Question.26 A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security: The database must use strong, randomly generated passwords stored in a secure AWS managed service. The application resources must be deployed through AWS CloudFormation. The application must rotate credentials for the database every 90 days. A solutions architect will generate a CloudFormation template to deploy the application. Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?
(A) Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
(B) Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.
(C) Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
(D) Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.
Answer: A
Explanation:
The correct answer is A because it leverages AWS Secrets Manager for secure password generation, storage, and automated rotation, aligning with the security engineer’s requirements with minimal operational overhead.
Here’s a detailed justification:
- AWS Secrets Manager: This service is designed for securely managing secrets like database passwords. It offers built-in rotation capabilities, reducing the operational burden of manual rotation. https://aws.amazon.com/secrets-manager/
- Random Password Generation: Secrets Manager can generate strong, random passwords, satisfying the requirement for strong credentials.
- Secure Storage: Secrets Manager encrypts secrets at rest and in transit, enhancing security.
- Automated Rotation: The RotationSchedule resource in Secrets Manager automates password rotation according to the specified frequency (90 days in this case), eliminating the need for manual intervention or custom scheduling mechanisms, thus minimizing operational overhead.
- Lambda Function: A Lambda function acts as the rotation function, executing the necessary steps to update the database password and update the secret in Secrets Manager. Secrets Manager natively integrates with Lambda for this purpose.
- CloudFormation Integration: Secrets Manager resources can be defined and deployed directly through CloudFormation, enabling infrastructure-as-code and streamlining deployment.
Option B is incorrect because AWS Systems Manager Parameter Store, while capable of storing secrets, does not have a built-in automated rotation mechanism like Secrets Manager. Parameter Store does not have a RotationSchedule resource.
Option C is incorrect because using Amazon EventBridge to trigger a Lambda function for rotation requires more configuration and management than the built-in RotationSchedule feature of Secrets Manager, leading to increased operational overhead. Also, while EventBridge would work, Secrets Manager is the designed and recommended approach.
Option D is incorrect because AWS AppSync is not intended for automatic password rotation of RDS databases. AppSync is a GraphQL service. Systems Manager Parameter Store lacks the native rotation features of Secrets Manager.
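As an added example (not part of the original explanation), here is the four-step protocol that a Secrets Manager rotation function runs, in Python: Secrets Manager invokes the function once per step with a Step and ClientRequestToken, and the new password only becomes AWSCURRENT after it has been proven to work. The FakeSecretsManager and FakeMySql classes are constructed stand-ins for the real Secrets Manager API and the RDS database, so the block runs offline; with a RotationSchedule that uses HostedRotationLambda you would not write this yourself.

```python
import secrets
import string

# Simplified in-memory stand-ins (constructed for this example) for the two systems a
# rotation function talks to: the secret's versions/staging labels and the database.
class FakeSecretsManager:
    def __init__(self, initial_password):
        self.versions = {"v0": {"value": initial_password, "stages": {"AWSCURRENT"}}}
    def get_secret_value(self, stage=None, version_id=None):
        for vid, ver in self.versions.items():
            if vid == version_id or (version_id is None and stage in ver["stages"]):
                return ver["value"]
        raise KeyError("no version matches")
    def put_secret_value(self, version_id, value, stage):
        self.versions[version_id] = {"value": value, "stages": {stage}}
    def move_stage(self, stage, to_version_id):  # real API: update_secret_version_stage
        for ver in self.versions.values():
            ver["stages"].discard(stage)
        self.versions[to_version_id]["stages"].add(stage)

class FakeMySql:
    def __init__(self, password):
        self.password = password
    def change_password(self, current, new):
        if current != self.password:  # ALTER USER requires a working login first
            raise PermissionError("authentication failed")
        self.password = new
    def can_login(self, password):
        return password == self.password

def generate_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!#%^*_-+="
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate(event, sm, db):
    """One rotation step; Secrets Manager invokes the function once per step."""
    step, token = event["Step"], event["ClientRequestToken"]
    if step == "createSecret":
        try:
            sm.get_secret_value(version_id=token)  # retried invocation: keep pending value
        except KeyError:
            sm.put_secret_value(token, generate_password(), "AWSPENDING")
    elif step == "setSecret":
        db.change_password(sm.get_secret_value(stage="AWSCURRENT"),
                           sm.get_secret_value(version_id=token))
    elif step == "testSecret":
        if not db.can_login(sm.get_secret_value(version_id=token)):
            raise RuntimeError("pending credential rejected; AWSCURRENT left untouched")
    elif step == "finishSecret":
        sm.move_stage("AWSCURRENT", token)  # the service also marks the old one AWSPREVIOUS
        sm.versions[token]["stages"].discard("AWSPENDING")

def run_rotation(sm, db, token):
    # Drive the four steps in order and return the password that is now AWSCURRENT.
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"Step": step, "SecretId": "app/db", "ClientRequestToken": token}, sm, db)
    return sm.get_secret_value(stage="AWSCURRENT")
```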
Question.27 A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand. Which solutions meet these requirements? (Choose two.)
(A) Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
(B) Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
(C) Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.
(D) Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data from the DynamoDB tables.
(E) Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions.
Answer: AC
Explanation:
Here’s a detailed justification for why options A and C are the correct choices, and why the others are not:
Why A is correct:
- Amazon API Gateway REST API: API Gateway is a fully managed service that makes it easy to create, publish, maintain, monitor, and secure APIs at any scale. It’s designed for creating robust, scalable APIs for backend services. A REST API allows you to expose your DynamoDB data through standard HTTP methods (GET, POST, PUT, DELETE).
- Direct Integrations (AWS Integration Type): API Gateway offers “AWS Service Proxy” integrations, which allow you to directly integrate with AWS services like DynamoDB without needing to write any code. You can map the incoming HTTP request parameters to DynamoDB operations (e.g., GetItem, Query, Scan). This greatly simplifies the architecture and reduces latency.
Why C is correct:
- Amazon API Gateway HTTP API: Similar to REST APIs, HTTP APIs also offer a way to expose backend functionality via HTTP. They are often more cost-effective and have lower latency than REST APIs for simpler use cases.
- Lambda Function Integration: This involves using Lambda functions as an intermediary layer between the API Gateway and DynamoDB. The API Gateway triggers the Lambda function upon receiving a request. The Lambda function then interacts with DynamoDB (e.g., querying the database), processes the retrieved data, and returns the response back to the API Gateway, which in turn sends it to the client. This offers flexibility in data transformation and business logic implementation.
Why B is incorrect:
- While HTTP APIs are a viable option for creating APIs, direct integration with DynamoDB is not a supported feature for HTTP APIs. They are better suited for proxying requests to backend compute such as Lambda functions, HTTP endpoints, or Application Load Balancers.
Why D is incorrect:
- AWS Global Accelerator and Lambda@Edge: While Global Accelerator improves application availability and performance for globally distributed users, it is not primarily designed for API functionality as described in the question. While Lambda@Edge, which operates as part of CloudFront, could interact with DynamoDB, it’s more commonly used for edge processing and caching closer to users. Using it as the primary API layer introduces unnecessary complexity compared to API Gateway.
Why E is incorrect:
- Network Load Balancer (NLB) with Lambda: While NLBs can front Lambda functions, they are not typically used to expose API endpoints directly to the public. An NLB is a Layer 4 load balancer, which means it operates on the transport layer. It primarily handles TCP, TLS, and UDP traffic. API Gateway provides better features to define API endpoints and ensure security with authorization.
In summary: Options A and C provide the best serverless architectures for exposing DynamoDB data via a public API, offering scalability, security, and ease of management. Option A simplifies the setup with direct integrations, while Option C provides more flexibility and customization.
Authoritative Links:
API Gateway AWS Integrations: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-integration-types.html
Amazon API Gateway: https://aws.amazon.com/api-gateway/
AWS Lambda: https://aws.amazon.com/lambda/
Amazon DynamoDB: https://aws.amazon.com/dynamodb/
Question.28 A company has registered 10 new domain names. The company uses the domains for online marketing. The company needs a solution that will redirect online visitors to a specific URL for each domain. All domains and target URLs are defined in a JSON document. All DNS records are managed by Amazon Route 53. A solutions architect must implement a redirect service that accepts HTTP and HTTPS requests. Which combination of steps should the solutions architect take to meet these requirements with the LEAST amount of operational effort? (Choose three.)
(A) Create a dynamic webpage that runs on an Amazon EC2 instance. Configure the webpage to use the JSON document in combination with the event message to look up and respond with a redirect URL.
(B) Create an Application Load Balancer that includes HTTP and HTTPS listeners.
(C) Create an AWS Lambda function that uses the JSON document in combination with the event message to look up and respond with a redirect URL.
(D) Use an Amazon API Gateway API with a custom domain to publish an AWS Lambda function.
(E) Create an Amazon CloudFront distribution. Deploy a Lambda@Edge function.
(F) Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names.
Answer: CEF
Explanation:
Here’s a detailed justification for choosing options C, E, and F for the redirect service implementation, along with supporting concepts and links:
The most efficient approach leverages serverless architecture and content delivery networks to minimize operational overhead. Option C, using an AWS Lambda function, is key. Lambda allows you to execute code without provisioning or managing servers. The Lambda function will parse the JSON document containing domain-to-URL mappings and use the incoming request’s domain name to determine the appropriate redirect URL.
Option E, creating an Amazon CloudFront distribution and using a Lambda@Edge function, is crucial for performance and cost-effectiveness. CloudFront is a content delivery network (CDN) that caches content closer to users, reducing latency and improving the user experience. Lambda@Edge enables you to execute Lambda functions at CloudFront edge locations. In this scenario, the Lambda@Edge function intercepts the request before it reaches your origin (Lambda function in Option C). It checks the host header, consults your domain-to-URL mapping, and generates an HTTP redirect response directly from the edge location. This avoids invoking the origin Lambda function for every redirect, saving costs and further reducing latency.
Option F, creating an SSL certificate with AWS Certificate Manager (ACM) and including all domain names, is essential for secure HTTPS redirects. ACM provides free SSL/TLS certificates for use with AWS services like CloudFront. Using a wildcard certificate (if appropriate and cost-effective based on the number of domains and your security posture) might be suitable, but including all domains as Subject Alternative Names (SANs) is generally preferred for clarity and manageability. This ensures that the certificate is valid for all the domains, allowing CloudFront to serve HTTPS traffic securely.
Options A, B, and D introduce unnecessary complexity and operational overhead. Option A (EC2 instance) requires managing servers, patching, and scaling. Option B (Application Load Balancer) is overkill; a CDN is more suitable for simple redirects. Option D (API Gateway) is unnecessary because CloudFront can directly serve the redirects via Lambda@Edge, bypassing the need for an API gateway.
Therefore, CEF is the optimal combination. It offers a scalable, performant, and cost-effective solution with minimal operational burden. The other options would result in managing infrastructure or unnecessary layers of complexity.
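An added example, not part of the original explanation: a Lambda@Edge viewer-request handler in Python that performs the lookup described for options C and E. The domain-to-URL mapping and the hostnames are constructed; the handler additionally accepts the www. form of each domain, which the question does not mention, and answers unknown hosts with a 404 so the Location header is only ever taken from the mapping.

```python
import json

# Constructed stand-in for the company's JSON document of domain -> target URL.
REDIRECT_MAP_JSON = """
{
  "promo-one.example": "https://www.example.com/campaigns/one",
  "promo-two.example": "https://www.example.com/campaigns/two?src=promo"
}
"""
REDIRECT_MAP = json.loads(REDIRECT_MAP_JSON)


def lookup_redirect(host, redirect_map=REDIRECT_MAP):
    """Resolve a Host header value to a target URL; None when the host is unknown."""
    # Normalise: lower-case, drop any :port, drop a trailing dot, accept the www. form.
    host = host.lower().split(":")[0].rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return redirect_map.get(host)


def handler(event, context=None):
    """Lambda@Edge viewer-request handler: answer with a redirect from the edge."""
    request = event["Records"][0]["cf"]["request"]
    # CloudFront lower-cases header names; each header is a list of {key, value}.
    host_values = request["headers"].get("host", [])
    target = lookup_redirect(host_values[0]["value"]) if host_values else None
    if target is None:
        # Unknown domain: a fixed 404, never a redirect built from request input.
        return {
            "status": "404",
            "statusDescription": "Not Found",
            "headers": {"content-type": [{"key": "Content-Type", "value": "text/plain"}]},
            "body": "Unknown domain",
        }
    return {
        "status": "301",
        "statusDescription": "Moved Permanently",
        "headers": {
            "location": [{"key": "Location", "value": target}],
            "cache-control": [{"key": "Cache-Control", "value": "max-age=3600"}],
        },
    }


def make_event(host, uri="/"):
    """Build a minimal CloudFront viewer-request event for local testing (constructed)."""
    return {"Records": [{"cf": {"request": {
        "uri": uri, "method": "GET",
        "headers": {"host": [{"key": "Host", "value": host}]},
    }}}]}
```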
Supporting Links:
AWS Certificate Manager (ACM): https://aws.amazon.com/certificate-manager/
AWS Lambda: https://aws.amazon.com/lambda/
Amazon CloudFront: https://aws.amazon.com/cloudfront/
Lambda@Edge: https://aws.amazon.com/lambda/edge/
Question.29 A company that has multiple AWS accounts is using AWS Organizations. The company’s AWS accounts host VPCs, Amazon EC2 instances, and containers. The company’s compliance team has deployed a security tool in each VPC where the company has deployments. The security tools run on EC2 instances and send information to the AWS account that is dedicated for the compliance team. The company has tagged all the compliance-related resources with a key of “costCenter” and a value of “compliance”. The company wants to identify the cost of the security tools that are running on the EC2 instances so that the company can charge the compliance team’s AWS account. The cost calculation must be as accurate as possible. What should a solutions architect do to meet these requirements?
(A) In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources.
(B) In the member accounts of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Schedule a monthly AWS Lambda function to retrieve the reports and calculate the total cost for the costCenter tagged resources.
(C) In the member accounts of the organization, activate the costCenter user-defined tag. From the management account, schedule a monthly AWS Cost and Usage Report. Use the tag breakdown in the report to calculate the total cost for the costCenter tagged resources.
(D) Create a custom report in the organization view in AWS Trusted Advisor. Configure the report to generate a monthly billing summary for the costCenter tagged resources in the compliance team’s AWS account.
Answer: A
Explanation:
The correct answer is A because it provides the most accurate and centralized approach to cost allocation across multiple AWS accounts within an organization.
Here’s a detailed justification:
- Tag Activation: Activating the costCenter user-defined tag in the management account ensures that this tag is tracked across all member accounts for cost allocation purposes. Without activating the tag, the Cost and Usage Report will not be able to break down costs based on this tag.
- Centralized Cost and Usage Reports: Configuring monthly AWS Cost and Usage Reports (CUR) to be saved to an Amazon S3 bucket in the management account provides a centralized repository for cost data across the entire organization. This eliminates the need to gather reports from individual member accounts, simplifying the analysis process. The CUR provides the most granular and detailed billing information available in AWS.
- Tag-Based Cost Breakdown: The CUR includes a tag breakdown, which allows you to filter and analyze costs based on specific tags, such as the costCenter tag in this case. This enables you to accurately determine the total cost associated with the compliance-related resources, specifically the EC2 instances running the security tools.
- Accuracy: By using the CUR with tag breakdown, you achieve the most accurate cost calculation. The CUR includes details on all charges, including compute, storage, data transfer, and other AWS services utilized by the tagged resources.
- Centralized Management: Managing the cost reporting and analysis from the management account provides a centralized view of costs and simplifies the process of allocating costs to the compliance team’s AWS account.
Options B and C are less efficient because they involve activating the tag in each member account. While that works technically, it doesn’t leverage the power of consolidated billing. Option B also involves a Lambda function, which introduces unnecessary complexity because the CUR already provides the needed breakdown. Option D is incorrect because AWS Trusted Advisor does not directly provide custom billing summaries based on tags.
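As an added example (not from the original explanation), the aggregation you would run over the CUR’s tag breakdown, in Python over a constructed CSV sample: the column names follow the CUR conventions resourceTags/user:<TagKey> and lineItem/UnblendedCost, while the account IDs, products and amounts are made up. It also shows the failure mode the explanation mentions: if the tag was never activated, the tag column is absent and the script refuses to produce a misleading total.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample of a Cost and Usage Report (CSV). Real reports carry far more
# columns; the tag column only exists once costCenter is an active cost allocation tag.
SAMPLE_CUR = """\
lineItem/UsageAccountId,lineItem/ProductCode,lineItem/LineItemType,lineItem/UnblendedCost,resourceTags/user:costCenter
111111111111,AmazonEC2,Usage,12.50,compliance
111111111111,AmazonEC2,Usage,40.00,
222222222222,AmazonEC2,Usage,7.25,compliance
222222222222,AWSDataTransfer,Usage,0.80,compliance
222222222222,AmazonEC2,Credit,-2.00,compliance
333333333333,AmazonEC2,Usage,99.00,marketing
"""

TAG_COLUMN = "resourceTags/user:costCenter"


def compliance_cost(cur_csv, tag_value="compliance"):
    """Sum unblended cost of rows tagged costCenter=<tag_value>, per account and product.

    Returns (total, breakdown) where breakdown[(account_id, product_code)] is a Decimal.
    """
    reader = csv.DictReader(io.StringIO(cur_csv))
    if TAG_COLUMN not in (reader.fieldnames or []):
        # No tag breakdown at all: the tag was never activated as a cost allocation
        # tag in the management account, so any total computed here would be wrong.
        raise ValueError(f"{TAG_COLUMN} column missing; activate the cost allocation tag")
    breakdown = defaultdict(Decimal)
    for row in reader:
        if row[TAG_COLUMN] != tag_value:
            continue  # untagged rows and other cost centers are not charged back
        key = (row["lineItem/UsageAccountId"], row["lineItem/ProductCode"])
        breakdown[key] += Decimal(row["lineItem/UnblendedCost"])  # credits are negative
    total = sum(breakdown.values(), Decimal("0"))
    return total, dict(breakdown)
```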
Refer to the AWS documentation on Cost and Usage Reports and Tagging for more information:
AWS Organizations Consolidated Billing: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#account
AWS Cost and Usage Reports: https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html
Tagging AWS Resources: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html
Question.30 A company has 50 AWS accounts that are members of an organization in AWS Organizations. Each account contains multiple VPCs. The company wants to use AWS Transit Gateway to establish connectivity between the VPCs in each member account. Each time a new member account is created, the company wants to automate the process of creating a new VPC and a transit gateway attachment. Which combination of steps will meet these requirements? (Choose two.)
(A) From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager.
(B) From the management account, share the transit gateway with member accounts by using an AWS Organizations SCP.
(C) Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID.
(D) Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a peering transit gateway attachment in a member account. Share the attachment with the transit gateway in the management account by using a transit gateway service-linked role.
(E) From the management account, share the transit gateway with member accounts by using AWS Service Catalog.
Answer: AC
Explanation:
The correct answer is AC. Here’s why:
A. From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager.
AWS Resource Access Manager (RAM) is the recommended way to share Transit Gateways across accounts within an AWS Organization. This allows the central Transit Gateway, which manages the network connections, to be used by VPCs in different accounts. Without sharing, each account would need its own Transit Gateway, increasing complexity and cost. RAM simplifies the process of granting access and maintains centralized control. https://docs.aws.amazon.com/ram/latest/userguide/what-is.html
C. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID.
CloudFormation StackSets enable you to deploy CloudFormation stacks across multiple AWS accounts and regions from a single management account. This automates the creation of new VPCs and Transit Gateway attachments in each newly created member account. Specifying the Transit Gateway ID in the CloudFormation template ensures the new attachments connect to the central Transit Gateway instance. This automates the process of establishing connectivity when a new account is created, fulfilling the requirements of the question. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-stacksets.html
Why other options are incorrect:
E: AWS Service Catalog is used to create and manage catalogs of IT services approved for use in AWS. It’s not designed for sharing Transit Gateways.
B: AWS Organizations SCPs (Service Control Policies) primarily manage permissions and guardrails within an organization. They do not share Transit Gateways.
D: A peering transit gateway attachment is not a valid resource, and the approach of sharing via a service-linked role isn’t applicable.