A data analytics company has an Amazon Redshift cluster that consists of several reserved nodes. The cluster is experiencing unexpected bursts of usage because a team of employees is compiling a deep audit analysis report. The queries to generate the report are complex read queries and are CPU intensive. Business requirements dictate that the cluster must be able to service read and write queries at all times. A solutions architect must devise a solution that accommodates the bursts of usage. Which solution meets these requirements MOST cost-effectively?
A. Provision an Amazon EMR cluster. Offload the complex data processing tasks.
B. Deploy an AWS Lambda function to add capacity to the Amazon Redshift cluster by using a classic resize operation when the cluster's CPU metrics in Amazon CloudWatch reach 80%.
C. Deploy an AWS Lambda function to add capacity to the Amazon Redshift cluster by using an elastic resize operation when the cluster's CPU metrics in Amazon CloudWatch reach 80%.
D. Turn on the Concurrency Scaling feature for the Amazon Redshift cluster.
An online survey company runs its application in the AWS Cloud. The application is distributed and consists of microservices that run in an automatically scaled Amazon Elastic Container Service (Amazon ECS) cluster. The ECS cluster is a target for an Application Load Balancer (ALB). The ALB is a custom origin for an Amazon CloudFront distribution. The company has a survey that contains sensitive data. The sensitive data must be encrypted when it moves through the application. The application's data-handling microservice is the only microservice that should be able to decrypt the data. Which solution will meet these requirements?
A. Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated to the data-handling microservice. Create a field-level encryption profile and a configuration. Associate the KMS key and the configuration with the CloudFront cache behavior.
B. Create an RSA key pair that is dedicated to the data-handling microservice. Upload the public key to the CloudFront distribution. Create a field-level encryption profile and a configuration. Add the configuration to the CloudFront cache behavior.
C. Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated to the data-handling microservice. Create a Lambda@Edge function. Program the function to use the KMS key to encrypt the sensitive data.
D. Create an RSA key pair that is dedicated to the data-handling microservice. Create a Lambda@Edge function. Program the function to use the private key of the RSA key pair to encrypt the sensitive data.
A company uses an organization in AWS Organizations to manage the company's AWS accounts. The company uses AWS CloudFormation to deploy all infrastructure. A finance team wants to build a chargeback model. The finance team asked each business unit to tag resources by using a predefined list of project values. When the finance team used the AWS Cost and Usage Report in AWS Cost Explorer and filtered based on project, the team noticed noncompliant project values. The company wants to enforce the use of project tags for new resources. Which solution will meet these requirements with the LEAST effort?
A. Create a tag policy that contains the allowed project tag values in the organization's management account. Create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. Attach the SCP to each OU.
B. Create a tag policy that contains the allowed project tag values in each OU. Create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. Attach the SCP to each OU.
C. Create a tag policy that contains the allowed project tag values in the AWS management account. Create an IAM policy that denies the cloudformation:CreateStack API operation unless a project tag is added. Assign the policy to each user.
D. Use AWS Service Catalog to manage the CloudFormation stacks as products. Use a TagOptions library to control project tag values. Share the portfolio with all OUs that are in the organization.
A company is running a serverless application that consists of several AWS Lambda functions and Amazon DynamoDB tables. The company has created new functionality that requires the Lambda functions to access an Amazon Neptune DB cluster. The Neptune DB cluster is located in three subnets in a VPC. Which of the possible solutions will allow the Lambda functions to access the Neptune DB cluster and DynamoDB tables? (Select TWO.)
A. Create three public subnets in the Neptune VPC, and route traffic through an internet gateway. Host the Lambda functions in the three new public subnets.
B. Create three private subnets in the Neptune VPC, and route internet traffic through a NAT gateway. Host the Lambda functions in the three new private subnets.
C. Host the Lambda functions outside the VPC. Update the Neptune security group to allow access from the IP ranges of the Lambda functions.
D. Host the Lambda functions outside the VPC. Create a VPC endpoint for the Neptune database, and have the Lambda functions access Neptune over the VPC endpoint.
E. Create three private subnets in the Neptune VPC. Host the Lambda functions in the three new isolated subnets. Create a VPC endpoint for DynamoDB, and route DynamoDB traffic to the VPC endpoint.
A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account. Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads. Which strategy will meet these requirements?
A. Create separate OUs in AWS Organizations for each development unit. Assign the created OUs to the company AWS accounts. Create separate SCPs with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag that matches the development unit name. Assign the SCP to the corresponding OU.
B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developers' assumed IAM role with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit.
C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Create an SCP with an allow action and a StringEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit. Assign the SCP to the root OU.
D. Create separate IAM policies for each development unit. For every IAM policy, add an allow action and a StringEquals condition for the DevelopmentUnit resource tag and the development unit name. During SAML federation, use AWS Security Token Service (AWS STS) to assign the IAM policy and match the development unit name to the assumed IAM role.
