CLF-C02 Exam Dumps - AWS Certified Cloud Practitioner

Amazon RDS supports six database engines: Amazon Aurora, MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server. Apache Cassandra, MongoDB, and Neo4j are not compatible with Amazon RDS. Therefore, the correct answer is D. You can learn more about Amazon RDS and its supported database engines

 AWS manages the encryption of the database clusters and database snapshots for Amazon Aurora, as well as the encryption keys. This is part of the AWS shared responsibility model, where AWS is responsible for the security of the cloud, and the customer is responsible for the security in the cloud. Encryption is one of the security features that AWS provides to protect the data at rest and in transit. For more information, see Amazon Aurora FAQs and AWS Shared Responsibility Model.

Amazon S3 is the AWS service that provides highly durable object storage. Amazon S3 is designed to provide 99.999999999% durability of objects over a given year. This means that you can store your data with high confidence that it will not be lost. Amazon S3 also provides high availability, scalability, security, and performance for your data. You can use Amazon S3 to store and retrieve any amount of data, at any time, from anywhere on the web5.

AWS Compute Optimizer is the AWS service or tool that provides recommendations to help users get rightsized Amazon EC2 instances based on historical workload usage data. AWS Compute Optimizer analyzes the configuration and performance characteristics of the EC2 instances and delivers recommendations for optimal instance types, sizes, and configurations. AWS Compute Optimizer helps users improve performance, reduce costs, and eliminate underutilized resources

The design principles for reliability in the AWS Cloud are:

Test recovery procedures. The best way to ensure that systems can recover from failures is to regularly test them using simulated scenarios. This can help identify gaps and improve the recovery process.

Automatically recover from failure. By using automation, systems can detect and correct failures without human intervention. This can reduce the impact and duration of failures and improve the availability of the system.

Scale horizontally to increase aggregate system availability. By adding more redundant resources to the system, the impact of individual resource failures can be reduced. This can also improve the performance and scalability of the system.

Stop guessing capacity. By using monitoring and automation, systems can adjust the capacity based on the demand and performance metrics. This can prevent failures due to insufficient or excessive capacity and optimize the cost and efficiency of the system.

Manage change in automation. By using automation, changes to the system can be applied in a consistent and controlled manner. This can reduce the risk of human errors and configuration drifts that can cause failures. AWS Well-Architected Framework

The company should use Amazon RDS with a MySQL database to meet the requirements of moving its workload to AWS so that the tasks of patching the database and taking backup snapshots of the data in the clusters will be completed automatically. Amazon RDS is a managed service that simplifies the setup, operation, and scaling of relational databases in the AWS Cloud. Amazon RDS automates common database administration tasks such as patching, backup, and recovery. Amazon RDS also supports MySQL and other popular database engines5

 Security groups and network access control lists (network ACLs) are two AWS network services or features that allow CIDR block notation when providing an IP address range. Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. Network ACLs act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. Both security groups and network ACLs use CIDR block notation to specify the IP address ranges that are allowed or denied

Amazon Rekognition is the AWS service that the company should use to build the capability of identifying and removing inappropriate photos. Amazon Rekognition is a service that uses deep learning technology to analyze images and videos for various purposes, such as face detection, object recognition, text extraction, and content moderation. Amazon Rekognition can help users detect unsafe or inappropriate content in images and videos, such as nudity, violence, or drugs, and provide confidence scores for each label. Amazon Rekognition does not require any machine learning expertise, and users can easily integrate it with other AWS services

Amazon Athena is the AWS service that the developer should use to write a simple query that can read all of the .csv files stored in an Amazon S3 bucket and generate a summary report. Amazon Athena is an interactive query service that allows users to analyze data in Amazon S3 using standard SQL. Amazon Athena does not require any server setup or management, and users only pay for the queries they run. Amazon Athena can handle various data formats, including .csv, and can integrate with other AWS services such as Amazon QuickSight for data visualization

The AWS shared responsibility model describes how AWS and the customer share responsibility for security and compliance of the AWS environment. AWS is responsible for the security of the cloud, which includes the physical security of AWS facilities, the infrastructure, hardware, software, and networking that run AWS services. The customer is responsible for security in the cloud, which includes the configuration of security groups, the encryption of customer data on AWS, the management of AWS Lambda infrastructure, and the management of network throughput of each AWS Region. One of the customer responsibilities is to ensure that Amazon EBS volumes are backed up.

