, which can be scheduled and emailed to stakeholders.

Why Not Other Options?:

Option A (AWS Budgets): AWS Budgets is more focused on setting cost and usage thresholds and monitoring them, rather than providing detailed cost breakdowns by application.

Option B (Load Cost and Usage Reports into RDS): This approach is less cost-effective and involves more operational overhead, as it requires setting up and maintaining an RDS instance and running SQL queries.

Option D (AWS Billing and Cost Management Console): While you can download bills, this method is more manual and less dynamic compared to using Cost Explorer with activated tags.

AWS References:

AWS Tagging Strategies- Overview of how to use tagging to organize and track AWS resources.

AWS Cost Explorer- Details on how to use Cost Explorer to analyze costs.

After 180 days, the images become infrequently accessed but still must remain immediately available, which fits S3 Standard-IA better than One Zone-IA because the question requires high availability and redundancy throughout the lifecycle. AWS documents that Standard-IA is for long-lived, infrequently accessed data with millisecond access and multi-AZ resilience, while One Zone-IA stores data in a single AZ. After 360 days, the company still needs instant access, so S3 Glacier Instant Retrieval is the right archival class. AWS states that Glacier Instant Retrieval provides real-time access with lower storage cost than Standard-IA for archive data that still must be immediately retrievable. Glacier Flexible Retrieval would not meet the instant-access requirement.

============

To decouple distributed workloads and improve scalability and resiliency, Amazon SQS should be used as a reliable job queue. The compute nodes (workers) can poll the SQS queue for tasks, and EC2 Auto Scaling can dynamically scale instances based on the ApproximateNumberOfMessages metric.

From AWS Documentation:

“Amazon SQS enables you to decouple application components, allowing each part to scale independently. You can scale EC2 instances automatically based on the number of messages in the queue.”

(Source: Amazon SQS Developer Guide – Scaling Consumers with Auto Scaling)

Why B is correct:

Eliminates the single point of failure (the primary coordinator).

Enables event-driven scaling based on queue depth.

Provides durability and resiliency since messages are stored redundantly.

Fully managed and integrates seamlessly with Auto Scaling policies.

Why other options are incorrect:

A: Scheduled scaling does not respond to variable workloads.

C & D: Misuse of CloudTrail/EventBridge; not intended for workload coordination.

The correct approach is to attach anIAM roleto the EC2 instance profile and grant that role permission to read the secret fromAWS Secrets Manager. AWS documentation states that Secrets Manager uses IAM for authentication and authorization, and EC2 instance profiles are the supported mechanism for providing temporary credentials to applications running on EC2 instances. This avoids hardcoded credentials and removes the need for long-term access keys on the server. The other options either misuse IAM users, rely on the wrong access mechanism, or do not reflect how Secrets Manager permissions are normally granted to workloads.

============

Amazon EventBridge supports routing application-generated events to AWS Lambda targets. The Lambda function can process and insert events into a DynamoDB table. This is a standard design pattern for connecting event-driven applications with DynamoDB. Option A confuses DynamoDB Streams (which streams changes from DynamoDB) with EventBridge (which is for event routing). Options C and D reference partner event buses, which are intended for SaaS integrations, not custom application events. Therefore, the correct and simplest solution is to use a custom EventBridge event bus with a Lambda target (B).

In Amazon EKS, Kubernetes stores objects such as Secrets in the cluster’s etcd key-value store. By default, Kubernetes Secrets are base64-encoded and are not automatically encrypted at the application object level unless encryption is configured. Amazon EKS provides a managed capability to encrypt Kubernetes Secrets at rest in etcd using AWS Key Management Service (KMS). The requirement explicitly states that “all secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store,” which maps directly to enabling EKS secrets encryption with a customer-managed KMS key.

Option B is exactly this: create a KMS key and enable EKS KMS secrets encryption on the cluster. With this enabled, EKS uses envelope encryption so that Secrets are encrypted when stored in etcd, and decrypt operations are controlled through KMS permissions. This is the standard, AWS-native method that fulfills the requirement without requiring application changes or external secret stores for the encryption-at-rest requirement in etcd.

Option A (Secrets Manager) is a strong service for secret lifecycle management and rotation, but it does not by itself guarantee that Kubernetes Secrets stored in etcd are encrypted unless EKS secrets encryption is also enabled or the cluster avoids storing secrets in etcd entirely. The question specifically targets etcd encryption. Option C is unrelated: the EBS CSI driver concerns persistent volumes, not etcd secret encryption. Option D concerns EBS volume encryption and a specific AWS-managed key alias used for EBS; it also does not address etcd encryption for Kubernetes Secrets.

Therefore, B is the correct solution because it directly enables encryption of Kubernetes Secrets within etcd using KMS.

VPC Endpoint for S3: A gateway endpoint for Amazon S3 enables you to privately connect your VPC to S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Configuration Steps:

In the VPC console, navigate to " Endpoints " and create a new endpoint.

Select the service name for S3 (com.amazonaws.region.s3).

Choose the VPC and the subnets where your EC2 instances are running.

Update the route tables for the selected subnets to include a route pointing to the endpoint.

Security Compliance: By configuring an S3 gateway endpoint, all traffic between the VPC and S3 stays within the AWS network, complying with the company ' s security regulations to avoid internet traversal.

The requirement has three key elements: high availability with automatic recovery, separation of transactional and analytical workloads, and acceptable reporting lag up to 4 hours. The clean AWS-native pattern for isolating heavy read/reporting traffic from transactional writes in RDS for MySQL is to use read replicas and direct reporting queries to the replica endpoint(s).

Option C meets these requirements well. The primary RDS for MySQL instance handles transactional traffic (reads/writes). One or more RDS read replicas asynchronously replicate data from the primary. Because replication is asynchronous, some lag is expected; the requirement explicitly tolerates up to a 4-hour lag, which fits the read replica model. Directing batch reporting and analytical queries to a replica prevents those expensive queries from consuming CPU, memory, and I/O on the primary, thereby protecting interactive user performance. Deploying replicas across multiple Availability Zones also improves availability of the reporting tier and reduces the risk that an AZ issue prevents reporting access.

Option A is incorrect because a standard Multi-AZ DB instance uses a synchronous standby that is not readable and is intended for failover, not for serving analytical queries. Option B describes a Multi-AZ DB cluster deployment, which does provide readable standbys in some RDS engines; however, for the classic RDS MySQL exam pattern, the most direct and widely used method to isolate analytics is read replicas. Option D creates a nightly snapshot-based read-only copy; this increases operational complexity, can result in stale data for most of the day, and introduces provisioning delays, which is unnecessary when replicas provide continuous near-real-time copies.

Therefore, C is the best fit because it provides HA for the primary, isolates reporting reads to replicas, and meets the allowed replication lag requirement.

The requirement is to provide granular, scalable access to thousands of tables and columns in a data lake across many users and departments, with the least operational overhead.

AWS Lake Formation supports tag-based access control (TBAC) using LF-tags (Lake Formation tags), which allows you to assign tags to tables, columns, and databases. You can then define permissions on resources by specifying tags rather than managing permissions for individual resources. This approach is highly scalable and efficient when dealing with a growing number of tables and columns. By associating IAM roles to departments and granting access based on LF-tags, you dramatically reduce the operational burden as new tables or columns are added; you only need to assign the appropriate tags.

Amazon Athena can directly query data in S3 with Lake Formation providing fine-grained access control.

AWS Documentation Extract:

" With LF-tag-based access control, you can grant permissions to resources based on tags, making it easy to manage access at scale, especially in environments with large and dynamic numbers of resources. "

" LF-tags provide a scalable way to manage permissions for large numbers of resources without having to define permissions individually for each table or column. "

(Source: AWS Lake Formation documentation, Access Control, Tag-Based Access Control)

Other options:

A: Would require managing explicit permissions for each table and column as the environment grows, increasing operational overhead.

B & D: Involve significant duplication of resources (clusters) and do not scale as efficiently as a centralized data lake with tag-based access.

In Amazon Aurora, a custom endpoint is a feature that allows you to create a load-balanced endpoint that directs traffic to a specific set of instances in your Aurora DB cluster. This is particularly useful when you want to route traffic to a subset of instances that have different configurations or when you want to isolate specific workloads (e.g., reporting queries) to certain instances.

Custom Endpoint: The correct solution is to create a custom endpoint that includes the three Aurora Replicas that the department wants to use for near-real-time reporting. This custom endpoint will distribute the reporting queries only across the three selected replicas with the specified compute and memory configurations, ensuring that these queries do not affect the rest of the DB cluster.

Other Options:

Option B (Create a three-node cluster clone): This would create a separate cluster with its own resources, but it is not necessary and could incur additional costs. Also, it doesn ' t leverage the existing replicas.

Option C (Use any of the instance endpoints): This would involve manually managing connections to individual instances, which is not scalable or automatic.

Option D (Use the reader endpoint): The reader endpoint would distribute the read queries across all replicas in the cluster, not just the selected three. This would not meet the requirement to limit the reporting queries to only three specific replicas.

AWS References:

Amazon Aurora Endpoints- Provides detailed information on the different types of endpoints available in Aurora, including custom endpoints.

Custom Endpoints in Amazon Aurora- Specific documentation on how to create and use custom endpoints to direct traffic to selected instances in an Aurora cluster.

The most effective way to reduce load on the web servers is to move the static video content toAmazon S3and deliver it throughAmazon CloudFront. CloudFront caches content at edge locations so repeated requests are served closer to users without repeatedly hitting the origin. AWS documentation also recommendsorigin access control OACto securely restrict direct access to the S3 origin and allow CloudFront to fetch the objects on behalf of viewers. ElastiCache is not a video-origin service, EFS would still keep the web servers in the delivery path, and File Gateway is for hybrid file access rather than internet content distribution. For high-traffic video delivery with the least origin load, S3 plus CloudFront with OAC is the correct design.

The requirement is an event-driven pub/sub system that guarantees ordered delivery of events.

Amazon SNS FIFO topics provide the publish-subscribe model along with FIFO (First-In-First-Out) delivery and exactly-once message processing, ensuring ordered delivery to multiple subscribers.

Option A, EventBridge, provides event buses but does not guarantee event ordering across multiple subscribers. Option C (SNS standard topics) provides pub/sub but without ordering guarantees. Option D (SQS FIFO queues) guarantees order but are point-to-point queues, not pub/sub.

Thus, Amazon SNS FIFO topics meet the requirements for ordered pub/sub messaging.

Amazon Transcribe supports automatic speech recognition (ASR) with speaker diarization (i.e., multiple speaker identification). The transcripts can be stored in Amazon S3 and queried using Amazon Athena, which provides a serverless, pay-as-you-go interactive querying model.

To handle temporary high workloads, Amazon RDS provisioned IOPS can be increased to meet the expected spike in database throughput.

Amazon EFS Elastic throughput mode is ideal for workloads with unpredictable or spiky traffic patterns. It automatically scales throughput based on the file system ' s size and activity, which is more effective than Bursting throughput during high sustained activity like a marketing campaign.

Multi-AZ improves availability but does not directly address performance. Migrating to PostgreSQL during a short campaign period introduces unnecessary complexity.

AWS Global Accelerator: This service provides a global fixed entry point to your applications and optimizes the path to your application through the AWS global network, reducing latency and improving performance.

Accelerated TCP Connections:

Global Accelerator uses the AWS global network to route traffic to the nearest edge location, improving the performance and reliability of your live streams.

It provides static IP addresses that act as a fixed entry point to your application, simplifying DNS management.

High-Quality Streams:

By leveraging Global Accelerator, reporters can send live streams with the highest quality and low latency.

This service automatically reroutes traffic to the nearest available AWS Region, ensuring consistent performance even during traffic spikes or failures.

Operational Efficiency: Using Global Accelerator simplifies the network setup and provides an optimized path for live streams without the need for complex configurations, making it an efficient solution for real-time streaming applications.

Amazon DynamoDB supports both TTL (Time to Live) for automatic deletion and Point-in-Time Recovery (PITR) for backup and restore of table data. It ' s ideal for frequently updated data with short retention requirements and minimal operational overhead.

TTL attribute ensures expired items are automatically removed.

PITR enables recovery from accidental deletes or application errors.

The requirement is for immediate processing of uploaded videos and prompt notification to users. According to AWS best practices for event-driven architectures, using S3 event notifications to trigger a Lambda function upon an object creation (upload) is the optimal solution for real-time processing. Lambda can process the file as soon as it is uploaded, ensuring low latency. Once processing is complete, Lambda can save the processed file back to S3 and use Amazon SNS to notify the user.

This approach uses managed services with minimal operational overhead, is scalable, and ensures event-driven processing with instant user feedback. AWS Amplify primarily facilitates application development and hosting but does not natively provide direct push notification support for this backend workflow; instead, SNS is designed for such notification scenarios.

Reference Extract from AWS Documentation / Study Guide:

" Amazon S3 can publish events to AWS Lambda when objects are created. AWS Lambda runs code in response to events and can interact with other AWS services. Amazon SNS is a flexible, fully managed pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients. "

Source: AWS Certified Solutions Architect – Official Study Guide, Event-driven Architectures section; AWS Lambda Developer Guide (S3 triggers); Amazon SNS User Guide.

Comprehensive and Detailed Step-by-Step Explanation:

The requirement is toprevent Application A from sending traffic to Application B.

Understanding AWS Network Security Components:

Security Groups

Stateful(if traffic is allowed in one direction, it is automatically allowed in the reverse).

Do not support explicit deny rules, onlyallow rules.

Not suitable for blocking traffic in this scenario.

Network ACLs (NACLs)

Stateless(must define explicit rules for both inbound and outbound traffic).

Support explicit DENY rules.

Best suited for blocking traffic between subnets.

Analysis of the Options:

Option A: Deny Outbound Rule in Security Group for Application B?(Incorrect)

Security Groups do not support explicit deny rules.

Does not block traffic from Application A to Application B.

Option B: Deny Outbound Rule in Security Group for Application A?(Incorrect)

Security Groups do not support explicit deny rules.

Cannot effectively prevent Application A from sending traffic to Application B.

Option C: Deny Outbound Rule in NACL for Application B Subnet?(Incorrect)

This wouldprevent Application B from sending traffic, butthe requirement is to block traffic from Application A to Application B.

Incorrect subnet is being modified.

Option D: Deny Outbound Rule in NACL for Application A Subnet?(Correct Choice)

Prevents Application A from sending traffic to Application B by blocking outbound requests at the network level.

Effectively stops communication from A to B at the subnet level.

Why Option D is the Best Choice?

?NACLs support explicit deny rules, unlike security groups.?Blocks outbound traffic from Application A before it reaches Application B.?Works at the subnet level, making it scalable.

The Requester Pays feature in Amazon S3 allows the bucket owner to configure the bucket so that the requester, rather than the bucket owner, pays for data transfer and request costs. This is ideal for sharing large datasets with the public or with other AWS accounts when you want to minimize your own data transfer expenses.

Reference Extract from AWS Documentation / Study Guide:

" Requester Pays buckets allow you to configure the bucket so that the requester instead of the bucket owner pays the cost of the request and the data download from the bucket. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Cost Management section.

Option A is the most operationally efficient because it moves permissions from individual users todepartment-based IAM groups, which is easier to manage consistently at scale. AWS IAM best practices emphasize applyingleast privilegeand note that managed policies can help get started, though broad managed policies like AdministratorAccess are not least privilege in the strictest sense. Given the answer choices, placing engineering and operations users into separate groups with the appropriate policies and removing direct user-level permissions is the cleanest and most maintainable improvement. Options C and D still leave user-by-user administration, and option B is clearly over-permissive.

