Question.46 A company that hosts its web application on AWS wants to ensure all Amazon EC2 instances, Amazon RDS DB instances and Amazon Redshift clusters are configured with tags. The company wants to minimize the effort of configuring and operating this check. What should a solutions architect do to accomplish this? (A) Use AWS Config rules to define and detect resources that are not properly tagged. (B) Use Cost Explorer to display resources that are not properly tagged. Tag those resources manually. (C) Write API calls to check all resources for proper tag allocation. Periodically run the code on an EC2 instance. (D) Write API calls to check all resources for proper tag allocation. Schedule an AWS Lambda function through Amazon CloudWatch to periodically run the code.
Answer is (A) Use AWS Config rules to define and detect resources that are not properly tagged.
AWS Config provides managed rules and lets you write custom rules (backed by a Lambda function or a Guard policy) that evaluate the configuration of AWS resources. The managed rule required-tags takes up to six tag keys, optionally with a list of allowed values for each, and can be scoped to exactly the resource types in the question: AWS::EC2::Instance, AWS::RDS::DBInstance and AWS::Redshift::Cluster. AWS Config records configuration changes continuously and re-evaluates the rule whenever one of those resources is created or modified, so an instance or cluster launched without the required tags is marked NON_COMPLIANT without anyone writing or scheduling code.
Because the evaluation is triggered by the service itself, there is nothing to host, schedule or patch, which is what "minimize the effort of configuring and operating this check" asks for. AWS Config can also act on the result: a remediation action (a Systems Manager Automation document, for example one that applies the missing tags) can be attached to the rule and run automatically, and compliance-change notifications can be routed through Amazon EventBridge to notify a team or invoke a Lambda function. Note that AWS Config detects after the fact; to stop untagged resources from being created in the first place, pair it with IAM policies that use the aws:RequestTag and aws:TagKeys condition keys or with an AWS Organizations tag policy.
Option B: Cost Explorer reports on cost allocation tags in billing data, which appears only after the tags are activated and with a delay of up to a day; it is a cost-analysis tool, not a compliance check, and the manual tagging it implies is exactly the operational effort the question wants to avoid. Options C and D: hand-written API calls, whether run periodically on an EC2 instance or from a Lambda function on a CloudWatch (EventBridge) schedule, reimplement what the managed rule already does and then have to be maintained, hosted and monitored.
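The two halves of answer (A) in code, as an added example that is not part of the original page: build_required_tags_rule() produces the payload for boto3's put_config_rule() using the AWS managed rule REQUIRED_TAGS scoped to the three resource types, and evaluate_tags() plus lambda_handler() show the same check written as a custom Lambda-backed rule (useful when you need more than six keys or value rules the managed rule cannot express). The rule name, tag keys, the custom rule's parameter names (requiredKeys, allowedValues) and SAMPLE_ITEM are all constructed for the example.

```python
"""Added example (not code from the original page): the AWS Config pieces
behind answer (A). Rule name, tag keys, the custom rule's parameter names
and SAMPLE_ITEM are constructed; API shapes are those of put_config_rule()
and put_evaluations()."""
import json

# Resource types named in the question; all are supported by REQUIRED_TAGS.
TARGET_TYPES = ["AWS::EC2::Instance", "AWS::RDS::DBInstance", "AWS::Redshift::Cluster"]


def build_required_tags_rule(rule_name, required_keys, allowed_values=None):
    """Return the argument for boto3.client("config").put_config_rule(**payload).

    required_keys: 1..6 tag keys (the managed rule's limit).
    allowed_values: optional {key: [values]}; becomes tagNValue, which the
    managed rule reads as a comma-separated list.
    """
    allowed_values = allowed_values or {}
    if not 1 <= len(required_keys) <= 6:
        raise ValueError("REQUIRED_TAGS accepts between 1 and 6 tag keys")
    params = {}
    for n, key in enumerate(required_keys, start=1):
        params[f"tag{n}Key"] = key
        if key in allowed_values:
            params[f"tag{n}Value"] = ",".join(allowed_values[key])
    return {
        "ConfigRule": {
            "ConfigRuleName": rule_name,
            "Description": "EC2, RDS and Redshift resources must carry the required tags",
            "Scope": {"ComplianceResourceTypes": TARGET_TYPES},
            "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"},
            # InputParameters is a JSON string, not a dict.
            "InputParameters": json.dumps(params),
        }
    }


def evaluate_tags(item, required_keys, allowed_values=None):
    """Compliance decision for one configuration item: (ComplianceType, annotation)."""
    if item.get("resourceType") not in TARGET_TYPES:
        return "NOT_APPLICABLE", "resource type not in scope"
    tags = item.get("tags") or {}
    missing = [k for k in required_keys if k not in tags]
    wrong = [k for k, values in (allowed_values or {}).items()
             if k in tags and tags[k] not in values]
    if missing or wrong:
        notes = []
        if missing:
            notes.append("missing tags: " + ", ".join(missing))
        if wrong:
            notes.append("disallowed values for: " + ", ".join(wrong))
        return "NON_COMPLIANT", "; ".join(notes)
    return "COMPLIANT", "all required tags present"


def lambda_handler(event, context):
    """Entry point for a custom Config rule. ruleParameters (a JSON string) is
    assumed to carry requiredKeys="Owner,CostCenter" and optionally
    allowedValues='{"Environment": ["prod"]}' (both names are constructed)."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, note = evaluate_tags(
        item,
        params["requiredKeys"].split(","),
        json.loads(params["allowedValues"]) if "allowedValues" in params else None,
    )
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3  # imported here so the module loads without AWS credentials
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed configuration item: an RDS instance missing CostCenter and
# carrying an Environment value that is not on the allowed list.
SAMPLE_ITEM = {
    "resourceType": "AWS::RDS::DBInstance",
    "resourceId": "db-EXAMPLE",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "tags": {"Owner": "dba-team", "Environment": "staging"},
}

REQUIRED = ["Owner", "CostCenter", "Environment"]
ALLOWED = {"Environment": ["prod", "dev"]}
```

Deploying the managed rule is one put_config_rule() call with the dict above; the custom-rule path additionally needs the Lambda function's resource policy to allow config.amazonaws.com to invoke it and a Source of Owner CUSTOM_LAMBDA pointing at the function ARN. Either way, evaluation is triggered by configuration changes, not by a schedule you operate.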
Question.47 A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions. Which solution will meet these requirements with the LEAST operational overhead? (A) Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets. (B) Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption. (C) Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets. (D) Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.
Answer is (B) Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.
A multi-Region KMS key is a primary key plus replica keys in other Regions that share the same key ID and key material. The replicas have different ARNs (the Region differs) and their own key policies, but ciphertext produced under the primary can be decrypted with a replica and vice versa. That is the only way for data in both Regions to be encrypted and decrypted with the same customer managed key while a copy of the key material is stored in each Region.
Creating an S3 bucket in each Region and configuring replication between them keeps a copy of the data in both Regions.
With client-side encryption the application wraps each object's data key under the multi-Region key before upload. Replication copies the resulting ciphertext unchanged, and the application in the second Region unwraps the data key with the replica, so nothing is re-encrypted on the way and the same key is used end to end.
Options A and C use SSE-S3, which is not a customer managed KMS key at all. Option D creates two independent single-Region keys, so objects in the second bucket are encrypted under a different key; with SSE-KMS replication, S3 re-encrypts each replica under the destination key named in the replication rule (see the reference below), which again breaks the same-key requirement. The replica key is still a separate resource: it has to be created in the second Region, and the application's access has to be granted in that replica's key policy.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html
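The cross-Region flow behind answer (B), as an added example that is not part of the original page: the application envelope-encrypts an object with a fresh data key, stores the KMS-wrapped data key beside the ciphertext, "replicates" those bytes unchanged, and decrypts in the second Region with the replica key. FakeKms stands in for kms.generate_data_key() and kms.decrypt() so the script runs without AWS; a replica is modelled as a key with the same key ID and key material as the primary, and the single-Region key of option (D) as one with its own. The data cipher is a stand-in too (an HMAC-SHA256 counter keystream with an HMAC tag, chosen only to stay in the standard library), not AES-GCM as the AWS Encryption SDK would use. Key IDs, Regions, the account ID and the object body are constructed.

```python
"""Added example (not code from the original page): envelope encryption in
us-east-1 and decryption in us-west-2 with a multi-Region key, simulated.
FakeKms replaces the KMS API; the stream cipher below is a stand-in for
AES-GCM, not for production use. All identifiers are constructed."""
import hmac
import json
import secrets


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for a real AEAD cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


class FakeKms:
    """One Region's view of a KMS key. Replicas of a multi-Region key share
    key_id and key material with the primary; a single-Region key has its own."""

    def __init__(self, region, key_id, key_material):
        self.region, self.key_id, self._material = region, key_id, key_material

    def generate_data_key(self):
        """Like kms.generate_data_key(): (plaintext data key, wrapped blob)."""
        data_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        wrapped = _xor(data_key, _keystream(self._material, nonce, 32))
        tag = hmac.new(self._material, nonce + wrapped, "sha256").digest()
        return data_key, json.dumps({"key_id": self.key_id, "nonce": nonce.hex(),
                                     "wrapped": wrapped.hex(), "tag": tag.hex()}).encode()

    def decrypt(self, blob):
        """Like kms.decrypt(): succeeds only if key ID and key material both match."""
        b = json.loads(blob)
        if b["key_id"] != self.key_id:
            raise PermissionError(f"{self.region}: blob wrapped under {b['key_id']}, not {self.key_id}")
        nonce, wrapped = bytes.fromhex(b["nonce"]), bytes.fromhex(b["wrapped"])
        expected = hmac.new(self._material, nonce + wrapped, "sha256").digest()
        if not hmac.compare_digest(expected, bytes.fromhex(b["tag"])):
            raise PermissionError(f"{self.region}: key material does not match")
        return _xor(wrapped, _keystream(self._material, nonce, 32))


def encrypt_object(kms, plaintext):
    """Client-side envelope encryption; the dict is what the app PUTs to S3."""
    data_key, wrapped_key = kms.generate_data_key()
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(plaintext, _keystream(data_key, nonce, len(plaintext)))
    tag = hmac.new(data_key, nonce + ciphertext, "sha256").digest()
    return {"wrapped_key": wrapped_key.decode(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_object(kms, obj):
    """Unwrap the data key with whichever key this Region holds, then decrypt."""
    data_key = kms.decrypt(obj["wrapped_key"].encode())
    nonce, ciphertext = bytes.fromhex(obj["nonce"]), bytes.fromhex(obj["ciphertext"])
    expected = hmac.new(data_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, bytes.fromhex(obj["tag"])):
        raise ValueError("object tampered or wrong data key")
    return _xor(ciphertext, _keystream(data_key, nonce, len(ciphertext)))


def cross_region_demo():
    """Encrypt under the primary, replicate the bytes, decrypt under the replica;
    then show that an unrelated single-Region key (option D) cannot."""
    material = secrets.token_bytes(32)
    primary = FakeKms("us-east-1", "mrk-0123456789abcdef0123456789abcdef", material)
    replica = FakeKms("us-west-2", "mrk-0123456789abcdef0123456789abcdef", material)
    separate = FakeKms("us-west-2", "1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d", secrets.token_bytes(32))

    body = b"customer-export-2024-01.csv"
    stored = encrypt_object(primary, body)
    replicated = json.loads(json.dumps(stored))  # S3 replication copies the object as-is

    result = {"replica_decrypts": decrypt_object(replica, replicated) == body}
    try:
        decrypt_object(separate, replicated)
        result["separate_key_fails"] = False
    except PermissionError:
        result["separate_key_fails"] = True
    return result
```

With real KMS the wrapped blob is the CiphertextBlob from generate_data_key(), and the Region-2 application passes the replica's ARN as KeyId to decrypt(); the only per-Region setup is creating the replica and granting the application in that Region access in the replica's key policy.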