impacting document modifications or additions, with the least amount of change to the application code.

Question: 382 CertyIQ

A company has a three-tier application on AWS that ingests sensor data from its users’ devices. The traffic flows
through a Network Load Balancer (NLB), then to Amazon EC2 instances for the web tier, and finally to EC2
instances for the application tier. The application tier makes calls to a database.

What should a solutions architect do to improve the security of the data in transit?

A.Configure a TLS listener. Deploy the server certificate on the NLB.

B.Configure AWS Shield Advanced. Enable AWS WAF on the NLB.
C.Change the load balancer to an Application Load Balancer (ALB). Enable AWS WAF on the ALB.
D.Encrypt the Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instances by using AWS Key
Management Service (AWS KMS).

Answer: A

Explanation:

Network Load Balancers now support TLS protocol. With this launch, you can now offload resource intensive
decryption/encryption from your application servers to a high throughput, and low latency Network Load
Balancer. Network Load Balancer is now able to terminate TLS traffic and set up connections with your
targets either over TCP or TLS
protocol.https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-
listener.htmlhttps://exampleloadbalancer.com/nlbtls_demo.html

Question: 383 CertyIQ

A company is planning to migrate a commercial off-the-shelf application from its on-premises data center to AWS.
The software has a software licensing model using sockets and cores with predictable capacity and uptime
requirements. The company wants to use its existing licenses, which were purchased earlier this year.

Which Amazon EC2 pricing option is the MOST cost-effective?

A. Dedicated Reserved Hosts

B. Dedicated On-Demand Hosts
C. Dedicated Reserved Instances
D. Dedicated On-Demand Instances

Answer: A

Explanation:

Dedicated Host Reservations provide a billing discount compared to running On-Demand Dedicated Hosts.
Reservations are available in three payment options.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html

Question: 384 CertyIQ

A company runs an application on Amazon EC2 Linux instances across multiple Availability Zones. The application
needs a storage layer that is highly available and Portable Operating System Interface (POSIX)-compliant. The
storage layer must provide maximum data durability and must be shareable across the EC2 instances. The data in
the storage layer will be accessed frequently for the first 30 days and will be accessed infrequently after that
time.

Which solution will meet these requirements MOST cost-effectively?

A.Use the Amazon S3 Standard storage class. Create an S3 Lifecycle policy to move infrequently accessed
data to S3 Glacier.
B.Use the Amazon S3 Standard storage class. Create an S3 Lifecycle policy to move infrequently accessed
data to S3 Standard-Infrequent Access (S3 Standard-IA).
C.Use the Amazon Elastic File System (Amazon EFS) Standard storage class. Create a lifecycle management
policy to move infrequently accessed data to EFS Standard-Infrequent Access (EFS Standard-IA).
D.Use the Amazon Elastic File System (Amazon EFS) One Zone storage class. Create a lifecycle management
policy to move infrequently accessed data to EFS One Zone-Infrequent Access (EFS One Zone-IA).

Answer: C

Explanation:

POSIX + sharable across EC2 instances --> EFS --> A, B out Instances run across multiple AZ -> C is needed.

Linux based system points to EFS plus POSIX-compliant is also EFS related.

Question: 385 CertyIQ

A solutions architect is creating a new VPC design. There are two public subnets for the load balancer, two private
subnets for web servers, and two private subnets for MySQL. The web servers use only HTTPS. The solutions
architect has already created a security group for the load balancer allowing port 443 from 0.0.0.0/0. Company
policy requires that each resource has the least access required to still be able to perform its tasks.

Which additional configuration strategy should the solutions architect use to meet these requirements?

A. Create a security group for the web servers and allow port 443 from 0.0.0.0/0. Create a security group for
the MySQL servers and allow port 3306 from the web servers security group.
B. Create a network ACL for the web servers and allow port 443 from 0.0.0.0/0. Create a network ACL for the
MySQL servers and allow port 3306 from the web servers security group.
C. Create a security group for the web servers and allow port 443 from the load balancer. Create a security
group for the MySQL servers and allow port 3306 from the web servers security group.
D. Create a network ACL for the web servers and allow port 443 from the load balancer. Create a network ACL
for the MySQL servers and allow port 3306 from the web servers security group.

Answer: C

Explanation:

Load balancer is public facing accepting all traffic coming towards the VPC (0.0.0.0/0). The web server needs
to trust traffic originating from the ALB. The DB will only trust traffic originating from the Web server on port
3306 for Mysql

Question: 386 CertyIQ

An ecommerce company is running a multi-tier application on AWS. The front-end and backend tiers both run on
Amazon EC2, and the database runs on Amazon RDS for MySQL. The backend tier communicates with the RDS
instance. There are frequent calls to return identical datasets from the database that are causing performance
slowdowns.

Which action should be taken to improve the performance of the backend?

A. Implement Amazon SNS to store the database calls.

B. Implement Amazon ElastiCache to cache the large datasets.
C. Implement an RDS for MySQL read replica to cache database calls.
D. Implement Amazon Kinesis Data Firehose to stream the calls to the database.

Answer: B

Explanation:

The best solution is to implement Amazon ElastiCache to cache the large datasets, which will store the
frequently accessed data in memory, allowing for faster retrieval times. This can help to alleviate the frequent
calls to the database, reduce latency, and improve the overall performance of the backend tier.

Question: 387 CertyIQ

A new employee has joined a company as a deployment engineer. The deployment engineer will be using AWS
CloudFormation templates to create multiple AWS resources. A solutions architect wants the deployment
engineer to perform job activities while following the principle of least privilege.

Which combination of actions should the solutions architect take to accomplish this goal? (Choose two.)

A.Have the deployment engineer use AWS account root user credentials for performing AWS CloudFormation
stack operations.
B.Create a new IAM user for the deployment engineer and add the IAM user to a group that has the PowerUsers
IAM policy attached.
C.Create a new IAM user for the deployment engineer and add the IAM user to a group that has the
AdministratorAccess IAM policy attached.
D.Create a new IAM user for the deployment engineer and add the IAM user to a group that has an IAM policy
that allows AWS CloudFormation actions only.
E.Create an IAM role for the deployment engineer to explicitly define the permissions specific to the AWS
CloudFormation stack and launch stacks using that IAM role.

Answer: DE

Explanation:

https://www.certyiq.com/discussions/amazon/view/46428-exam-aws-certified-solutions-architect-associate-
saa-c02/

Question: 388 CertyIQ

A company is deploying a two-tier web application in a VPC. The web tier is using an Amazon EC2 Auto Scaling
group with public subnets that span multiple Availability Zones. The database tier consists of an Amazon RDS for
MySQL DB instance in separate private subnets. The web tier requires access to the database to retrieve product
information.

The web application is not working as intended. The web application reports that it cannot connect to the
database. The database is confirmed to be up and running. All configurations for the network ACLs, security
groups, and route tables are still in their default states.
What should a solutions architect recommend to fix the application?

A.Add an explicit rule to the private subnet’s network ACL to allow traffic from the web tier’s EC2 instances.
B.Add a route in the VPC route table to allow traffic between the web tier’s EC2 instances and the database
tier.
C.Deploy the web tier's EC2 instances and the database tier’s RDS instance into two separate VPCs, and
configure VPC peering.
D.Add an inbound rule to the security group of the database tier’s RDS instance to allow traffic from the web
tiers security group.

Answer: D

Explanation:

By default, all inbound traffic to an RDS instance is blocked. Therefore, an inbound rule needs to be added to
the security group of the RDS instance to allow traffic from the security group of the web tier's EC2 instances.

Question: 389 CertyIQ

A company has a large dataset for its online advertising business stored in an Amazon RDS for MySQL DB instance
in a single Availability Zone. The company wants business reporting queries to run without impacting the write
operations to the production DB instance.

Which solution meets these requirements?

A. Deploy RDS read replicas to process the business reporting queries.

B. Scale out the DB instance horizontally by placing it behind an Elastic Load Balancer.
C. Scale up the DB instance to a larger instance type to handle write operations and queries.
D. Deploy the DB instance in multiple Availability Zones to process the business reporting queries.

Answer: A

Explanation:

1. Option "A" is the right answer . Read replica use cases - You have a production database that is taking on
normal load & You want to run a reporting application to run some analytics • You create a Read Replica to run
the new workload there • The production application is unaffected • Read replicas are used for SELECT (=read)
only kind of statements (not INSERT, UPDATE, DELETE)

Question: 390 CertyIQ

A company hosts a three-tier ecommerce application on a fleet of Amazon EC2 instances. The instances run in an
Auto Scaling group behind an Application Load Balancer (ALB). All ecommerce data is stored in an Amazon RDS
for MariaDB Multi-AZ DB instance.

The company wants to optimize customer session management during transactions. The application must store
session data durably.

Which solutions will meet these requirements? (Choose two.)

A. Turn on the sticky sessions feature (session affinity) on the ALB.

B. Use an Amazon DynamoDB table to store customer session information.
C. Deploy an Amazon Cognito user pool to manage user session information.
 D. Deploy an Amazon ElastiCache for Redis cluster to store customer session information.
E. Use AWS Systems Manager Application Manager in the application to manage user session information.

Answer: AD

Explanation:

It is A and D. Proof is in link below.https://aws.amazon.com/caching/session-management/

optimize customer session management during transactions. Since the session store will be during the
transaction and we have another DB for pre/post transaction storage(Maria DB).

Question: 391 CertyIQ

A company needs a backup strategy for its three-tier stateless web application. The web application runs on
Amazon EC2 instances in an Auto Scaling group with a dynamic scaling policy that is configured to respond to
scaling events. The database tier runs on Amazon RDS for PostgreSQL. The web application does not require
temporary local storage on the EC2 instances. The company’s recovery point objective (RPO) is 2 hours.

The backup strategy must maximize scalability and optimize resource utilization for this environment.

Which solution will meet these requirements?

A. Take snapshots of Amazon Elastic Block Store (Amazon EBS) volumes of the EC2 instances and database
every 2 hours to meet the RPO.
B. Configure a snapshot lifecycle policy to take Amazon Elastic Block Store (Amazon EBS) snapshots. Enable
automated backups in Amazon RDS to meet the RPO.
C. Retain the latest Amazon Machine Images (AMIs) of the web and application tiers. Enable automated
backups in Amazon RDS and use point-in-time recovery to meet the RPO.
D. Take snapshots of Amazon Elastic Block Store (Amazon EBS) volumes of the EC2 instances every 2 hours.
Enable automated backups in Amazon RDS and use point-in-time recovery to meet the RPO.

Answer: C

Explanation:

that if there is no temporary local storage on the EC2 instances, then snapshots of EBS volumes are not
necessary. Therefore, if your application does not require temporary storage on EC2 instances, using AMIs to
back up the web and application tiers is sufficient to restore the system after a failure.Snapshots of EBS
volumes would be necessary if you want to back up the entire EC2 instance, including any applications and
temporary data stored on the EBS volumes attached to the instances. When you take a snapshot of an EBS
volume, it backs up the entire contents of that volume. This ensures that you can restore the entire EC2
instance to a specific point in time more quickly. However, if there is no temporary data stored on the EBS
volumes, then snapshots of EBS volumes are not necessary.

Question: 392 CertyIQ

A company wants to deploy a new public web application on AWS. The application includes a web server tier that
uses Amazon EC2 instances. The application also includes a database tier that uses an Amazon RDS for MySQL DB
instance.

The application must be secure and accessible for global customers that have dynamic IP addresses.

How should a solutions architect configure the security groups to meet these requirements?
 A.Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0.
Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group
of the web servers.
B.Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses
of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from
the security group of the web servers.
C.Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses
of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from
the IP addresses of the customers.
D.Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0.
Configure the security group for the DB instance to allow inbound traffic on port 3306 from 0.0.0.0/0.

Answer: A

Explanation:

If the customers have dynamic IP addresses, option A would be the most appropriate solution for allowing
global access while maintaining security.

Question: 393 CertyIQ

A payment processing company records all voice communication with its customers and stores the audio files in an
Amazon S3 bucket. The company needs to capture the text from the audio files. The company must remove from
the text any personally identifiable information (PII) that belongs to customers.

What should a solutions architect do to meet these requirements?

A. Process the audio files by using Amazon Kinesis Video Streams. Use an AWS Lambda function to scan for
known PII patterns.
B. When an audio file is uploaded to the S3 bucket, invoke an AWS Lambda function to start an Amazon
Textract task to analyze the call recordings.
C. Configure an Amazon Transcribe transcription job with PII redaction turned on. When an audio file is
uploaded to the S3 bucket, invoke an AWS Lambda function to start the transcription job. Store the output in a
separate S3 bucket.
D. Create an Amazon Connect contact flow that ingests the audio files with transcription turned on. Embed an
AWS Lambda function to scan for known PII patterns. Use Amazon EventBridge to start the contact flow when
an audio file is uploaded to the S3 bucket.

Answer: C

Explanation:

Option C is the most suitable solution as it suggests using Amazon Transcribe with PII redaction turned on.
When an audio file is uploaded to the S3 bucket, an AWS Lambda function can be used to start the
transcription job. The output can be stored in a separate S3 bucket to ensure that the PII redaction is applied
to the transcript. Amazon Transcribe can redact PII such as credit card numbers, social security numbers, and
phone numbers.

Question: 394 CertyIQ

A company is running a multi-tier ecommerce web application in the AWS Cloud. The application runs on Amazon
EC2 instances with an Amazon RDS for MySQL Multi-AZ DB instance. Amazon RDS is configured with the latest
generation DB instance with 2,000 GB of storage in a General Purpose SSD (gp3) Amazon Elastic Block Store
(Amazon EBS) volume. The database performance affects the application during periods of high demand.
A database administrator analyzes the logs in Amazon CloudWatch Logs and discovers that the application
performance always degrades when the number of read and write IOPS is higher than 20,000.

What should a solutions architect do to improve the application performance?

A.Replace the volume with a magnetic volume.

B.Increase the number of IOPS on the gp3 volume.
C.Replace the volume with a Provisioned IOPS SSD (io2) volume.
D.Replace the 2,000 GB gp3 volume with two 1,000 GB gp3 volumes.

Answer: D

Explanation:

A - Magnetic Max IOPS 200 - WrongB - gp3 Max IOPS 16000 per volume - WrongC - RDS not supported io2 -
WrongD - Correct; 2 gp3 volume with 16 000 each 2*16000 = 32 000 IOPS

To improve the application performance, you can replace the 2,000 GB gp3 volume with two 1,000 GB gp3
volumes. This will increase the number of IOPS available to the database and improve performance.

Question: 395 CertyIQ

An IAM user made several configuration changes to AWS resources in their company's account during a
production deployment last week. A solutions architect learned that a couple of security group rules are not
configured as desired. The solutions architect wants to confirm which IAM user was responsible for making
changes.

Which service should the solutions architect use to find the desired information?

A. Amazon GuardDuty
B. Amazon Inspector
C. AWS CloudTrail
D. AWS Config

Answer: C

Explanation:

C. AWS CloudTrailThe best option is to use AWS CloudTrail to find the desired information. AWS CloudTrail is
a service that enables governance, compliance, operational auditing, and risk auditing of AWS account
activities. CloudTrail can be used to log all changes made to resources in an AWS account, including changes
made by IAM users, EC2 instances, AWS management console, and other AWS services. By using CloudTrail,
the solutions architect can identify the IAM user who made the configuration changes to the security group
rules.

AWS CloudTrail

Question: 396 CertyIQ

A company has implemented a self-managed DNS service on AWS. The solution consists of the following:

• Amazon EC2 instances in different AWS Regions

• Endpoints of a standard accelerator in AWS Global Accelerator
The company wants to protect the solution against DDoS attacks.

What should a solutions architect do to meet this requirement?

A. Subscribe to AWS Shield Advanced. Add the accelerator as a resource to protect.

B. Subscribe to AWS Shield Advanced. Add the EC2 instances as resources to protect.
C. Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the accelerator.
D. Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the EC2
instances.

Answer: A

Explanation:

AWS Shield is a managed service that provides protection against Distributed Denial of Service (DDoS)
attacks for applications running on AWS. AWS Shield Standard is automatically enabled to all AWS
customers at no additional cost. AWS Shield Advanced is an optional paid service. AWS Shield Advanced
provides additional protections against more sophisticated and larger attacks for your applications running on
Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global
Accelerator, and Route 53.

Question: 397 CertyIQ

An ecommerce company needs to run a scheduled daily job to aggregate and filter sales records for analytics. The
company stores the sales records in an Amazon S3 bucket. Each object can be up to 10 GB in size. Based on the
number of sales events, the job can take up to an hour to complete. The CPU and memory usage of the job are
constant and are known in advance.

A solutions architect needs to minimize the amount of operational effort that is needed for the job to run.

Which solution meets these requirements?

A.Create an AWS Lambda function that has an Amazon EventBridge notification. Schedule the EventBridge
event to run once a day.
B.Create an AWS Lambda function. Create an Amazon API Gateway HTTP API, and integrate the API with the
function. Create an Amazon EventBridge scheduled event that calls the API and invokes the function.
C.Create an Amazon Elastic Container Service (Amazon ECS) cluster with an AWS Fargate launch type. Create
an Amazon EventBridge scheduled event that launches an ECS task on the cluster to run the job.
D.Create an Amazon Elastic Container Service (Amazon ECS) cluster with an Amazon EC2 launch type and an
Auto Scaling group with at least one EC2 instance. Create an Amazon EventBridge scheduled event that
launches an ECS task on the cluster to run the job.

Answer: C

Explanation:

The requirement is to run a daily scheduled job to aggregate and filter sales records for analytics in the most
efficient way possible. Based on the requirement, we can eliminate option A and B since they use AWS
Lambda which has a limit of 15 minutes of execution time, which may not be sufficient for a job that can take
up to an hour to complete.Between options C and D, option C is the better choice since it uses AWS Fargate
which is a serverless compute engine for containers that eliminates the need to manage the underlying EC2
instances, making it a low operational effort solution. Additionally, Fargate also provides instant scale-up and
scale-down capabilities to run the scheduled job as per the requirement.Therefore, the correct answer is:C.
Create an Amazon Elastic Container Service (Amazon ECS) cluster with an AWS Fargate launch type. Create
an Amazon EventBridge scheduled event that launches an ECS task on the cluster to run the job.
Question: 398 CertyIQ
A company needs to transfer 600 TB of data from its on-premises network-attached storage (NAS) system to the
AWS Cloud. The data transfer must be complete within 2 weeks. The data is sensitive and must be encrypted in
transit. The company’s internet connection can support an upload speed of 100 Mbps.

Which solution meets these requirements MOST cost-effectively?

A.Use Amazon S3 multi-part upload functionality to transfer the files over HTTPS.
B.Create a VPN connection between the on-premises NAS system and the nearest AWS Region. Transfer the
data over the VPN connection.
C.Use the AWS Snow Family console to order several AWS Snowball Edge Storage Optimized devices. Use the
devices to transfer the data to Amazon S3.
D.Set up a 10 Gbps AWS Direct Connect connection between the company location and the nearest AWS
Region. Transfer the data over a VPN connection into the Region to store the data in Amazon S3.

Answer: C

Explanation:

C. Use the AWS Snow Family console to order several AWS Snowball Edge Storage Optimized devices. Use
the devices to transfer the data to Amazon S3.The best option is to use the AWS Snow Family console to
order several AWS Snowball Edge Storage Optimized devices and use the devices to transfer the data to
Amazon S3. Snowball Edge is a petabyte-scale data transfer device that can help transfer large amounts of
data securely and quickly. Using Snowball Edge can be the most cost-effective solution for transferring large
amounts of data over long distances and can help meet the requirement of transferring 600 TB of data within
two weeks.

Question: 399 CertyIQ

A financial company hosts a web application on AWS. The application uses an Amazon API Gateway Regional API
endpoint to give users the ability to retrieve current stock prices. The company’s security team has noticed an
increase in the number of API requests. The security team is concerned that HTTP flood attacks might take the
application offline.

A solutions architect must design a solution to protect the application from this type of attack.

Which solution meets these requirements with the LEAST operational overhead?

A. Create an Amazon CloudFront distribution in front of the API Gateway Regional API endpoint with a
maximum TTL of 24 hours.
B. Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway
stage.
C. Use Amazon CloudWatch metrics to monitor the Count metric and alert the security team when the
predefined rate is reached.
D. Create an Amazon CloudFront distribution with [email protected] in front of the API Gateway Regional API
endpoint. Create an AWS Lambda function to block requests from IP addresses that exceed the predefined
rate.

Answer: B

Explanation:
 A rate-based rule in AWS WAF allows the security team to configure thresholds that trigger rate-based rules,
which enable AWS WAF to track the rate of requests for a specified time period and then block them
automatically when the threshold is exceeded. This provides the ability to prevent HTTP flood attacks with
minimal operational overhead.

Question: 400 CertyIQ

A meteorological startup company has a custom web application to sell weather data to its users online. The
company uses Amazon DynamoDB to store its data and wants to build a new service that sends an alert to the
managers of four internal teams every time a new weather event is recorded. The company does not want this new
service to affect the performance of the current application.

What should a solutions architect do to meet these requirements with the LEAST amount of operational overhead?

A. Use DynamoDB transactions to write new event data to the table. Configure the transactions to notify
internal teams.
B. Have the current application publish a message to four Amazon Simple Notification Service (Amazon SNS)
topics. Have each team subscribe to one topic.
C. Enable Amazon DynamoDB Streams on the table. Use triggers to write to a single Amazon Simple
Notification Service (Amazon SNS) topic to which the teams can subscribe.
D. Add a custom attribute to each record to flag new items. Write a cron job that scans the table every minute
for items that are new and notifies an Amazon Simple Queue Service (Amazon SQS) queue to which the teams
can subscribe.

Answer: C

Explanation:

The best solution to meet these requirements with the least amount of operational overhead is to enable
Amazon DynamoDB Streams on the table and use triggers to write to a single Amazon Simple Notification
Service (Amazon SNS) topic to which the teams can subscribe. This solution requires minimal configuration
and infrastructure setup, and Amazon DynamoDB Streams provide a low-latency way to capture changes to
the DynamoDB table. The triggers automatically capture the changes and publish them to the SNS topic,
which notifies the internal teams.

Question: 401 CertyIQ

A company wants to use the AWS Cloud to make an existing application highly available and resilient. The current
version of the application resides in the company's data center. The application recently experienced data loss
after a database server crashed because of an unexpected power outage.

The company needs a solution that avoids any single points of failure. The solution must give the application the
ability to scale to meet user demand.

Which solution will meet these requirements?

A.Deploy the application servers by using Amazon EC2 instances in an Auto Scaling group across multiple
Availability Zones. Use an Amazon RDS DB instance in a Multi-AZ configuration.
B.Deploy the application servers by using Amazon EC2 instances in an Auto Scaling group in a single
Availability Zone. Deploy the database on an EC2 instance. Enable EC2 Auto Recovery.
C.Deploy the application servers by using Amazon EC2 instances in an Auto Scaling group across multiple
Availability Zones. Use an Amazon RDS DB instance with a read replica in a single Availability Zone. Promote
the read replica to replace the primary DB instance if the primary DB instance fails.
D.Deploy the application servers by using Amazon EC2 instances in an Auto Scaling group across multiple
 Availability Zones. Deploy the primary and secondary database servers on EC2 instances across multiple
Availability Zones. Use Amazon Elastic Block Store (Amazon EBS) Multi-Attach to create shared storage
between the instances.

Answer: A

Explanation:

The correct answer is A. Deploy the application servers by using Amazon EC2 instances in an Auto Scaling
group across multiple Availability Zones. Use an Amazon RDS DB instance in a Multi-AZ configuration.To
make an existing application highly available and resilient while avoiding any single points of failure and
giving the application the ability to scale to meet user demand, the best solution would be to deploy the
application servers using Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones
and use an Amazon RDS DB instance in a Multi-AZ configuration.By using an Amazon RDS DB instance in a
Multi-AZ configuration, the database is automatically replicated across multiple Availability Zones, ensuring
that the database is highly available and can withstand the failure of a single Availability Zone. This provides
fault tolerance and avoids any single points of failure.

Question: 402 CertyIQ

A company needs to ingest and handle large amounts of streaming data that its application generates. The
application runs on Amazon EC2 instances and sends data to Amazon Kinesis Data Streams, which is configured
with default settings. Every other day, the application consumes the data and writes the data to an Amazon S3
bucket for business intelligence (BI) processing. The company observes that Amazon S3 is not receiving all the
data that the application sends to Kinesis Data Streams.

What should a solutions architect do to resolve this issue?

A. Update the Kinesis Data Streams default settings by modifying the data retention period.
B. Update the application to use the Kinesis Producer Library (KPL) to send the data to Kinesis Data Streams.
C. Update the number of Kinesis shards to handle the throughput of the data that is sent to Kinesis Data
Streams.
D. Turn on S3 Versioning within the S3 bucket to preserve every version of every object that is ingested in the
S3 bucket.

Answer: A

Explanation:

A Kinesis data stream stores records from 24 hours by default, up to 8760 hours (365 days)."

https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html

The question mentioned Kinesis data stream default settings and "every other day". After 24hrs, the data isn't
in the Data stream if the default settings is not modified to store data more than 24hrs.

Question: 403 CertyIQ

A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the
required permissions to perform the task. The developer already has an IAM user with valid IAM credentials
required for Amazon S3.

What should a solutions architect do to grant the permissions?

A.Add required IAM permissions in the resource policy of the Lambda function.
 B.Create a signed request using the existing IAM credentials in the Lambda function.
C.Create a new IAM user and use the existing IAM credentials in the Lambda function.
D.Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.

Answer: D

Explanation:

Create Lambda execution role and attach existing S3 IAM role to the lambda function

Question: 404 CertyIQ

A company has deployed a serverless application that invokes an AWS Lambda function when new documents are
uploaded to an Amazon S3 bucket. The application uses the Lambda function to process the documents. After a
recent marketing campaign, the company noticed that the application did not process many of the documents.

What should a solutions architect do to improve the architecture of this application?

A. Set the Lambda function's runtime timeout value to 15 minutes.

B. Configure an S3 bucket replication policy. Stage the documents in the S3 bucket for later processing.
C. Deploy an additional Lambda function. Load balance the processing of the documents across the two
Lambda functions.
D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Send the requests to the queue. Configure
the queue as an event source for Lambda.

Answer: D

Explanation:

To improve the architecture of this application, the best solution would be to use Amazon Simple Queue
Service (Amazon SQS) to buffer the requests and decouple the S3 bucket from the Lambda function. This will
ensure that the documents are not lost and can be processed at a later time if the Lambda function is not
available.

This will ensure that the documents are not lost and can be processed at a later time if the Lambda function is
not available. By using Amazon SQS, the architecture is decoupled and the Lambda function can process the
documents in a scalable and fault-tolerant manner.

Question: 405 CertyIQ

A solutions architect is designing the architecture for a software demonstration environment. The environment will
run on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The system will
experience significant increases in traffic during working hours but is not required to operate on weekends.

Which combination of actions should the solutions architect take to ensure that the system can scale to meet
demand? (Choose two.)

