- (Topic 3)
A company is building an application in the AWS Cloud. The company wants to use temporary credentials for the application to access other AWS resources.
Which AWS service will meet these requirements?

1. A. AWS Key Management Service (Aws KMS)
2. B. AWS CloudHSM
3. C. Amazon Cognito
4. D. AWS Security Token Service (Aws STS)

Correct Answer: D
AWS Security Token Service (AWS STS) is a service that provides temporary security credentials to users or applications that need to access AWS resources. The temporary credentials have a limited lifetime and can be configured to last from a few minutes to several hours. The credentials are not stored with the user or application, but are generated dynamically and provided on request. The credentials work almost identically to long-term access key credentials, but have the advantage of not requiring distribution, rotation, or revocation1.
AWS Key Management Service (AWS KMS) is a service that provides encryption and decryption services for data and keys. It does not provide temporary security credentials2. AWS CloudHSM is a service that provides hardware security modules (HSMs) for cryptographic operations and key management. It does not provide temporary security credentials3.
Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. It can also provide temporary security credentials for authenticated users, but not for applications4.

- (Topic 1)
Which of the following are design principles for reliability in the AWS Cloud? (Select TWO.)

1. A. Build architectures with tightly coupled resources.
2. B. Use AWS Trusted Advisor to meet security best practices.
3. C. Use automation to recover immediately from failure.
4. D. Rightsize Amazon EC2 instances to ensure optimal performance.
5. E. Simulate failures to test recovery processes.

Correct Answer: CE
The design principles for reliability in the AWS Cloud are:
✑ Test recovery procedures. The best way to ensure that systems can recover from failures is to regularly test them using simulated scenarios. This can help identify gaps and improve the recovery process.
✑ Automatically recover from failure. By using automation, systems can detect and correct failures without human intervention. This can reduce the impact and duration of failures and improve the availability of the system.
✑ Scale horizontally to increase aggregate system availability. By adding more redundant resources to the system, the impact of individual resource failures can be reduced. This can also improve the performance and scalability of the system.
✑ Stop guessing capacity. By using monitoring and automation, systems can adjust the capacity based on the demand and performance metrics. This can prevent failures due to insufficient or excessive capacity and optimize the cost and efficiency of the system.
✑ Manage change in automation. By using automation, changes to the system can be applied in a consistent and controlled manner. This can reduce the risk of human errors and configuration drifts that can cause failures. AWS Well- Architected Framework

- (Topic 2)
Which AWS service provides the SIMPLEST way for the company to establish a website on AWS?

1. A. Amazon Elastic File System (Amazon EFS)
2. B. AWS Elastic Beanstalk
3. C. AWS Lambda
4. D. Amazon Lightsail

Correct Answer: D
Amazon Lightsail is an easy-to-use cloud platform that offers you everything needed to build an application or website, plus a cost-effective, monthly plan. Whether you’re new to the cloud or looking to get on the cloud quickly with AWS infrastructure you trust, we’ve got you covered. Lightsail provides the simplest way for the company to establish a website on AWS.

- (Topic 3)
A company is building an application on AWS. The application needs to comply with credit card regulatory requirements. The company needs proof that the AWS services and deployment are in compliance.
Which actions should the company take to meet these requirements? (Select TWO.)

1. A. Use Amazon Inspector to submit the application for certification.
2. B. Ensure that the application's underlying hardware components comply with requirements.
3. C. Use AWS Artifact to access AWS documents about the compliance of the services.
4. D. Get the compliance of the application certified by a company assessor.
5. E. Use AWS Security Hub to certify the compliance of the application.

Correct Answer: CD
Using AWS Artifact to access AWS documents about the compliance of the services, and getting the compliance of the application certified by a company assessor are actions that the company should take to meet the requirements of complying with credit card regulatory requirements. AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. AWS Artifact can help you demonstrate compliance with credit card regulatory requirements by providing you with proof that the AWS services and deployment are in compliance. Getting the compliance of the application certified by a company assessor is an action that the company should take to ensure that the application meets the specific requirements of the credit card industry. A company assessor is an independent third-party entity that is qualified to assess the compliance of the application with the relevant standards and regulations. Using Amazon Inspector to submit the application for certification is not an action that the company should take, because Amazon Inspector is a service that helps you improve the security and compliance of your applications deployed on AWS by automatically assessing them for vulnerabilities and deviations from best practices, but it does not provide certification for the applications. Ensuring that the application’s underlying hardware components comply with requirements is not an action that the company should take, because the application is deployed on AWS, and AWS is responsible for the security and compliance of the underlying hardware components. This is part of the shared responsibility model, where AWS is responsible for security of the cloud, and customers are responsible for security in the cloud. Using AWS Security Hub to certify the compliance of the application is not an action that the company should take, because AWS Security Hub is a service that gives you a comprehensive view of your security posture across your AWS accounts and helps you check your environment against security industry standards and best practices, but it does not provide certification for the applications.

- (Topic 2)
A company needs help managing multiple AWS linked accounts that are reported on a consolidated bill.
Which AWS Support plan includes an AWS concierge whom the company can ask for assistance?

1. A. AWS Developer Support
2. B. AWS Enterprise Support
3. C. AWS Business Support
4. D. AWS Basic Support

Correct Answer: B
AWS Enterprise Support is the AWS Support plan that includes an AWS concierge whom the company can ask for assistance. According to the AWS Support Plans page, AWS Enterprise Support provides "a dedicated Technical Account Manager (TAM) who provides advocacy and guidance to help plan and build solutions using best practices, coordinate access to subject matter experts, and proactively keep your AWS environment operationally healthy."2 AWS Business Support, AWS Developer Support, and AWS Basic Support do not include a TAM or a concierge service.