============

Amazon DynamoDB is a serverless, NoSQL database that is fully managed, highly available, and scales automatically. It is ideal for data without a fixed schema and for use cases where fields can vary by user. DynamoDB Streams enables the capture of changes to table items in real time, which is ideal for triggering additional processing or workflows on data modifications.

Reference Extract from AWS Documentation / Study Guide:

" DynamoDB provides a scalable, highly available NoSQL database service for applications requiring flexible schema. DynamoDB Streams captures table activity for processing changes in real time. "

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB and Serverless section.

Amazon Aurora Serverless is a fully managed, MySQL-compatible database that automatically scales based on demand and provides high availability. Combining this with EC2 Auto Scaling and an Application Load Balancer achieves both application and database high availability and scalability.

Reference Extract:

" Aurora Serverless automatically starts up, shuts down, and scales capacity based on your application ' s needs, providing a cost-effective, highly available database solution. "

Source: AWS Certified Solutions Architect – Official Study Guide, Aurora Serverless and Scaling section.

Regulatory compliance often requires immutability, meaning data cannot be altered or deleted by any user, including administrators, during a retention period. Amazon S3 Object Lock in compliance mode is specifically designed for this requirement.

Option B enforces a write-once-read-many (WORM) model. Once compliance mode is enabled and a retention period is set, no one—including root users—can delete or overwrite the objects until the retention expires. This provides the strongest level of protection and satisfies strict regulatory standards.

Option A (governance mode) allows privileged users to override the lock, which may not satisfy regulatory mandates. Option C does not prevent deletion or modification before retention expiration. Option D addresses storage cost, not immutability.

Therefore, B is the correct solution for regulatory-grade data protection.

Amazon Macieis purpose-built for detecting PII in S3.

Option Auses EventBridge to filter SensitiveData findings and notify via SNS, meeting the requirements.

Options B and Dinvolve GuardDuty, which is not designed for PII detection.

Option Cuses SQS, which is less suitable for immediate notifications.

Apresigned URLallows temporary access to a specific object in an S3 bucket without needing to make the bucket public or creating and managing additional IAM users. The URL is time-limited, and permissions are granted only to the specific object (in this case, the annual report), making it a highly secure and operationally efficient solution.

With a presigned URL, the consultant can access the report for the specified duration (7 days), after which the URL will expire automatically, removing the need for manual intervention to revoke access.

AWS References:

Amazon S3 Presigned URLsexplain how to generate a presigned URL to grant temporary access to S3 objects.

Best Practices for S3 Securityemphasize using presigned URLs for sharing temporary access to S3 objects securely.

Why the other options are incorrect:

A. Public static website: This approach involves making the S3 bucket publicly accessible, which is unnecessary and insecure for sensitive data.

B. Enable public access: Granting public access to the entire bucket, even temporarily, is a security risk and violates best practices.

C. Create an IAM user: Creating an IAM user and managing credentials is unnecessary overhead and less secure compared to a presigned URL for this short-term need.

Requirement Analysis: Need secure, direct connectivity from an on-premises client to an RDS cluster, accessible only when in the office.

VPC with Private Subnets: Ensures the RDS cluster is not publicly accessible, enhancing security.

Site-to-Site VPN: Provides secure, encrypted connection between on-premises office and AWS VPC.

Implementation:

Create a VPC with two private subnets.

Launch the RDS cluster in the private subnets.

Set up a Site-to-Site VPN connection with a customer gateway in the office.

Conclusion: This setup ensures secure and direct connectivity with minimal exposure, meeting the requirement for secure access from the office.

References

AWS Site-to-Site VPN:AWS Site-to-Site VPN Documentation

Amazon RDS:Amazon RDS Documentation

To securely access AWS services like S3 and Secrets Manager from a private VPC without using public IPs, interface VPC endpoints are required. These endpoints are accessible via private IP addresses. For the application to reach these endpoints, appropriate routes must be configured in the route table.

AWS guidance for global, highly available, low-latency applications using a relational database recommends:

Amazon CloudFront with Amazon S3 for static content to cache data at edge locations globally and minimize latency for static assets.

A regional application tier deployed close to users using managed container services such as Amazon ECS on AWS Fargate, which removes the need to manage servers and scales automatically, reducing operational overhead.

A relational database tier using Amazon Aurora global database, which is purpose-built for globally distributed applications. Aurora global database provides a primary cluster in one Region with low-latency read replicas in secondary Regions and fast cross-Region replication, enabling low-latency reads and high availability for global users.

Option A uses only a single Region, which does not meet the “global users with low latency” requirement.

Option C uses RDS and DMS-based replication, which requires more management and does not provide Aurora’s integrated global database features.

Option D replaces the relational database with DynamoDB, which violates the requirement that the application interacts with a relational database.

For encryption in transit, AWS Certificate Manager ACM is the correct service because it provisions and manages TLS certificates for HTTPS connections. For encryption at rest, AWS KMS is the right service because it manages encryption keys used by services such as Amazon EBS. AWS documentation and whitepapers consistently position ACM for certificate-based transport encryption and KMS for at-rest encryption key management across AWS services. GuardDuty and Shield are security detection and DDoS protection services, not encryption services. Secrets Manager stores and rotates secrets, but it is not the service used to encrypt all application data at rest or TLS sessions in transit.

============

AWSSecrets Manageris the best solution for securely storing and managing sensitive information, such as usernames and passwords. Secrets Manager provides automatic rotation, fine-grained access control, and encryption of credentials. It is designed to integrate easily with other AWS services, such as CloudFormation, to automate the retrieval of secrets via theBatchGetSecretValue API.

Secrets Manager has a lower operational overhead than manually managing credentials, and it offers features like automatic secret rotation that reduce the need for human intervention.

Option A and C (Parameter Store): While Systems Manager Parameter Store can store secrets, Secrets Manager provides more specialized capabilities for securely managing and rotating credentials with less operational overhead.

Option B and C (AWS Batch): Introducing AWS Batch unnecessarily complicates the solution. Secrets Manager already provides simple API calls for retrieving secrets without needing an additional service.

AWS References:

AWS Secrets Manager

Secrets Manager with CloudFormation

EC2 Auto Scaling warm pools allow you to pre-initialize instances, reducing the delay in scale-out events. This results in significantly faster response times during demand surges while remaining cost-effective compared to always running at peak capacity.

Amazon SQS is the best messaging layer here because it providesdurable bufferingand decouples microservices so they can scale independently while absorbing bursts without losing data. AWS recommends SQS for decoupled architectures where producers and consumers operate at different speeds. For compute,AWS Fargatereduces operational overhead because AWS manages the underlying servers, patching, and capacity layer. API Gateway and WebSockets are not the primary answer for internal asynchronous microservice communication, and SNS is fanout-oriented rather than the most natural queueing model for durable work processing between services. Therefore, SQS plus ECS on Fargate is the most appropriate low-overhead design.

============

AWS Well-Architected recommends multi-AZ, elastic architectures: use Auto Scaling groups across multiple Availability Zones for EC2 to eliminate single-AZ failure and automatically replace capacity. For relational databases, Amazon RDS Multi-AZ provides synchronous replication and automatic failover for high availability. Serving static content via Amazon CloudFront (with S3 origin) improves resiliency and performance by caching at edge locations and reducing origin load/latency. Options A and C concentrate compute in one AZ and lack resilient static delivery. Option D changes the stack unnecessarily and proposes EFS One Zone-IA for static assets, which is not multi-AZ and is intended for infrequently accessed, single-AZ workloads, reducing resilience. Therefore, B aligns with best practices for high availability, fault tolerance, and global performance.

The best answer ismessage batching. AWS documentation explains that SQS batch actions let applications send, receive, or delete up to 10 messages at a time. AWS also notes that batching can be combined with horizontal scaling to improve throughput with fewer requests and connections. That makes batching the most relevant feature for handling sudden traffic increases efficiently. FIFO queues address strict ordering and deduplication, visibility timeout controls how long a received message stays hidden from other consumers, and long polling reduces empty responses and unnecessary polling cost. None of those features directly improve throughput as effectively as batching for traffic spikes.

============

The correct answer isBbecause the company explicitly wants to move from amonolithic architectureto aloosely coupled architecturethat supportsindependent scaling. Refactoring the application intomicroservicesis the architectural approach that best meets that requirement. Running the microservices onAmazon ECScontainers provides a managed container orchestration platform with less operational overhead than managing a Kubernetes environment.

With microservices, separate business functions such as product catalog management and customer checkout can be deployed as individual services. Each service can scale independently based on its own traffic and performance characteristics. This is far more efficient than scaling the entire monolithic application when only one part of the system experiences increased demand.

AnApplication Load Balanceris appropriate because it can route HTTP and HTTPS traffic and supports path-based and host-based routing, which is useful for directing requests to different services. This design improves agility, performance, and operational flexibility while supporting the company’s need for growth.

Option A improves availability and scalability, but it still runs a copy of thesame monolithic applicationon multiple EC2 instances. That does not enable independent scaling of individual functions. Option C creates a basic two-tier design, but it is not a fully loosely coupled microservices architecture. Option D uses Amazon EKS but places the application into asingle container, which does not achieve independent scaling of separate components and introduces more operational complexity than necessary.

AWS architectural best practices recommend decomposing monoliths intomicroserviceswhen independent scaling, agility, and component isolation are required. Therefore,Amazon ECS with microservicesis the best solution.

AWS X-Ray is the AWS service designed for distributed tracing, giving end-to-end visibility into how requests flow through microservices, APIs, and serverless components. It provides service maps, latency breakdowns, and performance insight per service, which is exactly what is required.

To use X-Ray effectively, each application stack must be instrumented. For infrastructure deployed through AWS CloudFormation, best practice is to enable and configure X-Ray in the CloudFormation templates (for Lambda, API Gateway, ECS, etc.). That way, all teams and stacks have consistent tracing enabled as part of their IaC.

Control Tower (Option B) cannot “turn on” X-Ray tracing inside applications; it only helps with account setup and guardrails.

CloudTrail (Option A) is for audit logging of API calls, not performance tracing.

CloudWatch (Option C) provides metrics and logs, but not request-level distributed tracing across multiple services.

AWS Config has a built-in managed rule (access-keys-rotated) that evaluates IAM access key age. Config rules detect non-compliant resources automatically, without building custom logic.

After Config identifies old keys, EventBridge can trigger an AWS Lambda function to disable and delete the keys. Lambda provides a fully managed compute layer requiring no servers or batch environments.

Using AWS Batch (Options A, B, and D) adds unnecessary operational overhead for a simple automation task.

=====================================================

The requirements include:

Scalability: The solution must scale as video files are uploaded.

Long-running tasks: Processing tasks can take up to 30 minutes. AWS Lambda has a maximum execution time of 15 minutes, which rules out options that involve Lambda performing all the processing.

Serverless and event-driven architecture: Ensures cost-effectiveness and high availability.

Analysis of Options:

Option A:

AWS Lambda has a 15-minute timeout, which cannot support tasks that take up to 30 minutes.

EventBridge Scheduler is unnecessary for monitoring files when native event notifications are available.Not a valid choice.

Option B:

AWS Step Functions and AWS Fargate can handle long-running processes, but Amazon EFS is not the ideal storage for uploaded video files in a serverless architecture.

Processing tasks triggered by EFS events are not a common pattern and may introduce complexities.Not the best practice.

Option C:

Amazon S3 is used for storing uploaded files, which integrates natively with event-driven services like EventBridge and Step Functions.

Amazon S3 event notifications trigger a Step Functions workflow, which can orchestrate Fargate tasks to process large video files, meeting the scalability and execution time requirements.Correct choice.

Option D:

Similar to Option A, AWS Lambda cannot handle long-running processes due to its 15-minute timeout.

Invoking Lambda for processing directly is not feasible for tasks that take up to 30 minutes.Not a valid choice.

AWS References:

Amazon S3 Event Notifications:AWS Documentation - S3 Event Notifications

AWS Step Functions:AWS Documentation - Step Functions

AWS Fargate:AWS Documentation - Fargate

Comparison of Storage Services:AWS Storage Options

By leveragingAmazon S3,Step Functions, andFargate, this solution provides a scalable, efficient, and serverless approach to handling video processing tasks.

Amazon CloudFront uses a globally distributed network of edge locations that cache content close to users. When Outposts servers around the world download large software packages, CloudFront provides significantly reduced latency due to edge caching. This is the AWS-recommended solution for accelerating downloads of static files at scale and across global locations.

S3 Transfer Acceleration optimizes uploads and downloads to a single Region but does not provide edge caching. Multi-Region replication with failover does not reduce latency globally because requests still must reach the regional origins. Therefore, CloudFront with caching enabled is the correct design for improving download speed worldwide.

=====================================================

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The requirement is an automated notification 30 days before an imported ACM certificate expires, delivered to the security team via an existing SNS topic with email subscription. The most operationally efficient approach is to use Amazon EventBridge with the managed event type for ACM certificate expiration. ACM publishes an event when a certificate is approaching expiration, and EventBridge can match that event and route it directly to a target service without custom polling logic.

Option D uses an EventBridge rule for the ACM Certificate Approaching Expiration event and sets the SNS topic as the target. This directly delivers an alert to the existing notification channel (email via SNS) and requires minimal code and minimal ongoing maintenance. It also avoids building and scheduling a scanner that must enumerate certificates, calculate dates, handle pagination, and manage failures.

Option C sends the event to SQS. While SQS is useful for decoupling and buffering, the requirement is to notify the security team, and SNS is already configured for email delivery. Using SQS would add an extra consumer component to read from the queue and publish notifications, which is additional operational overhead.

Options A and B require a custom Lambda-based scanning solution. That introduces scheduling (for example, EventBridge schedule), logic to detect “30 days remaining,” error handling, and ongoing maintenance. Since ACM already emits a purpose-built event for expiring certificates, polling is unnecessary and less efficient.

Therefore, D is the best solution: it uses a native event from ACM, routes it through EventBridge, and notifies the security team through the existing SNS topic with the least operational effort.

A warm pool is an Auto Scaling feature that keeps instances in a pre-initialized state so they can quickly join the active group when scaling is required. This reduces the time needed for instance bootstrapping and makes new capacity available almost instantly. Option A only increases capacity limits but does not address slow boot times. Option C merely extends grace periods without solving the delay. Option D forces overprovisioning, which is wasteful and not aligned with cost optimization. Using a warm pool (B) directly addresses the problem by reducing response time to scaling events.

Pre-Signed URLs: Allow temporary access to S3 buckets, making it easy to manage time-limited upload permissions without complex operational overhead.

Lambda for Automation: Automatically generates and provides pre-signed URLs when users authenticate, minimizing manual steps and code complexity.

Least Operational Overhead: Requires no custom authentication service or deep integration with STS or Cognito.

Amazon S3 Pre-Signed URLs Documentation

AWS WAF Bot Control is the best fit because the problem is abusive automated traffic submitting unnecessary requests and consuming compute resources. AWS documents that the Bot Control managed rule group is specifically designed to identify and manage bot traffic, including high-confidence bot signatures and common bot categories. This is more targeted than maintaining custom IP blocks and more directly aligned to the behavior described than general IP reputation controls. AWS Shield focuses on DDoS protection, not detailed application-layer bot categorization. Therefore, associating a WAF web ACL with the ALB and enabling Bot Control is the most appropriate solution.

