practice 1 - scenarios, keywords

Auto Scaling group of EC2. Manager worried about OVER-PROVISIONING costs. Needs DYNAMIC scaling without affecting performance. Keywords: over-provisioning + dynamic scaling

Target Tracking Scaling. Automatically adds or removes capacity to keep a specific metric at a target value. Responds to changing load patterns continuously. No cooldown wait. No manual intervention.

AWS Fargate batch job runs when object uploaded to S3. Minimum ECS task count = 1. Scale up based on NEW objects uploaded. Keywords: S3 PUT triggers ECS + LEAST effort

EventBridge rule on S3 PUT → target set directly to ECS cluster to run new task. EventBridge natively supports ECS as a direct rule target. No Lambda or intermediary needed. Single rule with single target is the least effort solution.

Company needs to PROGRAMMATICALLY access and FORECAST usage costs on specific AWS services. Keywords: programmatic + forecast + least operational overhead

AWS Cost Explorer API with pagination. Allows programmatic retrieval of cost and usage data including forecasting by service. Pagination handles large datasets. No manual steps required.

Manager wants estimate of AWS resource costs. Which TWO resources incur costs? Keywords: what costs money

1) Running EC2 instance 2) EBS Volumes attached to STOPPED EC2 instances. EC2 billed per second while running. EBS always billed for provisioned storage regardless of whether EC2 is stopped or running.

Files are EASILY REPRODUCIBLE. Accessed frequently first month then INFREQUENTLY. Files under tdojo-finance prefix need MILLISECOND retrieval. Other files have no retrieval time requirement. Keywords: reproducible + prefix filter + millisecond for some + cheap for rest

S3 Standard then after 1 month tdojo-finance prefix moves to One Zone-IA and remaining files move to Glacier via lifecycle policy. Reproducible data is safe in One Zone-IA because losing a single AZ copy is acceptable. Non-finance files rarely accessed so Glacier is cheapest.

Sales team needs to run ANALYSIS on sales records stored in S3 and VISUALIZE results. Keywords: query S3 + visualize + most cost-effective

AWS Glue Crawler → Glue Data Catalog → Amazon Athena for queries → Amazon QuickSight for visualization. Glue catalogs the S3 data automatically. Athena queries it in place with no cluster needed. QuickSight connects to Athena for visualization. Fully serverless and cost-effective.

Startup uses RDS. Low activity most of time but BURSTS OF TRAFFIC WITHIN SECONDS on product announcements. Need global API. Keywords: burst in seconds + API + global

Amazon API Gateway + AWS Lambda. Lambda scales to thousands of instances within seconds automatically. API Gateway provides the managed API layer. No infrastructure to provision. Scales from zero to peak instantly.

Company receives raw CSV files into S3 averaging 2GB. Must AUTOMATICALLY convert to Apache Parquet each time new file uploaded. Keywords: automated + event-driven + CSV to Parquet + LEAST overhead

AWS Glue ETL job to convert CSV to Parquet + EventBridge rule on S3 Object Created event triggers Glue job. Glue natively supports Parquet conversion with no custom code. EventBridge triggers the job immediately on each upload. Fully managed and serverless.

Company needs to query data from MULTIPLE AWS ACCOUNTS from a CENTRAL DATA LAKE. Each account has own S3 bucket. Access must be ROLE-BASED. Keywords: multi-account + data lake + role-based access + minimize overhead

AWS Lake Formation. Supports cross-account data sharing natively. Role-based grant and revoke permissions on catalog objects like tables and columns. Integrates with Glue Data Catalog. No data movement required.

Photo-sharing app stores uploads in S3. Need AI to FLAG explicit images for review. Communication with VPC resources must NOT TRAVERSE public internet. Keywords: image moderation + AI + private VPC + least effort

Amazon Rekognition for content moderation + Interface VPC Endpoint for Rekognition. Rekognition provides off-the-shelf image moderation with no ML training needed. Returns hierarchical taxonomy of moderation labels. Interface VPC Endpoint keeps all traffic within AWS network.

Custom messaging service receives THOUSANDS of messages per day processed by EMR. NO messages lost. NO duplicates. Messages processed in SAME ORDER AS ARRIVAL. Keywords: no loss + no duplicates + ordered + EMR

Amazon Kinesis Data Stream. Preserves record ordering within shards using unique sequence numbers. Durably replicates across multiple AZs so no data is lost. Consumers process records in exact order received within a shard.

Company uses AWS Direct Connect. Needs to AUTOMATE AND ACCELERATE REPLICATION of data to and from various AWS storage services. Keywords: automate + accelerate + replication + Direct Connect

AWS DataSync agent over a Direct Connect service endpoint. DataSync automates and accelerates data transfer to AWS storage services. When Direct Connect is in place traffic uses the service endpoint and stays off the public internet.

Hybrid architecture needs connection from VPC to on-premises. Must provide HIGH BANDWIDTH and MORE CONSISTENT network experience than internet-based solutions. Keywords: dedicated + consistent + high bandwidth + not internet

AWS Direct Connect. Uses a dedicated Ethernet fiber-optic cable bypassing internet service providers entirely. Provides consistent network experience and high bandwidth. Does not traverse the public internet.

Web application stores static assets in S3. Expects OVER 2000 PUT and 3500 GET requests per second at peak. Keywords: high request rate + S3 performance

Do nothing. Amazon S3 automatically manages performance at this scale. Since 2018 S3 supports at least 3500 PUT and 5500 GET requests per second per prefix with no configuration needed.

Fast food company ALB routes traffic. URLs matching /api/android go to Android target group. URLs matching /api/ios go to iOS target group. Keywords: URL path routing + different target groups

Use path conditions on ALB to define listener rules forwarding requests to different target groups based on the URL path. ALB inspects the URL path in each request and routes to the matching target group. This is called path-based routing.

Animation studio uploads 5GB VIDEO OBJECTS to S3. Upload takes longer than expected impacting performance. Keywords: large file + slow upload + S3 performance

S3 Multipart Upload API. Splits large files into parts that upload in parallel improving throughput. Each part is independent so a failed part retransmits without affecting others. Recommended for any object over 100MB and required over 5GB.

Microservices architecture. Fine-grained decoupling. Services should scale HORIZONTALLY. What is the difference between horizontal and vertical scaling? Keywords: horizontal vs vertical scaling definition

Vertical scaling means running the same software on bigger machines. Limited by the capacity of the individual server. Horizontal scaling means adding more servers to the existing pool. No individual server limitations. Can be fully automated. Does not incur downtime.

Mission-critical EKS cluster with microservices. Need FULLY MANAGED CENTRALIZED logging collecting metrics and application logs automatically. Need DASHBOARD to monitor metrics. Keywords: EKS + centralized logging + metrics + dashboard + LEAST overhead

Amazon CloudWatch Container Insights with EKS + CloudWatch dashboard. Container Insights automatically collects CPU memory disk and network metrics plus logs from EKS. Creates aggregated metrics at cluster node pod and service level. Dashboard is built-in with no extra setup.

Multinational corporation. CloudTrail enabled. Need to efficiently monitor ACCESS DENIED and UNAUTHORIZED errors in IAM. Keywords: query CloudTrail logs for specific errors + least effort

AWS CloudTrail Lake with SQL queries. Converts CloudTrail events to Apache ORC columnar format optimized for fast SQL querying. Query directly on CloudTrail logs with no additional setup. No need to define tables or load data elsewhere.

Animation studio needs HIGH AVAILABLE PARALLEL FILE SYSTEM for HPC rendering. Accessed CONCURRENTLY by fleet of EC2. Must have SUSTAINED THROUGHPUT. Keywords: HPC + parallel file system + concurrent + sustained throughput + HA

Amazon FSx for Lustre with Persistent file system. Provides high-performance parallel file system with sub-millisecond latency and up to terabytes per second throughput. Persistent type automatically replicates data within the same AZ for high availability and durability.

Application uses Lambda to process data. Receiving THROTTLING ERRORS during processing. Lambda concurrent executions limit raised multiple times. Keywords: throttling + Lambda + buffer + scalability

Rewrite into 2 Lambda functions. First receives the request and puts message on SQS. Second polls SQS and persists to database. SQS acts as buffer absorbing traffic spikes. Second Lambda implements backoff strategy automatically when throttled. Decouples ingestion from processing.

E-commerce company stores sales data in S3. Needs to run AD-HOC SQL QUERIES to gain insights. Keywords: ad-hoc SQL + S3 data + least operational overhead

AWS Glue Crawler → Glue Data Catalog → Amazon Athena. Athena is serverless and queries S3 directly using standard SQL. Glue handles schema discovery automatically. No infrastructure to provision or manage. Pay only per query.

Fleet of delivery trucks with GPS upload location data to S3. Need to process GPS data AS IT IS UPLOADED. Processing takes 3 minutes needs 64MB memory. Keywords: event-driven + S3 upload triggers processing + cost-effective

S3 Event Notifications → SQS queue → Lambda function processes by retrieving queue messages. S3 events populate SQS queue. Lambda polls SQS and processes each message. SQS buffers messages if volume spikes. Lambda only runs when there is work to do so cost is minimal.

Junior DevOps accidentally DELETED user data in S3. Need to protect from both ACCIDENTAL DELETION and OVERWRITING. Select TWO. Keywords: protect from delete + protect from overwrite

1) Enable S3 Versioning 2) Enable Multi-Factor Authentication Delete. Versioning preserves every version of every object so deleted objects can be recovered. MFA Delete requires a second authentication factor to permanently delete a version or change versioning state.

Cryptocurrency exchange on ECS + RDS Multi-AZ. Need to monitor CPU bandwidth and MEMORY CONSUMED BY EACH PROCESS OR THREAD on DB instance in real-time. Keywords: per-process CPU + per-thread memory + RDS monitoring

Enable Enhanced Monitoring on RDS. Gathers metrics from an agent installed directly on the DB instance. Shows per-process and per-thread CPU and memory usage in real-time. Standard CloudWatch only shows hypervisor-level metrics and cannot break down by individual process.

Need to deploy AT LEAST 2 EC2 instances for normal workloads and automatically scale up to 6 for peak. Architecture must be HIGHLY AVAILABLE AND FAULT TOLERANT. Keywords: min 2 instances + max 6 + HA + fault tolerant across AZs

Auto Scaling group minimum capacity = 4 maximum capacity = 6. Deploy 2 instances in AZ-A and 2 instances in AZ-B. If one AZ fails 2 instances remain running in the other AZ. Minimum must be 4 not 2 because after an AZ failure half the instances are gone.

Company receives CSV files daily in S3. Wants to AUTOMATICALLY convert to Parquet and store in tutorialsdojo-data-transformed bucket. Triggered by new file uploads. Keywords: automated CSV to Parquet + LEAST overhead

AWS Glue Crawler to discover raw data and schema + scheduled AWS Glue ETL job to convert CSV to Parquet and store in target bucket. Glue is fully managed and serverless. Crawler handles schema discovery automatically. ETL job handles Parquet conversion natively with no custom code.

Web app on EC2 Auto Scaling behind ALB. Application overloaded due to DATABASE REQUESTS. Management wants database to be EVENTUALLY CONSISTENT and HIGHLY AVAILABLE. Keywords: embedded NoSQL + migrate to managed + HA + least overhead

Configure Auto Scaling across 3 AZs + use AWS DMS with replication server and ongoing replication task to migrate embedded NoSQL database to Amazon DynamoDB. DynamoDB is fully managed highly available and eventually consistent. DMS handles the migration and keeps source and target in sync during cutover.

New subnet in VPC with Internet Gateway attached. EC2 instance in new subnet CANNOT BE ACCESSED from internet. Select TWO possible reasons. Keywords: cannot access EC2 from internet + two reasons

1) EC2 instance does not have a public IP address 2) Route table not configured to send traffic through the Internet Gateway. Every internet-accessible EC2 needs a public IP or Elastic IP. The subnet route table must have a route entry pointing 0.0.0.0/0 to the Internet Gateway.

Sensors send data to Kinesis stream with DEFAULT SETTINGS every day. Consumer processes data EVERY OTHER DAY. S3 bucket not receiving all data. Sensors verified working. Keywords: Kinesis + consumer every other day + missing data

Default Kinesis data stream retention period is 24 hours. Consumer processes every 48 hours so records expire before being read. Fix by increasing the retention period on the stream or by making the consumer process data daily.

Company needs to backup on-premises database to file server share using SMB PROTOCOL. Data from last 48 HOURS must be available for IMMEDIATE ACCESS. Older data accessible with delay acceptable. Keywords: SMB + on-premises + 48-hour immediate access + delay for older OK

AWS Storage Gateway File Gateway with enough local cache to hold last 48 hours of data. Backups sent to SMB share mounted as local disk. Local cache gives immediate access to recent data. Older data is retrieved from S3 with a small delay. Presents as standard SMB share to on-premises applications.

Tech company running low on on-premises storage. Wants to EXTEND STORAGE using AWS cloud. Keywords: extend on-premises storage + hybrid

AWS Storage Gateway. Connects on-premises environment with cloud-based storage seamlessly using standard protocols. Extends on-premises capacity into AWS without changing existing applications.

Lambda processes data and stores JSON results in S3. Need to run BIG DATA ANALYTICS on data WITHOUT MOVING IT to a separate analytics system. Keywords: big data analytics + S3 + in-place + no movement

Amazon Athena + Amazon Redshift Spectrum + AWS Glue. Athena queries S3 directly with SQL. Redshift Spectrum extends Redshift to query S3 data without loading it into the cluster. Glue catalogs and prepares the data. All three work directly on data in S3.

Web application on On-Demand EC2. Need shell script to get instance PUBLIC AND PRIVATE IP ADDRESSES. Keywords: EC2 IP address from inside instance + shell script

Use curl or GET command to retrieve from http://169.254.169.254/latest/meta-data/. Instance metadata endpoint is available from within any running EC2 instance without credentials. Contains public IP private IP and all other instance configuration data.

Amazon EKS with IRSA. Website experiences surge in HOLIDAY TRAFFIC. Infrastructure must AUTOMATICALLY SCALE IN AND OUT in response to demand. Select TWO. Keywords: EKS + scale in and out + pods + nodes + least overhead

1) Install Kubernetes Metrics Server + enable Horizontal Pod Autoscaler 2) Set up Karpenter to automatically adjust number of nodes. HPA scales the number of pods based on CPU utilization automatically. Karpenter provisions appropriately sized EC2 nodes dynamically and responds faster than Cluster Autoscaler.

Investment bank uses Aurora SINGLE INSTANCE with NO READ REPLICAS. In event of SYSTEM FAILURE on primary what happens during FAILOVER? Keywords: Aurora single instance + no replica + failover behavior

Aurora will attempt to create a new DB instance in the SAME Availability Zone as the original instance on a best-effort basis. There is no replica to flip to. Recovery is not guaranteed. If the same AZ has a broader issue the attempt may not succeed.

Movie streaming app on Auto Scaling EC2 across multiple AZs behind load balancer. Must DISTRIBUTE INCOMING REQUESTS EVENLY to all EC2 instances ACROSS MULTIPLE AZs. Keywords: distribute evenly + multiple AZs + load balancer

Enable Cross-Zone Load Balancing. Each load balancer node distributes traffic across all registered targets in all enabled AZs evenly. Without it each LB node only routes to targets in its own AZ causing uneven distribution.

New DevOps engineer created CloudFormation template with Parameters and Outputs sections. Stack will fail to deploy. Why? Keywords: CloudFormation template fails + what is missing

The Resources section is missing. Resources is the ONLY required section in a CloudFormation template. All other sections including Parameters Outputs Conditions Mappings and Metadata are optional.

Online learning portal on large On-Demand EC2 with SINGLE Aurora database. How to IMPROVE AVAILABILITY of Aurora database? Keywords: Aurora + single instance + improve availability

Create Amazon Aurora Replicas. Aurora Replicas share the same underlying storage volume as the primary. Can be promoted to primary during an outage. Improves both read performance and availability.

Company has EC2 instances in US East US West and EU Ireland. Need LATENCY-BASED ROUTING to route traffic for www.tutorialsdojo.com to EC2 instances across all AWS regions. Keywords: latency-based routing + multi-region + EC2

Amazon Route 53 with latency-based routing records for each AWS region. Route 53 determines which region gives the user the lowest latency and responds with that region's record. Works across multiple regions unlike load balancers which are regional.

Cryptocurrency mining server on Reserved EC2 in us-east-1 PRIVATE SUBNET using IPv6. Need to allow EC2 to COMMUNICATE TO THE INTERNET but PREVENT INBOUND IPv6 traffic. Keywords: IPv6 + outbound only + prevent inbound + private subnet

Egress-Only Internet Gateway. Allows outbound IPv6 communication from VPC instances to the internet. Prevents the internet from initiating inbound IPv6 connections. Designed specifically for IPv6 outbound-only use cases.

DR team needs to backup on-premises records to LOCAL FILE SERVER SHARE via SMB. Data from LAST 48 HOURS must be available for IMMEDIATE ACCESS. Accessing OLDER RECORDS with delay is tolerable. Keywords: SMB + 48-hour immediate access + delay for older OK + LEAST configuration

AWS Storage Gateway File Gateway with enough local cache for last 48 hours. Backups sent to SMB share mounted as local disk. Recent data served from local cache immediately. Older data retrieved from S3 with a small delay. Least configuration because no VPN or Direct Connect setup required.

E-commerce company needs ROBUST APPLICATION LAYER and OLTP relational database handling SPIKY TRAFFIC. Must be ALWAYS AVAILABLE while MINIMIZING COST DURING IDLE PERIODS. Keywords: OLTP + spiky traffic + always available + minimize idle cost

Amazon ECS on AWS Fargate for application + Amazon Aurora Serverless for database. Fargate is serverless containers paying only for resources consumed during active use. Aurora Serverless auto-scales the database and costs nothing when idle. Both scale to zero or near zero when traffic is absent.

Investment bank needs SUPER-FAST ANALYTICS on TERABYTES of customer data in near real-time. Keywords: terabytes + fast analytics + data warehouse

Amazon Redshift. Fast scalable data warehouse using columnar storage and massively parallel query execution. Supports complex analytic queries against terabytes to petabytes of data. Ten times faster than other data warehouses for analytical workloads.

Company plans SFTP service on AWS. Must receive traffic ONLY from APPROVED PUBLIC IP ADDRESSES. Manages users and permissions. Needs HIGHLY AVAILABLE SERVERLESS solution with HIGH IOPS. Keywords: SFTP + IP whitelist + serverless + high IOPS + manage users

AWS Transfer Family for SFTP with elastic IPs + publicly accessible VPC endpoint + security group restricting to trusted IPs + Amazon EFS volume integrated. Transfer Family is fully managed SFTP. EFS provides serverless high IOPS file storage. Security group restricts access to approved IPs.

Company migrating to AWS. System requires database that can SCALE GLOBALLY and handle FREQUENT SCHEMA CHANGES. No downtime on schema change. Need LOW LATENCY for high-traffic queries. Keywords: flexible schema + global scale + low latency

Amazon DynamoDB. NoSQL with flexible schema allowing easy addition and removal of attributes without downtime. Stores complex hierarchical data in a single item. Scales globally with consistent low latency.

Payment processing company with IPv6 VPC. Must allow OUTBOUND IPv6 communication to internet but PREVENT INBOUND IPv6. Also needs TRAFFIC FLOW INSPECTION and TRAFFIC FILTERING. Keywords: IPv6 outbound only + no inbound + traffic inspection + traffic filtering

Launch EC2 in private subnet + Egress-Only Internet Gateway for outbound IPv6 + AWS Network Firewall for traffic inspection and filtering. Egress-Only IGW handles IPv6 outbound-only. Network Firewall provides stateful inspection intrusion prevention and web filtering.

Company grants 1200 employees access to S3 for personal documents. Need SINGLE SIGN-ON from corporate AD or LDAP. Each user restricted to their OWN FOLDER in S3. Select TWO. Keywords: SSO + corporate directory + per-user S3 folder access

1) Set up Federation proxy or Identity Provider + use AWS STS to generate temporary tokens 2) Configure IAM role and IAM policy to access the bucket. STS federation allows corporate directory authentication via SAML. IAM role with policy using aws:username variable restricts each user to their own S3 prefix automatically.

Company migrated to AWS. Audit team needs to assess whether services meet COMMON SECURITY AND REGULATORY STANDARDS. Need REPORT OF ALL COMPLIANCE-RELATED DOCUMENTS. Keywords: compliance reports + security certifications + audit

AWS Artifact. Provides on-demand access to AWS security and compliance reports including SOC reports PCI reports and certifications from accreditation bodies. Available to all AWS accounts at no additional charge.

Solutions Architect building cloud infrastructure. EC2 instances need access to S3 and Redshift. System administrators need to deploy and test. Need to SECURE ACCESS without compromise. Select TWO. Keywords: secure EC2 access to AWS services + admin access security

1) Enable Multi-Factor Authentication 2) Assign an IAM role to the EC2 instance. IAM roles provide temporary credentials that are automatically rotated. MFA adds a second factor for human administrator access. Never store long-term access keys on EC2 instances.

Application continually sends encrypted documents to S3. Must comply with STRICT COMPLIANCE STANDARDS. Need to be ALERTED if risk of UNAUTHORIZED ACCESS or SUSPICIOUS ACCESS PATTERNS. Keywords: S3 + suspicious access patterns + unauthorized access alert

Amazon GuardDuty to monitor malicious activity on S3. Uses machine learning and threat intelligence to detect suspicious S3 access patterns requests from malicious IPs and bucket policy changes that expose data publicly. Continuous monitoring with no agents to deploy.

GraphQL API on EKS Fargate + DynamoDB with DAX in us-east-1. Must PREVENT DATABASE CALLS from traversing public internet. Need AUTOMATED CROSS-ACCOUNT BACKUP of DynamoDB for long-term retention. Keywords: DynamoDB private access + cross-account backup

Create DynamoDB Gateway Endpoint + associate to route table + use AWS Backup to copy DynamoDB backups to another AWS account. Gateway Endpoint routes DynamoDB traffic through AWS network avoiding public internet. AWS Backup supports cross-account and cross-region DynamoDB backup copies.

Healthcare company must comply with HIPAA. Backups stored in S3 must be ENCRYPTED. Select TWO. Keywords: HIPAA + S3 encryption + two methods

1) Enable Server-Side Encryption on S3 bucket using AES-256 2) Encrypt data locally BEFORE sending to S3 using own encryption keys. SSE with AES-256 encrypts data at rest in S3. Client-side encryption ensures data is encrypted before it ever leaves on-premises. S3 only supports AES-256 not AES-128.

Intelligence agency dev has access to development account. Needs TEMPORARY access to production account. Only WRITE ACCESS to EC2 and S3 allowed. Need SHORT-LIVED ACCESS TOKENS. Keywords: temporary credentials + cross-account + short-lived tokens

AWS Security Token Service STS. Generates temporary security credentials via AssumeRole. Dev account user assumes a role in the production account with only the required write permissions. Tokens are short-lived and automatically expire after the configured duration.

Company has multiple AWS accounts for development teams. Wants to CONSOLIDATE into MULTI-ACCOUNT SETUP. Wants to use EXISTING DIRECTORY SERVICE for user authentication with SIMPLIFIED LOGIN. Select TWO. Keywords: multi-account + consolidate + existing directory + SSO

1) Use AWS Organizations to create new organization with all features on and invite child accounts 2) Configure AWS IAM Identity Center for the organization and integrate with company directory using Active Directory Connector. Organizations consolidates billing and governance. IAM Identity Center with AD Connector enables SSO using existing corporate directory credentials across all accounts.

Auto Scaling group of EC2 behind ALB. SQL INJECTION and CROSS-SITE SCRIPTING attacks detected. Need to MITIGATE these attacks. Keywords: SQL injection + XSS + application layer attacks

Set up security rules blocking SQL injection and XSS in AWS WAF and associate rules to Application Load Balancer. WAF monitors HTTP and HTTPS requests and blocks based on conditions including SQL injection patterns and XSS signatures. Works at the application layer where these attacks occur.

Lambda function processes ENCRYPTED DOCUMENTS from FSx for NetApp ONTAP. Documents protected by AWS KMS CUSTOMER KEY. Lambda must be able to DECRYPT the documents. Keywords: Lambda + KMS decrypt + FSx + customer key

Attach kms:decrypt permission to Lambda function execution role + add statement to KMS key policy granting the execution role the kms:decrypt permission. Lambda uses its execution role to interact with AWS services. Both the execution role policy AND the KMS key policy must explicitly allow the decrypt action.

Company has 300 IAM users. New policy requires changing permissions for 100 users that control S3 access. Keywords: bulk permission change + 100 users + S3 + least effort

Create a new IAM Group + add the 100 users + apply the S3 policy to the IAM Group. Groups allow applying policies to multiple users at once. Easy to add or remove users from the group going forward. No need to touch individual user policies.

Company generating CONFIDENTIAL data on-premises. Wants to upload to S3 as backup. Encryption must be done BEFORE SENDING TO S3. Company must MANAGE AND ROTATE encryption keys and CONTROL WHO CAN ACCESS the keys. Select TWO. Keywords: encrypt before sending + customer manages keys + rotate keys

1) Client-Side Encryption with AWS KMS key 2) Client-Side Encryption using a client-side master key. Both options encrypt data before it leaves on-premises. KMS key allows managed rotation and access control through KMS policies. Client-side master key gives full customer control outside of AWS.

Company using IAM policy for Lambda. Policy ALLOWS CreateFunction and DeleteFunction from all IPs. Policy DENIES CreateFunction DeleteFunction InvokeFunction and TagResource FROM IP 187.5.104.11/32 only. Which action is ALLOWED? Keywords: IAM policy + explicit deny + IP condition

Create an AWS Lambda function using the 100.220.0.11/32 address. The Deny only applies to IP 187.5.104.11/32. Any other IP can CreateFunction and DeleteFunction per the Allow statement. Explicit Deny always overrides Allow so 187.5.104.11/32 cannot perform any of the denied actions.

Application on On-Demand EC2 uses AWS SDK to communicate with S3 DynamoDB and other services. IT AUDIT requires ALL API CALLS to AWS resources to be LOGGED and DURABLY STORED. Keywords: API call logging + durable storage + audit

AWS CloudTrail. Records all AWS Management Console actions and API calls including who called which service from what IP address and when. Logs stored durably in S3. Covers all AWS service API calls automatically.

Company needs secure access to RDS for MySQL used by multiple applications. Each IAM user must use SHORT-LIVED AUTHENTICATION TOKEN to connect. Keywords: RDS MySQL + short-lived token + IAM user authentication

Use IAM DB Authentication + create database accounts using AWS-provided AWSAuthenticationPlugin in MySQL. Generates authentication tokens valid for 15 minutes. No password needed. AWSAuthenticationPlugin integrates IAM with MySQL authentication. Traffic encrypted via SSL automatically.

Auto Scaling EC2 group + Microsoft SQL Server on Amazon RDS. ALL IN-FLIGHT DATA between web servers and RDS must be SECURED. Select TWO. Keywords: in-flight + RDS SQL Server + encrypt + two answers

1) Force all connections to use SSL by setting rds.forcessl parameter to true then reboot DB instance 2) Download Amazon RDS Root CA certificate import to servers and configure application to use SSL. rds.forcessl forces RDS to reject non-SSL connections. Root CA cert enables the EC2 application side to establish the SSL connection. Together they secure data in transit end to end.

Tech company cannot connect to newly created EC2 instance using REMOTE DESKTOP CONNECTION. Instance has public IP. IGW and route tables are in place. Keywords: RDP + cannot connect + EC2 Windows

Adjust security group to allow inbound traffic on port 3389 from the company's IP address. RDP uses TCP port 3389. Security group must explicitly allow inbound 3389. Port 22 is SSH for Linux not RDP for Windows.

Company moved internal tools to AWS. CloudTrail enabled with SSE-KMS encryption. Company wants to ensure it can IDENTIFY WHETHER A LOG FILE HAS BEEN TAMPERED WITH. Keywords: CloudTrail + tampered + integrity verification

Enable CloudTrail Log File Validation feature on all trails. Creates a SHA-256 hash for every log file and delivers signed digest files hourly. You can use the public key to validate whether any log was modified deleted or unchanged after delivery. Industry-standard SHA-256 with RSA signing makes tampering computationally infeasible to hide.