A. Use AWS Auto Scaling to adjust the ALB capacity based on request rate.
B. Use AWS Auto Scaling to scale the capacity of the VPC internet gateway.
C. Launch the EC2 instances in multiple AWS Regions to distribute the load across Regions.
D. Use a target tracking scaling policy to scale the Auto Scaling group based on instance CPU utilization.
E. Use scheduled scaling to change the Auto Scaling group minimum, maximum, and desired capacity to zero
for weekends. Revert to the default values at the start of the week.
 Answer: DE

Explanation:

Scaling should be at the ASG not ALB. So, not sure about "Use AWS Auto Scaling to adjust the ALB capacity
based on request rate"

Question: 406 CertyIQ

A solutions architect is designing a two-tiered architecture that includes a public subnet and a database subnet.
The web servers in the public subnet must be open to the internet on port 443. The Amazon RDS for MySQL DB
instance in the database subnet must be accessible only to the web servers on port 3306.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

A.Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 3306.
B.Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on
port 3306.
C.Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on
port 443.
D.Create a security group for the DB instance. Add a rule to allow traffic from the web servers’ security group
on port 3306.
E.Create a security group for the DB instance. Add a rule to deny all traffic except traffic from the web servers’
security group on port 3306.

Answer: CD

Explanation:

To meet the requirements of allowing access to the web servers in the public subnet on port 443 and the
Amazon RDS for MySQL DB instance in the database subnet on port 3306, the best solution would be to
create a security group for the web servers and another security group for the DB instance, and then define
the appropriate inbound and outbound rules for each security group.1. Create a security group for the web
servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.2. Create a security group
for the DB instance. Add a rule to allow traffic from the web servers' security group on port 3306.This will
allow the web servers in the public subnet to receive traffic from the internet on port 443, and the Amazon
RDS for MySQL DB instance in the database subnet to receive traffic only from the web servers on port 3306.

Question: 407 CertyIQ

A company is implementing a shared storage solution for a gaming application that is hosted in the AWS Cloud.
The company needs the ability to use Lustre clients to access data. The solution must be fully managed.

Which solution meets these requirements?

A.Create an AWS DataSync task that shares the data as a mountable file system. Mount the file system to the
application server.
B.Create an AWS Storage Gateway file gateway. Create a file share that uses the required client protocol.
Connect the application server to the file share.
C.Create an Amazon Elastic File System (Amazon EFS) file system, and configure it to support Lustre. Attach
the file system to the origin server. Connect the application server to the file system.
D.Create an Amazon FSx for Lustre file system. Attach the file system to the origin server. Connect the
 application server to the file system.

Answer: D

Explanation:

To meet the requirements of a shared storage solution for a gaming application that can be accessed using
Lustre clients and is fully managed, the best solution would be to use Amazon FSx for Lustre.Amazon FSx for
Lustre is a fully managed file system that is optimized for compute-intensive workloads, such as high-
performance computing, machine learning, and gaming. It provides a POSIX-compliant file system that can be
accessed using Lustre clients and offers high performance, scalability, and data durability.This solution
provides a highly available, scalable, and fully managed shared storage solution that can be accessed using
Lustre clients. Amazon FSx for Lustre is optimized for compute-intensive workloads and provides high
performance and durability.

Question: 408 CertyIQ

A company runs an application that receives data from thousands of geographically dispersed remote devices that
use UDP. The application processes the data immediately and sends a message back to the device if necessary. No
data is stored.

The company needs a solution that minimizes latency for the data transmission from the devices. The solution also
must provide rapid failover to another AWS Region.

Which solution will meet these requirements?

A. Configure an Amazon Route 53 failover routing policy. Create a Network Load Balancer (NLB) in each of the
two Regions. Configure the NLB to invoke an AWS Lambda function to process the data.
B. Use AWS Global Accelerator. Create a Network Load Balancer (NLB) in each of the two Regions as an
endpoint. Create an Amazon Elastic Container Service (Amazon ECS) cluster with the Fargate launch type.
Create an ECS service on the cluster. Set the ECS service as the target for the NLProcess the data in Amazon
ECS.
C. Use AWS Global Accelerator. Create an Application Load Balancer (ALB) in each of the two Regions as an
endpoint. Create an Amazon Elastic Container Service (Amazon ECS) cluster with the Fargate launch type.
Create an ECS service on the cluster. Set the ECS service as the target for the ALB. Process the data in Amazon
ECS.
D. Configure an Amazon Route 53 failover routing policy. Create an Application Load Balancer (ALB) in each of
the two Regions. Create an Amazon Elastic Container Service (Amazon ECS) cluster with the Fargate launch
type. Create an ECS service on the cluster. Set the ECS service as the target for the ALB. Process the data in
Amazon ECS.

Answer: B

Explanation:

To meet the requirements of minimizing latency for data transmission from the devices and providing rapid
failover to another AWS Region, the best solution would be to use AWS Global Accelerator in combination
with a Network Load Balancer (NLB) and Amazon Elastic Container Service (Amazon ECS).

AWS Global Accelerator is a service that improves the availability and performance of applications by using
static IP addresses (Anycast) to route traffic to optimal AWS endpoints. With Global Accelerator, you can
direct traffic to multiple Regions and endpoints, and provide automatic failover to another AWS Region.

Question: 409 CertyIQ

A solutions architect must migrate a Windows Internet Information Services (IIS) web application to AWS. The
application currently relies on a file share hosted in the user's on-premises network-attached storage (NAS). The
solutions architect has proposed migrating the IIS web servers to Amazon EC2 instances in multiple Availability
Zones that are connected to the storage solution, and configuring an Elastic Load Balancer attached to the
instances.

Which replacement to the on-premises file share is MOST resilient and durable?

A. Migrate the file share to Amazon RDS.

B. Migrate the file share to AWS Storage Gateway.
C. Migrate the file share to Amazon FSx for Windows File Server.
D. Migrate the file share to Amazon Elastic File System (Amazon EFS).

Answer: C

Explanation:

A) RDS is a database serviceB) Storage Gateway is a hybrid cloud storage service that connects on-premises
applications to AWS storage services.D) provides shared file storage for Linux-based workloads, but it does
not natively support Windows-based workloads.

The most resilient and durable replacement for the on-premises file share in this scenario would be Amazon
FSx for Windows File Server.Amazon FSx is a fully managed Windows file system service that is built on
Windows Server and provides native support for the SMB protocol. It is designed to be highly available and
durable, with built-in backup and restore capabilities. It is also fully integrated with AWS security services,
providing encryption at rest and in transit, and it can be configured to meet compliance standards.

Question: 410 CertyIQ

A company is deploying a new application on Amazon EC2 instances. The application writes data to Amazon Elastic
Block Store (Amazon EBS) volumes. The company needs to ensure that all data that is written to the EBS volumes
is encrypted at rest.

Which solution will meet this requirement?

A.Create an IAM role that specifies EBS encryption. Attach the role to the EC2 instances.
B.Create the EBS volumes as encrypted volumes. Attach the EBS volumes to the EC2 instances.
C.Create an EC2 instance tag that has a key of Encrypt and a value of True. Tag all instances that require
encryption at the EBS level.
D.Create an AWS Key Management Service (AWS KMS) key policy that enforces EBS encryption in the account.
Ensure that the key policy is active.

Answer: B

Explanation:

Create encrypted EBS volumes and attach encrypted EBS volumes to EC2 instances..

Question: 411 CertyIQ

A company has a web application with sporadic usage patterns. There is heavy usage at the beginning of each
month, moderate usage at the start of each week, and unpredictable usage during the week. The application
consists of a web server and a MySQL database server running inside the data center. The company would like to
move the application to the AWS Cloud, and needs to select a cost-effective database platform that will not
require database modifications.

Which solution will meet these requirements?

A.Amazon DynamoDB
B.Amazon RDS for MySQL
C.MySQL-compatible Amazon Aurora Serverless
D.MySQL deployed on Amazon EC2 in an Auto Scaling group

Answer: C

Explanation:

C: Aurora Serverless is a MySQL-compatible relational database engine that automatically scales compute
and memory resources based on application usage. no upfront costs or commitments required. A: DynamoDB
is a NoSQLB: Fixed cost on RDS classD: More operation requires

Question: 412 CertyIQ

An image-hosting company stores its objects in Amazon S3 buckets. The company wants to avoid accidental
exposure of the objects in the S3 buckets to the public. All S3 objects in the entire AWS account need to remain
private.

Which solution will meet these requirements?

A. Use Amazon GuardDuty to monitor S3 bucket policies. Create an automatic remediation action rule that uses
an AWS Lambda function to remediate any change that makes the objects public.
B. Use AWS Trusted Advisor to find publicly accessible S3 buckets. Configure email notifications in Trusted
Advisor when a change is detected. Manually change the S3 bucket policy if it allows public access.
C. Use AWS Resource Access Manager to find publicly accessible S3 buckets. Use Amazon Simple Notification
Service (Amazon SNS) to invoke an AWS Lambda function when a change is detected. Deploy a Lambda
function that programmatically remediates the change.
D. Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service
control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.

Answer: D

Explanation:

Answer D is the correct solution that meets the requirements. The S3 Block Public Access feature allows you
to restrict public access to S3 buckets and objects within the account. You can enable this feature at the
account level to prevent any S3 bucket from being made public, regardless of the bucket policy settings.
AWS Organizations can be used to apply a Service Control Policy (SCP) to the account to prevent IAM users
from changing this setting, ensuring that all S3 objects remain private. This is a straightforward and effective
solution that requires minimal operational overhead.

Question: 413 CertyIQ

An ecommerce company is experiencing an increase in user traffic. The company’s store is deployed on Amazon
EC2 instances as a two-tier web application consisting of a web tier and a separate database tier. As traffic
increases, the company notices that the architecture is causing significant delays in sending timely marketing and
order confirmation email to users. The company wants to reduce the time it spends resolving complex email
delivery issues and minimize operational overhead.
What should a solutions architect do to meet these requirements?

A. Create a separate application tier using EC2 instances dedicated to email processing.
B. Configure the web instance to send email through Amazon Simple Email Service (Amazon SES).
C. Configure the web instance to send email through Amazon Simple Notification Service (Amazon SNS).
D. Create a separate application tier using EC2 instances dedicated to email processing. Place the instances in
an Auto Scaling group.

Answer: B

Explanation:

Amazon SES is a cost-effective and scalable email service that enables businesses to send and receive email
using their own email addresses and domains. Configuring the web instance to send email through Amazon
SES is a simple and effective solution that can reduce the time spent resolving complex email delivery issues
and minimize operational overhead.

Question: 414 CertyIQ

A company has a business system that generates hundreds of reports each day. The business system saves the
reports to a network share in CSV format. The company needs to store this data in the AWS Cloud in near-real time
for analysis.

Which solution will meet these requirements with the LEAST administrative overhead?

A. Use AWS DataSync to transfer the files to Amazon S3. Create a scheduled task that runs at the end of each
day.
B. Create an Amazon S3 File Gateway. Update the business system to use a new network share from the S3 File
Gateway.
C. Use AWS DataSync to transfer the files to Amazon S3. Create an application that uses the DataSync API in
the automation workflow.
D. Deploy an AWS Transfer for SFTP endpoint. Create a script that checks for new files on the network share
and uploads the new files by using SFTP.

Answer: B

Explanation:
1. Key words: 1. near-real-time (A is out)2. LEAST administrative (C n D is out)
2. A - creating a scheduled task is not near-real time.B - The S3 File Gateway caches frequently accessed
data locally and automatically uploads it to Amazon S3, providing near-real-time access to the data.C -
creating an application that uses the DataSync API in the automation workflow may provide near-real-time
data access, but it requires additional development effort.D - it requires additional development effort.

Question: 415 CertyIQ

A company is storing petabytes of data in Amazon S3 Standard. The data is stored in multiple S3 buckets and is
accessed with varying frequency. The company does not know access patterns for all the data. The company
needs to implement a solution for each S3 bucket to optimize the cost of S3 usage.

Which solution will meet these requirements with the MOST operational efficiency?

A. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 Intelligent-
Tiering.
B. Use the S3 storage class analysis tool to determine the correct tier for each object in the S3 bucket. Move
 each object to the identified storage tier.
C. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 Glacier
Instant Retrieval.
D. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 One Zone-
Infrequent Access (S3 One Zone-IA).

Answer: A

Explanation:

Creating an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 Intelligent-
Tiering would be the most efficient solution to optimize the cost of S3 usage. S3 Intelligent-Tiering is a
storage class that automatically moves objects between two access tiers (frequent and infrequent) based on
changing access patterns. It is a cost-effective solution that does not require any manual intervention to move
data to different storage classes, unlike the other options.

Question: 416 CertyIQ

A rapidly growing global ecommerce company is hosting its web application on AWS. The web application includes
static content and dynamic content. The website stores online transaction processing (OLTP) data in an Amazon
RDS database The website’s users are experiencing slow page loads.

Which combination of actions should a solutions architect take to resolve this issue? (Choose two.)

A.Configure an Amazon Redshift cluster.

B.Set up an Amazon CloudFront distribution.
C.Host the dynamic web content in Amazon S3.
D.Create a read replica for the RDS DB instance.
E.Configure a Multi-AZ deployment for the RDS DB instance.

Answer: BD

Explanation:

To resolve the issue of slow page loads for a rapidly growing e-commerce website hosted on AWS, a solutions
architect can take the following two actions:1. Set up an Amazon CloudFront distribution2. Create a read
replica for the RDS DB instanceConfiguring an Amazon Redshift cluster is not relevant to this issue since
Redshift is a data warehousing service and is typically used for the analytical processing of large amounts of
data.Hosting the dynamic web content in Amazon S3 may not necessarily improve performance since S3 is an
object storage service, not a web application server. While S3 can be used to host static web content, it may
not be suitable for hosting dynamic web content since S3 doesn't support server-side scripting or
processing.Configuring a Multi-AZ deployment for the RDS DB instance will improve high availability but may
not necessarily improve performance.

Question: 417 CertyIQ

A company uses Amazon EC2 instances and AWS Lambda functions to run its application. The company has VPCs
with public subnets and private subnets in its AWS account. The EC2 instances run in a private subnet in one of the
VPCs. The Lambda functions need direct network access to the EC2 instances for the application to work.

The application will run for at least 1 year. The company expects the number of Lambda functions that the
application uses to increase during that time. The company wants to maximize its savings on all application
resources and to keep network latency between the services low.
Which solution will meet these requirements?

A.Purchase an EC2 Instance Savings Plan Optimize the Lambda functions’ duration and memory usage and the
number of invocations. Connect the Lambda functions to the private subnet that contains the EC2 instances.
B.Purchase an EC2 Instance Savings Plan Optimize the Lambda functions' duration and memory usage, the
number of invocations, and the amount of data that is transferred. Connect the Lambda functions to a public
subnet in the same VPC where the EC2 instances run.
C.Purchase a Compute Savings Plan. Optimize the Lambda functions’ duration and memory usage, the number
of invocations, and the amount of data that is transferred. Connect the Lambda functions to the private subnet
that contains the EC2 instances.
D.Purchase a Compute Savings Plan. Optimize the Lambda functions’ duration and memory usage, the number
of invocations, and the amount of data that is transferred. Keep the Lambda functions in the Lambda service
VPC.

Answer: C

Explanation:

Answer C is the best solution that meets the company’s requirements.By purchasing a Compute Savings Plan,
the company can save on the costs of running both EC2 instances and Lambda functions. The Lambda
functions can be connected to the private subnet that contains the EC2 instances through a VPC endpoint for
AWS services or a VPC peering connection. This provides direct network access to the EC2 instances while
keeping the traffic within the private network, which helps to minimize network latency.Optimizing the
Lambda functions’ duration, memory usage, number of invocations, and amount of data transferred can help
to further minimize costs and improve performance. Additionally, using a private subnet helps to ensure that
the EC2 instances are not directly accessible from the public internet, which is a security best practice.

Question: 418 CertyIQ

A solutions architect needs to allow team members to access Amazon S3 buckets in two different AWS accounts:
a development account and a production account. The team currently has access to S3 buckets in the
development account by using unique IAM users that are assigned to an IAM group that has appropriate
permissions in the account.

The solutions architect has created an IAM role in the production account. The role has a policy that grants access
to an S3 bucket in the production account.

Which solution will meet these requirements while complying with the principle of least privilege?

A. Attach the Administrator Access policy to the development account users.

B. Add the development account as a principal in the trust policy of the role in the production account.
C. Turn off the S3 Block Public Access feature on the S3 bucket in the production account.
D. Create a user in the production account with unique credentials for each team member.

Answer: B

Explanation:

The solution that will meet these requirements while complying with the principle of least privilege is to add
the development account as a principal in the trust policy of the role in the production account. This will allow
team members to access Amazon S3 buckets in two different AWS accounts while complying with the
principle of least privilege.

Option A is not recommended because it grants too much access to development account users. Option C is
not relevant to this scenario. Option D is not recommended because it does not comply with the principle of
 least privilege.

Question: 419 CertyIQ

A company uses AWS Organizations with all features enabled and runs multiple Amazon EC2 workloads in the ap-
southeast-2 Region. The company has a service control policy (SCP) that prevents any resources from being
created in any other Region. A security policy requires the company to encrypt all data at rest.

An audit discovers that employees have created Amazon Elastic Block Store (Amazon EBS) volumes for EC2
instances without encrypting the volumes. The company wants any new EC2 instances that any IAM user or root
user launches in ap-southeast-2 to use encrypted EBS volumes. The company wants a solution that will have
minimal effect on employees who create EBS volumes.

Which combination of steps will meet these requirements? (Choose two.)

A.In the Amazon EC2 console, select the EBS encryption account attribute and define a default encryption key.
B.Create an IAM permission boundary. Attach the permission boundary to the root organizational unit (OU).
Define the boundary to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.
C.Create an SCP. Attach the SCP to the root organizational unit (OU). Define the SCP to deny the
ec2:CreateVolume action whenthe ec2:Encrypted condition equals false.
D.Update the IAM policies for each account to deny the ec2:CreateVolume action when the ec2:Encrypted
condition equals false.
E.In the Organizations management account, specify the Default EBS volume encryption setting.

Answer: CE

Explanation:

SCP that denies the ec2:CreateVolume action when the ec2:Encrypted condition equals false. This will
prevent users and service accounts in member accounts from creating unencrypted EBS volumes in the ap-
southeast-2 Region.

Question: 420 CertyIQ

A company wants to use an Amazon RDS for PostgreSQL DB cluster to simplify time-consuming database
administrative tasks for production database workloads. The company wants to ensure that its database is highly
available and will provide automatic failover support in most scenarios in less than 40 seconds. The company
wants to offload reads off of the primary instance and keep costs as low as possible.

Which solution will meet these requirements?

A.Use an Amazon RDS Multi-AZ DB instance deployment. Create one read replica and point the read workload
to the read replica.
B.Use an Amazon RDS Multi-AZ DB duster deployment Create two read replicas and point the read workload to
the read replicas.
C.Use an Amazon RDS Multi-AZ DB instance deployment. Point the read workload to the secondary instances in
the Multi-AZ pair.
D.Use an Amazon RDS Multi-AZ DB cluster deployment Point the read workload to the reader endpoint.

Answer: D

Explanation:

The company wants high availability, automatic failover support in less than 40 seconds, read offloading from
 the primary instance, and cost-effectiveness.

Answer D is the best choice for several reasons:

1. Amazon RDS Multi-AZ deployments provide high availability and automatic failover support.

2. In a Multi-AZ DB cluster, Amazon RDS automatically provisions and maintains a standby in a different
Availability Zone. If a failure occurs, Amazon RDS performs an automatic failover to the standby, minimizing
downtime.

3. The "Reader endpoint" for an Amazon RDS DB cluster provides load-balancing support for read-only
connections to the DB cluster. Directing read traffic to the reader endpoint helps in offloading read operations
from the primary instance.

Question: 421 CertyIQ

A company runs a highly available SFTP service. The SFTP service uses two Amazon EC2 Linux instances that run
with elastic IP addresses to accept traffic from trusted IP sources on the internet. The SFTP service is backed by
shared storage that is attached to the instances. User accounts are created and managed as Linux users in the
SFTP servers.

The company wants a serverless option that provides high IOPS performance and highly configurable security. The
company also wants to maintain control over user permissions.

Which solution will meet these requirements?

A.Create an encrypted Amazon Elastic Block Store (Amazon EBS) volume. Create an AWS Transfer Family SFTP
service with a public endpoint that allows only trusted IP addresses. Attach the EBS volume to the SFTP service
endpoint. Grant users access to the SFTP service.
B.Create an encrypted Amazon Elastic File System (Amazon EFS) volume. Create an AWS Transfer Family SFTP
service with elastic IP addresses and a VPC endpoint that has internet-facing access. Attach a security group to
the endpoint that allows only trusted IP addresses. Attach the EFS volume to the SFTP service endpoint. Grant
users access to the SFTP service.
C.Create an Amazon S3 bucket with default encryption enabled. Create an AWS Transfer Family SFTP service
with a public endpoint that allows only trusted IP addresses. Attach the S3 bucket to the SFTP service
endpoint. Grant users access to the SFTP service.
D.Create an Amazon S3 bucket with default encryption enabled. Create an AWS Transfer Family SFTP service
with a VPC endpoint that has internal access in a private subnet. Attach a security group that allows only
trusted IP addresses. Attach the S3 bucket to the SFTP service endpoint. Grant users access to the SFTP
service.

Answer: B

Explanation:

The question is requiring highly configurable security --> that excludes default S3 encryption, which is SSE-
S3 (is not configurable)

Question: 422 CertyIQ

A company is developing a new machine learning (ML) model solution on AWS. The models are developed as
independent microservices that fetch approximately 1 GB of model data from Amazon S3 at startup and load the
data into memory. Users access the models through an asynchronous API. Users can send a request or a batch of
requests and specify where the results should be sent.

The company provides models to hundreds of users. The usage patterns for the models are irregular. Some models
could be unused for days or weeks. Other models could receive batches of thousands of requests at a time.

Which design should a solutions architect recommend to meet these requirements?

A.Direct the requests from the API to a Network Load Balancer (NLB). Deploy the models as AWS Lambda
functions that are invoked by the NLB.
B.Direct the requests from the API to an Application Load Balancer (ALB). Deploy the models as Amazon Elastic
Container Service (Amazon ECS) services that read from an Amazon Simple Queue Service (Amazon SQS)
queue. Use AWS App Mesh to scale the instances of the ECS cluster based on the SQS queue size.
C.Direct the requests from the API into an Amazon Simple Queue Service (Amazon SQS) queue. Deploy the
models as AWS Lambda functions that are invoked by SQS events. Use AWS Auto Scaling to increase the
number of vCPUs for the Lambda functions based on the SQS queue size.
D.Direct the requests from the API into an Amazon Simple Queue Service (Amazon SQS) queue. Deploy the
models as Amazon Elastic Container Service (Amazon ECS) services that read from the queue. Enable AWS
Auto Scaling on Amazon ECS for both the cluster and copies of the service based on the queue size.

Answer: D

Explanation:

because it is scalable, reliable, and efficient.C does not scale the models automatically

Question: 423 CertyIQ

A solutions architect wants to use the following JSON text as an identity-based policy to grant specific
permissions:

Which IAM principals can the solutions architect attach this policy to? (Choose two.)

A.Role
B.Group
C.Organization
D.Amazon Elastic Container Service (Amazon ECS) resource
E.Amazon EC2 resource

Answer: AB

Explanation:
 identity-based policy used for role and group

Question: 424 CertyIQ

A company is running a custom application on Amazon EC2 On-Demand Instances. The application has frontend
nodes that need to run 24 hours a day, 7 days a week and backend nodes that need to run only for a short time
based on workload. The number of backend nodes varies during the day.

The company needs to scale out and scale in more instances based on workload.

Which solution will meet these requirements MOST cost-effectively?

A.Use Reserved Instances for the frontend nodes. Use AWS Fargate for the backend nodes.
B.Use Reserved Instances for the frontend nodes. Use Spot Instances for the backend nodes.
C.Use Spot Instances for the frontend nodes. Use Reserved Instances for the backend nodes.
D.Use Spot Instances for the frontend nodes. Use AWS Fargate for the backend nodes.

Answer: B

Explanation:

Reserved+ spot .Fargate for serverless

Question: 425 CertyIQ

A company uses high block storage capacity to runs its workloads on premises. The company's daily peak input
and output transactions per second are not more than 15,000 IOPS. The company wants to migrate the workloads
to Amazon EC2 and to provision disk performance independent of storage capacity.

Which Amazon Elastic Block Store (Amazon EBS) volume type will meet these requirements MOST cost-
effectively?

A.GP2 volume type

B.io2 volume type
C.GP3 volume type
D.io1 volume type

Answer: C

Explanation:

Both GP2 and GP3 has max IOPS 16000 but GP3 is cost
effective.https://aws.amazon.com/blogs/storage/migrate-your-amazon-ebs-volumes-from-gp2-to-gp3-and-
save-up-to-20-on-costs/

Question: 426 CertyIQ

A company needs to store data from its healthcare application. The application’s data frequently changes. A new
regulation requires audit access at all levels of the stored data.

The company hosts the application on an on-premises infrastructure that is running out of storage capacity. A
solutions architect must securely migrate the existing data to AWS while satisfying the new regulation.
Which solution will meet these requirements?

A.Use AWS DataSync to move the existing data to Amazon S3. Use AWS CloudTrail to log data events.
B.Use AWS Snowcone to move the existing data to Amazon S3. Use AWS CloudTrail to log management events.
C.Use Amazon S3 Transfer Acceleration to move the existing data to Amazon S3. Use AWS CloudTrail to log
data events.
D.Use AWS Storage Gateway to move the existing data to Amazon S3. Use AWS CloudTrail to log management
events.

Answer: A

Explanation:
1. https://docs.aws.amazon.com/ja_jp/datasync/latest/userguide/encryption-in-transit.html
2. One time synch, its Data Sync. Dont bother for greyrose answers, they are usually wrong

Question: 427 CertyIQ

A solutions architect is implementing a complex Java application with a MySQL database. The Java application
must be deployed on Apache Tomcat and must be highly available.

What should the solutions architect do to meet these requirements?

A.Deploy the application in AWS Lambda. Configure an Amazon API Gateway API to connect with the Lambda
functions.
B.Deploy the application by using AWS Elastic Beanstalk. Configure a load-balanced environment and a rolling
deployment policy.
C.Migrate the database to Amazon ElastiCache. Configure the ElastiCache security group to allow access from
the application.
D.Launch an Amazon EC2 instance. Install a MySQL server on the EC2 instance. Configure the application on
the server. Create an AMI. Use the AMI to create a launch template with an Auto Scaling group.

Answer: B

Explanation:

Deploy the application by using AWS Elastic Beanstalk. Configure a load-balanced environment and a rolling
deployment policy.

Question: 428 CertyIQ

A serverless application uses Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. The Lambda function
needs permissions to read and write to the DynamoDB table.

Which solution will give the Lambda function access to the DynamoDB table MOST securely?

A.Create an IAM user with programmatic access to the Lambda function. Attach a policy to the user that allows
read and write access to the DynamoDB table. Store the access_key_id and secret_access_key parameters as
part of the Lambda environment variables. Ensure that other AWS users do not have read and write access to
the Lambda function configuration.
B.Create an IAM role that includes Lambda as a trusted service. Attach a policy to the role that allows read and
write access to the DynamoDB table. Update the configuration of the Lambda function to use the new role as
the execution role.
C.Create an IAM user with programmatic access to the Lambda function. Attach a policy to the user that allows
read and write access to the DynamoDB table. Store the access_key_id and secret_access_key parameters in
 AWS Systems Manager Parameter Store as secure string parameters. Update the Lambda function code to
retrieve the secure string parameters before connecting to the DynamoDB table.
D.Create an IAM role that includes DynamoDB as a trusted service. Attach a policy to the role that allows read
and write access from the Lambda function. Update the code of the Lambda function to attach to the new role
as an execution role.

Answer: B

Explanation:

B is rightRole key word and trusted service lambda

Question: 429 CertyIQ

The following IAM policy is attached to an IAM group. This is the only policy applied to the group.