============

AWS Lambda function URLs are specifically designed to give a Lambda function a simple direct HTTP(S) endpoint. AWS documentation describes function URLs as a straightforward way to invoke a Lambda function through an HTTP request, and AWS even provides a webhook tutorial built around Lambda function URLs. That makes this the most operationally efficient option because it avoids placing an ALB in front of the function or building an unnecessary messaging layer with SNS or SQS. The requirement is simply to expose the Lambda function so a third party can call it through a webhook. Function URLs are the lightest-weight AWS-native feature for that use case and provide the fastest path from webhook sender to function execution. (AWS Documentation)

============

Lambda@Edge allows you to run functions at CloudFront edge locations, enabling modifications to content before it ' s delivered to users, including compression — which directly reduces data transfer cost.

“Lambda@Edge can be used to compress or modify your content before delivering it to end users, which reduces the amount of data transferred.”

— Lambda@Edge Use Cases

Since code modifications aren’t allowed, using Lambda@Edge is a non-invasive way to:

Compress responses.

Reduce transfer size = lower CloudFront cost.

Incorrect Options:

B: S3 Transfer Acceleration improves speed, not cost.

C: Caching doesn’t help if content is always unique (single-use).

D: Multipart uploads help with large file uploads, not transfers.

Amazon S3 is the natural long-term storage service for terabytes of images and videos because it scales massively and integrates directly withAmazon SageMaker AIfor machine learning workflows. UsingS3 Intelligent-Tieringhelps optimize storage cost automatically when access patterns vary over time. AWS recommends Intelligent-Tiering when access frequency changes or is unpredictable, because the service automatically moves objects between tiers while keeping them available. The alternatives introduce extra file system copies and additional cost or use a notebook instance as a storage endpoint, which is not a scalable long-term ingestion design. Therefore, S3 with direct SageMaker integration and Intelligent-Tiering is the most scalable and cost-conscious solution. (AWS Documentation)

============

Amazon FSx for Lustre is the ideal solution for high-performance computing (HPC) workloads that require parallel access to a shared file system with low latency. FSx for Lustre is designed specifically to meet the needs of such workloads, offering sub-millisecond latencies, which makes it well-suited for the 1 ms latency requirement mentioned in the question.

Here is why FSx for Lustre is the best fit:

Parallel File System: FSx for Lustre is a parallel file system that can scale across hundreds of Amazon EC2 instances, providing high throughput and low-latency access to data. It is optimized for processing large datasets in parallel, which is essential for HPC workloads.

Low Latency: FSx for Lustre is capable of providing access latencies well within 1 ms, making it ideal for performance-sensitive workloads like HPC.

Seamless Integration with Amazon S3: FSx for Lustre can be linked to an Amazon S3 bucket. This integration allows data to be imported from S3 into FSx for Lustre before the workload begins and exported back to S3 after processing. This feature is crucial for manual postprocessing because it enables engineers to access the dataset in S3 after processing.

Performance: FSx for Lustre is built for workloads that require high performance, such as machine learning, analytics, media processing, and financial simulations, which are typical for HPC environments.

In contrast:

Amazon EFS (Option A): While EFS provides shared file storage and scales across multiple EC2 instances, it does not offer the same level of performance or sub-millisecond latencies as FSx for Lustre. EFS is more suited for general-purpose workloads, not high-performance computing.

Mounting S3 as a file system (Option B and D): S3 is object storage, not a file system designed for low-latency access and parallel processing. Mounting S3 buckets directly or using AWS Resource Access Manager to share the bucket would not meet the low-latency (1 ms) or performance requirements needed for HPC workloads.

Therefore, Amazon FSx for Lustre (Option C) is the most appropriate and verified solution for this scenario.

AWS References:

Amazon FSx for Lustre

Best Practices for High Performance Computing (HPC)

Amazon FSx and Amazon S3 Integration

Amazon Route 53 health checks can automatically perform DNS failover to healthy endpoints. When integrated with an Application Load Balancer, this provides a highly resilient system architecture that automatically routes traffic to healthy resources across Regions or endpoints.

From AWS Documentation:

“Route 53 DNS failover automatically routes traffic away from unhealthy resources and directs it to healthy resources that you specify in DNS records.”

(Source: Amazon Route 53 Developer Guide – DNS Failover)

Why B is correct:

Route 53 health checks automatically monitor endpoint health and switch to a healthy target when the primary endpoint fails.

The failover process is automatic, with no manual updates to DNS records required.

Combined with ALB’s built-in multi-AZ resilience, this provides maximum availability.

Why others are incorrect:

A & C: Require manual DNS updates, which are not automatic and introduce latency.

D: Creating new ALBs during failover increases downtime and is operationally inefficient.

Amazon S3 is the most cost-effective option for archiving data. Using AWS DMS to migrate to S3 in Apache Parquet format provides an optimized columnar format for analytics. By storing in S3 Glacier Flexible Retrieval, costs are minimized while maintaining compliance with retention. When queries are required, Athena can run SQL queries directly on archived data in S3 without provisioning infrastructure. Options A and B rely on maintaining RDS or EC2 instances, which increases cost and operational overhead. Option C requires full restores to EC2 before running queries, which is slow and inefficient. Therefore, D provides the lowest operational overhead and direct query capability with Athena.

Amazon EFS is a regional, elastic file system that “scales to petabytes” and can be accessed from “thousands of compute instances” concurrently. You can mount EFS across VPCs and across AWS accounts by providing network connectivity (e.g., VPC peering) to the EFS mount targets and allowing NFS (TCP 2049) in the mount target security group, optionally using EFS access points and a file system policy for cross-account access control. VPC peering has no hourly charge and minimal operational overhead, and EFS automatically scales as files are added—meeting the scalability and cost goals.

Option A duplicates data, incurs DataSync and extra storage costs, and adds sync lag.

Option C adds an extra Lambda hop and complexity without exposing a shared filesystem to the primary function.

Option D is impractical: Lambda layers are immutable artifacts with tight size limits (up to 50 MB compressed/250 MB uncompressed) and are not suited for dynamic, growing file sets.

Amazon Managed Service for Apache Flink (formerly Kinesis Data Analytics) is a fully managed, serverless service for real-time processing of streaming data. You can consume data from Kinesis Data Streams, perform anomaly detection, and then output the results to another Kinesis stream. This approach is loosely coupled, fully managed, and does not require modifying the application code.

AWS Documentation Extract:

“Amazon Managed Service for Apache Flink enables you to process streaming data in real time, integrating with Kinesis Data Streams as source and sink, and is fully managed and serverless.”

(Source: Apache Flink on AWS documentation)

B: S3/Redshift is not real-time and adds complexity.

C, D: EC2/ECS solutions are not serverless or fully managed.

The lowest-overhead centralized access model is to connect the existingon-premises Active Directoryby usingAD Connectorand then manage AWS account access throughIAM Identity Center permission sets. AWS documentation explains that IAM Identity Center providesone place to assign permissions to multiple AWS accounts, and AD Connector is specifically designed to let AWS services use an existing directory without storing directory information in AWS. This approach preserves the company’s current authentication source and adds centralized authorization across the organization. Creating IAM users or scripting cross-account role assignments would add significant administrative work and weaken the identity model.

============

Why Option B is Correct:

AWS WAF: Provides a simple way to create geographic match rules to block or allow traffic based on country IP ranges.

Least Operational Overhead: Attaching the WAF rule to the ALB ensures centralized control without modifying ACLs or instance firewalls.

Why Other Options Are Not Ideal:

Option A: Network ACLs operate at the subnet level and can become complex to manage for dynamic or evolving IP ranges.

Option C: Managing IP-based rules in security groups and ACLs lacks scalability and does not provide country-based filtering.

Option D: Configuring host-based firewalls increases operational overhead and does not leverage AWS-managed solutions.

AWS References:

AWS WAF Geomatch:AWS Documentation - WAF Geomatch

To restrict S3 access to a specific VPC, AWS documentation specifies using a Deny policy with aws:SourceVpc for all unmatched VPCs:

Deny if aws:SourceVpc != vpc-11aabb22

This ensures only that VPC can reach the bucket via a VPC endpoint.

Allow policies (Options B and C) are incorrectly structured or use the wrong condition logic.

Option D limits by account, not VPC, and does not enforce VPC-level access.

=====================================================

AWS Storage Gateway stored volume gateway is designed for use cases where:

The primary data set remains on premises.

You want to maintain full local access to data with low latency.

You need asynchronous, secure replication and backup to AWS.

With stored volumes, you:

Map gateway storage volumes to local on-premises disks.

Present these volumes as iSCSI block devices to on-prem systems.

Storage Gateway then asynchronously backs up snapshots to Amazon S3, providing secure, durable offsite backup automatically.

Cached volume gateway (Option C) keeps the primary copy in AWS and only a subset cached locally, which does not meet the requirement to maintain full local access to all data.

Snowball and Snowball Edge (Options A and B) are primarily for bulk, one-time or periodic offline data transfer and do not provide an ongoing backup solution with continuous local access.

This is a classic session-persistence problem. AWS Elastic Load Balancing documentation explains thatstickinesslets a load balancer bind a user’s session to a specific target. For an ALB,application-based cookie stickinesscan be enabled at the target group level, which is useful when the application expects a user to continue hitting the same backend instance for the duration of a session. That prevents users from being redirected back to login because of requests landing on different instances. The other options either do not solve the session problem or reduce availability by forcing traffic to one instance. (docs.aws.amazon.com)

============

For latency-sensitive, globally distributed applications such as online gaming, minimizing network latency between users and application endpoints is critical. AWS Global Accelerator is designed specifically for this purpose. It uses the AWS global network and Anycast IP addresses to route user traffic to the closest healthy endpoint, reducing latency and improving performance for users worldwide.

Option C is the best solution because Global Accelerator directs traffic over the AWS backbone network instead of the public internet, which significantly reduces jitter and latency. It also provides built-in health checks and automatic failover, improving availability as the service expands globally. Importantly, Global Accelerator works seamlessly with existing Application Load Balancers, allowing the company to enhance performance without redesigning the application stack.

Option A (CloudFront) is optimized for caching static and cacheable content and is not ideal for real-time, stateful gaming traffic. Option B adds unnecessary API abstraction and additional latency. Option D introduces regional duplication and DNS-based routing, which is slower to react to network conditions and does not provide the same low-latency routing as Global Accelerator.

Therefore, C meets the requirement for global expansion with the least possible latency while maintaining a simple and highly performant architecture.

Option Cis the most secure and practical solution. Presigned URLs allow temporary, limited access to upload files to specific S3 prefixes. This ensures that artists can upload files securely without needing AWS credentials or accounts. Each artist receives a unique URL with permissions tied to the intended S3 location, and the URL can be configured to expire after a certain time, minimizing security risks.

Why Other Options Are Incorrect:

Option A:Enabling CORS allows cross-origin access but does not provide authentication or authorization for uploads. This does not secure the uploads or restrict access to specific artists.

Option B:Turning off block public access and sharing the bucket URL exposes the bucket to potential misuse and unauthorized uploads. This approach is highly insecure.

Option D:While a web interface might work, it introduces additional complexity and potential security risks by exposing upload functionality through a public-facing application.

AWS Documentation References:

Using Amazon S3 Presigned URLs

AWS Best Practices for Secure S3 Access

Hardcoded database credentials create security risks and operational challenges, especially when compliance requires regular credential rotation. AWS Secrets Manager is the AWS-recommended service for securely storing, managing, and rotating secrets such as database credentials.

Option B is the correct solution because Secrets Manager natively supports automated credential rotation using AWS-managed or custom Lambda functions. By enabling rotation on a 90-day schedule, Secrets Manager automatically updates the credentials in the RDS database and stores the new values securely. The application retrieves credentials dynamically at runtime, eliminating the need for storing passwords on EC2 instances.

Options A, C, and D all rely on custom scripts, SSH access, and manual distribution of secrets, which significantly increases operational overhead, security risk, and failure potential. These approaches also violate AWS best practices by spreading sensitive credentials across multiple hosts.

Secrets Manager integrates with IAM for fine-grained access control, supports auditing through AWS CloudTrail, and improves overall security posture while reducing operational complexity. Therefore, B best meets the requirements in a secure, scalable, and compliant manner.

Amazon S3 Access Points simplify managing data access for shared datasets in S3 by allowing the creation of distinct access policies for different applications or users. Each access point has its own policy and can be managed independently. This method avoids overloading a single bucket policy and helps remain within policy size limits.

Option D provides a scalable and operationally efficient solution by offloading individual access controls from a central bucket policy to individually managed access points, which is ideal for environments with many consuming applications.

The requirements emphasize high availability across multiple Availability Zones, automatic recovery, and least operational overhead. The simplest way to achieve this for containerized microservices is to use a fully managed container orchestration service with serverless compute. Amazon ECS with the Fargate launch type provides exactly that.

With ECS Fargate, AWS manages the underlying compute infrastructure (no EC2 instances to provision, patch, scale, or secure at the OS level). You define task definitions and services, and ECS schedules tasks across Availability Zones based on your networking configuration (multiple subnets in different AZs). If a container fails, ECS service scheduling automatically replaces it, fulfilling the “recover from failures” requirement. Fargate also integrates with load balancing, CloudWatch logging, and scaling policies, reducing the operational burden of keeping the platform healthy.

Option A (ECS on EC2) is still managed orchestration, but it requires managing the EC2 capacity layer: AMI updates, instance patching, cluster capacity planning, and instance scaling. Option B (EKS with self-managed nodes) typically carries even more operational responsibility because you manage node groups, upgrades, and Kubernetes operational complexity in addition to the underlying instances. Option D is the highest operational overhead because it lacks managed scheduling and self-healing; you would need to build and maintain your own process manager and failover mechanisms.

Therefore, C is the best answer because it provides a managed, multi-AZ capable, self-healing container platform with minimal infrastructure management—matching the operational efficiency goal while maintaining high availability.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The company wants to increase security and reduce operational overhead for SQL Server relational databases. The most direct AWS managed service for SQL Server is Amazon RDS for SQL Server, which offloads routine database administration tasks such as provisioning, backups, patching (within managed service controls), monitoring integrations, and high availability management compared with running SQL Server on self-managed EC2.

Choosing Multi-AZ enhances availability and resilience by maintaining a synchronous standby in a separate Availability Zone with automated failover. This improves overall security posture and operational reliability because the platform handles common infrastructure failure scenarios without requiring custom clustering or manual intervention.

For encryption of sensitive data, integrating RDS with AWS KMS allows encryption at rest using KMS keys. Using an AWS managed key is operationally simple while still providing strong encryption controls, auditability, and centralized key management.

Option A still requires managing the database on EC2 (OS patching, SQL Server patching, backups, HA design, monitoring, recovery), which increases operational overhead significantly. Option C is not a database migration approach; S3 plus Macie does not provide a relational SQL Server engine for applications. Option D changes the data model by moving to DynamoDB and does not preserve SQL Server relational capabilities; CloudWatch Logs is not a data security control for database content.

Therefore, B best satisfies the goals: a managed relational database service (RDS for SQL Server) with built-in high availability (Multi-AZ) and encryption at rest via KMS, reducing ongoing operational work while improving security controls.

The workload is bursting and must be able to buffer more orders than the printers can process. The best practice for this is a durable, scalable queue: Amazon SQS.

SQS decouples the frontend from the backend and can handle large, spiky volumes of messages.

AWS Lambda is a good fit for processing messages from SQS because it scales automatically with queue depth and requires no server management.

Deploying the frontend in Docker on Amazon ECS with Fargate provides a fully managed, auto-scaling container environment without managing EC2 instances.

Why others are not correct:

A and D: SNS is a pub/sub service, not a queue; it does not provide durable back-pressure buffering when the printers are slower than incoming requests. Lambda@Edge is for CloudFront edge processing, not back-end order processing.

B: Same SNS issue—no durable queue semantics and not ideal for workload that must be buffered and retried.

Amazon S3 Intelligent-Tiering automatically moves objects between two access tiers based on changing access patterns. Objects not accessed for 30 days move to a lower-cost tier, but are still immediately available with millisecond retrieval. If objects become frequently accessed again, they are moved back to the frequent access tier. There are no retrieval charges and no impact on availability or performance. This storage class is specifically designed for unpredictable access patterns and cost optimization, requiring minimal management.

AWS Documentation Extract:

" S3 Intelligent-Tiering is the only storage class that automatically moves data between frequent and infrequent access tiers when access patterns change, with no retrieval charges and no impact on performance. It is designed to optimize costs automatically when data access patterns are unpredictable. "

(Source: Amazon S3 documentation, Intelligent-Tiering storage class)

B: Glacier Deep Archive is for archival, not for low-latency millisecond access.

C: EFS is not optimized for object storage or global CDN distribution.

D: Cache-Control only affects CloudFront or browser caching, not S3 storage cost.

Analysis:

The company ' s requirements are to migrate 5 PB of data from physical tapes to AWS within 6 months, preserve the data for 10 years, and ensure cost efficiency.AWS Storage Gateway Tape Gatewayis purpose-built for such use cases, as it seamlessly integrates with backup applications and provides virtual tape storage in Amazon S3 Glacier Deep Archive.

Why Option D is Correct:

Tape Gateway: Enables the migration of physical tapes to virtual tapes. Virtual tapes are stored in Amazon S3 and can later be archived in Amazon S3 Glacier Deep Archive for long-term storage.

Cost Efficiency: Amazon S3 Glacier Deep Archive is the lowest-cost storage class for long-term data preservation.

Operational Simplicity: Tape Gateway integrates with existing on-premises backup software, reducing the need for additional tools or manual processes.

Scalability: Can handle the migration of large datasets, such as 5 PB, within the required timeframe.

Why Other Options Are Not Ideal:

Option A:

AWS DataSync is not designed for reading data directly from physical tapes. Staging the data on local storage adds unnecessary complexity and cost.Not suitable.

Option B:

Using backup applications to write directly to S3 Glacier Deep Archive may not leverage AWS-native services optimally. Tape Gateway simplifies the workflow significantly.Less efficient.

Option C:

Snowball Edge is ideal for environments without high-bandwidth connectivity. However, the company already has a 10 Gbps Direct Connect, making Tape Gateway a better choice.Not cost-effective.

AWS References:

AWS Storage Gateway - Tape Gateway:AWS Documentation - Tape Gateway

Amazon S3 Glacier Deep Archive:AWS Documentation - Glacier Deep Archive

Amazon EFS allows automatic transitions to Infrequent Access (IA) and back to Standard when accessed again using the lifecycle policy.

By specifying the bursting throughput mode, throughput scales automatically with file system size.

“With EFS Lifecycle Management, you can automatically move files to EFS Infrequent Access storage and automatically return them to Standard storage when accessed.”

“The Bursting Throughput mode scales with your file system size.”

— Amazon EFS Lifecycle Management

This option matches all requirements:

Auto transition to IA after 30 days.

Auto transition back to Standard on access.

Bursting throughput for scaling with file system size.

Partition Key Issue:

Using " service name " as the partition key results in uneven data distribution. Some shards may become hot due to excessive logs from certain services, leading to throttling errors.

Changing the partition key to " creation timestamp " ensures a more even distribution of records across shards.

Incorrect Options Analysis:

Option A: On-demand capacity mode eliminates throughput management but is more expensive and does not address the root cause.

Option B: Adding more shards does not solve the issue if the partition key still creates hot shards.

Option D: Using separate streams increases complexity and is unnecessary.

AWS Batch supports Windows-based jobs and automates provisioning and scaling of compute environments. Paired with AWS Fargate, it removes the need to manage infrastructure. This solution requires the least operational overhead and is cloud-native, providing flexibility and scalability.

Amazon RDS Proxy is designed to manage a large number of database connections from applications, especially serverless applications that can scale quickly. It improves application availability and scalability by pooling and sharing established database connections. This reduces the overhead of database connections and prevents overload during traffic spikes.

For the web tier, the company needs multi-AZ scaling and high availability, which is best achieved with anAuto Scaling group across multiple Availability Zones behind an Application Load Balancer. AWS fault-tolerance guidance recommends distributing EC2 instances across multiple AZs and using Auto Scaling to maintain balance and resilience. For the database tier, the question specifically requires reduced MySQL read latency, so anAurora MySQL cluster with a reader instance in a separate AZis the stronger fit. AWS Aurora guidance recommends distributing the primary and reader instances across Availability Zones and notes that Aurora Auto Scaling can add reader instances for handling increased connectivity and workload. Together, B and C deliver scalability, HA, and better read performance.

============

AWS best practice for a highly available, resilient web application is:

Run EC2 instances in an Auto Scaling group across multiple Availability Zones.

Put an Application Load Balancer (ALB) in front of the Auto Scaling group.

Use CloudWatch alarms and scaling policies for horizontal scaling based on demand.

Option D implements exactly this: a minimum of three instances spread across AZs (resilience to AZ failure), behind an ALB, with automatic horizontal scaling. This provides both elasticity and high availability with good cost efficiency (instances scale out/in based on traffic).

Option A uses only three fixed instances and relies on vertical scaling, which does not scale as well and is less resilient.

Option B overprovisions to nine instances from the start, which is unnecessarily expensive.

Option C keeps all instances in a single AZ, which does not meet resilience requirements.

Amazon Kinesis Data Streams in on-demand mode is purpose-built for real-time ingestion of streaming data and scales automatically with traffic, which is ideal for fluctuating workloads like clickstream data.

Combined with AWS Lambda, which scales concurrently based on incoming events, this setup ensures efficient, real-time processing with minimal configuration and cost overhead.

Option B involves Firehose, which is not optimal for low-latency processing. Option C is incorrect as Kinesis Video Streams is designed for video data, not clickstream. Option D introduces Flink, which adds unnecessary complexity when Lambda suffices.

AWS WAF (Web Application Firewall) is designed to protect public-facing web applications from common web exploits and allows for deep inspection of HTTP and HTTPS requests. By enabling logging on AWS WAF, you can gain insights into traffic flow, request sources, and blocked requests, which improves both security visibility and posture. Integrating AWS WAF logging with Amazon Kinesis Data Firehose allows automatic, near-real-time delivery of log data to Amazon S3 for analysis, reporting, or integration with analytics tools. This solution not only secures the website but also enables comprehensive traffic analysis, satisfying both requirements efficiently.

Reference Extract from AWS Documentation / Study Guide:

" AWS WAF provides detailed logs of web requests, which can be delivered to Amazon S3 via Amazon Kinesis Data Firehose. This logging enables analysis of web traffic and sources, supporting both security and operational monitoring. "

Source: AWS Certified Solutions Architect – Official Study Guide, Security and Compliance section; AWS WAF Developer Guide (Logging and Monitoring).

AWS Secrets Manager is purpose-built to securely store, manage, and rotate sensitive credentials such as database user names and passwords. Option A is the most operationally efficient solution because it eliminates manual password rotation, reduces human error, and centralizes secret lifecycle management. Secrets Manager integrates natively with Amazon Aurora, enabling automated credential rotation using AWS-managed or custom Lambda rotation logic. Once rotation is enabled, Secrets Manager updates the database credentials and stores the new values securely without requiring administrators to manually update files on EC2 instances.

By assigning IAM permissions to the secret, access can be tightly controlled using least-privilege principles. The application retrieves credentials at runtime, removing the need to store passwords locally on disk, which significantly improves security posture. Secrets Manager also provides auditing capabilities through AWS CloudTrail, allowing visibility into secret access and changes.

Option B (Systems Manager Parameter Store) can securely store secrets, but automated rotation is not natively supported in the same way as Secrets Manager. Implementing rotation with Parameter Store would require additional custom automation, increasing operational complexity. Option C stores credentials in S3, which is not designed for frequent credential rotation or secure secret access patterns, even when encrypted. Option D only encrypts credentials at rest on individual instances and does not address rotation, distribution, or centralized management, resulting in high operational overhead.

Therefore, A best meets the requirements by providing secure storage, automated monthly rotation, fine-grained access control, and minimal operational effort, aligning with AWS security and operational excellence best practices.

Option A:The ALB must accept HTTPS traffic from the public internet. Allowing inbound traffic on port 443 from 0.0.0.0/0 enables this functionality.

Option C:The ALB must forward HTTPS traffic to the web application servers on port 443. Outbound traffic for port 443 must be allowed for this communication.

Option E:The ALB must perform health checks on the web application servers over HTTPS on port 8443. Outbound traffic for port 8443 must be allowed for this purpose.

Option B:Allowing all outbound traffic is overly permissive and does not align with the specific requirements.

Option D and F:Inbound traffic to the ALB from the web application instances is unnecessary because the flow of traffic is from the ALB to the web application instances, not vice versa.

AWS Documentation References:

Application Load Balancer Security Groups

Health Checks for ALBs

The correct solution is to create anIAM roleand attach it to the EC2 instance profile. AWS documentation states that applications running on EC2 should use IAM roles so the instance can receivetemporary credentials automaticallythrough the instance metadata service. This avoids embedding long-term access keys in code or on the server. DynamoDB supports IAM and temporary credentials, so the application can use the role’s permissions to access the table securely. EC2 key pairs are only for SSH access and have nothing to do with DynamoDB authorization. IAM users and long-term access keys are less secure and create unnecessary credential management overhead.

============

AWS Step Functions can orchestrate Lambda executions without modifying the Lambda code, and the Map state is designed to run a Lambda function once per item in a list—perfect for activating many devices in parallel or controlled batches.

This eliminates the loop inside the Retrieve function and prevents timeouts.

EventBridge (Option A) only changes the schedule. DynamoDB Streams (Option B) is unrelated to the activation workflow. EC2 (Option D) increases operational overhead.

Export Requirements:

To export data from DynamoDB to Amazon S3, point-in-time recovery (PITR) must be enabled for the tables. This feature creates a snapshot of the data, which is essential for exports.

Incorrect Options Analysis:

Option B: S3 buckets and DynamoDB tables do not need to be in the same region for exports.

Option C: DynamoDB streams are unrelated to the export functionality.

Option D: DAX accelerates reads but has no role in exports.

Amazon CloudFront is a content delivery network (CDN) service that caches copies of your content at edge locations around the world. This helps improve performance by serving content from the edge nearest to the user. However, when the content in Amazon S3 (your origin) is updated, those updates may not immediately reflect on the website if they are cached at the CloudFront edge locations.

The issue described in the question suggests that the CI/CD pipeline is functioning correctly, and updates are being deployed to S3. However, since CloudFront caches this content, the edge locations may still be serving outdated content, causing the updates to not be reflected on the website.

To resolve this issue, you need to invalidate the CloudFront cache. By invalidating the cache, CloudFront will remove the outdated content and retrieve the latest version from the S3 origin.

AWS documentation on this process:

CloudFront cache invalidation allows you to clear items from the cache so that CloudFront retrieves the latest version from the origin. You can create invalidation requests via the AWS Management Console, AWS CLI, or SDKs.

AWS CloudFront Documentation

Why the other options are incorrect:

A. Add an Application Load Balancer: ALBs are used to distribute incoming application traffic and are not relevant to caching or serving content from CloudFront.

B. Add Amazon ElastiCache for Redis or Memcached: This would help in caching database queries but has no relation to static website content hosted on CloudFront and S3.

D. Use AWS Certificate Manager (ACM): ACM is used for managing SSL/TLS certificates and is unrelated to the issue of content not being updated on CloudFront.

Amazon API Gateway supportsresource policies, which allow you to control access to your API by specifying the IP addresses or ranges that can access the API. By creating a resource policythat explicitly denies access to any IP address outside the allowed set, you can ensure that only trusted IP addresses (such as those from your internal network) can access the critical information in your API. This approach provides fine-grained access control without the need for additional infrastructure or complex configurations.

Option A (Private integration): API Gateway private integrations are for creating private APIs that are only accessible within a VPC, but this solution is about restricting access to certain IP addresses.

Option C (Private subnet and ACLs): Deploying the API in a private subnet and using network ACLs adds unnecessary complexity and isn ' t the best fit for HTTP APIs.

Option D (Security group): API Gateway doesn ' t have a security group because it isn ' t a resource inside a VPC. Instead, resource policies are the correct mechanism for controlling IP-based access.

AWS References:

Controlling Access to API Gateway with Resource Policies

Option Auses an IAM role attached to the EC2 instance profile, enabling secure and automated access to Secrets Manager. This is the recommended approach.

Option Buses IAM users, which is less secure and harder to manage.

Option Cis not practical for accessing secrets programmatically.

Option Dviolates best practices by granting direct access to the EC2 instance.

Because the workload follows apredictable business-hours schedule, the lowest-overhead solution is to usescheduled scalingwith EC2 Auto Scaling. AWS documentation states that scheduled actions let you scale an Auto Scaling group at specific times or on recurring schedules by changing desired, minimum, and maximum capacity. That directly matches a workload that needs instances during business hours and not at night. Manual start and stop actions add operational work, Spot Instances risk interruptions during business hours, and sizing for maximum load with Reserved Instances would overpay for idle time. Scheduled scaling automates the exact time-based pattern the question describes.

============

Amazon SQS is a fully managed message queuing service that reliably decouples and scales microservices, distributed systems, and serverless applications. By using SQS, microservices can communicate asynchronously, handle bursts of traffic, and avoid data loss by buffering messages until they are processed. Deploying the services on ECS with AWS Fargate further reduces operational overhead by removing the need to manage servers, allowing independent scaling of each microservice.

Reference Extract:

" Amazon SQS decouples application components and enables message durability and scaling. AWS Fargate removes the need to manage infrastructure, supporting independent scaling and minimal operational overhead. "

Source: AWS Certified Solutions Architect – Official Study Guide, Microservices and Messaging section.

The requirement is to restrict actions by Region to prevent accidental cross-Region operations that could violate data residency rules. The most direct and flexible way to enforce Region-based restrictions in AWS is to use IAM condition keys, specifically aws:RequestedRegion, in identity-based policies (and commonly in permission boundaries or SCPs when managing an organization).

Option B is correct because it applies Region constraints at authorization time. By adding conditions that allow actions only when aws:RequestedRegion matches an approved list (or denies when it matches disallowed Regions), the company can prevent users and roles from creating, modifying, or accessing resources in the wrong Region. This approach is broad and can be applied across many services, not just EC2, making it suitable for enforcing data residency boundaries across a multi-Region footprint.

Option A is too narrow because it restricts only ec2:RunInstances. Data residency concerns typically apply to many services (S3, RDS, DynamoDB, KMS, etc.), and limiting only EC2 does not prevent accidental data operations elsewhere. Option C controls where requests come from (source IP), not which Region is targeted. Option D (AWS Config) is detective, not preventative; it can alert after noncompliant actions occur, which does not meet the requirement to prevent accidental operations.

Therefore, B best meets the requirement by enforcing Region-level guardrails through IAM authorization conditions, helping ensure workloads remain within approved geographic boundaries.

AWS Lake Formationis designed for managing fine-grained access control to data in an efficient manner:

Granular Permissions: Lake Formation allows column-level, row-level, and table-level access controls, which can precisely define access to PII data.

Integration with AWS Glue Catalog: Lake Formation natively integrates with AWS Glue for seamless data cataloging and access control.

Operational Efficiency: Centralized access control policies minimize the need for separate IAM roles or policies.

Why Other Options Are Not Ideal:

Option A:

Creating multiple IAM policies introduces complexity and lacks column-level access control.Not efficient.