A company has an organization in AWS Organizations that includes a separate AWS account for each of the company's departments. Application teams from different departments develop and deploy solutions independently. The company wants to reduce compute costs and manage costs appropriately across departments. The company also wants to improve visibility into billing for individual departments. The company does not want to lose operational flexibility when the company selects compute resources. Which solution will meet these requirements?
A. Use AWS Budgets for each department. Use Tag Editor to apply tags to appropriate resources. Purchase EC2 Instance Savings Plans.
B. Configure AWS Organizations to use consolidated billing. Implement a tagging strategy that identifies departments. Use SCPs to apply tags to appropriate resources. Purchase EC2 Instance Savings Plans.
C. Configure AWS Organizations to use consolidated billing. Implement a tagging strategy that identifies departments. Use Tag Editor to apply tags to appropriate resources. Purchase Compute Savings Plans.
D. Use AWS Budgets for each department. Use SCPs to apply tags to appropriate resources. Purchase Compute Savings Plans.
A company is developing a web application that runs on Amazon EC2 instances in an Auto Scaling group behind a public-facing Application Load Balancer (ALB). Only users from a specific country are allowed to access the application. The company needs the ability to log the access requests that have been blocked. The solution should require the least possible maintenance. Which solution meets these requirements?
A. Create an IPSet containing a list of IP ranges that belong to the specified country. Create an AWS WAF web ACL. Configure a rule to block any requests that do not originate from an IP range in the IPSet. Associate the rule with the web ACL. Associate the web ACL with the ALB.
B. Create an AWS WAF web ACL. Configure a rule to block any requests that do not originate from the specified country. Associate the rule with the web ACL. Associate the web ACL with the ALB.
C. Configure AWS Shield to block any requests that do not originate from the specified country. Associate AWS Shield with the ALB.
D. Create a security group rule that allows ports 80 and 443 from IP ranges that belong to the specified country. Associate the security group with the ALB.
A company is migrating to the cloud. It wants to evaluate the configurations of virtual machines in its existing data center environment to ensure that it can size new Amazon EC2 instances accurately. The company wants to collect metrics, such as CPU, memory, and disk utilization, and it needs an inventory of what processes are running on each instance. The company would also like to monitor network connections to map communications between servers. Which would enable the collection of this data MOST cost effectively?
A. Use AWS Application Discovery Service and deploy the data collection agent to each virtual machine in the data center.
B. Configure the Amazon CloudWatch agent on all servers within the local environment and publish metrics to Amazon CloudWatch Logs.
C. Use AWS Application Discovery Service and enable agentless discovery in the existing visualization environment.
D. Enable AWS Application Discovery Service in the AWS Management Console and configure the corporate firewall to allow scans over a VPN.
A company uses AWS Organizations to manage a multi-account structure. The company has hundreds of AWS accounts and expects the number of accounts to increase. The company is building a new application that uses Docker images. The company will push the Docker images to Amazon Elastic Container Registry (Amazon ECR). Only accounts that are within the company's organization should have access to the images. The company has a CI/CD process that runs frequently. The company wants to retain all the tagged images. However, the company wants to retain only the five most recent untagged images. Which solution will meet these requirements with the LEAST operational overhead?
A. Create a private repository in Amazon ECR. Create a permissions policy for the repository that allows only required ECR operations. Include a condition to allow the ECR operations if the value of the aws:PrincipalOrgID condition key is equal to the ID of the company's organization. Add a lifecycle rule to the ECR repository that deletes all untagged images over the count of five.
B. Create a public repository in Amazon ECR. Create an IAM role in the ECR account. Set permissions so that any account can assume the role if the value of the aws:PrincipalOrgID condition key is equal to the ID of the company's organization. Add a lifecycle rule to the ECR repository that deletes all untagged images over the count of five.
C. Create a private repository in Amazon ECR. Create a permissions policy for the repository that includes only required ECR operations. Include a condition to allow the ECR operations for all account IDs in the organization. Schedule a daily Amazon EventBridge rule to invoke an AWS Lambda function that deletes all untagged images over the count of five.
D. Create a public repository in Amazon ECR. Configure Amazon ECR to use an interface VPC endpoint with an endpoint policy that includes the required permissions for images that the company needs to pull. Include a condition to allow the ECR operations for all account IDs in the company's organization. Schedule a daily Amazon EventBridge rule to invoke an AWS Lambda function that deletes all untagged images over the count of five.
A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet. The company has no existing dedicated connectivity to AWS. Which combination of steps should a solutions architect take to meet these requirements? (Select TWO.)
A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC.
B. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a public VIF between the on-premises environment and the private VPC.
C. Create an Amazon S3 interface endpoint in the networking account.
D. Create an Amazon S3 gateway endpoint in the networking account.
E. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account.