Amazon SAP-C02 Sample Questions

Question # 131

A company runs a web application on AWS. The web application delivers static content from an Amazon S3 bucket that is behind an Amazon CloudFront distribution. The application serves dynamic content by using an Application Load Balancer (ALB) that distributes requests to a fleet of Amazon EC2 instances in Auto Scaling groups. The application uses a domain name set up in Amazon Route 53. Some users reported occasional issues when the users attempted to access the website during peak hours. An operations team found that the ALB sometimes returned HTTP 503 Service Unavailable errors. The company wants to display a custom error message page when these errors occur. The page should be displayed immediately for this error code. Which solution will meet these requirements with the LEAST operational overhead?

A. Set up a Route 53 failover routing policy. Configure a health check to determine the status of the ALB endpoint and to fail over to the failover S3 bucket endpoint.
B. Create a second CloudFront distribution and an S3 static website to host the custom error page. Set up a Route 53 failover routing policy. Use an active-passive configuration between the two distributions.
C. Create a CloudFront origin group that has two origins. Set the ALB endpoint as the primary origin. For the secondary origin, set an S3 bucket that is configured to host a static website. Set up origin failover for the CloudFront distribution. Update the S3 static website to incorporate the custom error page.
D. Create a CloudFront function that validates each HTTP response code that the ALB returns. Create an S3 static website in an S3 bucket. Upload the custom error page to the S3 bucket as a failover. Update the function to read the S3 bucket and to serve the error page to the end users.


Question # 132

A company's solutions architect needs to provide secure Remote Desktop connectivity to users for Amazon EC2 Windows instances that are hosted in a VPC. The solution must integrate centralized user management with the company's on-premises Active Directory. Connectivity to the VPC is through the internet. The company has hardware that can be used to establish an AWS Site-to-Site VPN connection. Which solution will meet these requirements MOST cost-effectively? 

A. Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active Directory. Establish a trust with the on-premises Active Directory. Deploy an EC2 instance as a bastion host in the VPC. Ensure that the EC2 instance is joined to the domain. Use the bastion host to access the target instances through RDP.
B. Configure AWS IAM Identity Center (AWS Single Sign-On) to integrate with the on-premises Active Directory by using the AWS Directory Service for Microsoft Active Directory AD Connector. Configure permission sets against user groups for access to AWS Systems Manager. Use Systems Manager Fleet Manager to access the target instances through RDP.
C. Implement a VPN between the on-premises environment and the target VPC. Ensure that the target instances are joined to the on-premises Active Directory domain over the VPN connection. Configure RDP access through the VPN. Connect from the company's network to the target instances.
D. Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active Directory. Establish a trust with the on-premises Active Directory. Deploy a Remote Desktop Gateway on AWS by using an AWS Quick Start. Ensure that the Remote Desktop Gateway is joined to the domain. Use the Remote Desktop Gateway to access the target instances through RDP.


Question # 133

A team of data scientists is using Amazon SageMaker instances and SageMaker APIs to train machine learning (ML) models. The SageMaker instances are deployed in a VPC that does not have access to or from the internet. Datasets for ML model training are stored in an Amazon S3 bucket. Interface VPC endpoints provide access to Amazon S3 and the SageMaker APIs. Occasionally, the data scientists require access to the Python Package Index (PyPI) repository to update Python packages that they use as part of their workflow. A solutions architect must provide access to the PyPI repository while ensuring that the SageMaker instances remain isolated from the internet. Which solution will meet these requirements?

A. Create an AWS CodeCommit repository for each package that the data scientists need to access. Configure code synchronization between the PyPI repository and the CodeCommit repository. Create a VPC endpoint for CodeCommit.
B. Create a NAT gateway in the VPC. Configure VPC routes to allow access to the internet with a network ACL that allows access to only the PyPI repository endpoint.
C. Create a NAT instance in the VPC. Configure VPC routes to allow access to the internet. Configure SageMaker notebook instance firewall rules that allow access to only the PyPI repository endpoint.
D. Create an AWS CodeArtifact domain and repository. Add an external connection for public:pypi to the CodeArtifact repository. Configure the Python client to use the CodeArtifact repository. Create a VPC endpoint for CodeArtifact.