What are the effective IAM permissions of this policy for group members?

A.Group members are permitted any Amazon EC2 action within the us-east-1 Region. Statements after the
Allow permission are not applied.
 B.Group members are denied any Amazon EC2 permissions in the us-east-1 Region unless they are logged in
with multi-factor authentication (MFA).
C.Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for all Regions
when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2
action.
D.Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for the us-east-1
Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other
Amazon EC2 action within the us-east-1 Region.

Answer: D

Explanation:

Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for the us-east-1
Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other
Amazon EC2 action within the us-east-1 Region.

Question: 430 CertyIQ

A manufacturing company has machine sensors that upload .csv files to an Amazon S3 bucket. These .csv files
must be converted into images and must be made available as soon as possible for the automatic generation of
graphical reports.

The images become irrelevant after 1 month, but the .csv files must be kept to train machine learning (ML) models
twice a year. The ML trainings and audits are planned weeks in advance.

Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)

A.Launch an Amazon EC2 Spot Instance that downloads the .csv files every hour, generates the image files, and
uploads the images to the S3 bucket.
B.Design an AWS Lambda function that converts the .csv files into images and stores the images in the S3
bucket. Invoke the Lambda function when a .csv file is uploaded.
C.Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from S3
Standard to S3 Glacier 1 day after they are uploaded. Expire the image files after 30 days.
D.Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from S3
Standard to S3 One Zone-Infrequent Access (S3 One Zone-IA) 1 day after they are uploaded. Expire the image
files after 30 days.
E.Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from S3
Standard to S3 Standard-Infrequent Access (S3 Standard-IA) 1 day after they are uploaded. Keep the image
files in Reduced Redundancy Storage (RRS).

Answer: BC

Explanation:

B severless and cost effectiveC corrctl rule to store

Question: 431 CertyIQ

A company has developed a new video game as a web application. The application is in a three-tier architecture in
a VPC with Amazon RDS for MySQL in the database layer. Several players will compete concurrently online. The
game’s developers want to display a top-10 scoreboard in near-real time and offer the ability to stop and restore
the game while preserving the current scores.

What should a solutions architect do to meet these requirements?

 A.Set up an Amazon ElastiCache for Memcached cluster to cache the scores for the web application to display.
B.Set up an Amazon ElastiCache for Redis cluster to compute and cache the scores for the web application to
display.
C.Place an Amazon CloudFront distribution in front of the web application to cache the scoreboard in a section
of the application.
D.Create a read replica on Amazon RDS for MySQL to run queries to compute the scoreboard and serve the
read traffic to the web application.

Answer: B

Explanation:

https://aws.amazon.com/jp/blogs/news/building-a-real-time-gaming-leaderboard-with-amazon-elasticache-
for-redis/

Question: 432 CertyIQ

An ecommerce company wants to use machine learning (ML) algorithms to build and train models. The company
will use the models to visualize complex scenarios and to detect trends in customer data. The architecture team
wants to integrate its ML models with a reporting platform to analyze the augmented data and use the data
directly in its business intelligence dashboards.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use AWS Glue to create an ML transform to build and train models. Use Amazon OpenSearch Service to
visualize the data.
B.Use Amazon SageMaker to build and train models. Use Amazon QuickSight to visualize the data.
C.Use a pre-built ML Amazon Machine Image (AMI) from the AWS Marketplace to build and train models. Use
Amazon OpenSearch Service to visualize the data.
D.Use Amazon QuickSight to build and train models by using calculated fields. Use Amazon QuickSight to
visualize the data.

Answer: B

Explanation:

Business intelligence, visualiations = AmazonQuicksightML = Amazon SageMaker

Question: 433 CertyIQ

A company is running its production and nonproduction environment workloads in multiple AWS accounts. The
accounts are in an organization in AWS Organizations. The company needs to design a solution that will prevent
the modification of cost usage tags.

Which solution will meet these requirements?

A.Create a custom AWS Config rule to prevent tag modification except by authorized principals.
B.Create a custom trail in AWS CloudTrail to prevent tag modification.
C.Create a service control policy (SCP) to prevent tag modification except by authorized principals.
D.Create custom Amazon CloudWatch logs to prevent tag modification.

Answer: C
 Explanation:

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in
your organization.

Question: 434 CertyIQ

A company hosts its application in the AWS Cloud. The application runs on Amazon EC2 instances behind an
Elastic Load Balancer in an Auto Scaling group and with an Amazon DynamoDB table. The company wants to
ensure the application can be made available in anotherAWS Region with minimal downtime.

What should a solutions architect do to meet these requirements with the LEAST amount of downtime?

A.Create an Auto Scaling group and a load balancer in the disaster recovery Region. Configure the DynamoDB
table as a global table. Configure DNS failover to point to the new disaster recovery Region's load balancer.
B.Create an AWS CloudFormation template to create EC2 instances, load balancers, and DynamoDB tables to
be launched when needed Configure DNS failover to point to the new disaster recovery Region's load balancer.
C.Create an AWS CloudFormation template to create EC2 instances and a load balancer to be launched when
needed. Configure the DynamoDB table as a global table. Configure DNS failover to point to the new disaster
recovery Region's load balancer.
D.Create an Auto Scaling group and load balancer in the disaster recovery Region. Configure the DynamoDB
table as a global table. Create an Amazon CloudWatch alarm to trigger an AWS Lambda function that updates
Amazon Route 53 pointing to the disaster recovery load balancer.

Answer: A

Explanation:

.Create an Auto Scaling group and a load balancer in the disaster recovery Region. Configure the DynamoDB
table as a global table. Configure DNS failover to point to the new disaster recovery Region's load balancer.

Question: 435 CertyIQ

A company needs to migrate a MySQL database from its on-premises data center to AWS within 2 weeks. The
database is 20 TB in size. The company wants to complete the migration with minimal downtime.

Which solution will migrate the database MOST cost-effectively?

A.Order an AWS Snowball Edge Storage Optimized device. Use AWS Database Migration Service (AWS DMS)
with AWS Schema Conversion Tool (AWS SCT) to migrate the database with replication of ongoing changes.
Send the Snowball Edge device to AWS to finish the migration and continue the ongoing replication.
B.Order an AWS Snowmobile vehicle. Use AWS Database Migration Service (AWS DMS) with AWS Schema
Conversion Tool (AWS SCT) to migrate the database with ongoing changes. Send the Snowmobile vehicle back
to AWS to finish the migration and continue the ongoing replication.
C.Order an AWS Snowball Edge Compute Optimized with GPU device. Use AWS Database Migration Service
(AWS DMS) with AWS Schema Conversion Tool (AWS SCT) to migrate the database with ongoing changes.
Send the Snowball device to AWS to finish the migration and continue the ongoing replication
D.Order a 1 GB dedicated AWS Direct Connect connection to establish a connection with the data center. Use
AWS Database Migration Service (AWS DMS) with AWS Schema Conversion Tool (AWS SCT) to migrate the
database with replication of ongoing changes.

Answer: A

Explanation:
 D - Direct Connect takes atleast a month to setup! Requirement is for within 2 weeks.

https://docs.aws.amazon.com/ja_jp/snowball/latest/developer-guide/device-differences.html#device-
optionsAです。

Question: 436 CertyIQ

A company moved its on-premises PostgreSQL database to an Amazon RDS for PostgreSQL DB instance. The
company successfully launched a new product. The workload on the database has increased. The company wants
to accommodate the larger workload without adding infrastructure.

Which solution will meet these requirements MOST cost-effectively?

A.Buy reserved DB instances for the total workload. Make the Amazon RDS for PostgreSQL DB instance larger.
B.Make the Amazon RDS for PostgreSQL DB instance a Multi-AZ DB instance.
C.Buy reserved DB instances for the total workload. Add another Amazon RDS for PostgreSQL DB instance.
D.Make the Amazon RDS for PostgreSQL DB instance an on-demand DB instance.

Answer: A

Explanation:

A.

"without adding infrastructure" means scaling vertically and choosing larger instance.

"MOST cost-effectively" reserved instances

Question: 437 CertyIQ

A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB)
in an Auto Scaling group. The site is experiencing performance issues related to a high request rate from
illegitimate external systems with changing IP addresses. The security team is worried about potential DDoS
attacks against the website. The company must block the illegitimate incoming requests in a way that has a
minimal impact on legitimate users.

What should a solutions architect recommend?

A.Deploy Amazon Inspector and associate it with the ALB.

B.Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
C.Deploy rules to the network ACLs associated with the ALB to block the incomingtraffic.
D.Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.

Answer: B

Explanation:

Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.

Question: 438 CertyIQ

A company wants to share accounting data with an external auditor. The data is stored in an Amazon RDS DB
instance that resides in a private subnet. The auditor has its own AWS account and requires its own copy of the
database.

What is the MOST secure way for the company to share the database with the auditor?

A.Create a read replica of the database. Configure IAM standard database authentication to grant the auditor
access.
B.Export the database contents to text files. Store the files in an Amazon S3 bucket. Create a new IAM user for
the auditor. Grant the user access to the S3 bucket.
C.Copy a snapshot of the database to an Amazon S3 bucket. Create an IAM user. Share the user's keys with the
auditor to grant access to the object in the S3 bucket.
D.Create an encrypted snapshot of the database. Share the snapshot with the auditor. Allow access to the AWS
Key Management Service (AWS KMS) encryption key.

Answer: D

Explanation:

Create an encrypted snapshot of the database. Share the snapshot with the auditor. Allow access to the AWS
Key Management Service (AWS KMS) encryption key.

Question: 439 CertyIQ

A solutions architect configured a VPC that has a small range of IP addresses. The number of Amazon EC2
instances that are in the VPC is increasing, and there is an insufficient number of IP addresses for future
workloads.

Which solution resolves this issue with the LEAST operational overhead?

A.Add an additional IPv4 CIDR block to increase the number of IP addresses and create additional subnets in
the VPC. Create new resources in the new subnets by using the new CIDR.
B.Create a second VPC with additional subnets. Use a peering connection to connect the second VPC with the
first VPC Update the routes and create new resources in the subnets of the second VPC.
C.Use AWS Transit Gateway to add a transit gateway and connect a second VPC with the first VPUpdate the
routes of the transit gateway and VPCs. Create new resources in the subnets of the second VPC.
D.Create a second VPC. Create a Site-to-Site VPN connection between the first VPC and the second VPC by
using a VPN-hosted solution on Amazon EC2 and a virtual private gateway. Update the route between VPCs to
the traffic through the VPN. Create new resources in the subnets of the second VPC.

Answer: A

Explanation:

Add an additional IPv4 CIDR block to increase the number of IP addresses and create additional subnets in the
VPC. Create new resources in the new subnets by using the new CIDR.

Question: 440 CertyIQ

A company used an Amazon RDS for MySQL DB instance during application testing. Before terminating the DB
instance at the end of the test cycle, a solutions architect created two backups. The solutions architect created
the first backup by using the mysqldump utility to create a database dump. The solutions architect created the
second backup by enabling the final DB snapshot option on RDS termination.

The company is now planning for a new test cycle and wants to create a new DB instance from the most recent
backup. The company has chosen a MySQL-compatible edition ofAmazon Aurora to host the DB instance.
Which solutions will create the new DB instance? (Choose two.)

A.Import the RDS snapshot directly into Aurora.

B.Upload the RDS snapshot to Amazon S3. Then import the RDS snapshot into Aurora.
C.Upload the database dump to Amazon S3. Then import the database dump into Aurora.
D.Use AWS Database Migration Service (AWS DMS) to import the RDS snapshot into Aurora.
E.Upload the database dump to Amazon S3. Then use AWS Database Migration Service (AWS DMS) to import
the database dump into Aurora.

Answer: AC

Explanation:
1. A,CA because the snapshot is already stored in AWS. C because you dont need a migration tool going from
MySQL to MySQL. You would use the MySQL utility.

Question: 441 CertyIQ

A company hosts a multi-tier web application on Amazon Linux Amazon EC2 instances behind an Application Load
Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The company observes
that the Auto Scaling group launches more On-Demand Instances when the application's end users access high
volumes of static web content. The company wants to optimize cost.

What should a solutions architect do to redesign the application MOST cost-effectively?

A.Update the Auto Scaling group to use Reserved Instances instead of On-Demand Instances.
B.Update the Auto Scaling group to scale by launching Spot Instances instead of On-Demand Instances.
C.Create an Amazon CloudFront distribution to host the static web contents from an Amazon S3 bucket.
D.Create an AWS Lambda function behind an Amazon API Gateway API to host the static website contents.

Answer: C

Explanation:

.Create an Amazon CloudFront distribution to host the static web contents from an Amazon S3 bucket.

Question: 442 CertyIQ

A company stores several petabytes of data across multiple AWS accounts. The company uses AWS Lake
Formation to manage its data lake. The company's data science team wants to securely share selective data from
its accounts with the company's engineering team for analytical purposes.

Which solution will meet these requirements with the LEAST operational overhead?

A.Copy the required data to a common account. Create an IAM access role in that account. Grant access by
specifying a permission policy that includes users from the engineering team accounts as trusted entities.
B.Use the Lake Formation permissions Grant command in each account where the data is stored to allow the
required engineering team users to access the data.
C.Use AWS Data Exchange to privately publish the required data to the required engineering team accounts.
D.Use Lake Formation tag-based access control to authorize and grant cross-account permissions for the
required data to the engineering team accounts.

Answer: D
 Explanation:

By utilizing Lake Formation's tag-based access control, you can define tags and tag-based policies to grant
selective access to the required data for the engineering team accounts. This approach allows you to control
access at a granular level without the need to copy or move the data to a common account or manage
permissions individually in each account. It provides a centralized and scalable solution for securely sharing
data across accounts with minimal operational overhead.

Question: 443 CertyIQ

A company wants to host a scalable web application on AWS. The application will be accessed by users from
different geographic regions of the world. Application users will be able to download and upload unique data up to
gigabytes in size. The development team wants a cost-effective solution to minimize upload and download latency
and maximize performance.

What should a solutions architect do to accomplish this?

A.Use Amazon S3 with Transfer Acceleration to host the application.

B.Use Amazon S3 with CacheControl headers to host the application.
C.Use Amazon EC2 with Auto Scaling and Amazon CloudFront to host the application.
D.Use Amazon EC2 with Auto Scaling and Amazon ElastiCache to host the application.

Answer: A

Explanation:

https://docs.aws.amazon.com/ja_jp/AmazonS3/latest/userguide/transfer-acceleration.html

Question: 444 CertyIQ

A company has hired a solutions architect to design a reliable architecture for its application. The application
consists of one Amazon RDS DB instance and two manually provisioned Amazon EC2 instances that run web
servers. The EC2 instances are located in a single Availability Zone.

An employee recently deleted the DB instance, and the application was unavailable for 24 hours as a result. The
company is concerned with the overall reliability of its environment.

What should the solutions architect do to maximize reliability of the application's infrastructure?

A.Delete one EC2 instance and enable termination protection on the other EC2 instance. Update the DB
instance to be Multi-AZ, and enable deletion protection.
B.Update the DB instance to be Multi-AZ, and enable deletion protection. Place the EC2 instances behind an
Application Load Balancer, and run them in an EC2 Auto Scaling group across multiple Availability Zones.
C.Create an additional DB instance along with an Amazon API Gateway and an AWS Lambda function.
Configure the application to invoke the Lambda function through API Gateway. Have the Lambda function write
the data to the two DB instances.
D.Place the EC2 instances in an EC2 Auto Scaling group that has multiple subnets located in multiple
Availability Zones. Use Spot Instances instead of On-Demand Instances. Set up Amazon CloudWatch alarms to
monitor the health of the instances Update the DB instance to be Multi-AZ, and enable deletion protection.

Answer: B

Explanation:
 B is correct. HA ensured by DB in Mutli-AZ and EC2 in AG

Question: 445 CertyIQ

A company is storing 700 terabytes of data on a large network-attached storage (NAS) system in its corporate
data center. The company has a hybrid environment with a 10 Gbps AWS Direct Connect connection.

After an audit from a regulator, the company has 90 days to move the data to the cloud. The company needs to
move the data efficiently and without disruption. The company still needs to be able to access and update the data
during the transfer window.

Which solution will meet these requirements?

A.Create an AWS DataSync agent in the corporate data center. Create a data transfer task Start the transfer to
an Amazon S3 bucket.
B.Back up the data to AWS Snowball Edge Storage Optimized devices. Ship the devices to an AWS data center.
Mount a target Amazon S3 bucket on the on-premises file system.
C.Use rsync to copy the data directly from local storage to a designated Amazon S3 bucket over the Direct
Connect connection.
D.Back up the data on tapes. Ship the tapes to an AWS data center. Mount a target Amazon S3 bucket on the
on-premises file system.

Answer: A

Explanation:

By leveraging AWS DataSync in combination with AWS Direct Connect, the company can efficiently and
securely transfer its 700 terabytes of data to an Amazon S3 bucket without disruption. The solution allows
continued access and updates to the data during the transfer window, ensuring business continuity
throughout the migration process.

Question: 446 CertyIQ

A company stores data in PDF format in an Amazon S3 bucket. The company must follow a legal requirement to
retain all new and existing data in Amazon S3 for 7 years.

Which solution will meet these requirements with the LEAST operational overhead?

A.Turn on the S3 Versioning feature for the S3 bucket. Configure S3 Lifecycle to delete the data after 7 years.
Configure multi-factor authentication (MFA) delete for all S3 objects.
B.Turn on S3 Object Lock with governance retention mode for the S3 bucket. Set the retention period to expire
after 7 years. Recopy all existing objects to bring the existing data into compliance.
C.Turn on S3 Object Lock with compliance retention mode for the S3 bucket. Set the retention period to expire
after 7 years. Recopy all existing objects to bring the existing data into compliance.
D.Turn on S3 Object Lock with compliance retention mode for the S3 bucket. Set the retention period to expire
after 7 years. Use S3 Batch Operations to bring the existing data into compliance.

Answer: D

Explanation:

You need AWS Batch to re-apply certain config to files that were already in S3, like encryption

D for me, bcs no sense to recopy all data

Question: 447 CertyIQ
A company has a stateless web application that runs on AWS Lambda functions that are invoked by Amazon API
Gateway. The company wants to deploy the application across multiple AWS Regions to provide Regional failover
capabilities.

What should a solutions architect do to route traffic to multiple Regions?

A.Create Amazon Route 53 health checks for each Region. Use an active-active failover configuration.
B.Create an Amazon CloudFront distribution with an origin for each Region. Use CloudFront health checks to
route traffic.
C.Create a transit gateway. Attach the transit gateway to the API Gateway endpoint in each Region. Configure
the transit gateway to route requests.
D.Create an Application Load Balancer in the primary Region. Set the target group to point to the API Gateway
endpoint hostnames in each Region.

Answer: B

Explanation:

This approach leverages the capabilities of CloudFront's intelligent routing and health checks to
automatically distribute traffic across multiple AWS Regions and provide failover capabilities in case of
Regional disruptions or unavailability.

B, bcs a cant' provide regional failover

Question: 448 CertyIQ

A company has two VPCs named Management and Production. The Management VPC uses VPNs through a
customer gateway to connect to a single device in the data center. The Production VPC uses a virtual private
gateway with two attached AWS Direct Connect connections. The Management and Production VPCs both use a
single VPC peering connection to allow communication between the applications.

What should a solutions architect do to mitigate any single point of failure in this architecture?

A.Add a set of VPNs between the Management and Production VPCs.

B.Add a second virtual private gateway and attach it to the Management VPC.
C.Add a second set of VPNs to the Management VPC from a second customer gateway device.
D.Add a second VPC peering connection between the Management VPC and the Production VPC.

Answer: C

Explanation:

Redundant VPN connections: Instead of relying on a single device in the data center, the Management VPC
should have redundant VPN connections established through multiple customer gateways. This will ensure
high availability and fault tolerance in case one of the VPN connections or customer gateways fails.

Question: 449 CertyIQ

A company runs its application on an Oracle database. The company plans to quickly migrate to AWS because of
limited resources for the database, backup administration, and data center maintenance. The application uses
third-party database features that require privileged access.

Which solution will help the company migrate the database to AWS MOST cost-effectively?

A.Migrate the database to Amazon RDS for Oracle. Replace third-party features with cloud services.
B.Migrate the database to Amazon RDS Custom for Oracle. Customize the database settings to support third-
party features.
C.Migrate the database to an Amazon EC2 Amazon Machine Image (AMI) for Oracle. Customize the database
settings to support third-party features.
D.Migrate the database to Amazon RDS for PostgreSQL by rewriting the application code to remove
dependency on Oracle APEX.

Answer: B

Explanation:

https://aws.amazon.com/about-aws/whats-new/2021/10/amazon-rds-custom-oracle/

https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/Oracle.Resources.html

Question: 450 CertyIQ

A company has a three-tier web application that is in a single server. The company wants to migrate the application
to the AWS Cloud. The company also wants the application to align with the AWS Well-Architected Framework
and to be consistent with AWS recommended best practices for security, scalability, and resiliency.

Which combination of solutions will meet these requirements? (Choose three.)

A.Create a VPC across two Availability Zones with the application's existing architecture. Host the application
with existing architecture on an Amazon EC2 instance in a private subnet in each Availability Zone with EC2
Auto Scaling groups. Secure the EC2 instance with security groups and network access control lists (network
ACLs).
B.Set up security groups and network access control lists (network ACLs) to control access to the database
layer. Set up a single Amazon RDS database in a private subnet.
C.Create a VPC across two Availability Zones. Refactor the application to host the web tier, application tier, and
database tier. Host each tier on its own private subnet with Auto Scaling groups for the web tier and application
tier.
D.Use a single Amazon RDS database. Allow database access only from the application tier security group.
E.Use Elastic Load Balancers in front of the web tier. Control access by using security groups containing
references to each layer's security groups.
F.Use an Amazon RDS database Multi-AZ cluster deployment in private subnets. Allow database access only
from application tier security groups.

Answer: CEF

Explanation:

Only this valid for best practices and well architected

Question: 451 CertyIQ

A company is migrating its applications and databases to the AWS Cloud. The company will use Amazon Elastic
Container Service (Amazon ECS), AWS Direct Connect, and Amazon RDS.

Which activities will be managed by the company's operational team? (Choose three.)
 A.Management of the Amazon RDS infrastructure layer, operating system, and platforms
B.Creation of an Amazon RDS DB instance and configuring the scheduled maintenance window
C.Configuration of additional software components on Amazon ECS for monitoring, patch management, log
management, and host intrusion detection
D.Installation of patches for all minor and major database versions for Amazon RDS
E.Ensure the physical security of the Amazon RDS infrastructure in the data center
F.Encryption of the data that moves in transit through Direct Connect

Answer: BCF

Explanation:

BCFB: Mentioned RDSC: Mentioned ECSF: Mentioned Direct connect

Question: 452 CertyIQ

A company runs a Java-based job on an Amazon EC2 instance. The job runs every hour and takes 10 seconds to run.
The job runs on a scheduled interval and consumes 1 GB of memory. The CPU utilization of the instance is low
except for short surges during which the job uses the maximum CPU available. The company wants to optimize the
costs to run the job.

Which solution will meet these requirements?

A.Use AWS App2Container (A2C) to containerize the job. Run the job as an Amazon Elastic Container Service
(Amazon ECS) task on AWS Fargate with 0.5 virtual CPU (vCPU) and 1 GB of memory.
B.Copy the code into an AWS Lambda function that has 1 GB of memory. Create an Amazon EventBridge
scheduled rule to run the code each hour.
C.Use AWS App2Container (A2C) to containerize the job. Install the container in the existing Amazon Machine
Image (AMI). Ensure that the schedule stops the container when the task finishes.
D.Configure the existing schedule to stop the EC2 instance at the completion of the job and restart the EC2
instance when the next job starts.

Answer: B

Explanation:

B - Within 10 sec and 1 GB Memory (Lambda Memory 128MB to 10GB)

Question: 453 CertyIQ

A company wants to implement a backup strategy for Amazon EC2 data and multiple Amazon S3 buckets.
Because of regulatory requirements, the company must retain backup files for a specific time period. The company
must not alter the files for the duration of the retention period.

Which solution will meet these requirements?

A.Use AWS Backup to create a backup vault that has a vault lock in governance mode. Create the required
backup plan.
B.Use Amazon Data Lifecycle Manager to create the required automated snapshot policy.
C.Use Amazon S3 File Gateway to create the backup. Configure the appropriate S3 Lifecycle management.
D.Use AWS Backup to create a backup vault that has a vault lock in compliance mode. Create the required
backup plan.
 Answer: D

Explanation:

Compliance mode

D bcs in governance we can delete backup

Question: 454 CertyIQ

A company has resources across multiple AWS Regions and accounts. A newly hired solutions architect discovers
a previous employee did not provide details about the resources inventory. The solutions architect needs to build
and map the relationship details of the various workloads across all accounts.

Which solution will meet these requirements in the MOST operationally efficient way?

A.Use AWS Systems Manager Inventory to generate a map view from the detailed view report.
B.Use AWS Step Functions to collect workload details. Build architecture diagrams of the workloads manually.
C.Use Workload Discovery on AWS to generate architecture diagrams of the workloads.
D.Use AWS X-Ray to view the workload details. Build architecture diagrams with relationships.

Answer: C

Explanation:

Option A: AWS SSM offers "Software inventory": Collect software catalog and configuration for your
instances.Option C: Workload Discovery on AWS: is a tool for maintaining an inventory of the AWS resources
across your accounts and various Regions and mapping relationships between them, and displaying them in a
web UI.

AWS Workload Discovery - create diagram, map and visualise AWS resources across AWS accounts and
Regions

Question: 455 CertyIQ

A company uses AWS Organizations. The company wants to operate some of its AWS accounts with different
budgets. The company wants to receive alerts and automatically prevent provisioning of additional resources on
AWS accounts when the allocated budget threshold is met during a specific period.

Which combination of solutions will meet these requirements? (Choose three.)

A.Use AWS Budgets to create a budget. Set the budget amount under the Cost and Usage Reports section of
the required AWS accounts.
B.Use AWS Budgets to create a budget. Set the budget amount under the Billing dashboards of the required
AWS accounts.
C.Create an IAM user for AWS Budgets to run budget actions with the required permissions.
D.Create an IAM role for AWS Budgets to run budget actions with the required permissions.
E.Add an alert to notify the company when each account meets its budget threshold. Add a budget action that
selects the IAM identity created with the appropriate config rule to prevent provisioning of additional
resources.
F.Add an alert to notify the company when each account meets its budget threshold. Add a budget action that
selects the IAM identity created with the appropriate service control policy (SCP) to prevent provisioning of
additional resources.
 Answer: BDF

Explanation:

https://docs.aws.amazon.com/ja_jp/awsaccountbilling/latest/aboutv2/view-billing-dashboard.html

Question: 456 CertyIQ

A company runs applications on Amazon EC2 instances in one AWS Region. The company wants to back up the
EC2 instances to a second Region. The company also wants to provision EC2 resources in the second Region and
manage the EC2 instances centrally from one AWS account.

Which solution will meet these requirements MOST cost-effectively?

A.Create a disaster recovery (DR) plan that has a similar number of EC2 instances in the second Region.
Configure data replication.
B.Create point-in-time Amazon Elastic Block Store (Amazon EBS) snapshots of the EC2 instances. Copy the
snapshots to the second Region periodically.
C.Create a backup plan by using AWS Backup. Configure cross-Region backup to the second Region for the
EC2 instances.
D.Deploy a similar number of EC2 instances in the second Region. Use AWS DataSync to transfer the data from
the source Region to the second Region.