Option B:

Managing multiple IAM roles for granular access is operationally complex.Not efficient.

Option D:

Creating views in Glue adds unnecessary complexity and may not provide the level of granularity that Lake Formation offers.Not the best choice.

AWS References:

AWS Lake Formation:AWS Documentation - Lake Formation

Fine-Grained Permissions with Lake Formation:AWS Documentation - Fine-Grained Permissions

EC2 Account Attributes: Amazon EC2 allows you to set account attributes to automatically encrypt new EBS volumes. This ensures that all new volumes created in your account are encrypted by default.

Configuration Steps:

Go to the EC2 Dashboard.

Select " Account Attributes " and then " EBS encryption " .

Enable default EBS encryption and select the default AWS KMS key or a customer-managed key.

Prevention of Unencrypted Volumes: By setting this account attribute, you ensure that it is not possible to create unencrypted EBS volumes, thereby enforcing compliance with security requirements.

Operational Efficiency: This solution requires minimal configuration changes and provides automatic enforcement of encryption policies, reducing operational overhead.

AWS Glue provides a serverless ETL solution requiring minimal development. Glue supports conversion to Parquet with managed jobs and integrates with S3 for output.

AWS Documentation References:

AWS Glue Overview

Big data workloads that need to process terabytes of data in memory requirememory-optimized instancesfor the core and task nodes to ensure sufficient memory for processing data efficiently.

Primary Node:Ageneral purpose instanceis suitable because it manages cluster operations, including coordination and monitoring, and does not process data directly.

Core and Task Nodes:These nodes handle data storage and processing.Memory-optimized instancesare ideal because they provide high memory-to-CPU ratios, which is critical for in-memory big data workloads.

Why Other Options Are Incorrect:

Option A:Storage optimized and compute optimized instances are not suitable for workloads that rely heavily on in-memory processing.

Option B:A memory-optimized primary node is unnecessary because the primary node does not process data.

Option D:General purpose instances for all nodes will not provide sufficient memory for processing terabytes of data in memory.

AWS Documentation References:

Amazon EMR Instance Types

Memory-Optimized Instances

The best design is todecouple the two stages with SQS queuesand scale each Auto Scaling group based onqueue depth. Amazon SQS provides durable message storage, so orders are not lost if one processing tier scales slowly or temporarily falls behind. AWS recommends queue-based scaling when producers and consumers operate at different speeds. Monitoring CPU alone does not reflect business backlog accurately, but queue length directly represents pending work. Using two queues also lets the company scale collection and fulfillment independently, which is important because fulfillment takes longer than collection. This is the most resilient and scalable pattern for variable order traffic.

============

Compute Savings Plansoffer the most flexible and cost-effective solution for the production instances, as they provide significant savings (up to 66%) for both EC2 and AWS Lambda usage, while allowing flexibility in the type of instance family, size, and even region. For nonproduction instances, usingOn-Demand Instancesensures you only pay for the instances when they are running, and shutting them down during off-hours further optimizes cost.

Key AWS features:

Compute Savings Plans: Provide savings based on consistent usage, making it ideal for production environments with steady load.

On-Demand Instances: Suitable for nonproduction environments that are used intermittently. Shutting them down when not in use avoids unnecessary costs.

AWS Documentation: According to AWS ' s cost optimization best practices, using a combination of Savings Plans for production and On-Demand Instances for nonproduction environments that are used sparingly results in optimal cost savings??.

AWS Organizations: AWS Organizations allows you to create multiple AWS accounts and manage them centrally. You can organize accounts into organizational units (OUs) and apply policies to these units.

Organizational Units (OUs):

Create separate OUs for each department: finance, data analytics, and development.

Place the respective AWS accounts for each department into their corresponding OUs.

Service Control Policies (SCPs):

SCPs are policies that can restrict which AWS services and actions are available to accounts in an OU.

Create SCPs to define which services each department can use and attach these policies to the appropriate OUs.

SCPs apply to all IAM users, groups, and roles within the accounts in the OU, providing centralized control over service usage.

Operational Efficiency: Using AWS Organizations and SCPs provides a scalable and centralized way to manage permissions across multiple accounts with minimal operational overhead.

Amazon EMR on EC2 supports “runtime roles (application-scoped IAM roles)” so each application/step assumes its own IAM role with least-privilege S3 access. You enable this via an EMR security configuration by setting “EnableApplicationScopedIAMRole = true.” The EMR core/Task nodes run under the cluster’s EC2 instance profile; therefore the instance profile must be permitted to “sts:AssumeRole” into the defined EMR runtime roles, and each runtime role must trust the instance profile (trust policy principal is the instance profile role). This design limits each job’s S3 scope via role policies and enforces per-job access segregation. Option B reverses the trust (incorrect). Option E trusts the EMR service role (not used to assume runtime roles). Option F is unrelated (encryption in transit). The correct trio is to enable application-scoped roles (A), authorize the instance profile to assume them (C), and configure the runtime roles’ trust relationship to allow that assumption (D).

Explanation (AWS Docs):

DynamoDB has a built-in feature called Time to Live (TTL) which automatically deletes expired items without manual intervention. This requires adding a timestamp attribute and setting a TTL on the table. This is the lowest operational overhead approach.

“You can use DynamoDB TTL to automatically delete items after a specified time, reducing storage costs and administrative overhead.”

— DynamoDB TTL

Amazon FSx for Lustre: Lustre is a high-performance file system designed for workloads that require fast storage with sustained high throughput and low latency. It integrates with Amazon S3, making it suitable for HPC environments.

Persistent File Systems:

Persistent Storage: Suitable for long-term storage and recurrent use, providing durability and availability.

High Throughput and Low Latency: Persistent Lustre file systems can handle large amounts of data with sub-millisecond latency, meeting the needs of high-performance computing workloads.

Simultaneous Access: FSx for Lustre allows thousands of compute instances to access and process large datasets concurrently, ensuring that the high volume of data is handled efficiently.

Highly Available: FSx for Lustre is designed to provide high availability and is managed by AWS, reducing the operational burden.

The database workload has high variability and unpredictability, which makes fixed-capacity database solutions inefficient and costly. The company also requires MySQL compatibility without schema or application changes.

Amazon Aurora Serverless (MySQL-compatible) is specifically designed for this scenario. Option C automatically scales database capacity up or down based on workload demand, making it highly cost-effective for sporadic usage patterns. During peak periods, Aurora Serverless scales seamlessly to handle increased load, and during idle periods, capacity scales down, significantly reducing cost.

Option A (DynamoDB) is not suitable because it is a NoSQL service and would require significant application and schema changes. Option B (RDS for MySQL) uses fixed instance sizes and would require overprovisioning to handle peak loads, increasing cost. Option D introduces high operational overhead and does not provide automatic database scaling.

Therefore, C best meets the requirements by providing MySQL compatibility, serverless scaling, and cost optimization for variable workloads.

Amazon RDS supports encryption at rest by using AWS KMS keys backed by AWS CloudHSM. This allows use of dedicated FIPS 140-2 Level 3 validated hardware modules to manage encryption keys, meeting compliance for sensitive data such as PII.

From AWS Documentation:

“You can use AWS KMS with keys that are backed by AWS CloudHSM to control the encryption of RDS databases. This provides dedicated HSM-backed key storage and management.”

(Source: Amazon RDS User Guide – Encrypting Amazon RDS Resources)

Why B is correct:

Meets the requirement for dedicated HSM hardware.

Fully integrates with RDS for transparent encryption at rest.

Satisfies compliance standards for healthcare and regulated data.

Why others are incorrect:

A: Keys in CloudHSM directly are not used by RDS; they must be managed through KMS integration.

C: EC2 instance stores are ephemeral, not suitable for RDS databases.

D: SSE-S3 applies to S3 objects, not databases.

The correct answer isAbecause the application is aglobal Voice over IPworkload that needslow latency,high availability, andautomated failover across AWS Regions.AWS Global Acceleratoris specifically designed to improve the availability and performance of global applications by routing user traffic over the AWS global network to the optimal healthy endpoint. It usesstatic Anycast IP addresses, which means users connect through fixed IP addresses that do not depend on client-side DNS or IP address caching behavior.

This is especially valuable for latency-sensitive applications such as Voice over IP, where rapid routing decisions and fast failover are critical. Global Accelerator continuously monitors endpoint health and can automatically direct traffic to healthy endpoints in another AWS Region if a failure occurs. This supports the requirement for cross-Region failover with minimal disruption.

Option B is incorrect becauseRoute 53 geolocation routingdirects traffic based on user location, but DNS-based routing can be affected by client-side caching and does not provide the same performance acceleration or fast failover behavior as Global Accelerator. Option C is incorrect becauseAmazon CloudFrontis primarily a content delivery network for HTTP and similar content distribution scenarios, not the preferred service for real-time Voice over IP traffic. Option D is incorrect because anApplication Load Balancerdoes not by itself provide global routing or multi-Region failover.

AWS best practices for global, latency-sensitive applications recommendAWS Global Acceleratorwhen the goal is to improve performance, use the AWS backbone network, and provide health-based failover without depending on DNS cache expiration. Therefore,AWS Global Accelerator with health checksis the best solution.

To track costs by department, you must activate the custom department tag as a cost allocation tag in the AWS Organizations management account. Once activated, Cost Explorer and cost and usage reports can group costs by this tag for all linked accounts. The most operationally efficient way is to activate only the relevant department tag and create a cost and usage report grouped by that tag.

AWS Documentation Extract:

“To use a tag for cost allocation, you must activate it in the AWS Billing and Cost Management console. After activation, you can use the tag to group costs in Cost Explorer and reports.”

(Source: AWS Cost Management documentation)

A, E: aws:createdBy is not related to department cost grouping and is unnecessary.

B: Applying extra filters is optional; D is more direct and operationally efficient.

Explanation (AWS Docs):

Although the question says “before sending it,” AWS best practice for sensitive data is SSE-KMS (Server-side encryption with AWS KMS keys), which gives full key usage auditing. It integrates with AWS KMS and provides compliance-friendly encryption at rest automatically.

“SSE-KMS uses AWS Key Management Service to manage encryption keys. SSE-KMS also provides an audit trail of key usage.”

— Protecting Data Using Server-Side Encryption

Why not D?

Client-side encryption requires custom key management and adds operational overhead. C is simpler and compliant.

AmazonSES (Simple Email Service)allows for the automatic ingestion of incoming emails. By setting up email receiving in SES and creating a rule set with a receipt rule, you can configure SES to invoke anAWS Lambda functionwhenever an email is received. The Lambda function can then process the email body and attachments, saving any attachments to an Amazon S3 bucket. This solution is highly scalable, cost-effective, and provides near real-time processing of emails with minimal operational overhead.

Option B (Content filtering): This only filters emails based on content and does not provide the functionality to save attachments to S3.

Option C (S3 Event Notifications): While SES can store emails in S3, SES with Lambda offers more flexibility for processing attachments in real-time.

Option D (EventBridge rule): EventBridge cannot directly listen for incoming emails, making this solution incorrect.

AWS References:

Receiving Email with Amazon SES

Invoking Lambda from SES

Amazon EFS provides a shared, elastic, low-latency file system that can be mounted concurrently by many EC2 instances across multiple Availability Zones, delivering strong read-after-write consistency so all instances see updates almost immediately. This is the standard pattern for CMS-style workloads that require shared, up-to-date assets with minimal lag. Syncing local copies from S3 (C) introduces polling windows and eventual consistency delays; hourly sync is not near-real time. Copying from a “newest instance” (A) is brittle and not scalable. EBS volumes/snapshots (D) are single-instance, single-AZ block devices and not designed for multi-writer sharing across instances/AZs. EFS’s multi-AZ design and POSIX semantics provide the simplest, most reliable solution with the least operational overhead.

AWS Secrets Manager natively supports automatic rotation of RDS for Oracle credentials, fully integrating with Amazon RDS. Rotation workflows are managed automatically by the service, eliminating custom scripting and reducing operational effort.

Migrating to EC2 (Option C) requires custom rotation logic. Converting to DynamoDB or Neptune (Options A and D) would require complete database redesign and do not fulfill the requirement to run Oracle.

Amazon SQS FIFO queues support deduplication and ordering. AWS documents thatMessageDeduplicationIdis used with FIFO queues to prevent duplicate delivery within a5-minute deduplication window, which matches this requirement exactly. Standard queues do not provide this deduplication guarantee, and SNS filter policies are not a deduplication mechanism for this use case. Because the company wants the least development effort, using API Gateway to place messages directly on an SQS FIFO queue with a deduplication token is the cleanest approach.

============

AWS Budgets is the correct service because it is built to track AWS costs and usage and to take action when thresholds are reached. In this scenario, the company explicitly doesnotwant automatic resource restriction, so the right pattern is to use budget thresholds and define an action path that supportsmanual review. AWS documentation explains that AWS Budgets can monitor costs and trigger budget actions, and it also supports forecast-based alerts, which help identify likely overruns as early as possible. Daily reports alone are slower and less proactive, while automatic restrictions violate the requirement. Service control policies are not the mechanism used to define spending thresholds themselves. A Budgets-based workflow is therefore the cleanest and most appropriate solution. (AWS Documentation)

============

EBS Elastic Volumes allow you to dynamically increase storage size, adjust performance, and change volume types without downtime, supporting operational efficiency and scalability for SaaS applications that need to allocate varying storage amounts to customers.

Migrating from EBS to S3 (Option A) is not suitable since S3 is object storage, not block storage, and does not support block-level I/O required by many applications. EFS (Option B) and FSx (Option C) are shared file systems, which might add unnecessary complexity and cost, especially if the application depends on block storage semantics.

Using Lambda to automate Elastic Volumes resizing provides cost efficiency by allocating resources on demand and reduces operational overhead, aligning with AWS operational excellence and cost optimization best practices.

Amazon RDS read replicas provide a way to offload read traffic from the primary database, allowing read-intensive applications to query the replica without impacting the performance of the production (write) database. This is especially effective for workloads that involve frequently changing data but do not benefit from caching, since queries are rarely repeated.

Reference Extract from AWS Documentation / Study Guide:

" Read replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. "

Source: AWS Certified Solutions Architect – Official Study Guide, RDS Read Replica section.

The right solution isAPI Gateway + Lambda + Amazon Comprehend + DynamoDB. AWS documents that Amazon Comprehend is the NLP service for detecting entities, sentiment, and key phrases, which matches the workload exactly. DynamoDB is a fully managed, distributed database designed for high-throughput workloads and single-digit millisecond performance at scale, making it a strong fit for a highly available application handling many concurrent requests. The other answers misuse services: Amazon Translate is for translation, Amazon Textract is for extracting text from documents, and ElastiCache is a cache rather than the durable primary database described in the question. This makes option A the only architecture that aligns with both the NLP functions and the scalable database requirement. (AWS Documentation)

============

The correct answer isCbecause the company already usesAmazon FSx for NetApp ONTAPand requires a disaster recovery solution in a secondary Region that preserves access through thesame protocols, specificallyCIFS and NFS. The most appropriate solution is to deploy a secondFSx for ONTAPfile system in the secondary Region and useNetApp SnapMirrorto replicate data between Regions. SnapMirror is built for ONTAP-based replication and is the native mechanism for efficient, storage-level disaster recovery.

This option provides the least operational overhead because it uses the capabilities already integrated into FSx for ONTAP rather than introducing another storage platform or custom replication tooling. It also preserves protocol compatibility, so applications in the recovery Region can continue to access data through CIFS and NFS without architectural changes.

Option A is incorrect because replicating data to Amazon S3 does not preserve native CIFS and NFS file shares. Option B can support recovery, but backups and restores are not the best fit for an active DR strategy where the secondary Region needs accessible replicated storage with the same protocols and lower recovery effort. Option D is incorrect because Amazon EFS does not provide CIFS/SMB support in the same way as FSx for ONTAP and would require a platform change.

AWS guidance for FSx for ONTAP disaster recovery favors usingSnapMirror replicationto another FSx for ONTAP deployment. This approach is protocol-compatible, efficient, and operationally simpler than building a custom DR workflow.

The most efficient way for management-style reporting is AWS Cost Explorer, because it is designed for interactive cost analysis, filtering, grouping, and exporting reports without building a data pipeline. If the organization has activated cost allocation capabilities (for example, by tagging resources or using other allocation methods), Cost Explorer can present costs in a way that supports chargeback/showback and budgeting. From an operational standpoint, generating and downloading a report from Cost Explorer is quick, requires minimal setup, and is repeatable for periodic budget planning.

Option A (Athena) is powerful but typically requires setting up the Cost and Usage Report (CUR) delivery to Amazon S3, defining schemas, and writing/maintaining SQL queries. That is more operational overhead than needed when the ask is “most efficient way to obtain this report information.” Option C (billing dashboard bill download) provides invoice-style line items, but it is not optimized for slicing/grouping “by user” and may not align with departmental budgeting workflows. Option D is unrelated: AWS Budgets alerts on thresholds and forecasts; it does not generate a billed-items-by-user report.

Important nuance: “by user” reporting in AWS is usually achieved through cost allocation tags, account structure, or other allocation dimensions rather than literal per-person IAM identity billing. In practice, departments/teams/users are mapped via tagging and chargeback structures, which Cost Explorer is intended to analyze and export. As a result, Cost Explorer is the most operationally efficient tool to produce a downloadable report for budget planning.

Therefore, B best meets the requirement with the least effort and fastest path to a usable report.

Amazon S3 Intelligent-Tiering is designed for unknown or unpredictable access patterns, automatically moving objects to the most cost-effective tier without performance impact.

It is ideal when you do not know object size or access frequency.

S3 Standard (Option B) works but costs more.

S3 One Zone-IA and Glacier Deep Archive (Options D and A) are not appropriate because data is frequently accessed for processing and persists only 24 hours.

=====================================================

AWS Backup offers centralized management, scheduling, and retention of backups for supported AWS services including Amazon DynamoDB. It enables compliance retention with minimal management.

From AWS Documentation:

“AWS Backup provides centralized backup management across AWS services, including DynamoDB. You can define backup plans, schedules, and retention policies to meet business or regulatory requirements.”

(Source: AWS Backup Developer Guide – Backing up DynamoDB Tables)

Why B is correct:

Automatically manages backup scheduling and retention (7 years).

Centralized compliance monitoring via AWS Backup Audit Manager.

Fully managed and requires no custom automation.

Why others are incorrect:

A: PITR is for continuous restore within 35 days, not long-term compliance retention.

C & D: Manual or Lambda-based backups require custom management and increase operational complexity.

Edge-Optimized API: Designed for global users by routing requests through CloudFront ' s edge locations, reducing latency.

Content Encoding: Enabling content encoding compresses data, further optimizing performance by decreasing payload size.

Caching: Adding API Gateway caching reduces the number of calls to Lambda and database backends, improving latency.

Reserved Concurrency: Although useful, this does not directly affect latency for transferring static and dynamic content.

AWS API Gateway Edge-Optimized APIs Documentation

When operating in disconnected or limited-connectivity environments, such as ships at sea, AWS recommends using AWS Snowball Edge devices to host local compute and storage workloads. Snowball Edge supports Amazon EC2 instances and AWS IoT Greengrass, and can run Amazon EKS Anywhere for local Kubernetes cluster deployments.

From AWS Documentation:

“You can use AWS Snowball Edge devices to run compute-intensive applications in remote or disconnected locations. Snowball Edge devices support running Amazon EC2 instances and Amazon EKS Anywhere clusters.”

(Source: AWS Snow Family – Developer Guide)

Why A is correct:

Snowball Edge provides local compute and storage even without internet connectivity.

Multiple Snowball Edge devices can be clustered together for high availability and failover.

Fully self-contained environment suitable for ships or field operations.

Why the others are incorrect:

B, C, D require network connectivity to AWS Regions or Zones (Local Zone, Outposts, Wavelength), which is not available at sea. These options cannot operate fully disconnected.

Amazon Macie: Detects sensitive data such as PII in S3 buckets using machine learning.

EventBridge Rule: Filters Macie findings for specific sensitive data events (e.g., SensitiveData).

SNS Notification: Provides real-time alerts to the security team for immediate action.

Amazon Macie Documentation,Amazon EventBridge Documentation

AWS Outposts brings native AWS services (including Amazon EMR) on-premises, ideal when data residency or latency constraints require local processing.

You benefit from AWS’s managed services while meeting the requirement to keep data processing local.

Comprehensive and Detailed Explanation (paraphrased from AWS Solutions Architect guidance):

Amazon Route 53 latency-based routing is specifically designed to route users to the endpoint that provides the lowest latency, based on actual latency measurements between AWS Regions and users’ networks. This directly supports the goal of optimizing load times (performance).

For non-AWS endpoints (like an on-premises data center), Route 53 lets you create a latency routing record and associate it with the AWS Region that is closest to that endpoint. In this case, the on-premises data center is near us-west-1, so you associate that latency record with the us-west-1 Region.

Users for whom the eu-central-1 Region has lower latency will be routed to the AWS website in eu-central-1.

Users for whom the us-west-1–associated endpoint has lower latency will be routed to the on-premises website.

This matches AWS best practices for high-performance, low-latency architectures when you have multiple endpoints in different geographic locations, including a mix of AWS and on-premises resources.

Why the other options are not correct:

Option A (Failover routing):

Failover routing is designed for high availability and disaster recovery (active–passive), not for optimizing latency.

All traffic goes to the primary endpoint (eu-central-1) unless it is unhealthy. That does not choose the lowest-latency endpoint for each user, so it does not meet the “optimize load times as much as possible” requirement.

Option B (IP-based routing):

IP-based / geo-based policies are about directing users based on location information (IP/geo), not measured latency.

You would have to manually decide which IP ranges get which endpoint, which does not guarantee that each user goes to the lowest-latency endpoint. It’s less precise and less dynamic than latency-based routing.

Option D (Weighted routing):

Weighted routing splits traffic according to fixed weights (e.g., 50/50), regardless of user location or latency.

This is useful for testing, blue/green deployment, or gradual traffic shifting, but not for performance optimization per user.

Therefore, the only option that directly aligns with AWS guidance for performance optimization and latency-based traffic steering across Regions and on-premises endpoints is:

? C. Create a DNS record with a latency-based routing policy… associate the on-premises endpoint with us-west-1.

To optimize costs for both Amazon EC2 and AWS Fargate, the best option is a Compute Savings Plan because it offers flexibility across instance families, Regions, and compute options including EC2, AWS Fargate, and AWS Lambda.

Unlike EC2 Instance Savings Plans, which apply only to specific instance families, Compute Savings Plans apply across multiple services.

Since the company does not want to commit to multi-year contracts or large upfront payments, the 1-year No Upfront Compute Savings Plan provides the greatest flexibility with no upfront capital commitment, while still offering cost savings over On-Demand pricing.

This option also aligns with cost-optimization best practices by allowing for scalability and service mix flexibility.

???? Reference:

AWS Compute Savings Plans

AWS Pricing Models

DynamoDB Global Tablesprovide a fully managed, multi-region, and multi-master database solution that allows you to deploy DynamoDB tables in multiple AWS Regions. This ensures high availability and resiliency across different geographical locations, providing a seamlessgaming experience for users. Usingprovisioned capacity modewithauto-scalingensures cost-efficiency by scaling up or down based on actual demand.

Option A: While on-demand capacity mode is flexible, provisioned capacity with auto-scaling is more cost-effective for predictable workloads.

Option B (DAX): DAX improves read performance, but it doesn ' t provide the multi-region replication needed for high availability and resiliency.

Option C: DynamoDB Streams with manual cross-region replication adds more complexity and operational overhead compared to Global Tables.

AWS References:

DynamoDB Global Tables

The requirement that the security team manage key lifecycle actions such as creation, deletion, and rotation points tocustomer managed AWS KMS keys, not SSE-S3. Customer managed KMS keys allow fine-grained IAM authorization for both the Lambda execution role and the security administrator group. That supports least privilege because the Lambda role can be restricted to decrypt usage, while the administrator group can be limited to the KMS management actions it actually needs. The other answers either do not provide the required KMS management control or grant permissions too broadly. Therefore, using customer managed KMS keys with separate, scoped IAM permissions for decryption and key administration is the correct design.

============

The requirement is explicitly for database availability inanother AWS Region, so the correct solution isAurora cross-Region read replicas. AWS documentation states that cross-Region Aurora Replicas create a replica of the primary DB cluster in another Region using engine-native replication, which provides a low-disruption disaster recovery option. Multi-AZ and standard Aurora Replicas improve availability or scalingwithin a Region, not across Regions. EBS snapshots are not how Aurora disaster recovery is typically delivered and would involve more operational disruption and slower recovery. Therefore, cross-Region Aurora Replicas are the best match for cross-Region DR with minimal change to operations.

============

AWS Backup is a fully managed backup service that can create backup plans for EC2 instances, including both instance configurations and attached EBS volumes, with scheduled and cross-Region copy capabilities. By adding the EC2 instances to the resource assignment in the backup plan, AWS Backup automatically backs up all configurations and attached EBS volumes, and can copy backups to a secondary Region for disaster recovery, providing the highest operational efficiency with the least manual effort.

AWS Documentation Extract:

“AWS Backup provides fully managed backup for EC2 instances and attached EBS volumes, with scheduling, retention, and cross-Region copy built in. By adding the EC2 instance as a resource, the backup includes both configuration and attached volumes.”

(Source: AWS Backup documentation)

A, D: Custom Lambda scripts increase operational overhead and are not as integrated or robust as AWS Backup.

C: Assigning only EBS volumes does not include the EC2 instance configuration, which is needed for full recovery.

Predictive scaling in EC2 Auto Scaling uses machine learning to analyze historical load and forecast future capacity needs, then pre-scales capacity before the demand occurs. It is specifically designed for recurring, cyclical workloads such as weekly batch jobs.

In this scenario:

The workload pattern is known and recurring (weekly scripted jobs).

The company explicitly does not want to manually analyze trends.

They need capacity to be ready 30 minutes before jobs start.

Predictive scaling lets you:

Set the metric (CPU utilization) and target (60%).

Configure the policy to pre-launch instances 30 minutes in advance, satisfying the requirement automatically with minimal operational overhead.

Dynamic scaling (Option A) reacts after CPU increases, not before.

Scheduled scaling (Option B) requires manual analysis and ongoing adjustment of capacity values.

EventBridge + Lambda (Option D) introduces unnecessary custom logic and still reacts after CPU reaches 60%, not 30 minutes before.

AWS Transfer Family (SFTP) allows clients to use standard SFTP clients and SSH keys without changes. By enabling service-managed users, clients can continue uploading files with their existing tools.

The service delivers the files directly into S3, reducing latency between upload and processing. This removes the need for EC2, custom scripts, and periodic transfers. It fully meets the requirement for a managed solution with minimal disruption to client processes.

AWS best practices strongly recommend enabling MFA on the root user, but they also emphasize planning for MFA device loss. AWS allows the configuration of multiple MFA devices for the root user, which provides redundancy and ensures continued access in disaster scenarios. Option B directly addresses the requirement by enabling a backup authentication method without weakening security controls.

Adding multiple MFA devices ensures that if one device is lost, damaged, or unavailable, the organization can still authenticate securely using the secondary device. This approach maintains strong security while eliminating the risk of permanent root account lockout. It also avoids time-consuming recovery processes that require contacting AWS Support and proving account ownership.

Option A is not sufficient because IAM administrator accounts do not replace root access and cannot perform certain root-only actions. Options C and D are not feasible because new administrator accounts or policy changes cannot be made if root access is already lost.

Therefore, B is the correct and AWS-recommended solution to ensure uninterrupted, secure access to the root account while maintaining MFA protection.

Protecting an application from layer 7 (application layer) DDoS attacks is best achieved by using AWS WAF (Web Application Firewall), which provides customizable protection against common web exploits including DDoS attacks at the application layer. AWS WAF supports managed rule groups maintained by AWS, which offer robust, tested protections against OWASP top 10 vulnerabilities and common attack patterns without requiring extensive manual rule creation.

While AWS Shield Standard provides basic network-layer DDoS protection automatically at no additional charge, it does not offer application-layer filtering capabilities. Therefore, option A alone is insufficient.

Option B, involving only custom rules, requires significant operational overhead and expertise, whereas AWS managed rules offer a turnkey solution with ongoing updates from AWS security teams.

Option D, using CloudFront in front of the ALB, can provide additional protection benefits such as caching and geographic restrictions, but the question specifically asks for protecting against layer 7 DDoS on the ALB directly. CloudFront plus WAF is a valid enhanced solution, but the direct and recommended answer in AWS official documents is to use AWS WAF managed rules directly with ALB for application-level protection.

AWS provides EBS Block Public Access at the AWS Organizations level, which, when enabled, prevents EBS snapshots from being shared publicly across all member accounts. This is an organization-wide control that requires minimal configuration and no ongoing monitoring to prevent public sharing.

This directly satisfies the requirement:

Covers all accounts managed by Organizations.

Explicitly prevents public snapshot sharing.

Has the least operational overhead because it is a single centralized control.

AWS Config (Option A) only monitors and alerts, but does not prevent public sharing.

An IAM policy in the root account (Option C) is harder to enforce consistently across all accounts and may not cover all permission paths.

CloudTrail (Option D) only logs events and does not prevent public access.

Option Bis the correct solution because:

AWS Security Token Service (STS)allows the web application to request temporary security credentials that grant access to AWS resources. These temporary credentials are secure and short-lived, reducing the risk of misuse.

Using STS and IAM roles ensures scalability by enabling the application to dynamically assume roles with the required permissions for each AWS service.

Option A:Assigning IAM roles directly to instances is less flexible and would grant the same permissions to all applications on the instance, which is not ideal for a multi-service web application.Option C:AWS IAM Identity Center is used for managing single sign-on (SSO) for workforce users and is not designed for granting programmatic access to web applications.Option D:Storing long-term access keys, even in AWS Systems Manager Parameter Store, is less secure and does not scale well compared to temporary credentials from STS.

AWS Documentation References:

AWS Security Token Service (STS)

IAM Roles for Temporary Credentials

The critical requirement is immediate processing upon customer submission, with a typical compute duration of about 10 seconds. This is an ideal fit for a synchronous, request-driven, serverless pattern: API Gateway + AWS Lambda. API Gateway provides a managed HTTPS front door for the application, handles request validation/throttling if needed, and integrates directly with Lambda. Lambda is designed for short-lived computations, scales automatically with request volume, and can complete 10-second tasks well within typical Lambda execution limits.

Option A therefore meets the requirement with low latency and minimal operational overhead. When a customer submits data, API Gateway invokes the Lambda function immediately, and the function returns the calculated premium response. This preserves an interactive user experience and avoids provisioning or managing servers. It also handles bursts gracefully because Lambda concurrency can scale quickly, and API Gateway can absorb high request rates.

Option B is unsuitable because launching a Spot instance per upload introduces significant startup latency (instance launch time) and is not reliable due to Spot interruptions. Option C and D are not “immediate”: Transfer Family is for file transfers, and scheduled EKS jobs or Batch jobs introduce queuing and scheduling delays. While Batch can be event-driven, it is typically used for longer-running or batch-oriented workloads and still has job-start overhead compared to Lambda.