Question # 134

A company plans to deploy a new private intranet service on Amazon EC2 instances inside a VPC. An AWS Site-to-Site VPN connects the VPC to the company's on-premises network. The new service must communicate with existing on-premises services. The on-premises services are accessible through the use of hostnames that reside in the company.example DNS zone. This DNS zone is wholly hosted on premises and is available only on the company's private network. A solutions architect must ensure that the new service can resolve hostnames on the company.example domain to integrate with existing services. Which solution meets these requirements?

A. Create an empty private zone in Amazon Route 53 for company.example. Add an additional NS record to the company's on-premises company.example zone that points to the authoritative name servers for the new private zone in Route 53.
B. Turn on DNS hostnames for the VPC. Configure a new outbound endpoint with Amazon Route 53 Resolver. Create a Resolver rule to forward requests for company.example to the on-premises name servers.
C. Turn on DNS hostnames for the VPC. Configure a new inbound resolver endpoint with Amazon Route 53 Resolver. Configure the on-premises DNS server to forward requests for company.example to the new resolver.
D. Use AWS Systems Manager to configure a run document that will install a hosts file that contains any required hostnames. Use an Amazon EventBridge rule to run the document when an instance is entering the running state.


Question # 135

A company runs its application in the eu-west-1 Region and has one account for each of its environments: development, testing, and production. All the environments are running 24 hours a day, 7 days a week by using stateful Amazon EC2 instances and Amazon RDS for MySQL databases. The databases are between 500 GB and 800 GB in size. The development team and testing team work on business days during business hours, but the production environment operates 24 hours a day, 7 days a week. The company wants to reduce costs. All resources are tagged with an environment tag with either development, testing, or production as the key. What should a solutions architect do to reduce costs with the LEAST operational effort?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs once every day. Configure the rule to invoke one AWS Lambda function that starts or stops instances based on the tag, day, and time.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs every business day in the evening. Configure the rule to invoke an AWS Lambda function that stops instances based on the tag. Create a second EventBridge (CloudWatch Events) rule that runs every business day in the morning. Configure the second rule to invoke another Lambda function that starts instances based on the tag.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs every business day in the evening. Configure the rule to invoke an AWS Lambda function that terminates instances based on the tag. Create a second EventBridge (CloudWatch Events) rule that runs every business day in the morning. Configure the second rule to invoke another Lambda function that restores the instances from their last backup based on the tag.
D. Create an Amazon EventBridge rule that runs every hour. Configure the rule to invoke one AWS Lambda function that terminates or restores instances from their last backup based on the tag, day, and time.


Question # 136

A company has used infrastructure as code (IaC) to provision a set of two Amazon EC2 instances. The instances have remained the same for several years. The company's business has grown rapidly in the past few months. In response, the company's operations team has implemented an Auto Scaling group to manage the sudden increases in traffic. Company policy requires a monthly installation of security updates on all operating systems that are running. The most recent security update required a reboot. As a result, the Auto Scaling group terminated the instances and replaced them with new, unpatched instances. Which combination of steps should a solutions architect recommend to avoid a recurrence of this issue? (Choose two.)

A. Modify the Auto Scaling group by setting the Update policy to target the oldest launch configuration for replacement.
B. Create a new Auto Scaling group before the next patch maintenance. During the maintenance window, patch both groups and reboot the instances.
C. Create an Elastic Load Balancer in front of the Auto Scaling group. Configure monitoring to ensure that target group health checks return healthy after the Auto Scaling group replaces the terminated instances.
D. Create automation scripts to patch an AMI, update the launch configuration, and invoke an Auto Scaling instance refresh.
E. Create an Elastic Load Balancer in front of the Auto Scaling group. Configure termination protection on the instances.


Question # 137

A company has application services that have been containerized and deployed on multiple Amazon EC2 instances with public IPs. An Apache Kafka cluster has been deployed to the EC2 instances. A PostgreSQL database has been migrated to Amazon RDS for PostgreSQL. The company expects a significant increase of orders on its platform when a new version of its flagship product is released. What changes to the current architecture will reduce operational overhead and support the product release? 

A. Create an EC2 Auto Scaling group behind an Application Load Balancer. Create additional read replicas for the DB instance. Create Amazon Kinesis data streams and configure the application services to use the data streams. Store and serve static content directly from Amazon S3.
B. Create an EC2 Auto Scaling group behind an Application Load Balancer. Deploy the DB instance in Multi-AZ mode and enable storage auto scaling. Create Amazon Kinesis data streams and configure the application services to use the data streams. Store and serve static content directly from Amazon S3.
C. Deploy the application on a Kubernetes cluster created on the EC2 instances behind an Application Load Balancer. Deploy the DB instance in Multi-AZ mode and enable storage auto scaling. Create an Amazon Managed Streaming for Apache Kafka cluster and configure the application services to use the cluster. Store static content in Amazon S3 behind an Amazon CloudFront distribution.
D. Deploy the application on Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate and enable auto scaling behind an Application Load Balancer. Create additional read replicas for the DB instance. Create an Amazon Managed Streaming for Apache Kafka cluster and configure the application services to use the cluster. Store static content in Amazon S3 behind an Amazon CloudFront distribution.


Question # 138

A company manages hundreds of AWS accounts centrally in an organization in AWS Organizations. The company recently started to allow product teams to create and manage their own S3 access points in their accounts. The S3 access points can be accessed only within VPCs, not on the internet. What is the MOST operationally efficient way to enforce this requirement?

A. Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
B. Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
C. Use AWS CloudFormation StackSets to create a new IAM policy in each AWS account that allows the s3:CreateAccessPoint action only if the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
D. Set the S3 bucket policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.


Question # 139

A company's CISO has asked a Solutions Architect to re-engineer the company's current CI/CD practices to make sure patch deployments to its applications can happen as quickly as possible with minimal downtime if vulnerabilities are discovered. The company must also be able to quickly roll back a change in case of errors. The web application is deployed in a fleet of Amazon EC2 instances behind an Application Load Balancer. The company is currently using GitHub to host the application source code, and has configured an AWS CodeBuild project to build the application. The company also intends to use AWS CodePipeline to trigger builds from GitHub commits using the existing CodeBuild project. What CI/CD configuration meets all of the requirements? 

A. Configure CodePipeline with a deploy stage using AWS CodeDeploy configured for in-place deployment. Monitor the newly deployed code, and, if there are any issues, push another code update.
B. Configure CodePipeline with a deploy stage using AWS CodeDeploy configured for blue/green deployments. Monitor the newly deployed code, and, if there are any issues, trigger a manual rollback using CodeDeploy.
C. Configure CodePipeline with a deploy stage using AWS CloudFormation to create a pipeline for test and production stacks. Monitor the newly deployed code, and, if there are any issues, push another code update.
D. Configure the CodePipeline with a deploy stage using AWS OpsWorks and in-place deployments. Monitor the newly deployed code, and, if there are any issues, push another code update.


Question # 140

A company is planning to migrate its on-premises VMware cluster of 120 VMs to AWS. The VMs have many different operating systems and many custom software packages installed. The company also has an on-premises NFS server that is 10 TB in size. The company has set up a 10 Gbps AWS Direct Connect connection to AWS for the migration. Which solution will complete the migration to AWS in the LEAST amount of time?

A. Export the on-premises VMs and copy them to an Amazon S3 bucket. Use VM Import/Export to create AMIs from the VM images that are stored in Amazon S3. Order an AWS Snowball Edge device. Copy the NFS server data to the device. Restore the NFS server data to an Amazon EC2 instance that has NFS configured.
B. Configure AWS Application Migration Service with a connection to the VMware cluster. Create a replication job for the VMs. Create an Amazon Elastic File System (Amazon EFS) file system. Configure AWS DataSync to copy the NFS server data to the EFS file system over the Direct Connect connection.
C. Recreate the VMs on AWS as Amazon EC2 instances. Install all the required software packages. Create an Amazon FSx for Lustre file system. Configure AWS DataSync to copy the NFS server data to the FSx for Lustre file system over the Direct Connect connection.
D. Order two AWS Snowball Edge devices. Copy the VMs and the NFS server data to the devices. Run VM Import/Export after the data from the devices is loaded to an Amazon S3 bucket. Create an Amazon Elastic File System (Amazon EFS) file system. Copy the NFS server data from Amazon S3 to the EFS file system.

