- (Topic 1)
A security engineer wants a single-tenant AWS solution to create, control, and manage their own cryptographic keys to meet regulatory compliance requirements for data security.
Which AWS service should the engineer use?

1. A. AWS Key Management Service (AWS KMS)
2. B. AWS Certificate Manager (ACM)
3. C. AWS CloudHSM
4. D. AWS Systems Manager

Correct Answer: C
The correct answer is C because AWS CloudHSM is an AWS service that enables the security engineer to meet the requirements. AWS CloudHSM is a service that provides customers with dedicated hardware security modules (HSMs) to create, control, and manage their own cryptographic keys in the AWS Cloud. AWS CloudHSM allows customers to meet strict regulatory compliance requirements for data security, such as FIPS 140-2 Level 3, PCI-DSS, and HIPAA. The other options are incorrect because they are not AWS services that enable the security engineer to meet the requirements. AWS Key Management Service (AWS KMS) is a service that provides customers with a fully managed, scalable, and integrated key management system to create and control encryption keys for AWS services and applications. AWS KMS does not provide customers with single-tenant or dedicated HSMs. AWS Certificate Manager (ACM) is a service that provides customers with a simple and secure way to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. ACM does not provide customers with HSMs or cryptographic keys. AWS Systems Manager is a service that provides customers with a unified user interface to view operational data from multiple AWS services and automate operational tasks across their AWS resources. AWS Systems Manager does not provide customers with HSMs or cryptographic keys. Reference: AWS CloudHSM FAQs

- (Topic 3)
A company needs to store infrequently used data for data archives and long-term backups.
A company needs a history report about how its Amazon EC2 instances were modified last month.
Which AWS service can be used to meet this requirement?

1. A. AWS Service Catalog
2. B. AWS Config
3. C. Amazon CloudWatch
4. D. AWS Artifact

Correct Answer: B
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records
your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Config can also track changes to your EC2 instances over time and provide a history report of the modifications. AWS Service Catalog, Amazon CloudWatch, and AWS Artifact are not the best services to meet this requirement. AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS. Amazon CloudWatch is a service that monitors your AWS resources and applications and provides metrics, alarms, dashboards, and logs. AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and online agreements

- (Topic 1)
Which pillar of the AWS Well-Architected Framework includes a design principle about measuring the overall efficiency of workloads in terms of business value?

1. A. Operational excellence
2. B. Security
3. C. Reliability
4. D. Cost optimization

Correct Answer: A
The operational excellence pillar of the AWS Well-Architected Framework includes a design principle about measuring the overall efficiency of workloads in terms of business value. This principle states that you should monitor and measure key performance indicators (KPIs) and set targets and thresholds that align with your business goals. You should also use feedback loops to continuously improve your processes and procedures1.

- (Topic 3)
Which of the following is a benefit of using an AWS managed service?

1. A. Reduced operational overhead for a company's IT staff
2. B. Increased fixed costs that can be predicted by a finance team
3. C. Removal of the need to have a backup strategy
4. D. Removal of the need to follow compliance standards

Correct Answer: A
This is a benefit of using an AWS managed service, such as Amazon S3, Amazon DynamoDB, or AWS Lambda. AWS managed services are fully managed by AWS, which means that AWS handles the provisioning, scaling, patching, backup, and recovery of the underlying infrastructure and software. This reduces the operational overhead for the company’s IT staff, who can focus on their core business logic and innovation. You can learn more about the AWS managed services from this webpage or this digital course.

- (Topic 2)
A company has an Amazon S3 bucket containing images of scanned financial invoices. The company is building an artificial intelligence (Al)-based application on AWS. The company wants the application to identify and read total balance amounts on the invoices.
Which AWS service will meet these requirements?

1. A. Amazon Forecast
2. B. Amazon Textract
3. C. Amazon Rekognition
4. D. Amazon Lex

Correct Answer: B
Amazon Textract is a service that automatically extracts text and data from scanned documents. Amazon Textract goes beyond simple optical character recognition (OCR) to also identify the contents of fields in forms and information stored in tables. Amazon Textract can analyze images of scanned financial invoices and extract the total balance amounts, as well as other relevant information, such as invoice number, date, vendor name, etc5.