Therefore, A best matches the requirements for immediate execution, scalability, and low operational burden while maintaining responsive performance for customers.

AWS documentation states that the most secure method for granting private S3 access from VPCs is to use gateway VPC endpoints for Amazon S3. Endpoint policies enforce least privilege by allowing only specific IAM roles access to specific S3 buckets. Because users can obtain temporary credentials through IAM roles, no permanent access keys must be distributed.

S3 bucket policies based on CIDR ranges (Option B) are less secure because CIDR-based access is broader and can grant unintended access. Access points (Option C) still rely on public S3 endpoints unless combined with VPC-only access, which is not stated here. Option D exposes S3 to public internet egress and depends on public IPs, violating least-privilege principles.

=====================================================

For a large-scale multi-account AWS environment with many VPCs and centralized Direct Connect, AWS recommends using a Transit Gateway (TGW) architecture combined with a Direct Connect gateway (DXGW). This setup allows scalable, centralized connectivity between on-premises and multiple VPCs across accounts.

Step B: Creating a Direct Connect gateway and Transit Gateway in a central network account and connecting them via a transit VIF enables the on-premises network to access all connected VPCs.

Step D: Sharing the transit gateway with other accounts via AWS Resource Access Manager (RAM) allows the central TGW to attach VPCs in multiple accounts, simplifying multi-account connectivity.

Step F: To route cloud resources’ internet traffic back through the on-premises data center (for centralized egress), provisioning only private subnets and routing outbound internet traffic through NAT or firewall services in the data center is necessary. This requires configuring transit gateway and customer gateway routes appropriately.

Option A is partially correct in the use of Direct Connect gateway but association proposals are not scalable for hundreds of VPCs and accounts compared to transit gateway. Option C (internet gateway) is irrelevant here as traffic egress is required via on-premises data center, not directly to the internet. Option E (VPC peering) is not scalable for hundreds of VPCs.

Amazon EFS Lifecycle Management enables automatic cost optimization by transitioning files that haven’t been accessed for a defined period (e.g., 7 days) from EFS Standard to EFS Infrequent Access (IA).

“Amazon EFS Lifecycle Management automatically moves files that haven’t been accessed for a set period to the EFS Infrequent Access storage class, reducing storage costs for infrequently accessed files.”

— Amazon EFS Documentation

Key Points:

EFS IA is ideal for files larger than 128 KB and accessed less frequently.

It’s seamless — no code or tools needed.

Meets requirement for cost optimization and high availability.

Incorrect Options:

A: File Gateway adds unnecessary complexity and does not use EFS.

B: Storing files locally breaks shared access and resiliency.

D: Glacier Deep Archive is cold storage — not " readily available. "

The lowest-overhead answer isAPI Gateway with direct AWS service integration to DynamoDB PutItem. DynamoDB’s API includes a native PutItem action for writing an item to a table, and API Gateway supports direct AWS service integrations, which lets the web application send requests through an API layer without developers touching DynamoDB directly. This approach is scalable, reusable, and avoids managing Lambda code purely as a pass-through layer. The SQS-based design adds unnecessary queueing for a straightforward write API, and ALB is not the appropriate frontend for invoking DynamoDB actions. Therefore, direct API Gateway service integration is the cleanest design.

============

To upload photos to an S3 bucket using Amazon CloudFront with a custom domain name, the following components are required:

ACM in us-east-1 (Option A): When using CloudFront with HTTPS, the SSL/TLS certificate must be created in theus-east-1Region. AWS Certificate Manager (ACM) handles the provisioning, management, and renewal of public certificates, making this a cost-effective and low-maintenance solution.

S3 Transfer Acceleration (Option C): Transfer Acceleration allows faster uploads to S3 from CloudFront by routing traffic through AWS’s edge locations. This significantly speeds up the data upload process, especially for users that are geographically distant from the S3 bucket ' s region.

Option B (ACM in eu-west-1): CloudFront only supports certificates created in us-east-1.

Option D and E (OAC and website endpoint): These are not ideal for handling secure uploads or efficient data transfers in this case.

AWS References:

Using ACM with CloudFront

Amazon S3 Transfer Acceleration

AWS Auto Scaling is the right answer because the requirement is to adjust capacity automatically based on a predictable time-based usage pattern. AWS documentation states that you can use scheduled scaling actions with Amazon EC2 Auto Scaling to change desired capacity at specific times or on recurring schedules. That makes it well suited for workloads that need more capacity during the day and less at night. Spot Instances and Reserved Instances are pricing models, not automation mechanisms for scheduled capacity changes. CloudFormation provisions infrastructure but does not itself optimize day-night scaling behavior. Therefore, AWS Auto Scaling is the correct service for this requirement.

AWS Fargate provides per-pod isolation for CPU, memory, storage, and networking, making it ideal for multi-tenant use cases.

AWS Documentation References:

EKS with Fargate

Amazon Route 53 is a highly available and scalable authoritative DNS service. To move a public domain, you create a public hosted zone, import or recreate the zone records, and then update the registrar to use the Route 53 name servers assigned to the zone. Route 53 is globally distributed and designed for rapid propagation and resilience, and supports features such as health checks and routing policies. A private hosted zone (Option B) is resolvable only by VPCs that are associated with it and is not for public internet DNS. Directory Service and zone transfers (Option C) are unrelated to Route 53 public DNS hosting. Route 53 Resolver inbound endpoints (Option D) provide hybrid DNS forwarding for VPC workloads, not authoritative public hosting. Therefore, the fastest AWS-native migration path to a resilient managed DNS is to create a Route 53 public hosted zone and import the existing zone file.

AWS PrivateLink enables private connectivity between VPCs and supported AWS or third-party services without exposing traffic to the public internet. It ensures secure and private communications, making it ideal for connecting internal services to SaaS applications hosted in AWS.

Using S3 gateway endpoints allows private and cost-free access to S3 without routing traffic through a NAT gateway. NAT gateway traffic incurs charges, especially when used across multiple Availability Zones.

By using an S3 gateway endpoint, EC2 instances in private subnets can access S3 directly without needing internet access, reducing both data transfer and NAT gateway costs.

Interface endpoints are more expensive and typically used for services like API Gateway or Systems Manager.

The company’s requirements are:

Store gigabytes of rarely accessed files daily.

Files must be available within minutes during the first year.

Retain files for 7 years cost-effectively.

The S3 Glacier Instant Retrieval storage class provides low-cost, long-term storage for data accessed occasionally, with millisecond retrieval time. This fits the requirement for availability within minutes during the first year. After one year, transitioning files to S3 Glacier Deep Archive (the lowest cost S3 storage class) with longer retrieval times is cost-effective for data retention over 7 years.

Option B uses S3 Standard and Glacier Flexible Retrieval, which is higher cost during the first year and slower retrieval times. Option C is less cost-efficient because EBS volumes are expensive for rarely accessed data and snapshots incur additional costs. Option D uses EFS, which is designed for low-latency file storage but is more expensive than S3 Glacier classes for long-term archival.

To manage EC2 instances with AWS Systems Manager (SSM), the EC2 instance must be configured as a managed instance by attaching an IAM role that has the AmazonSSMManagedInstanceCore managed policy.

This policy allows:

SSM agent to register the instance with SSM

Perform actions like patching, automation, session management, inventory collection, etc.

Access to SSM endpoints (via internet or VPC endpoint if needed)

Since the EC2 instance already has an IAM role, the least operational overhead option is to attach the required policy to the existing role (Option C). No need to create new IAM roles or users, which simplifies management and adheres to the principle of least privilege.

Patching can then be automated via SSM Patch Manager, ensuring consistency, compliance, and operational efficiency.

???? References:

SSM Managed Instance Setup

AmazonSSMManagedInstanceCore Policy

Patching EC2 with SSM

Aurora I/O-Optimized: This storage configuration is designed to provide consistent high performance for Aurora databases. It automatically scales IOPS as the workload increases, without needing to provision IOPS separately.

Cost-Effectiveness: With Aurora I/O-Optimized, you only pay for the storage and I/O you use, making it a cost-effective solution for applications with varying and unpredictable I/O demands.

Implementation:

During the creation of the Aurora PostgreSQL Serverless v2 cluster, select the I/O-Optimized storage configuration.

The storage system will automatically handle scaling and performance optimization based on the application load.

Operational Efficiency: This configuration reduces the need for manual tuning and ensures optimal performance without additional administrative overhead.

The correct answer isBbecause the company wants to view bothAmazon EKS clustersandon-premises Kubernetes clustersfrom acentral locationwith theleast operational overhead.Amazon EKS Connectoris designed for this purpose. It allows externally managed Kubernetes clusters, including on-premises clusters, to be registered to AWS so they can be viewed in theAmazon EKS consolealongside native EKS clusters. This creates a centralized management experience without requiring the company to migrate or rebuild the existing on-premises clusters.

EKS Connector is a low-overhead solution because it extends visibility into Kubernetes environments that are not running directly on Amazon EKS. It provides centralized cluster registration and observability at the AWS management layer while preserving the existing cluster deployments. This is especially useful for hybrid Kubernetes environments where organizations want a single control point for inventory and visibility.

Option A is incorrect becauseAmazon CloudWatch Container Insightsis primarily for metrics, logs, and performance monitoring. Although it provides observability, it is not the primary service for centrally registering and viewing clusters themselves in a unified cluster-management context. Option C is incorrect becauseAWS Systems Manageris not the main service for centralized Kubernetes cluster management. Option D is incorrect becauseAmazon EKS Anywhereis used to run Kubernetes on-premises, but it is not the simplest way to centrally view existing clusters with the least operational effort.

AWS guidance for hybrid Kubernetes visibility recommendsAmazon EKS Connectorfor connecting external Kubernetes clusters to AWS. Therefore, it is the most appropriate solution.

Amazon FSx for Lustreis a high-performance, fully managed file system that is ideal for applications requiring low-latency access to shared storage, especially in use cases like gaming where high throughput and low latency are essential. It integrates easily with EC2 instances, providing fast and scalable shared storage, and supports custom protocols for specific application needs.

Option A (FSx File Gateway): FSx File Gateway is designed for hybrid cloud storage and is not suited for high-performance gaming workloads.

Option B (EC2 Windows instance): Setting up a file share on a Windows instance would introduce additional administrative overhead and would not provide the necessary performance.

Option C (EFS with Lustre): While Lustre is integrated with FSx, EFS does not natively support Lustre.

AWS References:

Amazon FSx for Lustre

AWS Backup supports cross-Region backup for Amazon EFS, allowing automated, scheduled backups and replication to another Region. This managed service simplifies backup management and ensures data resilience without the need for custom scripts or manual processes

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

Amazon Macie is the AWS managed service specifically built to discover, classify, and protect sensitive data in Amazon S3, including many common types of personally identifiable information (PII). Macie uses automated analysis and machine learning to identify sensitive data patterns at scale and produces findings that can be reviewed, prioritized, and integrated into security workflows. Because the environment spans hundreds of buckets, millions of objects, and multiple Regions, the key requirement is to minimize operational overhead while achieving broad coverage.

Option C is therefore the best fit: enabling Macie and configuring it to evaluate the targeted buckets provides a centralized, managed approach without building custom scanners, maintaining parsing logic, or operating distributed processing pipelines. Macie is designed for large-scale S3 estates and reduces ongoing maintenance compared with bespoke solutions.

Option A is incorrect because Amazon Detective is used to investigate and analyze security findings and relationships, not to classify S3 object content for PII. Option B is incorrect because Trusted Advisor provides best-practice checks (cost, security posture items, limits), but it does not inspect S3 object contents to detect PII. Option D would require building and operating custom Lambda scanning across millions of objects, handling pagination, retries, file types, performance tuning, and cost controls—high operational overhead and ongoing maintenance, which the company wants to avoid.

Therefore, C meets the requirement most directly and with the least operational burden by using the AWS service purpose-built for PII discovery in S3.

When an application is fronted by an Application Load Balancer (ALB) and malicious traffic is detected from a specific IP, the correct way to block the IP is by using AWS WAF (Web Application Firewall).

With AWS WAF, you can create an IP Set to include the offending IP address or range.

Then create a Web ACL (Access Control List) with a rule set to BLOCK requests from that IP set.

Finally, associate the Web ACL with the ALB.

Security groups (Option A) cannot deny specific IPs because they are stateful and allow-only rules.

Amazon Detective (Option B) is a security analysis and investigation tool; it doesn’t block traffic.

AWS RAM (Option C) is for resource sharing across accounts, not for blocking IPs.

This approach aligns with AWS’s Security Pillar of the Well-Architected Framework and is fully managed, with minimal operational effort.

???? Reference:

Using AWS WAF with an Application Load Balancer

Block IPs with AWS WAF

Amazon DynamoDB supports TTL (Time To Live) for automated, scheduled deletion of expired items. It also offers point-in-time recovery (PITR) to restore the table to any second within the retention window (typically up to 35 days), providing full data durability and protection. DynamoDB can efficiently handle frequent updates and offers predictable performance. MemoryDB is an in-memory store, not designed for durable recovery. S3 with lifecycle policies does not handle updates as efficiently for small, frequent writes and is not as optimal for session data.

Reference Extract:

" DynamoDB supports TTL for automated expiration and deletion of items and PITR for continuous backups and restoration of data. "

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB section.

The correct solution isMulti-AZ deploymentbecause this is the Amazon RDS feature designed for high availability and fast failover. AWS prescriptive guidance shows Multi-AZ deployment as an in-Region DR option with an approximateRTO of 1–2 minutes, which is comfortably within the less-than-5-minute requirement. Read replicas are mainly for scaling reads, while snapshots and CloudFormation are not fast failover mechanisms. For a critical database workload that must remain highly available with minimal recovery time, Multi-AZ is the standard AWS-managed answer.

============

Amazon Kinesis Data Streams provides a highly scalable and durable service for ingesting real-time streaming data. By decoupling ingestion and processing, Kinesis can handle large spikes in traffic without service disruption. Lambda functions (or other consumers) can then process the data as it arrives, scaling automatically. This pattern avoids 503 errors due to compute saturation and delivers a resilient, serverless, and highly scalable architecture.

Reference Extract from AWS Documentation / Study Guide:

" Kinesis Data Streams provides a scalable and durable real-time data streaming service. Coupling Kinesis with AWS Lambda enables event-driven processing, elasticity, and decoupling between ingestion and processing layers. "

Source: AWS Certified Solutions Architect – Official Study Guide, Streaming and Serverless section.

Amazon EBS Snapshots Recycle Bin enables you to specify retention rules for EBS snapshots based on tags. When snapshots are deleted, they are retained in the Recycle Bin for a specified duration, preventing accidental deletion. Tag-level rules allow selective protection without changing IAM roles or user permissions.

The company is already running Kubernetes, soAmazon EKSminimizes application-platform changes while moving to AWS. The application also usesAMQP, and AWS documentation states thatAmazon MQ for RabbitMQsupports AMQP 0-9-1, which preserves the messaging model better than moving to SQS. ECS and Lambda would require a bigger platform or protocol change. Running directly on EC2 adds more operational burden than using managed Kubernetes. Therefore, EKS plus Amazon MQ is the least-overhead migration path that preserves the application’s container and messaging patterns. (docs.aws.amazon.com)

============

Amazon Aurora global database is the best answer because AWS documents state that Aurora global database replicates data to secondary Regions using dedicated infrastructure, with latency typically under one second. That directly matches the requirement for near-real-time access in eu-west-2. AWS also notes that Aurora global database is intended for cross-Region reads with minimal lag and fast disaster recovery. Standard RDS cross-Region read replicas can help, but they are not positioned as the lowest-lag cross-Region option in the way Aurora global database is. DynamoDB global tables are excellent for globally distributed NoSQL workloads, but the question centers on database-backed dashboards with complex analytical queries, which aligns better with Aurora. For the most up-to-date cross-Region dashboard reads, Aurora global database is the strongest fit.

============

Memory Optimized Instances: These instances are designed to deliver fast performance for workloads that process large data sets in memory. They are ideal for high-performance databases like SAP and applications with high memory utilization.

High Memory Utilization: Both the SAP application and the SQL Server database have high memory demands as per the on-premises performance data. Memory optimized instances provide the necessary memory capacity and performance.

Instance Types:

For the SAP application, using a memory optimized instance ensures the application has sufficient memory to handle the high workload efficiently.

For the SQL Server database, memory optimized instances ensure optimal database performance with high memory throughput.

Operational Efficiency: Using the same instance family for both the application and the database simplifies management and ensures both components meet performance requirements.

The correct answer isAbecause the application processes videos for5–30 minutes, must runmultiple jobs in parallel, and should have theleast operational overhead.Amazon ECS with AWS Fargateis a managed container solution that removes the need to provision and manage EC2 instances while still supporting longer-running parallel jobs. UsingAmazon SQS standard queuesdecouples the upload event from processing and provides a scalable buffer for incoming work.

With this design, Amazon S3 sends object-created notifications to the SQS queue whenever users upload videos. ECS services or tasks on Fargate can then consume messages from the queue and process videos independently. Auto scaling based onSQS queue depthensures the system increases task count when more videos arrive and decreases capacity when demand drops. This provides elasticity and efficient parallel processing with minimal infrastructure management.

Option B is incorrect because EC2-based scaling introduces more operational overhead than Fargate. Option C is incorrect because AWS Lambda has a maximum execution duration and is not appropriate for jobs that can run up to 30 minutes. Option D is also incorrect for the same reason; Lambda is not the best fit for this processing duration, and SNS does not provide the same durable queued work pattern as SQS for controlled parallel processing.

AWS best practices recommend usingevent-driven queues with containerized workersfor medium-duration processing jobs that need concurrency and minimal management. Therefore,S3 + SQS + ECS on Fargate with queue-based scalingis the best solution.

Amazon S3 File Gateway provides a local NFS mount point, which can be used with minimal changes by the legacy application. Files are transparently uploaded to Amazon S3, allowing the web application to access them directly from S3. This is the most cost-effective and operationally simple way to bridge legacy on-premises NFS output with S3, requiring no changes to the batch process.

AWS Documentation Extract:

“With S3 File Gateway, you can provide applications a local file interface to Amazon S3. S3 File Gateway presents a file-based interface (NFS or SMB), allowing you to use S3 as your scalable, durable storage while making files available to legacy applications.”

(Source: AWS Storage Gateway documentation)

A: Outposts is far more costly and complex than needed.

B: Volume Gateway presents iSCSI block storage, not NFS.

C: Requires re-coding the legacy app to use S3 APIs, not NFS.

Amazon Kinesis Data Streams is designed for low-latency ingestion of streaming data. Combined with Amazon Managed Service for Apache Flink, telemetry can be processed and aggregated in near real time. Processed metrics can be sent to Amazon CloudWatch, which natively supports creating dashboards, metrics visualization, and alarms. Firehose (B) is primarily for batch ingestion and delivery, not real-time analytics. EMR with Athena (C) introduces more complexity and is better for large-scale offline analytics. DynamoDB Streams (D) is not a fit because telemetry data is not stored in DynamoDB. Therefore, option A provides the most suitable and real-time analytics pipeline for telemetry data.

Amazon S3 Object Lock is the AWS feature designed for WORM storage. AWS documentation says Object Lock helps prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely and supports a WORM model. In compliance mode, even an administrator cannot shorten or remove the retention period before it expires, which is critical for confidential medical records and regulatory retention. Setting a 1-year retention period satisfies the minimum retention requirement, and IAM policies can still control which approved users are allowed to upload new objects. MFA Delete and ordinary IAM policies do not provide the same immutable WORM guarantees. A custom Lambda-based approach would add unnecessary complexity and still would not be the native compliance-oriented control that S3 Object Lock provides.

============

Amazon Kinesis Data Firehose (now known as Amazon Data Firehose) supports near-real-time streaming, with built-in support to:

Invoke AWS Lambda functions for transformation.

Store data directly into Amazon S3 in desired formats like Apache Parquet.

“You can use Data Firehose to transform the data before delivering it, by invoking a Lambda function. You can convert to formats such as JSON or Apache Parquet before storing it into S3.”

— Amazon Data Firehose Developer Guide

Why not the others?

B: Kinesis Data Streams requires more operational overhead than Firehose.

C: DataSync is for file movement—not stream processing.

D: SQS isn’t designed for streaming and transformation pipelines.

For cost-effectiveness and high availability in Amazon EMR workloads, the best approach is to configure atransient cluster(which runs for the duration of the job and then terminates) withOn-Demand Instancesfor the primary and core nodes, andSpot Instancesfor the task nodes. Here ' s why:

Primary and core nodes on On-Demand Instances: These nodes are critical because they manage the cluster and store data on HDFS. Running them on On-Demand Instances ensures stability and that no data is lost, as Spot Instances can be interrupted.

Task nodes on Spot Instances: Task nodes handle additional processing and can be used with Spot Instances to reduce costs. Spot Instances are much cheaper but can be interrupted, which is fine for non-critical tasks as the framework can handle retries.

Atransient clusteris more cost-effective than a long-running cluster for workloads that only run for 6 hours a day. Transient clusters automatically terminate after the workload completes, saving costs by not keeping the cluster running when it ' s not needed.

Option A: A long-running cluster may result in unnecessary costs when the cluster isn ' t being used.

Option C: Running core nodes on Spot Instances risks data loss if the Spot Instances are interrupted, violating the requirement for zero data loss.

Option D: Running both core and task nodes on Spot Instances is highly risky for data-critical workloads.

AWS References:

Amazon EMR Cluster Management

Using Spot Instances in EMR

Option Ais the most automated and cost-efficient solution for exporting data to S3 for analytics.

Option Binvolves manual setup of Streams to S3.

Options C and Dintroduce complexity with EMR.

AWS Lambda is not suitable for long-running jobs that can take up to 20 minutes, as Lambda has a maximum execution duration of 15 minutes.

Amazon ECS with AWS Fargate allows you to run containers without managing EC2 instances, providing a scalable and highly available environment. You can scale Fargate tasks to handle large and parallel video processing jobs. Amazon Aurora is a highly available, managed relational database. S3 Intelligent-Tiering is cost-effective for storing large video files with variable access patterns.

AWS Documentation Extract:

" AWS Fargate lets you run containers without managing servers or clusters, providing a highly available and scalable compute environment. Fargate is suitable for running data processing workloads that require long-running compute tasks. "

(Source: AWS Fargate documentation, Use Cases)

A: Lambda is not suitable for long-running (over 15 min) or heavy compute jobs.

C: Amazon EMR is optimized for big data analytics, not specific video processing. FSx for Lustre and Kinesis are not best fit for this use case.

D: EKS with EC2 adds operational overhead and RDS in a single AZ is not highly available; Glacier Deep Archive is not suitable for frequently accessed video files.

This workload is a strong candidate forAWS Batch with EC2 Spot Instancesbecause the jobs can tolerate interruptions and resume after restart. AWS documents that Spot Instances are a cost-saving option for interruption-tolerant workloads, and AWS Batch is built to manage batch jobs efficiently across EC2 capacity. AWS Batch guidance also notes that Spot is well suited when jobs can be retried or resumed, which matches the scenario. On-Demand Capacity Reservations do not optimize cost, and Savings Plans still cost more than Spot for an interruption-tolerant batch pattern. Therefore, AWS Batch with Spot gives the best balance of automation and lower compute cost.

============

Cluster Placement Group: This type of placement group is designed to provide low-latency network performance and high throughput by grouping instances within a single Availability Zone. It is ideal for applications that require tightly coupled node-to-node communication.

Configuration:

When launching EC2 instances, specify the option to launch them in a cluster placement group.

This ensures that the instances are physically located close to each other, reducing latency and increasing network throughput.

Benefits:

Low-Latency Communication: Instances in a cluster placement group benefit from enhanced networking capabilities, enabling low-latency communication.

High Network Throughput: The network performance within a cluster placement group is optimized for high throughput, which is essential for HPC workloads.

AWS Outposts extends AWS infrastructure and services to on-premises locations. Running Amazon EMR on Outposts allows for processing data that resides locally while benefiting from the managed services of EMR. This enables compliance with data residency requirements and provides scalability and manageability for analytics.

Maintaining two NAT gateways for production ensures high availability. Reducing to one NAT gateway in non-production environments lowers cost while maintaining necessary connectivity. This approach is recommended by AWS for cost optimization in non-critical environments.

Reference Extract:

" For environments that do not require high availability, you can reduce costs by using a single NAT gateway and updating route tables accordingly. "

Source: AWS Certified Solutions Architect – Official Study Guide, Cost Optimization and NAT Gateway section.

The IAM policy includes two statements:

1?? Allow ec2:TerminateInstances on all resources

2?? Deny ec2:TerminateInstances if the request does NOT come from:

192.0.2.0/24

203.0.113.0/24

AWS IAM policy evaluation rules state:

Explicit Deny always overrides Allow.

A request must meet all applicable conditions in the policy to be granted.

aws:SourceIp condition applies when IAM actions are invoked via the public AWS APIs.

In this scenario, the administrator is not originating the request from one of the allowed CIDR blocks, so the Deny condition is triggered, overriding the Allow statement.

Therefore, the operation is blocked with:

403 AccessDenied: explicit deny

This matches the behavior described in the AWS IAM Policy Evaluation Logic used in the Security Pillar of the Well-Architected Framework:

Explicit Deny > Allow > Default Deny

IP-based Conditions restrict API calls originating outside approved network ranges

Options A/B/C do not accurately reflect this explicit Deny condition behavior.

Aurora PostgreSQL supports the pgvector extension, which allows storage and querying of vector embeddings directly inside the database. This eliminates the need for external vector databases and provides cost-effective and performant integration for AI workloads.

This solution provides the most secure access for external support engineers with the least exposure to potential security risks.

AWS Systems Manager (SSM) and Session Manager: Systems Manager Session Manager allows secure and auditable access to EC2 instances without the need to open inbound SSH ports or manage SSH keys. This reduces the attack surface significantly. The SSM Agent must be installed and configured on all instances, and the instances must have an instance profile with the necessary IAM permissions to connect to Systems Manager.

IAM Identity Center: IAM Identity Center provides centralized management of access to the AWS Management Console for external support engineers. By using IAM Identity Center, youcan control console access securely and ensure that external engineers have the appropriate permissions based on their roles.

Why Not Other Options?:

Option B (Local IAM user credentials): This approach is less secure because it involves managing local IAM user credentials and does not leverage the centralized management and security benefits of IAM Identity Center.

Option C (Security group with SSH access): Allowing SSH access opens up the infrastructure to potential security risks, even when restricted by IP addresses. It also requires managing SSH keys, which can be cumbersome and less secure.

Option D (Bastion host): While a bastion host can secure SSH access, it still requires managing SSH keys and opening ports. This approach is less secure and more operationally intensive compared to using Session Manager.

AWS References:

AWS Systems Manager Session Manager- Documentation on using Session Manager for secure instance access.

AWS IAM Identity Center- Overview of IAM Identity Center and its capabilities for managing user access.

A. EC2 with EBS:Does not support SQL Server Always On availability groups effectively.

B. RDS Multi-AZ:Provides high availability but does not support SQL Server Always On availability groups.

C. EC2 with FSx for Windows:Best solution for SQL Server Always On as FSx provides shared storage compatible with SQL Server clustering.

D. EC2 with S3:S3 is not suitable for SQL Server storage.

AWS Control Tower provides a straightforward way to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of a baseline environment, or landing zone, that includes:

Service Control Policies (SCPs): These are used to manage permissions across AWS Organizations, allowing you to set permission guardrails. SCPs can restrict access to specific AWS services and actions, helping enforce security best practices.

Multi-Factor Authentication (MFA): AWS Control Tower can enforce MFA for the root user across all accounts, enhancing security.

Centralized Governance: It offers centralized logging and monitoring, making it easier to manage and audit multiple AWS accounts.

Amazon Cognito is the AWS-native user authentication service for web and mobile applications, andLambda@Edgecan run authorization logic close to users at CloudFront edge locations. AWS documentation notes that CloudFront can invoke Lambda@Edge functions at edge locations and that Cognito integrates well for user authentication scenarios. This combination fits the requirements for aserverlessauthorization/authentication architecture, low login latency, andglobal web content delivery. The other options either use services that are not ideal for this end-user web-authentication pattern or do not provide the same edge-based global delivery model. (docs.aws.amazon.com)

Amazon EBS io2 Block Express volumes are designed to deliver sub-millisecond latency and up to 256,000 IOPS per volume, with durability and high availability. This makes io2 Block Express the recommended choice for workloads requiring very high and predictable IOPS, such as enterprise databases and high-transaction-rate applications.

Reference Extract:

" EBS io2 Block Express volumes deliver up to 256,000 IOPS and sub-millisecond latency, supporting high-performance, high-durability workloads. "

Source: AWS Certified Solutions Architect – Official Study Guide, EBS Performance section.

CloudFront Signed Cookies:

CloudFront signed cookies allow the company to provide access to premium users while maintaining a single, consistent URL.

This approach is simpler and more scalable than managing presigned URLs for each file.

Incorrect Options Analysis:

Option A: Using EC2 and EBS increases complexity and cost.

Option B: Managing presigned URLs for each file is not scalable.

Option D: CloudFront signed URLs require unique URLs for each file, which does not meet the requirement for a single URL.

For cross-account access, the standard AWS pattern is to create an IAM role in the resource-owning account (the company’s account) and configure the trust policy to allow the external vendor account to assume that role.

Option D correctly follows this model. The company creates an IAM role with the necessary CloudWatch Logs permissions and configures the trust policy to trust the vendor’s IAM role ARN. The vendor then assumes this role to access logs securely.

The other options misconfigure trust relationships or place permissions in the wrong account, breaking the cross-account access model. Therefore, D is the correct solution.

A highly available relational database with minimal manual intervention is best delivered by Amazon RDS Multi-AZ, which provides managed standby infrastructure and automatic failover. For the container-based application layer, Amazon ECS with the Fargate launch type reduces operational effort because AWS manages the underlying compute capacity for the containers. That combination provides managed availability for both the database and the application tier. Read replicas can help scale reads, but they do not replace Multi-AZ as the primary high-availability pattern for the database. ECS on EC2 is workable, but it requires more instance management than Fargate. This makes A and D the strongest pair for high availability with minimal operational overhead.

============

For SQS-backed worker architectures, AWS recommends scaling consumers based on queue metrics (e.g., ApproximateNumberOfMessagesVisible, AgeOfOldestMessage). EC2 Auto Scaling can “scale out based on Amazon CloudWatch alarms” tied to SQS backlog, increasing worker capacity to reduce latency as demand grows. DAX (A) accelerates DynamoDB reads, not message processing. API Gateway (B) and CloudFront (C) optimize request ingress and content delivery, not the asynchronous email-sending application. The bottleneck is consumer throughput; scaling workers with an SQS-driven policy restores timely processing without downtime and follows Well-Architected patterns for decoupled, elastic systems.