Answer: C

Explanation:

Using AWS Backup, you can create backup plans that automate the backup process for your EC2 instances.
By configuring cross-Region backup, you can ensure that backups are replicated to the second Region,
providing a disaster recovery capability. This solution is cost-effective as it leverages AWS Backup's built-in
features and eliminates the need for manual snapshot management or deploying and managing additional
EC2 instances in the second Region.

Question: 457 CertyIQ

A company that uses AWS is building an application to transfer data to a product manufacturer. The company has
its own identity provider (IdP). The company wants the IdP to authenticate application users while the users use the
application to transfer data. The company must use Applicability Statement 2 (AS2) protocol.

Which solution will meet these requirements?

A.Use AWS DataSync to transfer the data. Create an AWS Lambda function for IdP authentication.
B.Use Amazon AppFlow flows to transfer the data. Create an Amazon Elastic Container Service (Amazon ECS)
task for IdP authentication.
C.Use AWS Transfer Family to transfer the data. Create an AWS Lambda function for IdP authentication.
D.Use AWS Storage Gateway to transfer the data. Create an Amazon Cognito identity pool for IdP
authentication.

Answer: C

Explanation:

Use AWS Transfer Family to transfer the data. Create an AWS Lambda function for IdP authentication.
Question: 458 CertyIQ
A solutions architect is designing a RESTAPI in Amazon API Gateway for a cash payback service. The application
requires 1 GB of memory and 2 GB of storage for its computation resources. The application will require that the
data is in a relational format.

Which additional combination ofAWS services will meet these requirements with the LEAST administrative effort?
(Choose two.)

A.Amazon EC2
B.AWS Lambda
C.Amazon RDS
D.Amazon DynamoDB
E.Amazon Elastic Kubernetes Services (Amazon EKS)

Answer: BC

Explanation:

The application will require that the data is in a relational format" so DynamoDB is out. RDS is the choice.
Lambda is severless.

Question: 459 CertyIQ

A company uses AWS Organizations to run workloads within multiple AWS accounts. A tagging policy adds
department tags to AWS resources when the company creates tags.

An accounting team needs to determine spending on Amazon EC2 consumption. The accounting team must
determine which departments are responsible for the costs regardless ofAWS account. The accounting team has
access to AWS Cost Explorer for all AWS accounts within the organization and needs to access all reports from
Cost Explorer.

Which solution meets these requirements in the MOST operationally efficient way?

A.From the Organizations management account billing console, activate a user-defined cost allocation tag
named department. Create one cost report in Cost Explorer grouping by tag name, and filter by EC2.
B.From the Organizations management account billing console, activate an AWS-defined cost allocation tag
named department. Create one cost report in Cost Explorer grouping by tag name, and filter by EC2.
C.From the Organizations member account billing console, activate a user-defined cost allocation tag named
department. Create one cost report in Cost Explorer grouping by the tag name, and filter by EC2.
D.From the Organizations member account billing console, activate an AWS-defined cost allocation tag named
department. Create one cost report in Cost Explorer grouping by tag name, and filter by EC2.

Answer: A

Explanation:

From the Organizations management account billing console, activate a user-defined cost allocation tag
named department. Create one cost report in Cost Explorer grouping by tag name, and filter by EC2.

By activating a user-defined cost allocation tag named "department" and creating a cost report in Cost
Explorer that groups by the tag name and filters by EC2, the accounting team will be able to track and
attribute costs to specific departments across all AWS accounts within the organization. This approach allows
for consistent cost allocation and reporting regardless of the AWS account structure.
 https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/custom-tags.html

Question: 460 CertyIQ

A company wants to securely exchange data between its software as a service (SaaS) application Salesforce
account and Amazon S3. The company must encrypt the data at rest by using AWS Key Management Service
(AWS KMS) customer managed keys (CMKs). The company must also encrypt the data in transit. The company has
enabled API access for the Salesforce account.

A.Create AWS Lambda functions to transfer the data securely from Salesforce to Amazon S3.
B.Create an AWS Step Functions workflow. Define the task to transfer the data securely from Salesforce to
Amazon S3.
C.Create Amazon AppFlow flows to transfer the data securely from Salesforce to Amazon S3.
D.Create a custom connector for Salesforce to transfer the data securely from Salesforce to Amazon S3.

Answer: C

Explanation:

Amazon AppFlow is a fully managed integration service that allows you to securely transfer data between
different SaaS applications and AWS services. It provides built-in encryption options and supports encryption
in transit using SSL/TLS protocols. With AppFlow, you can configure the data transfer flow from Salesforce to
Amazon S3, ensuring data encryption at rest by utilizing AWS KMS CMKs.

Question: 461 CertyIQ

A company is developing a mobile gaming app in a single AWS Region. The app runs on multiple Amazon EC2
instances in an Auto Scaling group. The company stores the app data in Amazon DynamoDB. The app
communicates by using TCP traffic and UDP traffic between the users and the servers. The application will be used
globally. The company wants to ensure the lowest possible latency for all users.

Which solution will meet these requirements?

A.Use AWS Global Accelerator to create an accelerator. Create an Application Load Balancer (ALB) behind an
accelerator endpoint that uses Global Accelerator integration and listening on the TCP and UDP ports. Update
the Auto Scaling group to register instances on the ALB.
B.Use AWS Global Accelerator to create an accelerator. Create a Network Load Balancer (NLB) behind an
accelerator endpoint that uses Global Accelerator integration and listening on the TCP and UDP ports. Update
the Auto Scaling group to register instances on the NLB.
C.Create an Amazon CloudFront content delivery network (CDN) endpoint. Create a Network Load Balancer
(NLB) behind the endpoint and listening on the TCP and UDP ports. Update the Auto Scaling group to register
instances on the NLB. Update CloudFront to use the NLB as the origin.
D.Create an Amazon CloudFront content delivery network (CDN) endpoint. Create an Application Load Balancer
(ALB) behind the endpoint and listening on the TCP and UDP ports. Update the Auto Scaling group to register
instances on the ALB. Update CloudFront to use the ALB as the origin.

Answer: B

Explanation:

NLB + Accelerator

AWS Global Accelerator+NLB

AWS Global Accelerator is a better solution for the mobile gaming app than CloudFront
Question: 462 CertyIQ
A company has an application that processes customer orders. The company hosts the application on an Amazon
EC2 instance that saves the orders to an Amazon Aurora database. Occasionally when traffic is high the workload
does not process orders fast enough.

What should a solutions architect do to write the orders reliably to the database as quickly as possible?

A.Increase the instance size of the EC2 instance when traffic is high. Write orders to Amazon Simple
Notification Service (Amazon SNS). Subscribe the database endpoint to the SNS topic.
B.Write orders to an Amazon Simple Queue Service (Amazon SQS) queue. Use EC2 instances in an Auto Scaling
group behind an Application Load Balancer to read from the SQS queue and process orders into the database.
C.Write orders to Amazon Simple Notification Service (Amazon SNS). Subscribe the database endpoint to the
SNS topic. Use EC2 instances in an Auto Scaling group behind an Application Load Balancer to read from the
SNS topic.
D.Write orders to an Amazon Simple Queue Service (Amazon SQS) queue when the EC2 instance reaches CPU
threshold limits. Use scheduled scaling of EC2 instances in an Auto Scaling group behind an Application Load
Balancer to read from the SQS queue and process orders into the database.

Answer: B

Explanation:

By decoupling the write operation from the processing operation using SQS, you ensure that the orders are
reliably stored in the queue, regardless of the processing capacity of the EC2 instances. This allows the
processing to be performed at a scalable rate based on the available EC2 instances, improving the overall
reliability and speed of order processing.

Question: 463 CertyIQ

An IoT company is releasing a mattress that has sensors to collect data about a user’s sleep. The sensors will send
data to an Amazon S3 bucket. The sensors collect approximately 2 MB of data every night for each mattress. The
company must process and summarize the data for each mattress. The results need to be available as soon as
possible. Data processing will require 1 GB of memory and will finish within 30 seconds.

Which solution will meet these requirements MOST cost-effectively?

A.Use AWS Glue with a Scala job

B.Use Amazon EMR with an Apache Spark script
C.Use AWS Lambda with a Python script
D.Use AWS Glue with a PySpark job

Answer: C

Explanation:

AWS Lambda charges you based on the number of invocations and the execution time of your function. Since
the data processing job is relatively small (2 MB of data), Lambda is a cost-effective choice. You only pay for
the actual usage without the need to provision and maintain infrastructure.
Question: 464 CertyIQ
A company hosts an online shopping application that stores all orders in an Amazon RDS for PostgreSQL Single-
AZ DB instance. Management wants to eliminate single points of failure and has asked a solutions architect to
recommend an approach to minimize database downtime without requiring any changes to the application code.

Which solution meets these requirements?

A.Convert the existing database instance to a Multi-AZ deployment by modifying the database instance and
specifying the Multi-AZ option.
B.Create a new RDS Multi-AZ deployment. Take a snapshot of the current RDS instance and restore the new
Multi-AZ deployment with the snapshot.
C.Create a read-only replica of the PostgreSQL database in another Availability Zone. Use Amazon Route 53
weighted record sets to distribute requests across the databases.
D.Place the RDS for PostgreSQL database in an Amazon EC2 Auto Scaling group with a minimum group size of
two. Use Amazon Route 53 weighted record sets to distribute requests across instances.

Answer: A

Explanation:

Compared to other solutions that involve creating new instances, restoring snapshots, or setting up
replication manually, converting to a Multi-AZ deployment is a simpler and more streamlined approach with
lower overhead.Overall, option A offers a cost-effective and efficient way to minimize database downtime
without requiring significant changes or additional complexities.

Question: 465 CertyIQ

A company is developing an application to support customer demands. The company wants to deploy the
application on multiple Amazon EC2 Nitro-based instances within the same Availability Zone. The company also
wants to give the application the ability to write to multiple block storage volumes in multiple EC2 Nitro-based
instances simultaneously to achieve higher application availability.

Which solution will meet these requirements?

A.Use General Purpose SSD (gp3) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach
B.Use Throughput Optimized HDD (st1) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-
Attach
C.Use Provisioned IOPS SSD (io2) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach
D.Use General Purpose SSD (gp2) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach

Answer: C

Explanation:

C is right Amazon EBS Multi-Attach enables you to attach a single Provisioned IOPS SSD (io1 or io2) volume to
multiple instances that are in the same Availability Zone.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volumes-multi.htmlnothing about gp

Question: 466 CertyIQ

A company designed a stateless two-tier application that uses Amazon EC2 in a single Availability Zone and an
Amazon RDS Multi-AZ DB instance. New company management wants to ensure the application is highly available.
What should a solutions architect do to meet this requirement?

A.Configure the application to use Multi-AZ EC2 Auto Scaling and create an Application Load Balancer
B.Configure the application to take snapshots of the EC2 instances and send them to a different AWS Region
C.Configure the application to use Amazon Route 53 latency-based routing to feed requests to the application
D.Configure Amazon Route 53 rules to handle incoming requests and create a Multi-AZ Application Load
Balancer

Answer: A

Explanation:

By combining Multi-AZ EC2 Auto Scaling and an Application Load Balancer, you achieve high availability for
the EC2 instances hosting your stateless two-tier application.

Question: 467 CertyIQ

A company uses AWS Organizations. A member account has purchased a Compute Savings Plan. Because of
changes in the workloads inside the member account, the account no longer receives the full benefit of the
Compute Savings Plan commitment. The company uses less than 50% of its purchased compute power.

A.Turn on discount sharing from the Billing Preferences section of the account console in the member account
that purchased the Compute Savings Plan.
B.Turn on discount sharing from the Billing Preferences section of the account console in the company's
Organizations management account.
C.Migrate additional compute workloads from another AWS account to the account that has the Compute
Savings Plan.
D.Sell the excess Savings Plan commitment in the Reserved Instance Marketplace.

Answer: B

Explanation:

To summarize, option C (Migrate additional compute workloads from another AWS account to the account
that has the Compute Savings Plan) is a valid solution to address the underutilization of the Compute Savings
Plan. However, it involves workload migration and may require careful planning and coordination. Consider the
feasibility and impact of migrating workloads before implementing this solution.

Question: 468 CertyIQ

A company is developing a microservices application that will provide a search catalog for customers. The
company must use REST APIs to present the frontend of the application to users. The REST APIs must access the
backend services that the company hosts in containers in private VPC subnets.

Which solution will meet these requirements?

A.Design a WebSocket API by using Amazon API Gateway. Host the application in Amazon Elastic Container
Service (Amazon ECS) in a private subnet. Create a private VPC link for API Gateway to access Amazon ECS.
B.Design a REST API by using Amazon API Gateway. Host the application in Amazon Elastic Container Service
(Amazon ECS) in a private subnet. Create a private VPC link for API Gateway to access Amazon ECS.
C.Design a WebSocket API by using Amazon API Gateway. Host the application in Amazon Elastic Container
Service (Amazon ECS) in a private subnet. Create a security group for API Gateway to access Amazon ECS.
D.Design a REST API by using Amazon API Gateway. Host the application in Amazon Elastic Container Service
 (Amazon ECS) in a private subnet. Create a security group for API Gateway to access Amazon ECS.

Answer: B

Explanation:

REST API with Amazon API Gateway: REST APIs are the appropriate choice for providing the frontend of the
microservices application. Amazon API Gateway allows you to design, deploy, and manage REST APIs at
scale.Amazon ECS in a Private Subnet: Hosting the application in Amazon ECS in a private subnet ensures that
the containers are securely deployed within the VPC and not directly exposed to the public internet.Private
VPC Link: To enable the REST API in API Gateway to access the backend services hosted in Amazon ECS, you
can create a private VPC link. This establishes a private network connection between the API Gateway and
ECS containers, allowing secure communication without traversing the public internet.

Question: 469 CertyIQ

A company stores raw collected data in an Amazon S3 bucket. The data is used for several types of analytics on
behalf of the company's customers. The type of analytics requested determines the access pattern on the S3
objects.

The company cannot predict or control the access pattern. The company wants to reduce its S3 costs.

Which solution will meet these requirements?

A.Use S3 replication to transition infrequently accessed objects to S3 Standard-Infrequent Access (S3

Standard-IA)
B.Use S3 Lifecycle rules to transition objects from S3 Standard to Standard-Infrequent Access (S3 Standard-
IA)
C.Use S3 Lifecycle rules to transition objects from S3 Standard to S3 Intelligent-Tiering
D.Use S3 Inventory to identify and transition objects that have not been accessed from S3 Standard to S3
Intelligent-Tiering

Answer: C

Explanation:

S3 Inventory can't to move files to another class

Question: 470 CertyIQ

A company has applications hosted on Amazon EC2 instances with IPv6 addresses. The applications must initiate
communications with other external applications using the internet. However the company’s security policy states
that any external service cannot initiate a connection to the EC2 instances.

What should a solutions architect recommend to resolve this issue?

A.Create a NAT gateway and make it the destination of the subnet's route table
B.Create an internet gateway and make it the destination of the subnet's route table
C.Create a virtual private gateway and make it the destination of the subnet's route table
D.Create an egress-only internet gateway and make it the destination of the subnet's route table

Answer: D
 Explanation:

An egress-only internet gateway (EIGW) is specifically designed for IPv6-only VPCs and provides outbound
IPv6 internet access while blocking inbound IPv6 traffic. It satisfies the requirement of preventing external
services from initiating connections to the EC2 instances while allowing the instances to initiate outbound
communications.

Question: 471 CertyIQ

A company is creating an application that runs on containers in a VPC. The application stores and accesses data in
an Amazon S3 bucket. During the development phase, the application will store and access 1 TB of data in Amazon
S3 each day. The company wants to minimize costs and wants to prevent traffic from traversing the internet
whenever possible.

Which solution will meet these requirements?

A.Enable S3 Intelligent-Tiering for the S3 bucket

B.Enable S3 Transfer Acceleration for the S3 bucket
C.Create a gateway VPC endpoint for Amazon S3. Associate this endpoint with all route tables in the VPC
D.Create an interface endpoint for Amazon S3 in the VPC. Associate this endpoint with all route tables in the
VPC

Answer: C

Explanation:

Gateway VPC Endpoint: A gateway VPC endpoint enables private connectivity between a VPC and Amazon S3.
It allows direct access to Amazon S3 without the need for internet gateways, NAT devices, VPN connections,
or AWS Direct Connect.Minimize Internet Traffic: By creating a gateway VPC endpoint for Amazon S3 and
associating it with all route tables in the VPC, the traffic between the VPC and Amazon S3 will be kept within
the AWS network. This helps in minimizing data transfer costs and prevents the need for traffic to traverse
the internet.Cost-Effective: With a gateway VPC endpoint, the data transfer between the application running
in the VPC and the S3 bucket stays within the AWS network, reducing the need for data transfer across the
internet. This can result in cost savings, especially when dealing with large amounts of data.

Question: 472 CertyIQ

A company has a mobile chat application with a data store based in Amazon DynamoDB. Users would like new
messages to be read with as little latency as possible. A solutions architect needs to design an optimal solution
that requires minimal application changes.

Which method should the solutions architect select?

A.Configure Amazon DynamoDB Accelerator (DAX) for the new messages table. Update the code to use the
DAX endpoint.
B.Add DynamoDB read replicas to handle the increased read load. Update the application to point to the read
endpoint for the read replicas.
C.Double the number of read capacity units for the new messages table in DynamoDB. Continue to use the
existing DynamoDB endpoint.
D.Add an Amazon ElastiCache for Redis cache to the application stack. Update the application to point to the
Redis cache endpoint instead of DynamoDB.

Answer: A
 Explanation:

Amazon DynamoDB Accelerator (DAX): DAX is an in-memory cache for DynamoDB that provides low-latency
access to frequently accessed data. By configuring DAX for the new messages table, read requests for the
table will be served from the DAX cache, significantly reducing the latency.Minimal Application Changes: With
DAX, the application code can be updated to use the DAX endpoint instead of the standard DynamoDB
endpoint. This change is relatively minimal and does not require extensive modifications to the application's
data access logic.Low Latency: DAX caches frequently accessed data in memory, allowing subsequent read
requests for the same data to be served with minimal latency. This ensures that new messages can be read by
users with minimal delay.

Question: 473 CertyIQ

A company hosts a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website
serves static content. Website traffic is increasing, and the company is concerned about a potential increase in
cost.

A.Create an Amazon CloudFront distribution to cache state files at edge locations

B.Create an Amazon ElastiCache cluster. Connect the ALB to the ElastiCache cluster to serve cached files
C.Create an AWS WAF web ACL and associate it with the ALB. Add a rule to the web ACL to cache static files
D.Create a second ALB in an alternative AWS Region. Route user traffic to the closest Region to minimize data
transfer costs

Answer: A

Explanation:

Amazon CloudFront: CloudFront is a content delivery network (CDN) service that caches content at edge
locations worldwide. By creating a CloudFront distribution, static content from the website can be cached at
edge locations, reducing the load on the EC2 instances and improving the overall performance. Caching Static
Files: Since the website serves static content, caching these files at CloudFront edge locations can
significantly reduce the number of requests forwarded to the EC2 instances. This helps to lower the overall
cost by offloading traffic from the instances and reducing the data transfer costs.

Question: 474 CertyIQ

A company has multiple VPCs across AWS Regions to support and run workloads that are isolated from workloads
in other Regions. Because of a recent application launch requirement, the company’s VPCs must communicate with
all other VPCs across all Regions.

Which solution will meet these requirements with the LEAST amount of administrative effort?

A.Use VPC peering to manage VPC communication in a single Region. Use VPC peering across Regions to
manage VPC communications.
B.Use AWS Direct Connect gateways across all Regions to connect VPCs across regions and manage VPC
communications.
C.Use AWS Transit Gateway to manage VPC communication in a single Region and Transit Gateway peering
across Regions to manage VPC communications.
D.Use AWS PrivateLink across all Regions to connect VPCs across Regions and manage VPC communications

Answer: C
 Explanation:

AWS Transit Gateway: Transit Gateway is a highly scalable service that simplifies network connectivity
between VPCs and on-premises networks. By using a Transit Gateway in a single Region, you can centralize
VPC communication management and reduce administrative effort.Transit Gateway Peering: Transit Gateway
supports peering connections across AWS Regions, allowing you to establish connectivity between VPCs in
different Regions without the need for complex VPC peering configurations. This simplifies the management
of VPC communications across Regions.

Question: 475 CertyIQ

A company is designing a containerized application that will use Amazon Elastic Container Service (Amazon ECS).
The application needs to access a shared file system that is highly durable and can recover data to another AWS
Region with a recovery point objective (RPO) of 8 hours. The file system needs to provide a mount target m each
Availability Zone within a Region.

A solutions architect wants to use AWS Backup to manage the replication to another Region.

Which solution will meet these requirements?

A.Amazon FSx for Windows File Server with a Multi-AZ deployment

B.Amazon FSx for NetApp ONTAP with a Multi-AZ deployment
C.Amazon Elastic File System (Amazon EFS) with the Standard storage class
D.Amazon FSx for OpenZFS

Answer: C

Explanation:

EFS Replication can replicate your file system data to another Region or within the same Region without
requiring additional infrastructure or a custom process. Amazon EFS Replication automatically and
transparently replicates your data to a second file system in a Region or AZ of your choice. You can use the
Amazon EFS console, AWS CLI, and APIs to activate replication on an existing file system. EFS Replication is
continual and provides a recovery point objective (RPO) and a recovery time objective (RTO) of minutes,
helping you meet your compliance and business continuity goals.

Question: 476 CertyIQ

A company is expecting rapid growth in the near future. A solutions architect needs to configure existing users
and grant permissions to new users on AWS. The solutions architect has decided to create IAM groups. The
solutions architect will add the new users to IAM groups based on department.

Which additional action is the MOST secure way to grant permissions to the new users?

A.Apply service control policies (SCPs) to manage access permissions

B.Create IAM roles that have least privilege permission. Attach the roles to the IAM groups
C.Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups
D.Create IAM roles. Associate the roles with a permissions boundary that defines the maximum permissions

Answer: C

Explanation:
 Option B is incorrect because IAM roles are not directly attached to IAM groups.

Question: 477 CertyIQ

A group requires permissions to list an Amazon S3 bucket and delete objects from that bucket. An administrator
has created the following IAM policy to provide access to the bucket and applied that policy to the group. The
group is not able to delete objects in the bucket. The company follows least-privilege access rules.

Which statement should a solutions architect add to the policy to correct bucket access?

A.
 B.

C.

D.

Answer: D

Explanation:

D for sure

Question: 478 CertyIQ

A law firm needs to share information with the public. The information includes hundreds of files that must be
publicly readable. Modifications or deletions of the files by anyone before a designated future date are prohibited.

Which solution will meet these requirements in the MOST secure way?

A.Upload all files to an Amazon S3 bucket that is configured for static website hosting. Grant read-only IAM
permissions to any AWS principals that access the S3 bucket until the designated date.
B.Create a new Amazon S3 bucket with S3 Versioning enabled. Use S3 Object Lock with a retention period in
accordance with the designated date. Configure the S3 bucket for static website hosting. Set an S3 bucket
policy to allow read-only access to the objects.
C.Create a new Amazon S3 bucket with S3 Versioning enabled. Configure an event trigger to run an AWS
Lambda function in case of object modification or deletion. Configure the Lambda function to replace the
 objects with the original versions from a private S3 bucket.
D.Upload all files to an Amazon S3 bucket that is configured for static website hosting. Select the folder that
contains the files. Use S3 Object Lock with a retention period in accordance with the designated date. Grant
read-only IAM permissions to any AWS principals that access the S3 bucket.

Answer: B

Explanation:

Option A allows the files to be modified or deleted by anyone with read-only IAM permissions. Option C allows
the files to be modified or deleted by anyone who can trigger the AWS Lambda function.Option D allows the
files to be modified or deleted by anyone with read-only IAM permissions to the S3 bucket

Question: 479 CertyIQ

A company is making a prototype of the infrastructure for its new website by manually provisioning the necessary
infrastructure. This infrastructure includes an Auto Scaling group, an Application Load Balancer and an Amazon
RDS database. After the configuration has been thoroughly validated, the company wants the capability to
immediately deploy the infrastructure for development and production use in two Availability Zones in an
automated fashion.

What should a solutions architect recommend to meet these requirements?

A.Use AWS Systems Manager to replicate and provision the prototype infrastructure in two Availability Zones
B.Define the infrastructure as a template by using the prototype infrastructure as a guide. Deploy the
infrastructure with AWS CloudFormation.
C.Use AWS Config to record the inventory of resources that are used in the prototype infrastructure. Use AWS
Config to deploy the prototype infrastructure into two Availability Zones.
D.Use AWS Elastic Beanstalk and configure it to use an automated reference to the prototype infrastructure to
automatically deploy new environments in two Availability Zones.

Answer: B

Explanation:

Define the infrastructure as a template by using the prototype infrastructure as a guide. Deploy the
infrastructure with AWS CloudFormation.

Question: 480 CertyIQ

A business application is hosted on Amazon EC2 and uses Amazon S3 for encrypted object storage. The chief
information security officer has directed that no application traffic between the two services should traverse the
public internet.

Which capability should the solutions architect use to meet the compliance requirements?

A.AWS Key Management Service (AWS KMS)

B.VPC endpoint
C.Private subnet
D.Virtual private gateway

Answer: B

Explanation:
 A VPC endpoint enables you to privately access AWS services without requiring internet gateways, NAT
gateways, VPN connections, or AWS Direct Connect connections. It allows you to connect your VPC directly to
supported AWS services, such as Amazon S3, over a private connection within the AWS network.By creating a
VPC endpoint for Amazon S3, the traffic between your EC2 instances and S3 will stay within the AWS
network and won't traverse the public internet. This provides a more secure and compliant solution, as the
data transfer remains within the private network boundaries.

Question: 481 CertyIQ

A company hosts a three-tier web application in the AWS Cloud. A Multi-AZAmazon RDS for MySQL server forms
the database layer Amazon ElastiCache forms the cache layer. The company wants a caching strategy that adds or
updates data in the cache when a customer adds an item to the database. The data in the cache must always
match the data in the database.

Which solution will meet these requirements?

A.Implement the lazy loading caching strategy

B.Implement the write-through caching strategy
C.Implement the adding TTL caching strategy
D.Implement the AWS AppConfig caching strategy

Answer: B

Explanation:

In the write-through caching strategy, when a customer adds or updates an item in the database, the
application first writes the data to the database and then updates the cache with the same data. This ensures
that the cache is always synchronized with the database, as every write operation triggers an update to the
cache.

Question: 482 CertyIQ

A company wants to migrate 100 GB of historical data from an on-premises location to an Amazon S3 bucket. The
company has a 100 megabits per second (Mbps) internet connection on premises. The company needs to encrypt
the data in transit to the S3 bucket. The company will store new data directly in Amazon S3.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use the s3 sync command in the AWS CLI to move the data directly to an S3 bucket
B.Use AWS DataSync to migrate the data from the on-premises location to an S3 bucket
C.Use AWS Snowball to move the data to an S3 bucket
D.Set up an IPsec VPN from the on-premises location to AWS. Use the s3 cp command in the AWS CLI to move
the data directly to an S3 bucket

Answer: B

Explanation:

AWS DataSync is a fully managed data transfer service that simplifies and automates the process of moving
data between on-premises storage and Amazon S3. It provides secure and efficient data transfer with built-in
encryption, ensuring that the data is encrypted in transit.By using AWS DataSync, the company can easily
migrate the 100 GB of historical data from their on-premises location to an S3 bucket. DataSync will handle
 the encryption of data in transit and ensure secure transfer.

Question: 483 CertyIQ

A company containerized a Windows job that runs on .NET 6 Framework under a Windows container. The company
wants to run this job in the AWS Cloud. The job runs every 10 minutes. The job’s runtime varies between 1 minute
and 3 minutes.

Which solution will meet these requirements MOST cost-effectively?

A.Create an AWS Lambda function based on the container image of the job. Configure Amazon EventBridge to
invoke the function every 10 minutes.
B.Use AWS Batch to create a job that uses AWS Fargate resources. Configure the job scheduling to run every
10 minutes.
C.Use Amazon Elastic Container Service (Amazon ECS) on AWS Fargate to run the job. Create a scheduled task
based on the container image of the job to run every 10 minutes.
D.Use Amazon Elastic Container Service (Amazon ECS) on AWS Fargate to run the job. Create a standalone task
based on the container image of the job. Use Windows task scheduler to run the job every
10 minutes.

Answer: C

Explanation:

By using Amazon ECS on AWS Fargate, you can run the job in a containerized environment while benefiting
from the serverless nature of Fargate, where you only pay for the resources used during the job's execution.
Creating a scheduled task based on the container image of the job ensures that it runs every 10 minutes,
meeting the required schedule. This solution provides flexibility, scalability, and cost-effectiveness.

Question: 484 CertyIQ

A company wants to move from many standalone AWS accounts to a consolidated, multi-account architecture. The
company plans to create many new AWS accounts for different business units. The company needs to
authenticate access to these AWS accounts by using a centralized corporate directory service.

Which combination of actions should a solutions architect recommend to meet these requirements? (Choose two.)

A.Create a new organization in AWS Organizations with all features turned on. Create the new AWS accounts in
the organization.
B.Set up an Amazon Cognito identity pool. Configure AWS IAM Identity Center (AWS Single Sign-On) to accept
Amazon Cognito authentication.
C.Configure a service control policy (SCP) to manage the AWS accounts. Add AWS IAM Identity Center (AWS
Single Sign-On) to AWS Directory Service.
D.Create a new organization in AWS Organizations. Configure the organization's authentication mechanism to
use AWS Directory Service directly.
E.Set up AWS IAM Identity Center (AWS Single Sign-On) in the organization. Configure IAM Identity Center, and
integrate it with the company's corporate directory service.

Answer: AE

Explanation:
 A. By creating a new organization in AWS Organizations, you can establish a consolidated multi-account
architecture. This allows you to create and manage multiple AWS accounts for different business units under
a single organization.E. Setting up AWS IAM Identity Center (AWS Single Sign-On) within the organization
enables you to integrate it with the company's corporate directory service. This integration allows for
centralized authentication, where users can sign in using their corporate credentials and access the AWS
accounts within the organization.Together, these actions create a centralized, multi-account architecture that
leverages AWS Organizations for account management and AWS IAM Identity Center (AWS Single Sign-On)
for authentication and access control.

Question: 485 CertyIQ

A company is looking for a solution that can store video archives in AWS from old news footage. The company
needs to minimize costs and will rarely need to restore these files. When the files are needed, they must be
available in a maximum of five minutes.

What is the MOST cost-effective solution?

A.Store the video archives in Amazon S3 Glacier and use Expedited retrievals.
B.Store the video archives in Amazon S3 Glacier and use Standard retrievals.
C.Store the video archives in Amazon S3 Standard-Infrequent Access (S3 Standard-IA).
D.Store the video archives in Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA).

Answer: A

Explanation:

By choosing Expedited retrievals in Amazon S3 Glacier, you can reduce the retrieval time to minutes, making
it suitable for scenarios where quick access is required. Expedited retrievals come with a higher cost per
retrieval compared to standard retrievals but provide faster access to your archived data.

Expedited retrieval typically takes 1-5 minutes to retrieve data, making it suitable for the company's
requirement of having the files available in a maximum of five minutes.

Question: 486 CertyIQ

A company is building a three-tier application on AWS. The presentation tier will serve a static website The logic
tier is a containerized application. This application will store data in a relational database. The company wants to
simplify deployment and to reduce operational costs.

Which solution will meet these requirements?

A.Use Amazon S3 to host static content. Use Amazon Elastic Container Service (Amazon ECS) with AWS
Fargate for compute power. Use a managed Amazon RDS cluster for the database.
B.Use Amazon CloudFront to host static content. Use Amazon Elastic Container Service (Amazon ECS) with
Amazon EC2 for compute power. Use a managed Amazon RDS cluster for the database.
C.Use Amazon S3 to host static content. Use Amazon Elastic Kubernetes Service (Amazon EKS) with AWS
Fargate for compute power. Use a managed Amazon RDS cluster for the database.
D.Use Amazon EC2 Reserved Instances to host static content. Use Amazon Elastic Kubernetes Service (Amazon
EKS) with Amazon EC2 for compute power. Use a managed Amazon RDS cluster for the database.

Answer: A

Explanation:
 Amazon S3 is a highly scalable and cost-effective storage service that can be used to host static website
content. It provides durability, high availability, and low latency access to the static files.Amazon ECS with
AWS Fargate eliminates the need to manage the underlying infrastructure. It allows you to run containerized
applications without provisioning or managing EC2 instances. This reduces operational overhead and provides
scalability.By using a managed Amazon RDS cluster for the database, you can offload the management tasks
such as backups, patching, and monitoring to AWS. This reduces the operational burden and ensures high
availability and durability of the database.

Question: 487 CertyIQ

A company seeks a storage solution for its application. The solution must be highly available and scalable. The
solution also must function as a file system be mountable by multiple Linux instances in AWS and on premises
through native protocols, and have no minimum size requirements. The company has set up a Site-to-Site VPN for
access from its on-premises network to its VPC.

Which storage solution meets these requirements?

A.Amazon FSx Multi-AZ deployments

B.Amazon Elastic Block Store (Amazon EBS) Multi-Attach volumes
C.Amazon Elastic File System (Amazon EFS) with multiple mount targets
D.Amazon Elastic File System (Amazon EFS) with a single mount target and multiple access points

Answer: C

Explanation:

Amazon EFS is a fully managed file system service that provides scalable, shared storage for Amazon EC2
instances. It supports the Network File System version 4 (NFSv4) protocol, which is a native protocol for
Linux-based systems. EFS is designed to be highly available, durable, and scalable.

Question: 488 CertyIQ

A 4-year-old media company is using the AWS Organizations all features feature set to organize its AWS accounts.
According to the company's finance team, the billing information on the member accounts must not be accessible
to anyone, including the root user of the member accounts.

Which solution will meet these requirements?

A.Add all finance team users to an IAM group. Attach an AWS managed policy named Billing to the group.
B.Attach an identity-based policy to deny access to the billing information to all users, including the root user.
C.Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root
organizational unit (OU).
D.Convert from the Organizations all features feature set to the Organizations consolidated billing feature set.

Answer: C

Explanation:

Service Control Policies (SCP): SCPs are an integral part of AWS Organizations and allow you to set fine-
grained permissions on the organizational units (OUs) within your AWS Organization. SCPs provide central
control over the maximum permissions that can be granted to member accounts, including the root
user.Denying Access to Billing Information: By creating an SCP and attaching it to the root OU, you can
 explicitly deny access to billing information for all accounts within the organization. SCPs can be used to
restrict access to various AWS services and actions, including billing-related services.Granular Control: SCPs
enable you to define specific permissions and restrictions at the organizational unit level. By denying access
to billing information at the root OU, you can ensure that no member accounts, including root users, have
access to the billing information.

Question: 489 CertyIQ

An ecommerce company runs an application in the AWS Cloud that is integrated with an on-premises warehouse
solution. The company uses Amazon Simple Notification Service (Amazon SNS) to send order messages to an on-
premises HTTPS endpoint so the warehouse application can process the orders. The local data center team has
detected that some of the order messages were not received.

A solutions architect needs to retain messages that are not delivered and analyze the messages for up to 14 days.

Which solution will meet these requirements with the LEAST development effort?

A.Configure an Amazon SNS dead letter queue that has an Amazon Kinesis Data Stream target with a retention
period of 14 days.
B.Add an Amazon Simple Queue Service (Amazon SQS) queue with a retention period of 14 days between the
application and Amazon SNS.
C.Configure an Amazon SNS dead letter queue that has an Amazon Simple Queue Service (Amazon SQS) target
with a retention period of 14 days.
D.Configure an Amazon SNS dead letter queue that has an Amazon DynamoDB target with a TTL attribute set
for a retention period of 14 days.

Answer: C

Explanation:

The message retention period in Amazon SQS can be set between 1 minute and 14 days (the default is 4 days).
Therefore, you can configure your SQS DLQ to retain undelivered SNS messages for 14 days. This will enable
you to analyze undelivered messages with the least development effort.

Question: 490 CertyIQ

A gaming company uses Amazon DynamoDB to store user information such as geographic location, player data,
and leaderboards. The company needs to configure continuous backups to an Amazon S3 bucket with a minimal
amount of coding. The backups must not affect availability of the application and must not affect the read capacity
units (RCUs) that are defined for the table.

Which solution meets these requirements?

A.Use an Amazon EMR cluster. Create an Apache Hive job to back up the data to Amazon S3.
B.Export the data directly from DynamoDB to Amazon S3 with continuous backups. Turn on point-in-time
recovery for the table.
C.Configure Amazon DynamoDB Streams. Create an AWS Lambda function to consume the stream and export
the data to an Amazon S3 bucket.
D.Create an AWS Lambda function to export the data from the database tables to Amazon S3 on a regular
basis. Turn on point-in-time recovery for the table.

Answer: B

Explanation:
 Continuous Backups: DynamoDB provides a feature called continuous backups, which automatically backs up
your table data. Enabling continuous backups ensures that your table data is continuously backed up without
the need for additional coding or manual interventions.Export to Amazon S3: With continuous backups
enabled, DynamoDB can directly export the backups to an Amazon S3 bucket. This eliminates the need for
custom coding to export the data.Minimal Coding: Option B requires the least amount of coding effort as
continuous backups and the export to Amazon S3 functionality are built-in features of DynamoDB.No Impact
on Availability and RCUs: Enabling continuous backups and exporting data to Amazon S3 does not affect the
availability of your application or the read capacity units (RCUs) defined for the table. These operations
happen in the background and do not impact the table's performance or consume additional RCUs.

Question: 491 CertyIQ

A solutions architect is designing an asynchronous application to process credit card data validation requests for a
bank. The application must be secure and be able to process each request at least once.

Which solution will meet these requirements MOST cost-effectively?

A.Use AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) standard queues
as the event source. Use AWS Key Management Service (SSE-KMS) for encryption. Add the kms:Decrypt
permission for the Lambda execution role.
B.Use AWS Lambda event source mapping. Use Amazon Simple Queue Service (Amazon SQS) FIFO queues as
the event source. Use SQS managed encryption keys (SSE-SQS) for encryption. Add the encryption key
invocation permission for the Lambda function.
C.Use the AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) FIFO queues
as the event source. Use AWS KMS keys (SSE-KMS). Add the kms:Decrypt permission for the Lambda
execution role.
D.Use the AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) standard
queues as the event source. Use AWS KMS keys (SSE-KMS) for encryption. Add the encryption key invocation
permission for the Lambda function.

Answer: A

Explanation:

SQS FIFO is slightly more expensive than standard queuehttps://calculator.aws/#/addService/SQSI would still
go with the standard because of the keyword "at least once" because FIFO process "exactly once". That
leaves us with A and D, I believe that lambda function only needs to decrypt so I would choose A

Question: 492 CertyIQ

A company has multiple AWS accounts for development work. Some staff consistently use oversized Amazon EC2
instances, which causes the company to exceed the yearly budget for the development accounts. The company
wants to centrally restrict the creation of AWS resources in these accounts.

Which solution will meet these requirements with the LEAST development effort?

A.Develop AWS Systems Manager templates that use an approved EC2 creation process. Use the approved
Systems Manager templates to provision EC2 instances.
B.Use AWS Organizations to organize the accounts into organizational units (OUs). Define and attach a service
control policy (SCP) to control the usage of EC2 instance types.
C.Configure an Amazon EventBridge rule that invokes an AWS Lambda function when an EC2 instance is
created. Stop disallowed EC2 instance types.
D.Set up AWS Service Catalog products for the staff to create the allowed EC2 instance types. Ensure that
staff can deploy EC2 instances only by using the Service Catalog products.
 Answer: B

Explanation:

AWS Organizations: AWS Organizations is a service that helps you centrally manage multiple AWS accounts.
It enables you to group accounts into organizational units (OUs) and apply policies across those
accounts.Service Control Policies (SCPs): SCPs in AWS Organizations allow you to define fine-grained
permissions and restrictions at the account or OU level. By attaching an SCP to the development accounts,
you can control the creation and usage of EC2 instance types.Least Development Effort: Option B requires
minimal development effort as it leverages the built-in features of AWS Organizations and SCPs. You can
define the SCP to restrict the use of oversized EC2 instance types and apply it to the appropriate OUs or
accounts.

Question: 493 CertyIQ

A company wants to use artificial intelligence (AI) to determine the quality of its customer service calls. The
company currently manages calls in four different languages, including English. The company will offer new
languages in the future. The company does not have the resources to regularly maintain machine learning (ML)
models.

The company needs to create written sentiment analysis reports from the customer service call recordings. The
customer service call recording text must be translated into English.

Which combination of steps will meet these requirements? (Choose three.)

A.Use Amazon Comprehend to translate the audio recordings into English.

B.Use Amazon Lex to create the written sentiment analysis reports.
C.Use Amazon Polly to convert the audio recordings into text.
D.Use Amazon Transcribe to convert the audio recordings in any language into text.
E.Use Amazon Translate to translate text in any language to English.
F.Use Amazon Comprehend to create the sentiment analysis reports.

Answer: DEF

Explanation:

Amazon Transcribe will convert the audio recordings into text, Amazon Translate will translate the text into
English, and Amazon Comprehend will perform sentiment analysis on the translated text to generate
sentiment analysis reports.

Question: 494 CertyIQ

A company uses Amazon EC2 instances to host its internal systems. As part of a deployment operation, an
administrator tries to use the AWS CLI to terminate an EC2 instance. However, the administrator receives a 403
(Access Denied) error message.

The administrator is using an IAM role that has the following IAM policy attached:
What is the cause of the unsuccessful request?

A.The EC2 instance has a resource-based policy with a Deny statement.

B.The principal has not been specified in the policy statement.
C.The "Action" field does not grant the actions that are required to terminate the EC2 instance.
D.The request to terminate the EC2 instance does not originate from the CIDR blocks 192.0.2.0/24 or
203.0.113.0/24.

Answer: D

Explanation:

The request to terminate the EC2 instance does not originate from the CIDR blocks 192.0.2.0/24 or
203.0.113.0/24.

Question: 495 CertyIQ

A company is conducting an internal audit. The company wants to ensure that the data in an Amazon S3 bucket
that is associated with the company’s AWS Lake Formation data lake does not contain sensitive customer or
employee data. The company wants to discover personally identifiable information (PII) or financial information,
including passport numbers and credit card numbers.

Which solution will meet these requirements?

A.Configure AWS Audit Manager on the account. Select the Payment Card Industry Data Security Standards
(PCI DSS) for auditing.
B.Configure Amazon S3 Inventory on the S3 bucket Configure Amazon Athena to query the inventory.
C.Configure Amazon Macie to run a data discovery job that uses managed identifiers for the required data
types.
D.Use Amazon S3 Select to run a report across the S3 bucket.

Answer: C

Explanation:

Amazon Macie is a service that helps discover, classify, and protect sensitive data stored in AWS. It uses
machine learning algorithms and managed identifiers to detect various types of sensitive information,
including personally identifiable information (PII) and financial information. By configuring Amazon Macie to
run a data discovery job with the appropriate managed identifiers for the required data types (such as
passport numbers and credit card numbers), the company can identify and classify any sensitive data present
in the S3 bucket.

Question: 496 CertyIQ

A company uses on-premises servers to host its applications. The company is running out of storage capacity. The
applications use both block storage and NFS storage. The company needs a high-performing solution that
supports local caching without re-architecting its existing applications.

Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)

A.Mount Amazon S3 as a file system to the on-premises servers.

B.Deploy an AWS Storage Gateway file gateway to replace NFS storage.
C.Deploy AWS Snowball Edge to provision NFS mounts to on-premises servers.
D.Deploy an AWS Storage Gateway volume gateway to replace the block storage.
E.Deploy Amazon Elastic File System (Amazon EFS) volumes and mount them to on-premises servers.

Answer: BD

Explanation:

By combining the deployment of an AWS Storage Gateway file gateway and an AWS Storage Gateway
volume gateway, the company can address both its block storage and NFS storage needs, while leveraging
local caching capabilities for improved performance.

Question: 497 CertyIQ

A company has a service that reads and writes large amounts of data from an Amazon S3 bucket in the same AWS
Region. The service is deployed on Amazon EC2 instances within the private subnet of a VPC. The service
communicates with Amazon S3 over a NAT gateway in the public subnet. However, the company wants a solution
that will reduce the data output costs.
Which solution will meet these requirements MOST cost-effectively?

A.Provision a dedicated EC2 NAT instance in the public subnet. Configure the route table for the private subnet
to use the elastic network interface of this instance as the destination for all S3 traffic.
B.Provision a dedicated EC2 NAT instance in the private subnet. Configure the route table for the public subnet
to use the elastic network interface of this instance as the destination for all S3 traffic.
C.Provision a VPC gateway endpoint. Configure the route table for the private subnet to use the gateway
endpoint as the route for all S3 traffic.
D.Provision a second NAT gateway. Configure the route table for the private subnet to use this NAT gateway as
the destination for all S3 traffic.

Answer: C

Explanation:

A VPC gateway endpoint allows you to privately access Amazon S3 from within your VPC without using a NAT
gateway or NAT instance. By provisioning a VPC gateway endpoint for S3, the service in the private subnet
can directly communicate with S3 without incurring data transfer costs for traffic going through a NAT
gateway.

Question: 498 CertyIQ

A company uses Amazon S3 to store high-resolution pictures in an S3 bucket. To minimize application changes,
the company stores the pictures as the latest version of an S3 object. The company needs to retain only the two
most recent versions of the pictures.

The company wants to reduce costs. The company has identified the S3 bucket as a large expense.

Which solution will reduce the S3 costs with the LEAST operational overhead?

A.Use S3 Lifecycle to delete expired object versions and retain the two most recent versions.
B.Use an AWS Lambda function to check for older versions and delete all but the two most recent versions.
C.Use S3 Batch Operations to delete noncurrent object versions and retain only the two most recent versions.
D.Deactivate versioning on the S3 bucket and retain the two most recent versions.

Answer: A

Explanation:

S3 Lifecycle policies allow you to define rules that automatically transition or expire objects based on their
age or other criteria. By configuring an S3 Lifecycle policy to delete expired object versions and retain only
the two most recent versions, you can effectively manage the storage costs while maintaining the desired
retention policy. This solution is highly automated and requires minimal operational overhead as the lifecycle
management is handled by S3 itself.

Question: 499 CertyIQ

A company needs to minimize the cost of its 1 Gbps AWS Direct Connect connection. The company's average
connection utilization is less than 10%. A solutions architect must recommend a solution that will reduce the cost
without compromising security.

Which solution will meet these requirements?

 A.Set up a new 1 Gbps Direct Connect connection. Share the connection with another AWS account.
B.Set up a new 200 Mbps Direct Connect connection in the AWS Management Console.
C.Contact an AWS Direct Connect Partner to order a 1 Gbps connection. Share the connection with another
AWS account.
D.Contact an AWS Direct Connect Partner to order a 200 Mbps hosted connection for an existing AWS account.

Answer: D

Explanation:
1. D For Dedicated Connections, 1 Gbps, 10 Gbps, and 100 Gbps ports are available. For Hosted Connections,
connection speeds of 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps
and 10 Gbps may be ordered from approved AWS Direct Connect Partners. See AWS Direct Connect Partners
for more information.
2. A hosted connection is a lower-cost option that is offered by AWS Direct Connect Partners

Question: 500 CertyIQ

A company has multiple Windows file servers on premises. The company wants to migrate and consolidate its files
into an Amazon FSx for Windows File Server file system. File permissions must be preserved to ensure that access
rights do not change.

Which solutions will meet these requirements? (Choose two.)

A.Deploy AWS DataSync agents on premises. Schedule DataSync tasks to transfer the data to the FSx for
Windows File Server file system.
B.Copy the shares on each file server into Amazon S3 buckets by using the AWS CLI. Schedule AWS DataSync
tasks to transfer the data to the FSx for Windows File Server file system.
C.Remove the drives from each file server. Ship the drives to AWS for import into Amazon S3. Schedule AWS
DataSync tasks to transfer the data to the FSx for Windows File Server file system.
D.Order an AWS Snowcone device. Connect the device to the on-premises network. Launch AWS DataSync
agents on the device. Schedule DataSync tasks to transfer the data to the FSx for Windows File Server file
system.
E.Order an AWS Snowball Edge Storage Optimized device. Connect the device to the on-premises network.
Copy data to the device by using the AWS CLI. Ship the device back to AWS for import into Amazon S3.
Schedule AWS DataSync tasks to transfer the data to the FSx for Windows File Server file system.

Answer: AD

Explanation:

A This option involves deploying DataSync agents on your on-premises file servers and using DataSync to
transfer the data directly to the FSx for Windows File Server. DataSync ensures that file permissions are
preserved during the migration process.DThis option involves using an AWS Snowcone device, a portable data
transfer device. You would connect the Snowcone device to your on-premises network, launch DataSync
agents on the device, and schedule DataSync tasks to transfer the data to FSx for Windows File Server.
DataSync handles the migration process while preserving file permissions.

Question: 501 CertyIQ

A company wants to ingest customer payment data into the company's data lake in Amazon S3. The company
receives payment data every minute on average. The company wants to analyze the payment data in real time.
Then the company wants to ingest the data into the data lake.

Which solution will meet these requirements with the MOST operational efficiency?
 A.Use Amazon Kinesis Data Streams to ingest data. Use AWS Lambda to analyze the data in real time.
B.Use AWS Glue to ingest data. Use Amazon Kinesis Data Analytics to analyze the data in real time.
C.Use Amazon Kinesis Data Firehose to ingest data. Use Amazon Kinesis Data Analytics to analyze the data in
real time.
D.Use Amazon API Gateway to ingest data. Use AWS Lambda to analyze the data in real time.

Answer: C

Explanation:

By leveraging the combination of Amazon Kinesis Data Firehose and Amazon Kinesis Data Analytics, you can
efficiently ingest and analyze the payment data in real time without the need for manual processing or
additional infrastructure management. This solution provides a streamlined and scalable approach to handle
continuous data ingestion and analysis requirements.

Amazon Kinesis Data Firehose the most optimal variant

Question: 502 CertyIQ

A company runs a website that uses a content management system (CMS) on Amazon EC2. The CMS runs on a
single EC2 instance and uses an Amazon Aurora MySQL Multi-AZ DB instance for the data tier. Website images are
stored on an Amazon Elastic Block Store (Amazon EBS) volume that is mounted inside the EC2 instance.

Which combination of actions should a solutions architect take to improve the performance and resilience of the
website? (Choose two.)

A.Move the website images into an Amazon S3 bucket that is mounted on every EC2 instance
B.Share the website images by using an NFS share from the primary EC2 instance. Mount this share on the
other EC2 instances.
C.Move the website images onto an Amazon Elastic File System (Amazon EFS) file system that is mounted on
every EC2 instance.
D.Create an Amazon Machine Image (AMI) from the existing EC2 instance. Use the AMI to provision new
instances behind an Application Load Balancer as part of an Auto Scaling group. Configure the Auto Scaling
group to maintain a minimum of two instances. Configure an accelerator in AWS Global Accelerator for the
website
E.Create an Amazon Machine Image (AMI) from the existing EC2 instance. Use the AMI to provision new
instances behind an Application Load Balancer as part of an Auto Scaling group. Configure the Auto Scaling
group to maintain a minimum of two instances. Configure an Amazon CloudFront distribution for the website.

Answer: CE

Explanation:

By combining the use of Amazon EFS for shared file storage and Amazon CloudFront for content delivery, you
can achieve improved performance and resilience for the website.

Question: 503 CertyIQ

A company runs an infrastructure monitoring service. The company is building a new feature that will enable the
service to monitor data in customer AWS accounts. The new feature will call AWS APIs in customer accounts to
describe Amazon EC2 instances and read Amazon CloudWatch metrics.

What should the company do to obtain access to customer accounts in the MOST secure way?
 A.Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch
permissions and a trust policy to the company’s account.
B.Create a serverless API that implements a token vending machine to provide temporary AWS credentials for a
role with read-only EC2 and CloudWatch permissions.
C.Ensure that the customers create an IAM user in their account with read-only EC2 and CloudWatch
permissions. Encrypt and store customer access and secret keys in a secrets management system.
D.Ensure that the customers create an Amazon Cognito user in their account to use an IAM role with read-only
EC2 and CloudWatch permissions. Encrypt and store the Amazon Cognito user and password in a secrets
management system.

Answer: A

Explanation:

By having customers create an IAM role with the necessary permissions in their own accounts, the company
can use AWS Identity and Access Management (IAM) to establish cross-account access. The trust policy
allows the company's AWS account to assume the customer's IAM role temporarily, granting access to the
specified resources (EC2 instances and CloudWatch metrics) within the customer's account. This approach
follows the principle of least privilege, as the company only requests the necessary permissions and does not
require long-term access keys or user credentials from the customers.

Question: 504 CertyIQ

A company needs to connect several VPCs in the us-east-1 Region that span hundreds of AWS accounts. The
company's networking team has its own AWS account to manage the cloud network.

What is the MOST operationally efficient solution to connect the VPCs?

A.Set up VPC peering connections between each VPC. Update each associated subnet’s route table
B.Configure a NAT gateway and an internet gateway in each VPC to connect each VPC through the internet
C.Create an AWS Transit Gateway in the networking team’s AWS account. Configure static routes from each
VPC.
D.Deploy VPN gateways in each VPC. Create a transit VPC in the networking team’s AWS account to connect to
each VPC.

Answer: C

Explanation:

AWS Transit Gateway is a highly scalable and centralized hub for connecting multiple VPCs, on-premises
networks, and remote networks. It simplifies network connectivity by providing a single entry point and
reducing the number of connections required. In this scenario, deploying an AWS Transit Gateway in the
networking team's AWS account allows for efficient management and control over the network connectivity
across multiple VPCs.

Question: 505 CertyIQ

A company has Amazon EC2 instances that run nightly batch jobs to process data. The EC2 instances run in an
Auto Scaling group that uses On-Demand billing. If a job fails on one instance, another instance will reprocess the
job. The batch jobs run between 12:00 AM and 06:00 AM local time every day.

Which solution will provide EC2 instances to meet these requirements MOST cost-effectively?
 A.Purchase a 1-year Savings Plan for Amazon EC2 that covers the instance family of the Auto Scaling group
that the batch job uses.
B.Purchase a 1-year Reserved Instance for the specific instance type and operating system of the instances in
the Auto Scaling group that the batch job uses.
C.Create a new launch template for the Auto Scaling group. Set the instances to Spot Instances. Set a policy to
scale out based on CPU usage.
D.Create a new launch template for the Auto Scaling group. Increase the instance size. Set a policy to scale out
based on CPU usage.

Answer: C

Explanation:

Purchasing a 1-year Savings Plan (option A) or a 1-year Reserved Instance (option B) may provide cost savings,
but they are more suitable for long-running, steady-state workloads. Since your batch jobs run for a specific
period each day, using Spot Instances with the ability to scale out based on CPU usage is a more cost-
effective choice.

Question: 506 CertyIQ

A social media company is building a feature for its website. The feature will give users the ability to upload
photos. The company expects significant increases in demand during large events and must ensure that the
website can handle the upload traffic from users.

Which solution meets these requirements with the MOST scalability?

A.Upload files from the user's browser to the application servers. Transfer the files to an Amazon S3 bucket.
B.Provision an AWS Storage Gateway file gateway. Upload files directly from the user's browser to the file
gateway.
C.Generate Amazon S3 presigned URLs in the application. Upload files directly from the user's browser into an
S3 bucket.
D.Provision an Amazon Elastic File System (Amazon EFS) file system. Upload files directly from the user's
browser to the file system.

Answer: C

Explanation:

This approach allows users to upload files directly to S3 without passing through the application servers,
reducing the load on the application and improving scalability. It leverages the client-side capabilities to
handle the file uploads and offloads the processing to S3.

Question: 507 CertyIQ

A company has a web application for travel ticketing. The application is based on a database that runs in a single
data center in North America. The company wants to expand the application to serve a global user base. The
company needs to deploy the application to multiple AWS Regions. Average latency must be less than 1 second on
updates to the reservation database.

The company wants to have separate deployments of its web platform across multiple Regions. However, the
company must maintain a single primary reservation database that is globally consistent.

Which solution should a solutions architect recommend to meet these requirements?

 A.Convert the application to use Amazon DynamoDB. Use a global table for the center reservation table. Use
the correct Regional endpoint in each Regional deployment.
B.Migrate the database to an Amazon Aurora MySQL database. Deploy Aurora Read Replicas in each Region.
Use the correct Regional endpoint in each Regional deployment for access to the database.
C.Migrate the database to an Amazon RDS for MySQL database. Deploy MySQL read replicas in each Region.
Use the correct Regional endpoint in each Regional deployment for access to the database.
D.Migrate the application to an Amazon Aurora Serverless database. Deploy instances of the database to each
Region. Use the correct Regional endpoint in each Regional deployment to access the database. Use AWS
Lambda functions to process event streams in each Region to synchronize the databases.

Answer: A

Explanation:

Using DynamoDB's global tables feature, you can achieve a globally consistent reservation database with low
latency on updates, making it suitable for serving a global user base. The automatic replication provided by
DynamoDB eliminates the need for manual synchronization between Regions.

A. Convert the application to use Amazon DynamoDB. Use a global table for the center reservation table. Use
the correct Regional endpoint in each Regional deployment.

Question: 508 CertyIQ

A company has migrated multiple Microsoft Windows Server workloads to Amazon EC2 instances that run in the
us-west-1 Region. The company manually backs up the workloads to create an image as needed.

In the event of a natural disaster in the us-west-1 Region, the company wants to recover workloads quickly in the
us-west-2 Region. The company wants no more than 24 hours of data loss on the EC2 instances. The company also
wants to automate any backups of the EC2 instances.

Which solutions will meet these requirements with the LEAST administrative effort? (Choose two.)

A.Create an Amazon EC2-backed Amazon Machine Image (AMI) lifecycle policy to create a backup based on
tags. Schedule the backup to run twice daily. Copy the image on demand.
B.Create an Amazon EC2-backed Amazon Machine Image (AMI) lifecycle policy to create a backup based on
tags. Schedule the backup to run twice daily. Configure the copy to the us-west-2 Region.
C.Create backup vaults in us-west-1 and in us-west-2 by using AWS Backup. Create a backup plan for the EC2
instances based on tag values. Create an AWS Lambda function to run as a scheduled job to copy the backup
data to us-west-2.
D.Create a backup vault by using AWS Backup. Use AWS Backup to create a backup plan for the EC2 instances
based on tag values. Define the destination for the copy as us-west-2. Specify the backup schedule to run twice
daily.
E.Create a backup vault by using AWS Backup. Use AWS Backup to create a backup plan for the EC2 instances
based on tag values. Specify the backup schedule to run twice daily. Copy on demand to us-west-2.

Answer: BD

Explanation:

Option B suggests using an EC2-backed Amazon Machine Image (AMI) lifecycle policy to automate the
backup process. By configuring the policy to run twice daily and specifying the copy to the us-west-2 Region,
the company can ensure regular backups are created and copied to the alternate region.Option D proposes
using AWS Backup, which provides a centralized backup management solution. By creating a backup vault
and backup plan based on tag values, the company can automate the backup process for the EC2 instances.
The backup schedule can be set to run twice daily, and the destination for the copy can be defined as the us-
west-2 Region.
 solutions are both automated and require no manual intervention to create or copy backups

Question: 509 CertyIQ

A company operates a two-tier application for image processing. The application uses two Availability Zones, each
with one public subnet and one private subnet. An Application Load Balancer (ALB) for the web tier uses the public
subnets. Amazon EC2 instances for the application tier use the private subnets.

Users report that the application is running more slowly than expected. A security audit of the web server log files
shows that the application is receiving millions of illegitimate requests from a small number of IP addresses. A
solutions architect needs to resolve the immediate performance problem while the company investigates a more
permanent solution.

What should the solutions architect recommend to meet this requirement?

A.Modify the inbound security group for the web tier. Add a deny rule for the IP addresses that are consuming
resources.
B.Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses that are
consuming resources.
C.Modify the inbound security group for the application tier. Add a deny rule for the IP addresses that are
consuming resources.
D.Modify the network ACL for the application tier subnets. Add an inbound deny rule for the IP addresses that
are consuming resources.

Answer: B

Explanation:

In this scenario, the security audit reveals that the application is receiving millions of illegitimate requests
from a small number of IP addresses. To address this issue, it is recommended to modify the network ACL
(Access Control List) for the web tier subnets.By adding an inbound deny rule specifically targeting the IP
addresses that are consuming resources, the network ACL can block the illegitimate traffic at the subnet
level before it reaches the web servers. This will help alleviate the excessive load on the web tier and improve
the application's performance.

Question: 510 CertyIQ

A global marketing company has applications that run in the ap-southeast-2 Region and the eu-west-1 Region.
Applications that run in a VPC in eu-west-1 need to communicate securely with databases that run in a VPC in ap-
southeast-2.

Which network design will meet these requirements?

A.Create a VPC peering connection between the eu-west-1 VPC and the ap-southeast-2 VPC. Create an inbound
rule in the eu-west-1 application security group that allows traffic from the database server IP addresses in the
ap-southeast-2 security group.
B.Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1 VPC. Update the
subnet route tables. Create an inbound rule in the ap-southeast-2 database security group that references the
security group ID of the application servers in eu-west-1.
C.Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1 VPUpdate the
subnet route tables. Create an inbound rule in the ap-southeast-2 database security group that allows traffic
from the eu-west-1 application server IP addresses.
D.Create a transit gateway with a peering attachment between the eu-west-1 VPC and the ap-southeast-2 VPC.
After the transit gateways are properly peered and routing is configured, create an inbound rule in the
database security group that references the security group ID of the application servers in eu-west-1.
 Answer: C

Explanation:

Answer: C -->"You cannot reference the security group of a peer VPC that's in a different Region. Instead, use
the CIDR block of the peer VPC."

https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

Question: 511 CertyIQ

A company is developing software that uses a PostgreSQL database schema. The company needs to configure
multiple development environments and databases for the company's developers. On average, each development
environment is used for half of the 8-hour workday.

Which solution will meet these requirements MOST cost-effectively?

A.Configure each development environment with its own Amazon Aurora PostgreSQL database
B.Configure each development environment with its own Amazon RDS for PostgreSQL Single-AZ DB instances
C.Configure each development environment with its own Amazon Aurora On-Demand PostgreSQL-Compatible
database
D.Configure each development environment with its own Amazon S3 bucket by using Amazon S3 Object Select

Answer: C

Explanation:

Option C suggests using Amazon Aurora On-Demand PostgreSQL-Compatible databases for each
development environment. This option provides the benefits of Amazon Aurora, which is a high-performance
and scalable database engine, while allowing you to pay for usage on an on-demand basis. Amazon Aurora
On-Demand instances are typically more cost-effective for individual development environments compared to
the provisioned capacity options.

C cost effectively

Question: 512 CertyIQ

A company uses AWS Organizations with resources tagged by account. The company also uses AWS Backup to
back up its AWS infrastructure resources. The company needs to back up all AWS resources.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use AWS Config to identify all untagged resources. Tag the identified resources programmatically. Use tags
in the backup plan.
B.Use AWS Config to identify all resources that are not running. Add those resources to the backup vault.
C.Require all AWS account owners to review their resources to identify the resources that need to be backed
up.
D.Use Amazon Inspector to identify all noncompliant resources.

Answer: A

Explanation:

This solution allows you to leverage AWS Config to identify any untagged resources within your AWS
 Organizations accounts. Once identified, you can programmatically apply the necessary tags to indicate the
backup requirements for each resource. By using tags in the backup plan configuration, you can ensure that
only the tagged resources are included in the backup process, reducing operational overhead and ensuring all
necessary resources are backed up.

Question: 513 CertyIQ

A social media company wants to allow its users to upload images in an application that is hosted in the AWS
Cloud. The company needs a solution that automatically resizes the images so that the images can be displayed on
multiple device types. The application experiences unpredictable traffic patterns throughout the day. The
company is seeking a highly available solution that maximizes scalability.

What should a solutions architect do to meet these requirements?

A.Create a static website hosted in Amazon S3 that invokes AWS Lambda functions to resize the images and
store the images in an Amazon S3 bucket.
B.Create a static website hosted in Amazon CloudFront that invokes AWS Step Functions to resize the images
and store the images in an Amazon RDS database.
C.Create a dynamic website hosted on a web server that runs on an Amazon EC2 instance. Configure a process
that runs on the EC2 instance to resize the images and store the images in an Amazon S3 bucket.
D.Create a dynamic website hosted on an automatically scaling Amazon Elastic Container Service (Amazon
ECS) cluster that creates a resize job in Amazon Simple Queue Service (Amazon SQS). Set up an image-resizing
program that runs on an Amazon EC2 instance to process the resize jobs.

Answer: A

Explanation:

By using Amazon S3 and AWS Lambda together, you can create a serverless architecture that provides highly
scalable and available image resizing capabilities. Here's how the solution would work:Set up an Amazon S3
bucket to store the original images uploaded by users.Configure an event trigger on the S3 bucket to invoke
an AWS Lambda function whenever a new image is uploaded.The Lambda function can be designed to
retrieve the uploaded image, perform the necessary resizing operations based on device requirements, and
store the resized images back in the S3 bucket or a different bucket designated for resized images.Configure
the Amazon S3 bucket to make the resized images publicly accessible for serving to users.

Question: 514 CertyIQ

A company is running a microservices application on Amazon EC2 instances. The company wants to migrate the
application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for scalability. The company must
configure the Amazon EKS control plane with endpoint private access set to true and endpoint public access set to
false to maintain security compliance. The company must also put the data plane in private subnets. However, the
company has received error notifications because the node cannot join the cluster.

Which solution will allow the node to join the cluster?

A.Grant the required permission in AWS Identity and Access Management (IAM) to the AmazonEKSNodeRole
IAM role.
B.Create interface VPC endpoints to allow nodes to access the control plane.
C.Recreate nodes in the public subnet. Restrict security groups for EC2 nodes.
D.Allow outbound traffic in the security group of the nodes.

Answer: B
 Explanation:

By creating interface VPC endpoints, you can enable the necessary communication between the Amazon EKS
control plane and the nodes in private subnets. This solution ensures that the control plane maintains
endpoint private access (set to true) and endpoint public access (set to false) for security compliance.

Question: 515 CertyIQ

A company is migrating an on-premises application to AWS. The company wants to use Amazon Redshift as a
solution.

Which use cases are suitable for Amazon Redshift in this scenario? (Choose three.)

A.Supporting data APIs to access data with traditional, containerized, and event-driven applications
B.Supporting client-side and server-side encryption
C.Building analytics workloads during specified hours and when the application is not active
D.Caching data to reduce the pressure on the backend database
E.Scaling globally to support petabytes of data and tens of millions of requests per minute
F.Creating a secondary replica of the cluster by using the AWS Management Console

Answer: BCE

Explanation:

B. Supporting client-side and server-side encryption: Amazon Redshift supports both client-side and server-
side encryption for improved data security.C. Building analytics workloads during specified hours and when
the application is not active: Amazon Redshift is optimized for running complex analytic queries against very
large datasets, making it a good choice for this use case.E. Scaling globally to support petabytes of data and
tens of millions of requests per minute: Amazon Redshift is designed to handle petabytes of data, and to
deliver fast query and I/O performance for virtually any size dataset.

Question: 516 CertyIQ

A company provides an API interface to customers so the customers can retrieve their financial information. Еhe
company expects a larger number of requests during peak usage times of the year.

The company requires the API to respond consistently with low latency to ensure customer satisfaction. The
company needs to provide a compute host for the API.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use an Application Load Balancer and Amazon Elastic Container Service (Amazon ECS).
B.Use Amazon API Gateway and AWS Lambda functions with provisioned concurrency.
C.Use an Application Load Balancer and an Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
D.Use Amazon API Gateway and AWS Lambda functions with reserved concurrency.

Answer: B

Explanation:

In the context of the given scenario, where the company wants low latency and consistent performance for
their API during peak usage times, it would be more suitable to use provisioned concurrency. By allocating a
 specific number of concurrent executions, the company can ensure that there are enough function instances
available to handle the expected load and minimize the impact of cold starts. This will result in lower latency
and improved performance for the API.

Question: 517 CertyIQ

A company wants to send all AWS Systems Manager Session Manager logs to an Amazon S3 bucket for archival
purposes.

Which solution will meet this requirement with the MOST operational efficiency?

A.Enable S3 logging in the Systems Manager console. Choose an S3 bucket to send the session data to.
B.Install the Amazon CloudWatch agent. Push all logs to a CloudWatch log group. Export the logs to an S3
bucket from the group for archival purposes.
C.Create a Systems Manager document to upload all server logs to a central S3 bucket. Use Amazon
EventBridge to run the Systems Manager document against all servers that are in the account daily.
D.Install an Amazon CloudWatch agent. Push all logs to a CloudWatch log group. Create a CloudWatch logs
subscription that pushes any incoming log events to an Amazon Kinesis Data Firehose delivery stream. Set
Amazon S3 as the destination.

Answer: A

Explanation:
1. It have menu to Enable S3 Logging.https://docs.aws.amazon.com/systems-
manager/latest/userguide/session-manager-logging.html#session-manager-logging-s3
2. option A does not involve CloudWatch, while option D does. Therefore, in terms of operational overhead,
option A would generally have less complexity and operational overhead compared to option D.Option A
simply enables S3 logging in the Systems Manager console, allowing you to directly send session logs to an
S3 bucket. This approach is straightforward and requires minimal configuration.On the other hand, option D
involves installing and configuring the Amazon CloudWatch agent, creating a CloudWatch log group, setting
up a CloudWatch Logs subscription, and configuring an Amazon Kinesis Data Firehose delivery stream to
store logs in an S3 bucket. This requires additional setup and management compared to option A.So, if
minimizing operational overhead is a priority, option A would be a simpler and more straightforward choice.

Question: 518 CertyIQ

An application uses an Amazon RDS MySQL DB instance. The RDS database is becoming low on disk space. A
solutions architect wants to increase the disk space without downtime.

Which solution meets these requirements with the LEAST amount of effort?

A.Enable storage autoscaling in RDS

B.Increase the RDS database instance size
C.Change the RDS database instance storage type to Provisioned IOPS
D.Back up the RDS database, increase the storage capacity, restore the database, and stop the previous
instance

Answer: A

Explanation:

Enabling storage autoscaling allows RDS to automatically adjust the storage capacity based on the
application's needs. When the storage usage exceeds a predefined threshold, RDS will automatically increase
 the allocated storage without requiring manual intervention or causing downtime. This ensures that the RDS
database has sufficient disk space to handle the increasing storage requirements.

Question: 519 CertyIQ

A consulting company provides professional services to customers worldwide. The company provides solutions
and tools for customers to expedite gathering and analyzing data on AWS. The company needs to centrally
manage and deploy a common set of solutions and tools for customers to use for self-service purposes.

Which solution will meet these requirements?

A.Create AWS CloudFormation templates for the customers.

B.Create AWS Service Catalog products for the customers.
C.Create AWS Systems Manager templates for the customers.
D.Create AWS Config items for the customers.

Answer: B

Explanation:

AWS Service Catalog allows you to create and manage catalogs of IT services that can be deployed within
your organization. With Service Catalog, you can define a standardized set of products (solutions and tools in
this case) that customers can self-service provision. By creating Service Catalog products, you can control
and enforce the deployment of approved and validated solutions and tools.

Question: 520 CertyIQ

A company is designing a new web application that will run on Amazon EC2 Instances. The application will use
Amazon DynamoDB for backend data storage. The application traffic will be unpredictable. The company expects
that the application read and write throughput to the database will be moderate to high. The company needs to
scale in response to application traffic.

Which DynamoDB table configuration will meet these requirements MOST cost-effectively?

A.Configure DynamoDB with provisioned read and write by using the DynamoDB Standard table class. Set
DynamoDB auto scaling to a maximum defined capacity.
B.Configure DynamoDB in on-demand mode by using the DynamoDB Standard table class.
C.Configure DynamoDB with provisioned read and write by using the DynamoDB Standard Infrequent Access
(DynamoDB Standard-IA) table class. Set DynamoDB auto scaling to a maximum defined capacity.
D.Configure DynamoDB in on-demand mode by using the DynamoDB Standard Infrequent Access (DynamoDB
Standard-IA) table class.

Answer: B

Explanation:

AWS Service Catalog allows you to create and manage catalogs of IT services that can be deployed within
your organization. With Service Catalog, you can define a standardized set of products (solutions and tools in
this case) that customers can self-service provision. By creating Service Catalog products, you can control
and enforce the deployment of approved and validated solutions and tools.
Question: 521 CertyIQ
A retail company has several businesses. The IT team for each business manages its own AWS account. Each team
account is part of an organization in AWS Organizations. Each team monitors its product inventory levels in an
Amazon DynamoDB table in the team's own AWS account.

The company is deploying a central inventory reporting application into a shared AWS account. The application
must be able to read items from all the teams' DynamoDB tables.

Which authentication option will meet these requirements MOST securely?

A.Integrate DynamoDB with AWS Secrets Manager in the inventory application account. Configure the
application to use the correct secret from Secrets Manager to authenticate and read the DynamoDB table.
Schedule secret rotation for every 30 days.
B.In every business account, create an IAM user that has programmatic access. Configure the application to use
the correct IAM user access key ID and secret access key to authenticate and read the DynamoDB table.
Manually rotate IAM access keys every 30 days.
C.In every business account, create an IAM role named BU_ROLE with a policy that gives the role access to the
DynamoDB table and a trust policy to trust a specific role in the inventory application account. In the inventory
account, create a role named APP_ROLE that allows access to the STS AssumeRole API operation. Configure
the application to use APP_ROLE and assume the crossaccount role BU_ROLE to read the DynamoDB table.
D.Integrate DynamoDB with AWS Certificate Manager (ACM). Generate identity certificates to authenticate
DynamoDB. Configure the application to use the correct certificate to authenticate and read the DynamoDB
table.

Answer: C

Explanation:

IAM Roles: IAM roles provide a secure way to grant permissions to entities within AWS. By creating an IAM
role in each business account named BU_ROLE with the necessary permissions to access the DynamoDB
table, the access can be controlled at the IAM role level.Cross-Account Access: By configuring a trust policy
in the BU_ROLE that trusts a specific role in the inventory application account (APP_ROLE), you establish a
trusted relationship between the two accounts.Least Privilege: By creating a specific IAM role (BU_ROLE) in
each business account and granting it access only to the required DynamoDB table, you can ensure that each
team's table is accessed with the least privilege principle.Security Token Service (STS): The use of STS
AssumeRole API operation in the inventory application account allows the application to assume the cross-
account role (BU_ROLE) in each business account.

Question: 522 CertyIQ

A company runs container applications by using Amazon Elastic Kubernetes Service (Amazon EKS). The company's
workload is not consistent throughout the day. The company wants Amazon EKS to scale in and out according to
the workload.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)

A.Use an AWS Lambda function to resize the EKS cluster.

B.Use the Kubernetes Metrics Server to activate horizontal pod autoscaling.
C.Use the Kubernetes Cluster Autoscaler to manage the number of nodes in the cluster.
D.Use Amazon API Gateway and connect it to Amazon EKS.
E.Use AWS App Mesh to observe network activity.

Answer: BC

Explanation:
 By combining the Kubernetes Cluster Autoscaler (option C) to manage the number of nodes in the cluster and
enabling horizontal pod autoscaling (option B) with the Kubernetes Metrics Server, you can achieve automatic
scaling of your EKS cluster and container applications based on workload demand. This approach minimizes
operational overhead as it leverages built-in Kubernetes functionality and automation mechanisms.

Question: 523 CertyIQ

A company runs a microservice-based serverless web application. The application must be able to retrieve data
from multiple Amazon DynamoDB tables A solutions architect needs to give the application the ability to retrieve
the data with no impact on the baseline performance of the application.

Which solution will meet these requirements in the MOST operationally efficient way?

A.AWS AppSync pipeline resolvers

B.Amazon CloudFront with [email protected] functions
C.Edge-optimized Amazon API Gateway with AWS Lambda functions
D.Amazon Athena Federated Query with a DynamoDB connector

Answer: B

Explanation:
1. By using CloudFront with [email protected], you can benefit from the distributed CDN infrastructure, reduce
the load on DynamoDB, and retrieve data with low latency. The use of caching also helps to minimize the
impact on baseline performance and improve the overall efficiency of data retrieval in your application.

Question: 524 CertyIQ

A company wants to analyze and troubleshoot Access Denied errors and Unauthorized errors that are related to
IAM permissions. The company has AWS CloudTrail turned on.

Which solution will meet these requirements with the LEAST effort?

A.Use AWS Glue and write custom scripts to query CloudTrail logs for the errors.
B.Use AWS Batch and write custom scripts to query CloudTrail logs for the errors.
C.Search CloudTrail logs with Amazon Athena queries to identify the errors.
D.Search CloudTrail logs with Amazon QuickSight. Create a dashboard to identify the errors.

Answer: C

Explanation:

"Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service
activity."https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

Question: 525 CertyIQ

A company wants to add its existing AWS usage cost to its operation cost dashboard. A solutions architect needs
to recommend a solution that will give the company access to its usage cost programmatically. The company must
be able to access cost data for the current year and forecast costs for the next 12 months.

Which solution will meet these requirements with the LEAST operational overhead?
 A.Access usage cost-related data by using the AWS Cost Explorer API with pagination.
B.Access usage cost-related data by using downloadable AWS Cost Explorer report .csv files.
C.Configure AWS Budgets actions to send usage cost data to the company through FTP.
D.Create AWS Budgets reports for usage cost data. Send the data to the company through SMTP.

Answer: A

Explanation:
1. Answer is: Asays dashboard = Cost Explorer, therefor C & D are eliminated.also says programmatically,
means non manual intervention therefor API.
2. least operational overhead = API access

Question: 526 CertyIQ

A solutions architect is reviewing the resilience of an application. The solutions architect notices that a database
administrator recently failed over the application's Amazon Aurora PostgreSQL database writer instance as part of
a scaling exercise. The failover resulted in 3 minutes of downtime for the application.

Which solution will reduce the downtime for scaling exercises with the LEAST operational overhead?

A.Create more Aurora PostgreSQL read replicas in the cluster to handle the load during failover.
B.Set up a secondary Aurora PostgreSQL cluster in the same AWS Region. During failover, update the
application to use the secondary cluster's writer endpoint.
C.Create an Amazon ElastiCache for Memcached cluster to handle the load during failover.
D.Set up an Amazon RDS proxy for the database. Update the application to use the proxy endpoint.

Answer: D

Explanation:

D is the correct answer.It is talking about the write database. Not reader.Amazon RDS proxy allows you to
automatically route write request to the healthy writer, minimizing downtime.

Question: 527 CertyIQ

A company has a regional subscription-based streaming service that runs in a single AWS Region. The architecture
consists of web servers and application servers on Amazon EC2 instances. The EC2 instances are in Auto Scaling
groups behind Elastic Load Balancers. The architecture includes an Amazon Aurora global database cluster that
extends across multiple Availability Zones.

The company wants to expand globally and to ensure that its application has minimal downtime.

Which solution will provide the MOST fault tolerance?

A.Extend the Auto Scaling groups for the web tier and the application tier to deploy instances in Availability
Zones in a second Region. Use an Aurora global database to deploy the database in the primary Region and the
second Region. Use Amazon Route 53 health checks with a failover routing policy to the second Region.
B.Deploy the web tier and the application tier to a second Region. Add an Aurora PostgreSQL cross-Region
Aurora Replica in the second Region. Use Amazon Route 53 health checks with a failover routing policy to the
second Region. Promote the secondary to primary as needed.
C.Deploy the web tier and the application tier to a second Region. Create an Aurora PostgreSQL database in the
second Region. Use AWS Database Migration Service (AWS DMS) to replicate the primary database to the
second Region. Use Amazon Route 53 health checks with a failover routing policy to the second Region.
D.Deploy the web tier and the application tier to a second Region. Use an Amazon Aurora global database to
 deploy the database in the primary Region and the second Region. Use Amazon Route 53 health checks with a
failover routing policy to the second Region. Promote the secondary to primary as needed.

Answer: D

Explanation:

B&C are discarted.The answer is between A and D. I would go with D because it explicitley created this web /
app tier in second region, instead A just autoscales into a secondary region, rather then always having
resources in this second region.

Question: 528 CertyIQ

A data analytics company wants to migrate its batch processing system to AWS. The company receives thousands
of small data files periodically during the day through FTP. An on-premises batch job processes the data files
overnight. However, the batch job takes hours to finish running.

The company wants the AWS solution to process incoming data files as soon as possible with minimal changes to
the FTP clients that send the files. The solution must delete the incoming data files after the files have been
processed successfully. Processing for each file needs to take 3-8 minutes.

Which solution will meet these requirements in the MOST operationally efficient way?

A.Use an Amazon EC2 instance that runs an FTP server to store incoming files as objects in Amazon S3 Glacier
Flexible Retrieval. Configure a job queue in AWS Batch. Use Amazon EventBridge rules to invoke the job to
process the objects nightly from S3 Glacier Flexible Retrieval. Delete the objects after the job has processed
the objects.
B.Use an Amazon EC2 instance that runs an FTP server to store incoming files on an Amazon Elastic Block
Store (Amazon EBS) volume. Configure a job queue in AWS Batch. Use Amazon EventBridge rules to invoke the
job to process the files nightly from the EBS volume. Delete the files after the job has processed the files.
C.Use AWS Transfer Family to create an FTP server to store incoming files on an Amazon Elastic Block Store
(Amazon EBS) volume. Configure a job queue in AWS Batch. Use an Amazon S3 event notification when each
file arrives to invoke the job in AWS Batch. Delete the files after the job has processed the files.
D.Use AWS Transfer Family to create an FTP server to store incoming files in Amazon S3 Standard. Create an
AWS Lambda function to process the files and to delete the files after they are processed. Use an S3 event
notification to invoke the Lambda function when the files arrive.

Answer: D

Explanation:

1. Most likely D.

2. You cannot setup AWS Transfer Family to save files into EBS.

Question: 529 CertyIQ

A company is migrating its workloads to AWS. The company has transactional and sensitive data in its databases.
The company wants to use AWS Cloud solutions to increase security and reduce operational overhead for the
databases.

Which solution will meet these requirements?

A.Migrate the databases to Amazon EC2. Use an AWS Key Management Service (AWS KMS) AWS managed key
for encryption.
B.Migrate the databases to Amazon RDS Configure encryption at rest.
 C.Migrate the data to Amazon S3 Use Amazon Macie for data security and protection
D.Migrate the database to Amazon RDS. Use Amazon CloudWatch Logs for data security and protection.

Answer: B

Explanation:
1. B for sure.First the correct is Amazon RDS, then encryption at rest makes the database secure.
2. B. Migrate the databases to Amazon RDS Configure encryption at rest.Looks like best option

Question: 530 CertyIQ

A company has an online gaming application that has TCP and UDP multiplayer gaming capabilities. The company
uses Amazon Route 53 to point the application traffic to multiple Network Load Balancers (NLBs) in different AWS
Regions. The company needs to improve application performance and decrease latency for the online game in
preparation for user growth.

Which solution will meet these requirements?

A.Add an Amazon CloudFront distribution in front of the NLBs. Increase the Cache-Control max-age parameter.
B.Replace the NLBs with Application Load Balancers (ALBs). Configure Route 53 to use latency-based routing.
C.Add AWS Global Accelerator in front of the NLBs. Configure a Global Accelerator endpoint to use the correct
listener ports.
D.Add an Amazon API Gateway endpoint behind the NLBs. Enable API caching. Override method caching for the
different stages.

Answer: C

Explanation:

only b and c handle TCP/UDP, and C comes with accelerator to enhance performance

UDP and TCP is AWS Global accelarator as it works in the Transportation layer.Now this with NLB is perfect.

Question: 531 CertyIQ

A company needs to integrate with a third-party data feed. The data feed sends a webhook to notify an external
service when new data is ready for consumption. A developer wrote an AWS Lambda function to retrieve data
when the company receives a webhook callback. The developer must make the Lambda function available for the
third party to call.

Which solution will meet these requirements with the MOST operational efficiency?

A.Create a function URL for the Lambda function. Provide the Lambda function URL to the third party for the
webhook.
B.Deploy an Application Load Balancer (ALB) in front of the Lambda function. Provide the ALB URL to the third
party for the webhook.
C.Create an Amazon Simple Notification Service (Amazon SNS) topic. Attach the topic to the Lambda function.
Provide the public hostname of the SNS topic to the third party for the webhook.
D.Create an Amazon Simple Queue Service (Amazon SQS) queue. Attach the queue to the Lambda function.
Provide the public hostname of the SQS queue to the third party for the webhook.

Answer: A

Explanation:
1. key word: Lambda function URLs
 2. https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html

Question: 532 CertyIQ

A company has a workload in an AWS Region. Customers connect to and access the workload by using an Amazon
API Gateway REST API. The company uses Amazon Route 53 as its DNS provider. The company wants to provide
individual and secure URLs for all customers.

Which combination of steps will meet these requirements with the MOST operational efficiency? (Choose three.)

A.Register the required domain in a registrar. Create a wildcard custom domain name in a Route 53 hosted zone
and record in the zone that points to the API Gateway endpoint.
B.Request a wildcard certificate that matches the domains in AWS Certificate Manager (ACM) in a different
Region.
C.Create hosted zones for each customer as required in Route 53. Create zone records that point to the API
Gateway endpoint.
D.Request a wildcard certificate that matches the custom domain name in AWS Certificate Manager (ACM) in
the same Region.
E.Create multiple API endpoints for each customer in API Gateway.
F.Create a custom domain name in API Gateway for the REST API. Import the certificate from AWS Certificate
Manager (ACM).

Answer: ADF

Explanation:

It's ADF

ADF - One to create the custom domain in Route 53 (Amazon DNS)Second to request wildcard certificate
from ADMThirds to import the certificate from ACM.

Question: 533 CertyIQ

A company stores data in Amazon S3. According to regulations, the data must not contain personally identifiable
information (PII). The company recently discovered that S3 buckets have some objects that contain PII. The
company needs to automatically detect PII in S3 buckets and to notify the company’s security team.

Which solution will meet these requirements?

A.Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData event type from Macie
findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
B.Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from
GuardDuty findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the
security team.
C.Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData:S3Object/Personal event
type from Macie findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the
security team.
D.Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from
GuardDuty findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security
team.

Answer: A

Explanation:
 B and D are discarted as Macie is to identify PII. Now that we have between A and C.SNS is more suitable for
this option as a pub/sub service, we subscribe the security team and then they will receive the notifications.

Question: 534 CertyIQ

A company wants to build a logging solution for its multiple AWS accounts. The company currently stores the logs
from all accounts in a centralized account. The company has created an Amazon S3 bucket in the centralized
account to store the VPC flow logs and AWS CloudTrail logs. All logs must be highly available for 30 days for
frequent analysis, retained for an additional 60 days for backup purposes, and deleted 90 days after creation.

Which solution will meet these requirements MOST cost-effectively?

A.Transition objects to the S3 Standard storage class 30 days after creation. Write an expiration action that
directs Amazon S3 to delete objects after 90 days.
B.Transition objects to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class 30 days after
creation. Move all objects to the S3 Glacier Flexible Retrieval storage class after 90 days. Write an expiration
action that directs Amazon S3 to delete objects after 90 days.
C.Transition objects to the S3 Glacier Flexible Retrieval storage class 30 days after creation. Write an
expiration action that directs Amazon S3 to delete objects after 90 days.
D.Transition objects to the S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class 30 days after
creation. Move all objects to the S3 Glacier Flexible Retrieval storage class after 90 days. Write an expiration
action that directs Amazon S3 to delete objects after 90 days.

Answer: C

Explanation:

C seems the most sutiable. Is the lowest cost. After 30 days is backup only, doesn't specify frequent access.
Therefor we must transition the items after 30 days to Glacier Flexible Retrieval.Also it says deletion after 90
days, so all answers specifying a transition after 90 days makes no sense.

Question: 535 CertyIQ

A company is building an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for its workloads. All secrets
that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store.

Which solution will meet these requirements?

A.Create a new AWS Key Management Service (AWS KMS) key. Use AWS Secrets Manager to manage, rotate,
and store all secrets in Amazon EKS.
B.Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption
on the Amazon EKS cluster.
C.Create the Amazon EKS cluster with default options. Use the Amazon Elastic Block Store (Amazon EBS)
Container Storage Interface (CSI) driver as an add-on.
D.Create a new AWS Key Management Service (AWS KMS) key with the alias/aws/ebs alias. Enable default
Amazon Elastic Block Store (Amazon EBS) volume encryption for the account.

Answer: B

Explanation:

It is B, because we need to encrypt inside of the EKS cluster, not outside.AWS KMS is to encrypt at rest.
Question: 536 CertyIQ
A company wants to provide data scientists with near real-time read-only access to the company's production
Amazon RDS for PostgreSQL database. The database is currently configured as a Single-AZ database. The data
scientists use complex queries that will not affect the production database. The company needs a solution that is
highly available.

Which solution will meet these requirements MOST cost-effectively?

A.Scale the existing production database in a maintenance window to provide enough power for the data
scientists.
B.Change the setup from a Single-AZ to a Multi-AZ instance deployment with a larger secondary standby
instance. Provide the data scientists access to the secondary instance.
C.Change the setup from a Single-AZ to a Multi-AZ instance deployment. Provide two additional read replicas
for the data scientists.
D.Change the setup from a Single-AZ to a Multi-AZ cluster deployment with two readable standby instances.
Provide read endpoints to the data scientists.

Answer: C

Explanation:

C.The question says highly available therefor Multi Az deployment.Also mentions cost consideration. database
instance is cheaper then cluster (D).Also read replicas is a must since the queries are complex and can slow
down the database (question has not complex queries but is a mistake must have been complex queries)

Question: 537 CertyIQ

A company runs a three-tier web application in the AWS Cloud that operates across three Availability Zones. The
application architecture has an Application Load Balancer, an Amazon EC2 web server that hosts user session
states, and a MySQL database that runs on an EC2 instance. The company expects sudden increases in application
traffic. The company wants to be able to scale to meet future application capacity demands and to ensure high
availability across all three Availability Zones.

Which solution will meet these requirements?

A.Migrate the MySQL database to Amazon RDS for MySQL with a Multi-AZ DB cluster deployment. Use Amazon
ElastiCache for Redis with high availability to store session data and to cache reads. Migrate the web server to
an Auto Scaling group that is in three Availability Zones.
B.Migrate the MySQL database to Amazon RDS for MySQL with a Multi-AZ DB cluster deployment. Use Amazon
ElastiCache for Memcached with high availability to store session data and to cache reads. Migrate the web
server to an Auto Scaling group that is in three Availability Zones.
C.Migrate the MySQL database to Amazon DynamoDB Use DynamoDB Accelerator (DAX) to cache reads. Store
the session data in DynamoDB. Migrate the web server to an Auto Scaling group that is in three Availability
Zones.
D.Migrate the MySQL database to Amazon RDS for MySQL in a single Availability Zone. Use Amazon
ElastiCache for Redis with high availability to store session data and to cache reads. Migrate the web server to
an Auto Scaling group that is in three Availability Zones.

Answer: A

Explanation:

Memcached is best suited for caching data, while Redis is better for storing data that needs to be persisted. If
you need to store data that needs to be accessed frequently, such as user profiles, session data, and
application settings, then Redis is the better choice
Question: 538 CertyIQ
A global video streaming company uses Amazon CloudFront as a content distribution network (CDN). The company
wants to roll out content in a phased manner across multiple countries. The company needs to ensure that viewers
who are outside the countries to which the company rolls out content are not able to view the content.

Which solution will meet these requirements?

A.Add geographic restrictions to the content in CloudFront by using an allow list. Set up a custom error
message.
B.Set up a new URL tor restricted content. Authorize access by using a signed URL and cookies. Set up a
custom error message.
C.Encrypt the data for the content that the company distributes. Set up a custom error message.
D.Create a new URL for restricted content. Set up a time-restricted access policy for signed URLs.

Answer: A

Explanation:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html

Question: 539 CertyIQ

A company wants to use the AWS Cloud to improve its on-premises disaster recovery (DR) configuration. The
company's core production business application uses Microsoft SQL Server Standard, which runs on a virtual
machine (VM). The application has a recovery point objective (RPO) of 30 seconds or fewer and a recovery time
objective (RTO) of 60 minutes. The DR solution needs to minimize costs wherever possible.

Which solution will meet these requirements?

A.Configure a multi-site active/active setup between the on-premises server and AWS by using Microsoft SQL
Server Enterprise with Always On availability groups.
B.Configure a warm standby Amazon RDS for SQL Server database on AWS. Configure AWS Database
Migration Service (AWS DMS) to use change data capture (CDC).
C.Use AWS Elastic Disaster Recovery configured to replicate disk changes to AWS as a pilot light.
D.Use third-party backup software to capture backups every night. Store a secondary set of backups in Amazon
S3.

Answer: B

Explanation:

Keyword: change data capture (CDC).

B is the correct one.C and D are discarted as makes no sense.Between A and B is because B is RDS which is a
manged service, we can use even to pay only for used resources when needed. Leveraging AWS DMS it
replicates / syncs the data.

Question: 540 CertyIQ

A company has an on-premises server that uses an Oracle database to process and store customer information.
The company wants to use an AWS database service to achieve higher availability and to improve application
performance. The company also wants to offload reporting from its primary database system.
Which solution will meet these requirements in the MOST operationally efficient way?

A.Use AWS Database Migration Service (AWS DMS) to create an Amazon RDS DB instance in multiple AWS
Regions. Point the reporting functions toward a separate DB instance from the primary DB instance.
B.Use Amazon RDS in a Single-AZ deployment to create an Oracle database. Create a read replica in the same
zone as the primary DB instance. Direct the reporting functions to the read replica.
C.Use Amazon RDS deployed in a Multi-AZ cluster deployment to create an Oracle database. Direct the
reporting functions to use the reader instance in the cluster deployment.
D.Use Amazon RDS deployed in a Multi-AZ instance deployment to create an Amazon Aurora database. Direct
the reporting functions to the reader instances.

Answer: C

Explanation:

C. Use Amazon RDS deployed in a Multi-AZ cluster deployment to create an Oracle database. Direct the
reporting functions to use the reader instance in the cluster deployment.A and B discarted. The answer is
between C and DD says use an Amazon RDS to build an Amazon Aurora, makes no sense.C is the correct one,
high availability in multi az deployment.Also point the reporting to the reader replica.

Question: 541 CertyIQ

A company wants to build a web application on AWS. Client access requests to the website are not predictable and
can be idle for a long time. Only customers who have paid a subscription fee can have the ability to sign in and use
the web application.

Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)

A.Create an AWS Lambda function to retrieve user information from Amazon DynamoDB. Create an Amazon API
Gateway endpoint to accept RESTful APIs. Send the API calls to the Lambda function.
B.Create an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer to
retrieve user information from Amazon RDS. Create an Amazon API Gateway endpoint to accept RESTful APIs.
Send the API calls to the Lambda function.
C.Create an Amazon Cognito user pool to authenticate users.
D.Create an Amazon Cognito identity pool to authenticate users.
E.Use AWS Amplify to serve the frontend web content with HTML, CSS, and JS. Use an integrated Amazon
CloudFront configuration.
F.Use Amazon S3 static web hosting with PHP, CSS, and JS. Use Amazon CloudFront to serve the frontend web
content.

Answer: ACE

Explanation:

Option B (Amazon ECS) is not the best option since the website "can be idle for a long time", so Lambda
(Option A) is a more cost-effective choice.Option D is incorrect because User pools are for authentication
(identity verification) while Identity pools are for authorization (access control). Option F is wrong because S3
web hosting only supports static web files like HTML/CSS, and does not support PHP or JavaScript.

Question: 542 CertyIQ

A media company uses an Amazon CloudFront distribution to deliver content over the internet. The company wants
only premium customers to have access to the media streams and file content. The company stores all content in
an Amazon S3 bucket. The company also delivers content on demand to customers for a specific purpose, such as
movie rentals or music downloads.

Which solution will meet these requirements?

A.Generate and provide S3 signed cookies to premium customers.

B.Generate and provide CloudFront signed URLs to premium customers.
C.Use origin access control (OAC) to limit the access of non-premium customers.
D.Generate and activate field-level encryption to block non-premium customers.

Answer: B

Explanation:

Signed URLshttps://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

Question: 543 CertyIQ

A company runs Amazon EC2 instances in multiple AWS accounts that are individually bled. The company recently
purchased a Savings Pian. Because of changes in the company’s business requirements, the company has
decommissioned a large number of EC2 instances. The company wants to use its Savings Plan discounts on its
other AWS accounts.

Which combination of steps will meet these requirements? (Choose two.)

A.From the AWS Account Management Console of the management account, turn on discount sharing from the
billing preferences section.
B.From the AWS Account Management Console of the account that purchased the existing Savings Plan, turn
on discount sharing from the billing preferences section. Include all accounts.
C.From the AWS Organizations management account, use AWS Resource Access Manager (AWS RAM) to share
the Savings Plan with other accounts.
D.Create an organization in AWS Organizations in a new payer account. Invite the other AWS accounts to join
the organization from the management account.
E.Create an organization in AWS Organizations in the existing AWS account with the existing EC2 instances and
Savings Plan. Invite the other AWS accounts to join the organization from the management account.

Answer: AE

Explanation:

From the AWS Account Management Console of the management account, turn on discount sharing from the
billing preferences section.

.From the AWS Organizations management account, use AWS Resource Access Manager (AWS RAM) to share
the Savings Plan with other accounts.

Question: 544 CertyIQ

A retail company uses a regional Amazon API Gateway API for its public REST APIs. The API Gateway endpoint is a
custom domain name that points to an Amazon Route 53 alias record. A solutions architect needs to create a
solution that has minimal effects on customers and minimal data loss to release the new version of APIs.

Which solution will meet these requirements?

 A.Create a canary release deployment stage for API Gateway. Deploy the latest API version. Point an
appropriate percentage of traffic to the canary stage. After API verification, promote the canary stage to the
production stage.
B.Create a new API Gateway endpoint with a new version of the API in OpenAPI YAML file format. Use the
import-to-update operation in merge mode into the API in API Gateway. Deploy the new version of the API to
the production stage.
C.Create a new API Gateway endpoint with a new version of the API in OpenAPI JSON file format. Use the
import-to-update operation in overwrite mode into the API in API Gateway. Deploy the new version of the API to
the production stage.
D.Create a new API Gateway endpoint with new versions of the API definitions. Create a custom domain name
for the new API Gateway API. Point the Route 53 alias record to the new API Gateway API custom domain name.

Answer: A

Explanation:

A. Create a canary release deployment stage for API Gateway. Deploy the latest API version. Point an
appropriate percentage of traffic to the canary stage. After API verification, promote the canary stage to the
production stage.Canary release meaning only certain percentage of the users.

Question: 545 CertyIQ

A company wants to direct its users to a backup static error page if the company's primary website is unavailable.
The primary website's DNS records are hosted in Amazon Route 53. The domain is pointing to an Application Load
Balancer (ALB). The company needs a solution that minimizes changes and infrastructure overhead.

Which solution will meet these requirements?

A.Update the Route 53 records to use a latency routing policy. Add a static error page that is hosted in an
Amazon S3 bucket to the records so that the traffic is sent to the most responsive endpoints.
B.Set up a Route 53 active-passive failover configuration. Direct traffic to a static error page that is hosted in
an Amazon S3 bucket when Route 53 health checks determine that the ALB endpoint is unhealthy.
C.Set up a Route 53 active-active configuration with the ALB and an Amazon EC2 instance that hosts a static
error page as endpoints. Configure Route 53 to send requests to the instance only if the health checks fail for
the ALB.
D.Update the Route 53 records to use a multivalue answer routing policy. Create a health check. Direct traffic
to the website if the health check passes. Direct traffic to a static error page that is hosted in Amazon S3 if the
health check does not pass.

Answer: B

Explanation:

B is correct..https://repost.aws/knowledge-center/fail-over-s3-r53

Question: 546 CertyIQ

A recent analysis of a company's IT expenses highlights the need to reduce backup costs. The company's chief
information officer wants to simplify the on-premises backup infrastructure and reduce costs by eliminating the
use of physical backup tapes. The company must preserve the existing investment in the on-premises backup
applications and workflows.

What should a solutions architect recommend?

A.Set up AWS Storage Gateway to connect with the backup applications using the NFS interface.
 B.Set up an Amazon EFS file system that connects with the backup applications using the NFS interface.
C.Set up an Amazon EFS file system that connects with the backup applications using the iSCSI interface.
D.Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library
(VTL) interface.

Answer: D

Explanation:

https://aws.amazon.com/storagegateway/vtl/?nc1=h_ls

Question: 547 CertyIQ

A company has data collection sensors at different locations. The data collection sensors stream a high volume of
data to the company. The company wants to design a platform on AWS to ingest and process high-volume
streaming data. The solution must be scalable and support data collection in near real time. The company must
store the data in Amazon S3 for future reporting.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use Amazon Kinesis Data Firehose to deliver streaming data to Amazon S3.
B.Use AWS Glue to deliver streaming data to Amazon S3.
C.Use AWS Lambda to deliver streaming data and store the data to Amazon S3.
D.Use AWS Database Migration Service (AWS DMS) to deliver streaming data to Amazon S3.

Answer: A

Explanation:

Data collection in near real time = Amazon Kinesis Data Firehose

Question: 548 CertyIQ

A company has separate AWS accounts for its finance, data analytics, and development departments. Because of
costs and security concerns, the company wants to control which services each AWS account can use.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use AWS Systems Manager templates to control which AWS services each department can use.
B.Create organization units (OUs) for each department in AWS Organizations. Attach service control policies
(SCPs) to the OUs.
C.Use AWS CloudFormation to automatically provision only the AWS services that each department can use.
D.Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the usage of
specific AWS services.

Answer: B

Explanation:

To control different AWS account you required AWS Organisation

Question: 549 CertyIQ
A company has created a multi-tier application for its ecommerce website. The website uses an Application Load
Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL cluster hosted on
Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve product catalog and pricing
information that is hosted on the internet by a third-party provider. A solutions architect must devise a strategy
that maximizes security without increasing operational overhead.

What should the solutions architect do to meet these requirements?

A.Deploy a NAT instance in the VPC. Route all the internet-based traffic through the NAT instance.
B.Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all internet-
bound traffic to the NAT gateway.
C.Configure an internet gateway and attach it to the VPModify the private subnet route table to direct internet-
bound traffic to the internet gateway.
D.Configure a virtual private gateway and attach it to the VPC. Modify the private subnet route table to direct
internet-bound traffic to the virtual private gateway.

Answer: B

Explanation:

NAT Gateway is safe

Question: 550 CertyIQ

A company is using AWS Key Management Service (AWS KMS) keys to encrypt AWS Lambda environment
variables. A solutions architect needs to ensure that the required permissions are in place to decrypt and use the
environment variables.

Which steps must the solutions architect take to implement the correct permissions? (Choose two.)

A.Add AWS KMS permissions in the Lambda resource policy.

B.Add AWS KMS permissions in the Lambda execution role.
C.Add AWS KMS permissions in the Lambda function policy.
D.Allow the Lambda execution role in the AWS KMS key policy.
E.Allow the Lambda resource policy in the AWS KMS key policy.

Answer: BD

Explanation:

B. Add AWS KMS permissions in the Lambda execution role.

D. Allow the Lambda execution role in the AWS KMS key policy.

Question: 551 CertyIQ

A company has a financial application that produces reports. The reports average 50 KB in size and are stored in
Amazon S3. The reports are frequently accessed during the first week after production and must be stored for
several years. The reports must be retrievable within 6 hours.

Which solution meets these requirements MOST cost-effectively?

A.Use S3 Standard. Use an S3 Lifecycle rule to transition the reports to S3 Glacier after 7 days.
 B.Use S3 Standard. Use an S3 Lifecycle rule to transition the reports to S3 Standard-Infrequent Access (S3
Standard-IA) after 7 days.
C.Use S3 Intelligent-Tiering. Configure S3 Intelligent-Tiering to transition the reports to S3 Standard-
Infrequent Access (S3 Standard-IA) and S3 Glacier.
D.Use S3 Standard. Use an S3 Lifecycle rule to transition the reports to S3 Glacier Deep Archive after 7 days.

Answer: A

Explanation:

For me its A because S3 glacier Flexible retrieval standard can retrieve files in 3 to 5 hours D is incorrect
because S3 glacier deep archive needs 12 hours minimum to retrieve files B and C are more expensive
comparing to A and D

Question: 552 CertyIQ

A company needs to optimize the cost of its Amazon EC2 instances. The company also needs to change the type
and family of its EC2 instances every 2-3 months.

What should the company do to meet these requirements?

A.Purchase Partial Upfront Reserved Instances for a 3-year term.

B.Purchase a No Upfront Compute Savings Plan for a 1-year term.
C.Purchase All Upfront Reserved Instances for a 1-year term.
D.Purchase an All Upfront EC2 Instance Savings Plan for a 1-year term.

Answer: B

Explanation:
1. The key considerations are:The company needs flexibility to change EC2 instance types and families every
2-3 months. This rules out Reserved Instances which lock you into an instance type and family for 1-3 years.A
Compute Savings Plan allows switching instance types and families freely within the term as needed. No
Upfront is more flexible than All Upfront.A 1-year term balances commitment and flexibility better than a 3-
year term given the company's changing needs.With No Upfront, the company only pays for usage monthly
without an upfront payment. This optimizes cost.
2. " needs to change the type and family of its EC2 instances". that means B I think.

Question: 553 CertyIQ

A solutions architect needs to review a company's Amazon S3 buckets to discover personally identifiable
information (PII). The company stores the PII data in the us-east-1 Region and us-west-2 Region.

Which solution will meet these requirements with the LEAST operational overhead?

A.Configure Amazon Macie in each Region. Create a job to analyze the data that is in Amazon S3.
B.Configure AWS Security Hub for all Regions. Create an AWS Config rule to analyze the data that is in Amazon
S3.
C.Configure Amazon Inspector to analyze the data that is in Amazon S3.
D.Configure Amazon GuardDuty to analyze the data that is in Amazon S3.

Answer: A
 Explanation:

AWS Macie = PII detection

Question: 554 CertyIQ

A company's SAP application has a backend SQL Server database in an on-premises environment. The company
wants to migrate its on-premises application and database server to AWS. The company needs an instance type
that meets the high demands of its SAP database. On-premises performance data shows that both the SAP
application and the database have high memory utilization.

Which solution will meet these requirements?

A.Use the compute optimized instance family for the application. Use the memory optimized instance family for
the database.
B.Use the storage optimized instance family for both the application and the database.
C.Use the memory optimized instance family for both the application and the database.
D.Use the high performance computing (HPC) optimized instance family for the application. Use the memory
optimized instance family for the database.

Answer: C

Explanation:

Use the memory optimized instance family for both the application and the database.

Question: 555 CertyIQ

A company runs an application in a VPC with public and private subnets. The VPC extends across multiple
Availability Zones. The application runs on Amazon EC2 instances in private subnets. The application uses an
Amazon Simple Queue Service (Amazon SQS) queue.

A solutions architect needs to design a secure solution to establish a connection between the EC2 instances and
the SQS queue.

Which solution will meet these requirements?

A.Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the private subnets.
Add to the endpoint a security group that has an inbound access rule that allows traffic from the EC2 instances
that are in the private subnets.
B.Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the public subnets.
Attach to the interface endpoint a VPC endpoint policy that allows access from the EC2 instances that are in
the private subnets.
C.Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the public subnets.
Attach an Amazon SQS access policy to the interface VPC endpoint that allows requests from only a specified
VPC endpoint.
D.Implement a gateway endpoint for Amazon SQS. Add a NAT gateway to the private subnets. Attach an IAM
role to the EC2 instances that allows access to the SQS queue.

Answer: A

Explanation:

A is correct .B,C: 'Configuring endpoints to use public subnets' --> Invalid D: No Gateway Endpoint for SQS.
Question: 556 CertyIQ
A solutions architect is using an AWS CloudFormation template to deploy a three-tier web application. The web
application consists of a web tier and an application tier that stores and retrieves user data in Amazon DynamoDB
tables. The web and application tiers are hosted on Amazon EC2 instances, and the database tier is not publicly
accessible. The application EC2 instances need to access the DynamoDB tables without exposing API credentials
in the template.

What should the solutions architect do to meet these requirements?

A.Create an IAM role to read the DynamoDB tables. Associate the role with the application instances by
referencing an instance profile.
B.Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the
role to the EC2 instance profile, and associate the instance profile with the application instances.
C.Use the parameter section in the AWS CloudFormation template to have the user input access and secret
keys from an already-created IAM user that has the required permissions to read and write from the DynamoDB
tables.
D.Create an IAM user in the AWS CloudFormation template that has the required permissions to read and write
from the DynamoDB tables. Use the GetAtt function to retrieve the access and secret keys, and pass them to
the application instances through the user data.

Answer: B

Explanation:

Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the
role to the EC2 instance profile, and associate the instance profile with the application instances.

Question: 557 CertyIQ

A solutions architect manages an analytics application. The application stores large amounts of semistructured
data in an Amazon S3 bucket. The solutions architect wants to use parallel data processing to process the data
more quickly. The solutions architect also wants to use information that is stored in an Amazon Redshift database
to enrich the data.

Which solution will meet these requirements?

A.Use Amazon Athena to process the S3 data. Use AWS Glue with the Amazon Redshift data to enrich the S3
data.
B.Use Amazon EMR to process the S3 data. Use Amazon EMR with the Amazon Redshift data to enrich the S3
data.
C.Use Amazon EMR to process the S3 data. Use Amazon Kinesis Data Streams to move the S3 data into
Amazon Redshift so that the data can be enriched.
D.Use AWS Glue to process the S3 data. Use AWS Lake Formation with the Amazon Redshift data to enrich the
S3 data.

Answer: A

Explanation:

https://aws.amazon.com/blogs/architecture/reduce-archive-cost-with-serverless-data-archiving/

Question: 558 CertyIQ

A company has two VPCs that are located in the us-west-2 Region within the same AWS account. The company
needs to allow network traffic between these VPCs. Approximately 500 GB of data transfer will occur between the
VPCs each month.

What is the MOST cost-effective solution to connect these VPCs?

A.Implement AWS Transit Gateway to connect the VPCs. Update the route tables of each VPC to use the transit
gateway for inter-VPC communication.
B.Implement an AWS Site-to-Site VPN tunnel between the VPCs. Update the route tables of each VPC to use
the VPN tunnel for inter-VPC communication.
C.Set up a VPC peering connection between the VPCs. Update the route tables of each VPC to use the VPC
peering connection for inter-VPC communication.
D.Set up a 1 GB AWS Direct Connect connection between the VPCs. Update the route tables of each VPC to use
the Direct Connect connection for inter-VPC communication.

Answer: C

Explanation:

C is the correct answer. VPC peering is the most cost-effective way to connect two VPCs within the same
region and AWS account. There are no additional charges for VPC peering beyond standard data transfer
rates. Transit Gateway and VPN add additional hourly and data processing charges that are not necessary for
simple VPC peering. Direct Connect provides dedicated network connectivity, but is overkill for the relatively
low inter-VPC data transfer needs described here. It has high fixed costs plus data transfer rates .For
occasional inter-VPC communication of moderate data volumes within the same region and account, VPC
peering is the most cost-effective solution. It provides simple private connectivity without transfer charges or
network appliances.

Question: 559 CertyIQ

A company hosts multiple applications on AWS for different product lines. The applications use different compute
resources, including Amazon EC2 instances and Application Load Balancers. The applications run in different AWS
accounts under the same organization in AWS Organizations across multiple AWS Regions. Teams for each
product line have tagged each compute resource in the individual accounts.

The company wants more details about the cost for each product line from the consolidated billing feature in
Organizations.

Which combination of steps will meet these requirements? (Choose two.)

A.Select a specific AWS generated tag in the AWS Billing console.

B.Select a specific user-defined tag in the AWS Billing console.
C.Select a specific user-defined tag in the AWS Resource Groups console.
D.Activate the selected tag from each AWS account.
E.Activate the selected tag from the Organizations management account.

Answer: BE

Explanation:

"Only a management account in an organization and single accounts that aren't members of an organization
have access to the cost allocation tags manager in the Billing and Cost Management console.

"https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/custom-tags.html
Question: 560 CertyIQ
A company's solutions architect is designing an AWS multi-account solution that uses AWS Organizations. The
solutions architect has organized the company's accounts into organizational units (OUs).

The solutions architect needs a solution that will identify any changes to the OU hierarchy. The solution also needs
to notify the company's operations team of any changes.

Which solution will meet these requirements with the LEAST operational overhead?

A.Provision the AWS accounts by using AWS Control Tower. Use account drift notifications to identify the
changes to the OU hierarchy.
B.Provision the AWS accounts by using AWS Control Tower. Use AWS Config aggregated rules to identify the
changes to the OU hierarchy.
C.Use AWS Service Catalog to create accounts in Organizations. Use an AWS CloudTrail organization trail to
identify the changes to the OU hierarchy.
D.Use AWS CloudFormation templates to create accounts in Organizations. Use the drift detection operation on
a stack to identify the changes to the OU hierarchy.

Answer: A

Explanation:

The key advantages you highlight of Control Tower are convincing:Fully managed service simplifies multi-
account setup.Built-in account drift notifications detect OU changes automatically.More scalable and less
complex than Config rules or CloudTrail.Better security and compliance guardrails than custom options.Lower
operational overhead compared to other solution

Question: 561 CertyIQ

A company's website handles millions of requests each day, and the number of requests continues to increase. A
solutions architect needs to improve the response time of the web application. The solutions architect determines
that the application needs to decrease latency when retrieving product details from the Amazon DynamoDB table.

Which solution will meet these requirements with the LEAST amount of operational overhead?

A.Set up a DynamoDB Accelerator (DAX) cluster. Route all read requests through DAX.
B.Set up Amazon ElastiCache for Redis between the DynamoDB table and the web application. Route all read
requests through Redis.
C.Set up Amazon ElastiCache for Memcached between the DynamoDB table and the web application. Route all
read requests through Memcached.
D.Set up Amazon DynamoDB Streams on the table, and have AWS Lambda read from the table and populate
Amazon ElastiCache. Route all read requests through ElastiCache.

Answer: A

Explanation:

A , because B,C and D contains Elastic ache which required a heavy code changes, so more operational
overhead

Question: 562 CertyIQ

A solutions architect needs to ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do
not travel across the internet.

Which combination of steps should the solutions architect take to meet this requirement? (Choose two.)

A.Create a route table entry for the endpoint.

B.Create a gateway endpoint for DynamoDB.
C.Create an interface endpoint for Amazon EC2.
D.Create an elastic network interface for the endpoint in each of the subnets of the VPC.
E.Create a security group entry in the endpoint's security group to provide access.

Answer: AB

Explanation:

You can access Amazon DynamoDB from your VPC using gateway VPC endpoints. After you create the
gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to
DynamoDB.

Question: 563 CertyIQ

A company runs its applications on both Amazon Elastic Kubernetes Service (Amazon EKS) clusters and on-
premises Kubernetes clusters. The company wants to view all clusters and workloads from a central location.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use Amazon CloudWatch Container Insights to collect and group the cluster information.
B.Use Amazon EKS Connector to register and connect all Kubernetes clusters.
C.Use AWS Systems Manager to collect and view the cluster information.
D.Use Amazon EKS Anywhere as the primary cluster to view the other clusters with native Kubernetes
commands.

Answer: B

Explanation:

You can use Amazon EKS Connector to register and connect any conformant Kubernetes cluster to AWS and
visualize it in the Amazon EKS console. After a cluster is connected, you can see the status, configuration, and
workloads for that cluster in the Amazon EKS console. You can use this feature to view connected clusters in
Amazon EKS console, but you can't manage them

Question: 564 CertyIQ

A company is building an ecommerce application and needs to store sensitive customer information. The company
needs to give customers the ability to complete purchase transactions on the website. The company also needs to
ensure that sensitive customer data is protected, even from database administrators.

Which solution meets these requirements?

A.Store sensitive data in an Amazon Elastic Block Store (Amazon EBS) volume. Use EBS encryption to encrypt
the data. Use an IAM instance role to restrict access.
B.Store sensitive data in Amazon RDS for MySQL. Use AWS Key Management Service (AWS KMS) client-side
encryption to encrypt the data.
C.Store sensitive data in Amazon S3. Use AWS Key Management Service (AWS KMS) server-side encryption to
 encrypt the data. Use S3 bucket policies to restrict access.
D.Store sensitive data in Amazon FSx for Windows Server. Mount the file share on application servers. Use
Windows file permissions to restrict access.

Answer: B

Explanation:

Using client-side encryption we can protect specific fields and guarantee only decryption if the client has
access to an API key, we can protect specific fields even from database admins.

Question: 565 CertyIQ

A company has an on-premises MySQL database that handles transactional data. The company is migrating the
database to the AWS Cloud. The migrated database must maintain compatibility with the company's applications
that use the database. The migrated database also must scale automatically during periods of increased demand.

Which migration solution will meet these requirements?

A.Use native MySQL tools to migrate the database to Amazon RDS for MySQL. Configure elastic storage
scaling.
B.Migrate the database to Amazon Redshift by using the mysqldump utility. Turn on Auto Scaling for the
Amazon Redshift cluster.
C.Use AWS Database Migration Service (AWS DMS) to migrate the database to Amazon Aurora. Turn on Aurora
Auto Scaling.
D.Use AWS Database Migration Service (AWS DMS) to migrate the database to Amazon DynamoDB. Configure
an Auto Scaling policy.

Answer: C

Explanation:

C is correct A is incorrect. RDS for MySQL does not scale automatically during periods of increased demand. B
is incorrect. Redshift is used for data sharing purposes. D is incorrect. you muse change application codes.

Question: 566 CertyIQ

A company runs multiple Amazon EC2 Linux instances in a VPC across two Availability Zones. The instances host
applications that use a hierarchical directory structure. The applications need to read and write rapidly and
concurrently to shared storage.

What should a solutions architect do to meet these requirements?

A.Create an Amazon S3 bucket. Allow access from all the EC2 instances in the VPC.
B.Create an Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system from each EC2
instance.
C.Create a file system on a Provisioned IOPS SSD (io2) Amazon Elastic Block Store (Amazon EBS) volume.
Attach the EBS volume to all the EC2 instances.
D.Create file systems on Amazon Elastic Block Store (Amazon EBS) volumes that are attached to each EC2
instance. Synchronize the EBS volumes across the different EC2 instances.

Answer: B

Explanation:
 1. The key reasons:EFS provides a scalable, high performance NFS file system that can be concurrently
accessed from multiple EC2 instances.It supports the hierarchical directory structure needed by the
applications.EFS is elastic, growing and shrinking automatically as needed.It can be accessed from instances
across AZs, meeting the shared storage requirement.S3 object storage (option A) lacks the file system
semantics needed by the apps.EBS volumes (options C and D) are attached to a single instance and would
require replication and syncing to share across instances.EFS is purpose-built for this use case of a shared file
system across Linux instances and aligns best with the performance, concurrency, and availability needs.
2. Going with b

Question: 567 CertyIQ

A solutions architect is designing a workload that will store hourly energy consumption by business tenants in a
building. The sensors will feed a database through HTTP requests that will add up usage for each tenant. The
solutions architect must use managed services when possible. The workload will receive more features in the
future as the solutions architect adds independent components.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use Amazon API Gateway with AWS Lambda functions to receive the data from the sensors, process the data,
and store the data in an Amazon DynamoDB table.
B.Use an Elastic Load Balancer that is supported by an Auto Scaling group of Amazon EC2 instances to receive
and process the data from the sensors. Use an Amazon S3 bucket to store the processed data.
C.Use Amazon API Gateway with AWS Lambda functions to receive the data from the sensors, process the data,
and store the data in a Microsoft SQL Server Express database on an Amazon EC2 instance.
D.Use an Elastic Load Balancer that is supported by an Auto Scaling group of Amazon EC2 instances to receive
and process the data from the sensors. Use an Amazon Elastic File System (Amazon EFS) shared file system to
store the processed data.

Answer: A

Explanation:

The key reasons are: ° API Gateway removes the need to manage servers to receive the HTTP requests from
sensors ° Lambda functions provide a serverless compute layer to process data as needed ° DynamoDB is a
fully managed NoSQL database that scales automatically ° This serverless architecture has minimal
operational overhead to manage ° Options B, C, and D all require managing EC2 instances which increases ops
workload ° Option C also adds SQL Server admin tasks and licensing costs ° Option D uses EFS file storage
which requires capacity planning and management

Question: 568 CertyIQ

A solutions architect is designing the storage architecture for a new web application used for storing and viewing
engineering drawings. All application components will be deployed on the AWS infrastructure.

The application design must support caching to minimize the amount of time that users wait for the engineering
drawings to load. The application must be able to store petabytes of data.

Which combination of storage and caching should the solutions architect use?

A.Amazon S3 with Amazon CloudFront

B.Amazon S3 Glacier with Amazon ElastiCache
C.Amazon Elastic Block Store (Amazon EBS) volumes with Amazon CloudFront
D.AWS Storage Gateway with Amazon ElastiCache
 Answer: A

Explanation:

The answer seems A: B : Glacier for archiving C : i don t think EBS scale to petabytes (I am not sure about
that)D : it incorrect because All application components will be deployed on the AWS infrastructure

Question: 569 CertyIQ

An Amazon EventBridge rule targets a third-party API. The third-party API has not received any incoming traffic. A
solutions architect needs to determine whether the rule conditions are being met and if the rule's target is being
invoked.

Which solution will meet these requirements?

A.Check for metrics in Amazon CloudWatch in the namespace for AWS/Events.

B.Review events in the Amazon Simple Queue Service (Amazon SQS) dead-letter queue.
C.Check for the events in Amazon CloudWatch Logs.
D.Check the trails in AWS CloudTrail for the EventBridge events.

Answer: A

Explanation:

Option A is the most appropriate solution because Amazon Event Bridge publishes metrics to Amazon
CloudWatch. You can find relevant metrics in the "AWS/Events" namespace, which allows you to monitor the
number of events matched by the rule and the number of invocations to the rule's target.

Question: 570 CertyIQ

A company has a large workload that runs every Friday evening. The workload runs on Amazon EC2 instances that
are in two Availability Zones in the us-east-1 Region. Normally, the company must run no more than two instances
at all times. However, the company wants to scale up to six instances each Friday to handle a regularly repeating
increased workload.

Which solution will meet these requirements with the LEAST operational overhead?

A.Create a reminder in Amazon EventBridge to scale the instances.

B.Create an Auto Scaling group that has a scheduled action.
C.Create an Auto Scaling group that uses manual scaling.
D.Create an Auto Scaling group that uses automatic scaling.

Answer: B

Explanation:
1. The key reasons:Auto Scaling scheduled actions allow defining specific dates/times to scale out or in. This
can be used to scale to 6 instances every Friday evening automatically.Scheduled scaling removes the need
for manual intervention to scale up/down for the workload.EventBridge reminders and manual scaling require
human involvement each week adding overhead.Automatic scaling responds to demand and may not align
perfectly to scale out every Friday without additional tuning.Scheduled Auto Scaling actions provide the
automation needed to scale for the weekly workload without ongoing operational overhead.
2. Predicted period.. So schedule the instance
Question: 571 CertyIQ
A company is creating a REST API. The company has strict requirements for the use of TLS. The company requires
TLSv1.3 on the API endpoints. The company also requires a specific public third-party certificate authority (CA) to
sign the TLS certificate.

Which solution will meet these requirements?

A.Use a local machine to create a certificate that is signed by the third-party CImport the certificate into AWS
Certificate Manager (ACM). Create an HTTP API in Amazon API Gateway with a custom domain. Configure the
custom domain to use the certificate.
B.Create a certificate in AWS Certificate Manager (ACM) that is signed by the third-party CA. Create an HTTP
API in Amazon API Gateway with a custom domain. Configure the custom domain to use the certificate.
C.Use AWS Certificate Manager (ACM) to create a certificate that is signed by the third-party CA. Import the
certificate into AWS Certificate Manager (ACM). Create an AWS Lambda function with a Lambda function URL.
Configure the Lambda function URL to use the certificate.
D.Create a certificate in AWS Certificate Manager (ACM) that is signed by the third-party CA. Create an AWS
Lambda function with a Lambda function URL. Configure the Lambda function URL to use the certificate.

Answer: B

Explanation:

AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy SSL/TLS
certificates for use with AWS services and your internal resources. By creating a certificate in ACM that is
signed by the third-party CA, the company can meet its requirement for a specific public third-party CA to
sign the TLS certificate.

Question: 572 CertyIQ

A company runs an application on AWS. The application receives inconsistent amounts of usage. The application
uses AWS Direct Connect to connect to an on-premises MySQL-compatible database. The on-premises database
consistently uses a minimum of 2 GiB of memory.

The company wants to migrate the on-premises database to a managed AWS service. The company wants to use
auto scaling capabilities to manage unexpected workload increases.

Which solution will meet these requirements with the LEAST administrative overhead?

A.Provision an Amazon DynamoDB database with default read and write capacity settings.
B.Provision an Amazon Aurora database with a minimum capacity of 1 Aurora capacity unit (ACU).
C.Provision an Amazon Aurora Serverless v2 database with a minimum capacity of 1 Aurora capacity unit (ACU).
D.Provision an Amazon RDS for MySQL database with 2 GiB of memory.

Answer: C

Explanation:

C seems to be the right answer Instead of provisioning and managing database servers, you specify Aurora
capacity units (ACUs). Each ACU is a combination of approximately 2 gigabytes (GB) of memory,
corresponding CPU, and networking. Database storage automatically scales from 10 gibibytes (GiB) to 128
tebibytes (TiB), the same as storage in a standard Aurora DB
clusterhttps://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v1.how-it-
works.htmlhttps://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.html
Question: 573 CertyIQ
A company wants to use an event-driven programming model with AWS Lambda. The company wants to reduce
startup latency for Lambda functions that run on Java 11. The company does not have strict latency requirements
for the applications. The company wants to reduce cold starts and outlier latencies when a function scales up.

Which solution will meet these requirements MOST cost-effectively?

A.Configure Lambda provisioned concurrency.

B.Increase the timeout of the Lambda functions.
C.Increase the memory of the Lambda functions.
D.Configure Lambda SnapStart.

Answer: D

Explanation:
1. https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html
2. D is correctLambda SnapStart for Java can improve startup performance for latency-sensitive applications
by up to 10x at no extra cost, typically with no changes to your function code. The largest contributor to
startup latency (often referred to as cold start time) is the time that Lambda spends initializing the function,
which includes loading the function's code, starting the runtime, and initializing the function code.With
SnapStart, Lambda initializes your function when you publish a function version. Lambda takes a Firecracker
microVM snapshot of the memory and disk state of the initialized execution environment, encrypts the
snapshot, and caches it for low-latency access. When you invoke the function version for the first time, and as
the invocations scale up, Lambda resumes new execution environments from the cached snapshot instead of
initializing them from scratch, improving startup latency.

Question: 574 CertyIQ

A financial services company launched a new application that uses an Amazon RDS for MySQL database. The
company uses the application to track stock market trends. The company needs to operate the application for only
2 hours at the end of each week. The company needs to optimize the cost of running the database.

Which solution will meet these requirements MOST cost-effectively?

A.Migrate the existing RDS for MySQL database to an Aurora Serverless v2 MySQL database cluster.
B.Migrate the existing RDS for MySQL database to an Aurora MySQL database cluster.
C.Migrate the existing RDS for MySQL database to an Amazon EC2 instance that runs MySQL. Purchase an
instance reservation for the EC2 instance.
D.Migrate the existing RDS for MySQL database to an Amazon Elastic Container Service (Amazon ECS) cluster
that uses MySQL container images to run tasks.

Answer: B

Explanation:

B seems to be the correct answer, because if we have a predictable workload Aurora database seems to be
most cost effective however if we have unpredictable workload aurora serverless seems to be more cost
effective because our database will scale up and down for more informations please read this article .

https://medium.com/trackit/aurora-or-aurora-serverless-v2-which-is-more-cost-effective-bcd12e172dcf
Question: 575 CertyIQ
A company deploys its applications on Amazon Elastic Kubernetes Service (Amazon EKS) behind an Application
Load Balancer in an AWS Region. The application needs to store data in a PostgreSQL database engine. The
company wants the data in the database to be highly available. The company also needs increased capacity for
read workloads.

Which solution will meet these requirements with the MOST operational efficiency?

A.Create an Amazon DynamoDB database table configured with global tables.

B.Create an Amazon RDS database with Multi-AZ deployments.
C.Create an Amazon RDS database with Multi-AZ DB cluster deployment.
D.Create an Amazon RDS database configured with cross-Region read replicas.

Answer: C

Explanation:
1. RDS Multi-AZ DB cluster deployments provide high availability, automatic failover, and increased read
capacity.A multi-AZ cluster automatically handles replicating data across AZs in a single region.This
maintains operational efficiency as it is natively managed by RDS without needing external
replication.DynamoDB global tables involve complex provisioning and requires app changes.RDS read replicas
require manual setup and management of replication.RDS Multi-AZ clustering is purpose-built by AWS for HA
PostgreSQL deployments and balancing read workloads.
2. Multi-AZ DB clusters provide high availability, increased capacity for read workloads, and lower write
latency when compared to Multi-AZ DB instance deployments.

Question: 576 CertyIQ

A company is building a RESTful serverless web application on AWS by using Amazon API Gateway and AWS
Lambda. The users of this web application will be geographically distributed, and the company wants to reduce the
latency of API requests to these users.

Which type of endpoint should a solutions architect use to meet these requirements?

A.Private endpoint
B.Regional endpoint
C.Interface VPC endpoint
D.Edge-optimized endpoint

Answer: D

Explanation:

The correct answer is D API Gateway - Endpoint Types • Edge-Optimized (default): For global clients •
Requests are routed through the CloudFront Edge locations (improves latency) • The API Gateway still lives in
only one region• Regional: • For clients within the same region • Could manually combine with CloudFront
(more control over the caching strategies and the distribution)• Private: • Can only be accessed from your VPC
using an interface VPC endpoint (ENI) • Use a resource policy to define access

Question: 577 CertyIQ

A company uses an Amazon CloudFront distribution to serve content pages for its website. The company needs to
ensure that clients use a TLS certificate when accessing the company's website. The company wants to automate
the creation and renewal of the TLS certificates.

Which solution will meet these requirements with the MOST operational efficiency?

A.Use a CloudFront security policy to create a certificate.

B.Use a CloudFront origin access control (OAC) to create a certificate.
C.Use AWS Certificate Manager (ACM) to create a certificate. Use DNS validation for the domain.
D.Use AWS Certificate Manager (ACM) to create a certificate. Use email validation for the domain.

Answer: C

Explanation:

"DNS Validation is preferred for automation purposes" -- Stephane's course on Udemy

C seems to be correct

Question: 578 CertyIQ

A company deployed a serverless application that uses Amazon DynamoDB as a database layer. The application
has experienced a large increase in users. The company wants to improve database response time from
milliseconds to microseconds and to cache requests to the database.

Which solution will meet these requirements with the LEAST operational overhead?

A.Use DynamoDB Accelerator (DAX).

B.Migrate the database to Amazon Redshift.
C.Migrate the database to Amazon RDS.
D.Use Amazon ElastiCache for Redis.

Answer: A

Explanation:

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for Amazon
DynamoDB that delivers up to a 10 times performance improvement—from milliseconds to microseconds—
even at millions of requests per second.

https://aws.amazon.com/dynamodb/dax/#:~:text=Amazon%20DynamoDB%20Accelerator%20(DAX)%20is,millions%20o

Question: 579 CertyIQ

A company runs an application that uses Amazon RDS for PostgreSQL. The application receives traffic only on
weekdays during business hours. The company wants to optimize costs and reduce operational overhead based on
this usage.

Which solution will meet these requirements?

A.Use the Instance Scheduler on AWS to configure start and stop schedules.
B.Turn off automatic backups. Create weekly manual snapshots of the database.
C.Create a custom AWS Lambda function to start and stop the database based on minimum CPU utilization.
D.Purchase All Upfront reserved DB instances.
 Answer: A

Explanation:
1. A https://aws.amazon.com/solutions/implementations/instance-scheduler-on-aws/
2. Scheduler do the job

Question: 580 CertyIQ

A company uses locally attached storage to run a latency-sensitive application on premises. The company is using
a lift and shift method to move the application to the AWS Cloud. The company does not want to change the
application architecture.

Which solution will meet these requirements MOST cost-effectively?

A.Configure an Auto Scaling group with an Amazon EC2 instance. Use an Amazon FSx for Lustre file system to
run the application.
B.Host the application on an Amazon EC2 instance. Use an Amazon Elastic Block Store (Amazon EBS) GP2
volume to run the application.
C.Configure an Auto Scaling group with an Amazon EC2 instance. Use an Amazon FSx for OpenZFS file system
to run the application.
D.Host the application on an Amazon EC2 instance. Use an Amazon Elastic Block Store (Amazon EBS) GP3
volume to run the application.

Answer: D

Explanation:

Migrate your Amazon EBS volumes from gp2 to gp3 and save up to 20% on costs.

My rational: Options A y C are based on autoscaling-group and no make sense for me on this scenary.Then,
use Amazon EBS is the solution and GP2 or GP3 is the question. Requirement requires the most COST
effective solution, then, I choose GP3

Question: 581 CertyIQ

A company runs a stateful production application on Amazon EC2 instances. The application requires at least two
EC2 instances to always be running.

A solutions architect needs to design a highly available and fault-tolerant architecture for the application. The
solutions architect creates an Auto Scaling group of EC2 instances.

Which set of additional steps should the solutions architect take to meet these requirements?

A.Set the Auto Scaling group's minimum capacity to two. Deploy one On-Demand Instance in one Availability
Zone and one On-Demand Instance in a second Availability Zone.
B.Set the Auto Scaling group's minimum capacity to four. Deploy two On-Demand Instances in one Availability
Zone and two On-Demand Instances in a second Availability Zone.
C.Set the Auto Scaling group's minimum capacity to two. Deploy four Spot Instances in one Availability Zone.
D.Set the Auto Scaling group's minimum capacity to four. Deploy two On-Demand Instances in one Availability
Zone and two Spot Instances in a second Availability Zone.

Answer: B

Explanation:
1. By setting the Auto Scaling group's minimum capacity to four, the architect ensures that there are always at
 least two running instances. Deploying two On-Demand Instances in each of two Availability Zones ensures
that the application is highly available and fault-tolerant. If one Availability Zone becomes unavailable, the
application can still run in the other Availability Zone.
2. While Spot Instances can be used to reduce costs, they might not provide the same level of availability and
guaranteed uptime that On-Demand Instances offer. So I will go with B and not D.

Question: 582 CertyIQ

An ecommerce company uses Amazon Route 53 as its DNS provider. The company hosts its website on premises
and in the AWS Cloud. The company's on-premises data center is near the us-west-1 Region. The company uses the
eu-central-1 Region to host the website. The company wants to minimize load time for the website as much as
possible.

Which solution will meet these requirements?

A.Set up a geolocation routing policy. Send the traffic that is near us-west-1 to the on-premises data center.
Send the traffic that is near eu-central-1 to eu-central-1.
B.Set up a simple routing policy that routes all traffic that is near eu-central-1 to eu-central-1 and routes all
traffic that is near the on-premises datacenter to the on-premises data center.
C.Set up a latency routing policy. Associate the policy with us-west-1.
D.Set up a weighted routing policy. Split the traffic evenly between eu-central-1 and the on-premises data
center.

Answer: A

Explanation:

The key reasons are:Geolocation routing allows you to route users to the closest endpoint based on their
geographic location. This will provide the lowest latency.Routing us-west-1 traffic to the on-premises data
center minimizes latency for those users since it is also located near there.Routing eu-central-1 traffic to the
eu-central-1 AWS region minimizes latency for users nearby.This achieves routing users to the closest
endpoint on a geographic basis to optimize for low latency.

Question: 583 CertyIQ

A company has 5 PB of archived data on physical tapes. The company needs to preserve the data on the tapes for
another 10 years for compliance purposes. The company wants to migrate to AWS in the next 6 months. The data
center that stores the tapes has a 1 Gbps uplink internet connectivity.

Which solution will meet these requirements MOST cost-effectively?

A.Read the data from the tapes on premises. Stage the data in a local NFS storage. Use AWS DataSync to
migrate the data to Amazon S3 Glacier Flexible Retrieval.
B.Use an on-premises backup application to read the data from the tapes and to write directly to Amazon S3
Glacier Deep Archive.
C.Order multiple AWS Snowball devices that have Tape Gateway. Copy the physical tapes to virtual tapes in
Snowball. Ship the Snowball devices to AWS. Create a lifecycle policy to move the tapes to Amazon S3 Glacier
Deep Archive.
D.Configure an on-premises Tape Gateway. Create virtual tapes in the AWS Cloud. Use backup software to
copy the physical tape to the virtual tape.

Answer: C

Explanation: