A company is migrating its on-premises Windows applications and Linux applications to AWS. The company will use automation to launch Amazon EC2 instances to mirror the on- premises configurations. The migrated applications require access to shared storage that uses SMB for Windows and NFS for Linux.
The company is also creating a pilot light disaster recovery (DR) environment in another AWS Region. The company will use automation to launch and configure the EC2 instances in the DR Region. The company needs to replicate the storage to the DR Region.
Which storage solution will meet these requirements?

1. A. Use Amazon S3 for the application storag
2. B. Create an S3 bucket in the primary Region and an S3 bucket in the DR Regio
3. C. Configure S3 Cross-Region Replication (CRR) from the primary Region to the DR Region.
4. D. Use Amazon Elastic Block Store (Amazon EBS) for the application storag
5. E. Create a backup plan in AWS Backup that creates snapshots of the EBS volumes that are in the primary Region and replicates the snapshots to the DR Region.
6. F. Use a Volume Gateway in AWS Storage Gateway for the application storag
7. G. Configure Cross-Region Replication (CRR) of the Volume Gateway from the primary Region to the DR Region.
8. H. Use Amazon FSx for NetApp ONTAP for the application storag
9. I. Create an FSx for ONTAP instance in the DR Regio
10. J. Configure NetApp SnapMirror replication from the primary Region to the DR Region.

Correct Answer: D
To meet the requirements of migrating its on-premises Windows and Linux applications to AWS and creating a pilot light DR environment in another AWS Region, the company should use Amazon FSx for NetApp ONTAP for the application storage. Amazon FSx for NetApp ONTAP is a fully managed service that provides highly reliable, scalable, high- performing, and feature-rich file storage built on NetApp’s popular ONTAP file system. FSx for ONTAP supports multiple protocols, including SMB for Windows and NFS for Linux, so the company can access the shared storage from both types of applications. FSx for ONTAP also supports NetApp SnapMirror replication, which enables the company to replicate the storage to the DR Region. NetApp SnapMirror replication is efficient, secure, and incremental, and it preserves the data deduplication and compression benefits of FSx for ONTAP. The company can use automation to launch and configure the EC2 instances in the DR Region and then use NetApp SnapMirror to restore the data from the primary Region.
The other options are not correct because they do not meet the requirements or follow best practices. Using Amazon S3 for the application storage is not a good option because S3 is an object storage service that does not support SMB or NFS protocols natively. The company would need to use additional services or software to mount S3 buckets as file systems, which would add complexity and cost. Using Amazon EBS for the application storage is also not a good option because EBS is a block storage service that does not support SMB or NFS protocols natively. The company would need to set up and manage file servers on EC2 instances to provide shared access to the EBS volumes, which would add overhead and maintenance. Using a Volume Gateway in AWS Storage Gateway for the application storage is not a valid option because Volume Gateway does not support SMB protocol. Volume Gateway only supports iSCSI protocol, which means that only Linux applications can access the shared storage.
References:
✑ 1: What is Amazon FSx for NetApp ONTAP? - FSx for ONTAP
✑ 2: Amazon FSx for NetApp ONTAP
✑ 3: Amazon FSx for NetApp ONTAP | NetApp
✑ 4: AWS Announces General Availability of Amazon FSx for NetApp ONTAP
✑ : Replicating Data with NetApp SnapMirror - FSx for ONTAP
✑ : What Is Amazon S3? - Amazon Simple Storage Service
✑ : What Is Amazon Elastic Block Store (Amazon EBS)? - Amazon Elastic Compute Cloud
✑ : What Is AWS Storage Gateway? - AWS Storage Gateway

A company uses an Amazon API Gateway regional REST API to host its application API. The REST API has a custom domain. The REST API's default endpoint is deactivated.
The company's internal teams consume the API. The company wants to use mutual TLS between the API and the internal teams as an additional layer of authentication.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA). Provision a client certificate that is signed by the private CA.
2. B. Provision a client certificate that is signed by a public certificate authority (CA). Import the certificate into AWS Certificate Manager (ACM).
3. C. Upload the provisioned client certificate to an Amazon S3 bucke
4. D. Configure the API Gateway mutual TLS to use the client certificate that is stored in the S3 bucket as the trust store.
5. E. Upload the provisioned client certificate private key to an Amazon S3 bucke
6. F. Configure the API Gateway mutual TLS to use the private key that is stored in the S3 bucket as the trust store.
7. G. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucke
8. H. Configure the API Gateway mutual TLS to use the private CA certificate that is stored in the S3 bucket as the trust store.

Correct Answer: AE
Mutual TLS (mTLS) authentication requires two-way authentication between the client and the server. For Amazon API Gateway, you can enable mTLS for a custom domain name, which requires clients to present X.509 certificates to verify their identity to access your API. To set up mTLS, you would typically use AWS Certificate Manager (ACM) to create a private certificate authority (CA) and provision a client certificate signed by this private
CA. The root CA certificate is then uploaded to an Amazon S3 bucket and configured in API Gateway as the trust store12.
References:
✑ Introducing mutual TLS authentication for Amazon API Gateway1.
✑ Configuring mutual TLS authentication for a REST API2.
✑ AWS Private Certificate Authority details3.
✑ AWS Certificate Manager Private Certificate Authority updates4.

A company uses AWS CodeArtifact to centrally store Python packages. The CodeArtifact repository is configured with the following repository policy.

A development team is building a new project in an account that is in an organization in AWS Organizations. The development team wants to use a Python library that has already been stored in the CodeArtifact repository in the organization. The development team uses AWS CodePipeline and AWS CodeBuild to build the new application. The CodeBuild job that the development team uses to build the application is configured to run in a VPC Because of compliance requirements the VPC has no internet connectivity.
The development team creates the VPC endpoints for CodeArtifact and updates the CodeBuild buildspec yaml file. However, the development team cannot download the Python library from the repository.
Which combination of steps should a DevOps engineer take so that the development team can use Code Artifact? (Select TWO.)

1. A. Create an Amazon S3 gateway endpoint Update the route tables for the subnets thatare running the CodeBuild job.
2. B. Update the repository policy's Principal statement to include the ARN of the role that the CodeBuild project uses.
3. C. Share the CodeArtifact repository with the organization by using AWS Resource Access Manager (AWS RAM).
4. D. Update the role that the CodeBuild project uses so that the role has sufficient permissions to use the CodeArtifact repository.
5. E. Specify the account that hosts the repository as the delegated administrator for CodeArtifact in the organization.

Correct Answer: AD
"AWS CodeArtifact operates in multiple Availability Zones and stores artifact data and metadata in Amazon S3 and Amazon DynamoDB. Your encrypted data is redundantly stored across multiple facilities and multiple devices in each facility, making it highly available and highly durable." https://aws.amazon.com/codeartifact/features/ With no internet connectivity, a gateway endpoint becomes necessary to access S3.

A DevOps engineer is building an application that uses an AWS Lambda function to query an Amazon Aurora MySQL DB cluster. The Lambda function performs only read queries. Amazon EventBridge events invoke the Lambda function.
As more events invoke the Lambda function each second, the database's latency increases and the database's throughput decreases. The DevOps engineer needs to improve the performance of the application.
Which combination of steps will meet these requirements? (Select THREE.)

1. A. Use Amazon RDS Proxy to create a prox
2. B. Connect the proxy to the Aurora cluster reader endpoin
3. C. Set a maximum connections percentage on the proxy.
4. D. Implement database connection pooling inside the Lambda cod
5. E. Set a maximum number of connections on the database connection pool.
6. F. Implement the database connection opening outside the Lambda event handler code.
7. G. Implement the database connection opening and closing inside the Lambda event handler code.
8. H. Connect to the proxy endpoint from the Lambda function.
9. I. Connect to the Aurora cluster endpoint from the Lambda function.

Correct Answer: ACE
To improve the performance of the application, the DevOps engineer should use Amazon RDS Proxy, implement the database connection opening outside the Lambda event handler code, and connect to the proxy endpoint from the Lambda function. References:
✑ Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure1. By using Amazon RDS Proxy, the DevOps engineer can reduce the overhead of opening and closing connections to the database, which can improve latency and throughput2.
✑ The DevOps engineer should connect the proxy to the Aurora cluster reader
endpoint, which allows read-only connections to one of the Aurora Replicas in the DB cluster3. This can help balance the load across multiple read replicas and improve performance for read-intensive workloads4.
✑ The DevOps engineer should implement the database connection opening outside the Lambda event handler code, which means using a global variable to store the database connection object5. This can enable connection reuse across multiple invocations of the Lambda function, which can reduce latency and improve performance.
✑ The DevOps engineer should connect to the proxy endpoint from the Lambda function, which is a unique URL that represents the proxy. This can allow the Lambda function to access the database through the proxy, which can provide benefits such as connection pooling, load balancing, failover handling, and enhanced security.
✑ The other options are incorrect because:

A company is using AWS to run digital workloads. Each application team in the company has its own AWS account for application hosting. The accounts are consolidated in an organization in AWS Organizations.
The company wants to enforce security standards across the entire organization. To avoid noncompliance because of security misconfiguration, the company has enforced the use of AWS CloudFormation. A production support team can modify resources in the production environment by using the AWS Management Console to troubleshoot and resolve application-related issues.
A DevOps engineer must implement a solution to identify in near real time any AWS
service misconfiguration that results in noncompliance. The solution must automatically remediate the issue within 15 minutes of identification. The solution also must track noncompliant resources and events in a centralized dashboard with accurate timestamps.
Which solution will meet these requirements with the LEAST development overhead?

1. A. Use CloudFormation drift detection to identify noncompliant resource
2. B. Use drift detection events from CloudFormation to invoke an AWS Lambda function for remediatio
3. C. Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log grou
4. D. Configure an Amazon CloudWatch dashboard to use the log group for tracking.
5. E. Turn on AWS CloudTrail in the AWS account
6. F. Analyze CloudTrail logs by using Amazon Athena to identify noncompliant resource
7. G. Use AWS Step Functions to track query results on Athena for drift detection and to invoke an AWS Lambda function for remediatio
8. H. For tracking, set up an Amazon QuickSight dashboard that uses Athena as the data source.
9. I. Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resource
10. J. Enable AWS Security Hub with the ~no-enable-default-standards option in all the AWS account
11. K. Set up AWS Config managed rules and custom rule
12. L. Set up automatic remediation by using AWS Config conformance pack
13. M. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.
14. N. Turn on AWS CloudTrail in the AWS account
15. O. Analyze CloudTrail logs by using Amazon CloudWatch Logs to identify noncompliant resource
16. P. Use CloudWatch Logs filters for drift detectio
17. Q. Use Amazon EventBridge to invoke the Lambda function for remediatio
18. R. Stream filtered CloudWatch logs to Amazon OpenSearch Servic
19. S. Set up a dashboard on OpenSearch Service for tracking.

Correct Answer: C
The best solution is to use AWS Config and AWS Security Hub to identify and remediate noncompliant resources across multiple AWS accounts. AWS Config enables continuous monitoring of the configuration of AWS resources and evaluates them against desired configurations. AWS Config can also automatically remediate noncompliant resources by using conformance packs, which are a collection of AWS Config rules and remediation actions that can be deployed as a single entity. AWS Security Hub provides a comprehensive view of the security posture of AWS accounts and resources. AWS Security Hub can aggregate and normalize the findings from AWS Config and other AWS services, as well as from partner solutions. AWS Security Hub can also be used to create a dashboard for tracking noncompliant resources and events in a centralized location.
The other options are not optimal because they either require more development overhead, do not provide near real time detection and remediation, or do not provide a centralized dashboard for tracking.
Option A is not optimal because CloudFormation drift detection is not a near real time solution. Drift detection has to be manually initiated on each stack or resource, or scheduled using a cron expression. Drift detection also does not provide remediation
actions, so a custom Lambda function has to be developed and invoked. CloudWatch Logs and dashboard can be used for tracking, but they do not provide a comprehensive view of the security posture of the AWS accounts and resources.
Option B is not optimal because CloudTrail logs analysis using Athena is not a near real time solution. Athena queries have to be manually run or scheduled using a cron expression. Athena also does not provide remediation actions, so a custom Lambda function has to be developed and invoked. Step Functions can be used to orchestrate the query and remediation workflow, but it adds more complexity and cost. QuickSight dashboard can be used for tracking, but it does not provide a comprehensive view of the security posture of the AWS accounts and resources.
Option D is not optimal because CloudTrail logs analysis using CloudWatch Logs is not a near real time solution. CloudWatch Logs filters have to be manually created or updated for each resource type and configuration change. CloudWatch Logs also does not provide remediation actions, so a custom Lambda function has to be developed and invoked. EventBridge can be used to trigger the Lambda function, but it adds more complexity and cost. OpenSearch Service dashboard can be used for tracking, but it does not provide a comprehensive view of the security posture of the AWS accounts and resources. References:
✑ AWS Config conformance packs
✑ Introducing AWS Config conformance packs
✑ Managing conformance packs across all accounts in your organization