Amazon RDS is the AWS service that will meet the requirements of migrating a relational database server to the AWS Cloud and minimizing administrative overhead of database maintenance tasks. Amazon RDS is a fully managed relational database service that handles routine database tasks, such as provisioning, patching, backup, recovery, failure detection, and repair. Amazon RDS supports several database engines, such as MySQL, PostgreSQL, Oracle, SQL Server, and Amazon Aurora5.

 VPC Flow Logs is the AWS service or feature that is used to troubleshoot network connectivity issues between Amazon EC2 instances. VPC Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in their VPC. VPC Flow Logs can help users monitor and diagnose network-related issues, such as traffic not reaching an instance, or an instance not responding to requests. VPC Flow Logs can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose for analysis and storage.

AWS customers are responsible for enabling encryption of data at rest for Amazon Elastic Block Store (Amazon EBS). Amazon EBS encryption offers a simple encryption solution for your EBS volumes that does not require you to build, maintain, and secure your own key management infrastructure. You can encrypt both the boot and data volumes of your EC2 instances. You can use AWS Key Management Service (AWS KMS) customer master keys (CMKs) or your own CMKs to encrypt your volumes2.

The correct answer is B because Amazon ElastiCache is a service that provides in-memory data storage. Amazon ElastiCache is a fully managed, scalable, and high-performance service that supports two popular open-source in-memory engines: Redis and Memcached. Amazon ElastiCache allows users to store and retrieve data from fast, low-latency, and high-throughput in-memory systems. Users can use Amazon ElastiCache to improve the performance of their applications by caching frequently accessed data, reducing database load, and enabling real-time data processing. The other options are incorrect because they are not services that provide in-memory data storage. Amazon DynamoDB is a service that provides key-value and document data storage. Amazon RDS is a service that provides relational data storage. Amazon Timestream is a service that provides time series data storage. Reference: Amazon ElastiCache FAQs

 Security groups are the service or feature that meets the requirement of establishing a security layer in a VPC that will act as a firewall to control subnet traffic. Security groups are stateful firewalls that control the inbound and outbound traffic at the instance level. You can assign one or more security groups to each instance in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. Security groups are associated with network interfaces, and therefore apply to all the instances in the subnets that use those network interfaces. Routing tables are used to direct traffic between subnets and gateways, not to filter traffic. Network ACLs are stateless firewalls that control the inbound and outbound traffic at the subnet level, but they are less granular and more cumbersome to manage than security groups. Amazon GuardDuty is a threat detection service that monitors your AWS account and workloads for malicious or unauthorized activity, not a firewall service.

The reliability pillar of the AWS Well-Architected Framework emphasizes building systems that can recover from failures and dynamically adjust to meet demand. This includes designing to automatically recover from failures and implementing mechanisms to manage capacity demands, avoiding manual guesswork. The other options do not align with core reliability principles, as operating in a single Availability Zone or preemptively adjusting quotas in a secondary region does not inherently improve reliability.

Elastic Load Balancing (ELB) distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, ensuring better application availability and fault tolerance. While ELB scales to meet traffic demands, it does not inherently scale compute resources themselves, span multiple regions, or balance traffic between internet gateways.

AWS Application Migration Service (AWS MGN) is the primary service for migrating Amazon EC2 instances and on-premises servers to AWS, and it supports migration from one AWS Region to another. It automates the process of replicating and converting the source servers (including their applications, configurations, and data) to run natively on AWS. AWS Database Migration Service (DMS) is for migrating databases, AWS DataSync is for data transfer, and AWS Migration Hub provides a single location to track migration tasks across multiple AWS services but does not perform the migration itself.

The company can use AWS Organizations to track the combined AWS usage costs of all of its linked accounts. AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you can manage centrally. You can use AWS Organizations to create a consolidated billing report that shows the charges incurred by each account in your organization as well as the total charges across all accounts. You can also use AWS Organizations to apply policies and controls to your accounts to help you manage costs and security5.

 The AWS account root user is the first sign-in identity that is available when an AWS account is created. It has complete access to all AWS services and resources in the account. The root user email address and password are the same credentials that are used to sign in to the AWS Management Console4. The root user should be used only to perform a few account and service management tasks. For day-to-day tasks, it is recommended to use AWS Identity and Access Management (IAM) users or roles instead.

 The duties that are the responsibility of a company that is using AWS Lambda are security inside of code and writing and updating of code. AWS Lambda is a serverless compute service that allows you to run code without provisioning or managing servers, scaling, or patching. AWS Lambda takes care of the security of the underlying infrastructure, such as the operating system, the network, and the firewall. However, the company is still responsible for the security of the code itself, such as encrypting sensitive data, validating input, and handling errors. The company is also responsible for writing and updating the code that defines the Lambda function, and choosing the runtime environment, such as Node.js, Python, or Java. AWS Lambda does not require the selection of CPU resources, as it automatically allocates them based on the memory configuration34

Savings Plans offer cost savings for predictable, steady workloads over a one or three-year term, with flexibility in instance family and size, making them suitable for critical workloads on EC2 instances that will run for a long term like three years. Spot Instances are more cost-effective but not suitable for critical, predictable workloads due to potential interruptions. Dedicated Hosts and On-Demand Instances would be more costly.

Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. It allows you to launch virtual servers, called instances, with different configurations of CPU, memory, storage, and networking resources. AWS Compute Optimizer analyzes the specifications and utilization metrics of your Amazon EC2 instances and generates recommendations for optimal instance types that can reduce costs and improve performance. You can view the recommendations on the AWS Compute Optimizer console or the Amazon EC2 console12.

Amazon RDS, Amazon Lightsail, and AWS Step Functions are not supported by AWS Compute Optimizer. Amazon RDS is a managed relational database service that lets you set up, operate, and scale a relational database in the cloud. Amazon Lightsail is an easy-to-use cloud platform that offers everything you need to build an application or website, plus a cost-effective, monthly plan. AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly3 .

Architecture optimization is the best practice for cost governance that this example shows. Architecture optimization is the process of designing and implementing AWS solutions that are efficient, scalable, and cost-effective. By using specific AWS services to improve efficiency and reduce cost, the company is following the architecture optimization best practice. Some of the techniques for architecture optimization include using the right size and type of resources, leveraging elasticity and scalability, choosing the most suitable storage class, and using serverless and managed services2.

The statements that represent the cost-effectiveness of the AWS Cloud are:

Users can trade fixed expenses for variable expenses. By using the AWS Cloud, users can pay only for the resources they use, instead of investing in fixed and upfront costs for hardware and software. This can lower the total cost of ownership and increase the return on investment.

Users benefit from economies of scale. By using the AWS Cloud, users can leverage the massive scale and efficiency of AWS to access lower prices and higher performance. AWS passes the cost savings to the users through price reductions and innovations. AWS Cloud Value Framework

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines3.

AWS CloudTrail is an AWS service that enables users to accomplish the task of recording API calls made to AWS services. AWS CloudTrail is a service that tracks user activity and API usage across the AWS account. AWS CloudTrail records the details of every API call made to AWS services, such as the identity of the caller, the time of the call, the source IP address of the caller, the parameters and responses of the call, and more. Users can use AWS CloudTrail to audit, monitor, and troubleshoot their AWS resources and actions. The other options are incorrect because they are not tasks that users can accomplish using AWS CloudTrail. Generating an IAM user credentials report is a task that users can accomplish using IAM, which is an AWS service that enables users to manage access and permissions to AWS resources and services. Assessing the compliance of AWS resource configurations with policies and guidelines is a task that users can accomplish using AWS Config, which is an AWS service that enables users to assess, audit, and evaluate the configurations of their AWS resources. Ensuring that Amazon EC2 instances are patched with the latest security updates is a task that users can accomplish using AWS Systems Manager, which is an AWS service that enables users to automate operational tasks, manage configuration and compliance, and monitor system health and performance. Reference: AWS CloudTrail FAQs

The correct answer to the question is D because AWS Trusted Advisor is an AWS service that can be used to accomplish the goal of identifying any security group that is allowing unrestricted incoming SSH traffic. AWS Trusted Advisor is a service that provides customers with recommendations that help them follow AWS best practices. Trusted Advisor evaluates the customer’s AWS environment and identifies ways to optimize their AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. One of the checks that Trusted Advisor performs is the Security Groups - Specific Ports Unrestricted check, which flags security groups that allow unrestricted access to specific ports, such as port 22 for SSH. Customers can use this check to review and modify their security group rules to restrict SSH access to only authorized sources. Reference: Security Groups - Specific Ports Unrestricted

The correct answer is B because placing the EC2 instances in two separate Availability Zones within the same AWS Region is the best way to meet the requirement. Availability Zones are isolated locations within an AWS Region that have independent power, cooling, and networking. Users can launch their resources, such as Amazon EC2 instances, in multiple Availability Zones to increase the fault tolerance and resilience of their applications. Availability Zones within the same AWS Region are connected with low-latency, high-throughput, and highly redundant networking. The other options are incorrect because they are not the best ways to meet the requirement. Placing the EC2 instances in two separate AWS Regions connected with a VPC peering connection is not the best way to meet the requirement because AWS Regions are geographically dispersed and may have higher communication latency between them than Availability Zones within the same AWS Region. VPC peering connection is a networking connection between two VPCs that enables users to route traffic between them using private IP addresses. Placing one EC2 instance on premises and the other in an AWS Region, and then connecting them by using an AWS VPN connection is not the best way to meet the requirement because on-premises and AWS Region are geographically dispersed and may have higher communication latency between them than Availability Zones within the same AWS Region. AWS VPN connection is a secure and encrypted connection between a user’s network and their VPC. Placing both EC2 instances in a placement group for dedicated bandwidth is not the best way to meet the requirement because a placement group is a logical grouping of instances within a single Availability Zone that enables users to launch instances with specific performance characteristics. A placement group does not ensure that the instances are in separate data centers, and it does not provide low-latency communication between instances in different Availability Zones. Reference: [Regions, Availability Zones, and Local Zones], [VPC Peering], [AWS VPN], [Placement Groups]

 Pay-as-you-go pricing is the feature of the AWS Cloud that gives users the ability to pay based on current needs rather than forecasted needs. Pay-as-you-go pricing means that users only pay for the AWS services and resources they use, without any upfront or long-term commitments. This allows users to scale up or down their usage depending on their changing business requirements, and avoid paying for idle or unused capacity. Pay-as-you-go pricing also enables users to benefit from the economies of scale and lower costs of AWS as they grow their business5

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your utilization drops below the threshold you define2.

The correct answer is A because Amazon AppStream 2.0 is a service that will help the company deploy the application without investing in backend infrastructure or high end client hardware. Amazon AppStream 2.0 is a fully managed, secure application streaming service that allows customers to stream desktop applications from AWS to any device running a web browser. Amazon AppStream 2.0 handles the provisioning, scaling, patching, and maintenance of the backend infrastructure, and delivers high performance and responsive user experience. The other options are incorrect because they are not services that will help the company deploy the application without investing in backend infrastructure or high end client hardware. AWS AppSync is a service that enables customers to create flexible APIs for synchronizing data across multiple data sources. