A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance.
Which of the below mentioned entries is not required in NAT's security group for the database servers to connect to the Internet for software updates?

• A.For Outbound allow Destination: 0.0.0.0/0 on port 443
• B.For Inbound allow Source: 20.0.1.0/24 on port 80
• C.For Inbound allow Source: 20.0.0.0/24 on port 80
• D.For Outbound allow Destination: 0.0.0.0/0 on port 80

Comment: *

Name: *

Email: *

Verification: *

A company uses Amazon S3 to host a web application. Currently, the company uses a continuous integration tool running on an Amazon EC2 instance that builds and deploys the application by uploading it to an S3 bucket. A Solutions Architect needs to enhance the security of the company's platform with the following requirements:
* A build process should be run in a separate account from the account hosting the web application.
* A build process should have minimal access in the account it operates in
* Long-lived credentials should not be used.
As a start the Development team created two AWS accounts: one for the application named web account, and one for the build process named build account. Which solution should the Solutions Architect use to meet the security requirements?

• A.In the build account, create a new IAM role, which can be assumed by Amazon EC2 only Attach the role to the EC2instance running the continuous integration process. Create an IAM policy to allow s3.PutObject calls on the S3 bucket in the web account. In the web account, create an S3 bucket policy attached to the S3 bucket that allows the build account to use s3:PutObject calls.
• B.In the build account modify the continuous integration process to perform a lookup of the IAM user credentials from AWSSecrets Manager. In the web account create a new IAM user. Store the access key and secret access key in SecretsManager. Attach the PowerUser Access IAM policy to the IAM user.
• C.In the build account, create a new IAM user. Store the access key and secret access key in AWS Secrets Manager.Modify the continuous integration process to perform a lookup of the IAM user credentials from Secrets Manager. Createan IAM policy to allow s3: PutObject calls on the S3 bucket in the web account and attach it to the user. In the webaccount, create an S3 bucket policy attached to the S3 bucket that allows the newly created IAM user to use s3 PutObjectcalls.
• D.In the build account, create a new IAM role which can be assumed by Amazon EC2 only. Attach the role to the EC2instance running the continuous integration process Create an IAM policy to allow s3 PutObject calls on the S3 bucket in the web account. In the web account create an S3 bucket policy attached to the S3 bucket that allows the newly createdIAM role to use s3 PutObject calls.

Comment: *

Name: *

Email: *

Verification: *

A company has an application that uses Amazon EC2 instances in an Auto Scaling group. The Quality Assurance (QA) department needs to launch a large number of short-lived environments to test the application.
The application environments are currently launched by the Manager of the department using an AWS CloudFormation template. To launch the stack, the Manager uses a role with permission to use CloudFormation, EC2 and Auto Scaling APIs. The Manager wants to allow testers to launch their own environments, but does not want to grant broad permission to each user. Which set up would achieve these goals?

• A.Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to assume the Manager's role and add a policy that restricts the permissions to the template and the resources it creates. Train users to launch the template from the CloudFormation console.
• B.Create an AWS Service Catalog product form the environment template. Add a launch constraint to the product with the existing role. Give users in the QA department permission to use AWS Service Catalog APIs only. Train users to launch the templates form the AWS Service Catalog console.
• C.Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to use CloudFormation and S3 APIs, with conditions that restrict the permission to the template and the resources it creates. Train users to launch the template form the CloudFormation console.
• D.Create an AWS Elastic Beanstalk application from the environment template. Give users in the QA department permission to use Elastic Beanstalk permissions only. Train users to launch Elastic beanstalk environments with the Elastic Beanstalk CLI, passing the existing role to the environment as a service role.

Comment: *

Name: *

Email: *

Verification: *

A solutions architect is troubleshooting an application that runs on Amazon EC2 instances. The EC2 instances runs in an Auto Scaling group. The application needs to access user data in an Amazon DynamoDB table that has fixed provisioned capacity.
To match the increased workload, the solutions architect recently doubled the maximum size of the Auto Scaling group. New, when many instances launch at the same time, some application components are throttled when the component scan the DynamoDB table. The Auto Scaling group terminates the falling instances and starts new instances unit all applications are running.
A solution architect must implement a solution to mitigate the throttling issue in the MOST cost-effective manner.
Which solution will these requirements?

• A.Doubles the provisioned read capacity of the DynamoDB table.
• B.Set the DynamoDB table to on-demand mode.
• C.Duplicate the DynamoDB table Configure the running copy of the application to select at random which table it accesses.
• D.Add DynamoDB Accelerator (DAX) to the table.

Comment: *

Name: *

Email: *

Verification: *

A company has an organization in AWS Organizations that has a large number of AWS accounts. One of the AWS accounts is designated as a transit account and has a transit gateway that is shared with all of the other AWS accounts AWS Site-to-Site VPN connections are configured between all of the company's global offices and the transit account. The company has AWS Config enacted on all of its accounts.
The company's networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices. Developers will reference this list to gain access to their applications Securely.
Which solution meets these requirements with the LEAST amount of operational overhead?

• A.Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure ar Amazon Simple Notification Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated Subscribe an AWS Lambda function to the SNS topic to update all relevant security group rules with the updated IP address
• B.Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant security group that is detected.
• C.In the transit account, create a VPC prefix list with all of the internal IP address ranges Use AWS Resource Access Manage* to share the prefix list with all of the other accounts Use the snored prefix list to configure security group rules in the other accounts.
• D.In the transit account, create a security group with all of the internal IP address ranges Configure the security groups in the other accounts to reference the transit account's security group by using a nested security group reference of "<transit-account-id>/sg-1a2b3c4d".

Comment: *

Name: *

Email: *

Verification: *