Amazon SAP-C02 Sample Questions

Question # 91

A company has a solution that analyzes weather data from thousands of weather stations. The weather stations send the data over an Amazon API Gateway REST API that has an AWS Lambda function integration. The Lambda function calls a third-party service for data pre-processing. The third-party service gets overloaded and fails the pre-processing, causing a loss of data. A solutions architect must improve the resiliency of the solution. The solutions architect must ensure that no data is lost and that data can be processed later if failures occur. What should the solutions architect do to meet these requirements? 

A. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the queue as the dead-letter queue for the API.
B. Create two Amazon Simple Queue Service (Amazon SQS) queues: a primary queue and a secondary queue. Configure the secondary queue as the dead-letter queue for the primary queue. Update the API to use a new integration to the primary queue. Configure the Lambda function as the invocation target for the primary queue.
C. Create two Amazon EventBridge event buses: a primary event bus and a secondary event bus. Update the API to use a new integration to the primary event bus. Configure an EventBridge rule to react to all events on the primary event bus. Specify the Lambda function as the target of the rule. Configure the secondary event bus as the failure destination for the Lambda function.
D. Create a custom Amazon EventBridge event bus. Configure the event bus as the failure destination for the Lambda function.


Question # 92

A research center is migrating to the AWS Cloud and has moved its on-premises 1 PB object storage to an Amazon S3 bucket. One hundred scientists are using this object storage to store their work-related documents. Each scientist has a personal folder on the object store. All the scientists are members of a single IAM user group. The research center's compliance officer is worried that scientists will be able to access each other's work. The research center has a strict obligation to report on which scientist accesses which documents. The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead. Which combination of actions should a solutions architect take to meet these requirements? (Select TWO.) 

A. Create an identity policy that grants the user read and write access. Add a condition that specifies that the S3 paths must be prefixed with ${aws:username}. Apply the policy on the scientists' IAM user group.
B. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket. Store the trail output in another S3 bucket. Use Amazon Athena to query the logs and generate reports.
C. Enable S3 server access logging. Configure another S3 bucket as the target for log delivery. Use Amazon Athena to query the logs and generate reports.
D. Create an S3 bucket policy that grants read and write access to users in the scientists' IAM user group.
E. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket and write the events to Amazon CloudWatch. Use the Amazon Athena CloudWatch connector to query the logs and generate reports.


Question # 93

A company is using AWS Organizations with a multi-account architecture. The company's current security configuration for the account architecture includes SCPs, resource-based policies, identity-based policies, trust policies, and session policies. A solutions architect needs to allow an IAM user in Account A to assume a role in Account B. Which combination of steps must the solutions architect take to meet this requirement? (Select THREE.) 

A. Configure the SCP for Account A to allow the action.
B. Configure the resource-based policies to allow the action.
C. Configure the identity-based policy on the user in Account A to allow the action.
D. Configure the identity-based policy on the user in Account B to allow the action.
E. Configure the trust policy on the target role in Account B to allow the action.
F. Configure the session policy to allow the action and to be passed programmatically by the GetSessionToken API operation.


Question # 94

A company is migrating its infrastructure to the AWS Cloud. The company must comply with a variety of regulatory standards for different projects. The company needs a multiaccount environment. A solutions architect needs to prepare the baseline infrastructure. The solution must provide a consistent baseline of management and security, but it must allow flexibility for different compliance requirements within various AWS accounts. The solution also needs to integrate with the existing on-premises Active Directory Federation Services (AD FS) server. Which solution meets these requirements with the LEAST amount of operational overhead? 

A. Create an organization in AWS Organizations. Create a single SCP for least privilege access across all accounts. Create a single OU for all accounts. Configure an IAM identity provider for federation with the on-premises AD FS server. Configure a central logging account with a defined process for log generating services to send log events to the central account. Enable AWS Config in the central account with conformance packs for all accounts.
B. Create an organization in AWS Organizations. Enable AWS Control Tower on the organization. Review included controls (guardrails) for SCPs. Check AWS Config for areas that require additions. Add OUs as necessary. Connect AWS IAM Identity Center (AWS Single Sign-On) to the on-premises AD FS server.
C. Create an organization in AWS Organizations. Create SCPs for least privilege access. Create an OU structure, and use it to group AWS accounts. Connect AWS IAM Identity Center (AWS Single Sign-On) to the on-premises AD FS server. Configure a central logging account with a defined process for log generating services to send log events to the central account. Enable AWS Config in the central account with aggregators and conformance packs.
D. Create an organization in AWS Organizations. Enable AWS Control Tower on the organization. Review included controls (guardrails) for SCPs. Check AWS Config for areas that require additions. Configure an IAM identity provider for federation with the on-premises AD FS server.


Question # 95

A company needs to store and process image data that will be uploaded from mobile devices using a custom mobile app. Usage peaks between 8 AM and 5 PM on weekdays, with thousands of uploads per minute. The app is rarely used at any other time. A user is notified when image processing is complete. Which combination of actions should a solutions architect take to ensure image processing can scale to handle the load? (Select THREE.) 

A. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to create a message in an Amazon MQ queue.
B. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to create a message in an Amazon Simple Queue Service (Amazon SQS) standard queue.
C. Invoke an AWS Lambda function to perform image processing when a message is available in the queue.
D. Invoke an S3 Batch Operations job to perform image processing when a message is available in the queue.
E. Send a push notification to the mobile app by using Amazon Simple Notification Service (Amazon SNS) when processing is complete.
F. Send a push notification to the mobile app by using Amazon Simple Email Service (Amazon SES) when processing is complete.


Question # 96

A company has mounted sensors to collect information about environmental parameters such as humidity and light throughout all the company's factories. The company needs to stream and analyze the data in the AWS Cloud in real time. If any of the parameters fall out of acceptable ranges, the factory operations team must receive a notification immediately. Which solution will meet these requirements? 

A. Stream the data to an Amazon Kinesis Data Firehose delivery stream. Use AWS Step Functions to consume and analyze the data in the Kinesis Data Firehose delivery stream. Use Amazon Simple Notification Service (Amazon SNS) to notify the operations team.
B. Stream the data to an Amazon Managed Streaming for Apache Kafka (Amazon MSK) cluster. Set up a trigger in Amazon MSK to invoke an AWS Fargate task to analyze the data. Use Amazon Simple Email Service (Amazon SES) to notify the operations team.
C. Stream the data to an Amazon Kinesis data stream. Create an AWS Lambda function to consume the Kinesis data stream and to analyze the data. Use Amazon Simple Notification Service (Amazon SNS) to notify the operations team.
D. Stream the data to an Amazon Kinesis Data Analytics application. Use an automatically scaled and containerized service in Amazon Elastic Container Service (Amazon ECS) to consume and analyze the data. Use Amazon Simple Email Service (Amazon SES) to notify the operations team.


Question # 97

A software company needs to create short-lived test environments to test pull requests as part of its development process. Each test environment consists of a single Amazon EC2 instance that is in an Auto Scaling group. The test environments must be able to communicate with a central server to report test results. The central server is located in an on-premises data center. A solutions architect must implement a solution so that the company can create and delete test environments without any manual intervention. The company has created a transit gateway with a VPN attachment to the on-premises network. Which solution will meet these requirements with the LEAST operational overhead? 

A. Create an AWS CloudFormation template that contains a transit gateway attachment and related routing configurations. Create a CloudFormation stack set that includes this template. Use CloudFormation StackSets to deploy a new stack for each VPC in the account. Deploy a new VPC for each test environment.
B. Create a single VPC for the test environments. Include a transit gateway attachment and related routing configurations. Use AWS CloudFormation to deploy all test environments into the VPC.
C. Create a new OU in AWS Organizations for testing. Create an AWS CloudFormation template that contains a VPC, necessary networking resources, a transit gateway attachment, and related routing configurations. Create a CloudFormation stack set that includes this template. Use CloudFormation StackSets for deployments into each account under the testing OU. Create a new account for each test environment.
D. Convert the test environment EC2 instances into Docker images. Use AWS CloudFormation to configure an Amazon Elastic Kubernetes Service (Amazon EKS) cluster in a new VPC, create a transit gateway attachment, and create related routing configurations. Use Kubernetes to manage the deployment and lifecycle of the test environments.


Question # 98

A company is deploying AWS Lambda functions that access an Amazon RDS for PostgreSQL database. The company needs to launch the Lambda functions in a QA environment and in a production environment. The company must not expose credentials within application code and must rotate passwords automatically. Which solution will meet these requirements? 

A. Store the database credentials for both environments in AWS Systems Manager Parameter Store. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Within the application code of the Lambda functions, pull the credentials from the Parameter Store parameter by using the AWS SDK for Python (Boto3). Add a role to the Lambda functions to provide access to the Parameter Store parameter.
B. Store the database credentials for both environments in AWS Secrets Manager with distinct key entry for the QA environment and the production environment. Turn on rotation. Provide a reference to the Secrets Manager key as an environment variable for the Lambda functions.
C. Store the database credentials for both environments in AWS Key Management Service (AWS KMS). Turn on rotation. Provide a reference to the credentials that are stored in AWS KMS as an environment variable for the Lambda functions.
D. Create separate S3 buckets for the QA environment and the production environment. Turn on server-side encryption with AWS KMS keys (SSE-KMS) for the S3 buckets. Use an object naming pattern that gives each Lambda function's application code the ability to pull the correct credentials for the function's corresponding environment. Grant each Lambda function's execution role access to Amazon S3.


Question # 99

A company has a legacy application that runs on multiple .NET Framework components. The components share the same Microsoft SQL Server database and communicate with each other asynchronously by using Microsoft Message Queueing (MSMQ). The company is starting a migration to containerized .NET Core components and wants to refactor the application to run on AWS. The .NET Core components require complex orchestration. The company must have full control over networking and host configuration. The application's database model is strongly relational. Which solution will meet these requirements? 

A. Host the .NET Core components on AWS App Runner. Host the database on Amazon RDS for SQL Server. Use Amazon EventBridge for asynchronous messaging.
B. Host the .NET Core components on Amazon Elastic Container Service (Amazon ECS) with the AWS Fargate launch type. Host the database on Amazon DynamoDB. Use Amazon Simple Notification Service (Amazon SNS) for asynchronous messaging.
C. Host the .NET Core components on AWS Elastic Beanstalk. Host the database on Amazon Aurora PostgreSQL Serverless v2. Use Amazon Managed Streaming for Apache Kafka (Amazon MSK) for asynchronous messaging.
D. Host the .NET Core components on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. Host the database on Amazon Aurora MySQL Serverless v2. Use Amazon Simple Queue Service (Amazon SQS) for asynchronous messaging.


Question # 100

A research company is running daily simulations in the AWS Cloud to meet high demand. The simulations run on several hundred Amazon EC2 instances that are based on Amazon Linux 2. Occasionally, a simulation gets stuck and requires a cloud operations engineer to solve the problem by connecting to an EC2 instance through SSH. Company policy states that no EC2 instance can use the same SSH key and that all connections must be logged in AWS CloudTrail. How can a solutions architect meet these requirements?

A. Launch new EC2 instances, and generate an individual SSH key for each instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
B. Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.
C. Launch new EC2 instances without setting up any SSH key for the instances. Set up EC2 Instance Connect on each instance. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the instance by using a browser-based SSH client from the EC2 console.
D. Set up AWS Secrets Manager to store the EC2 SSH key. Create a new AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function for automatic rotation once daily. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.

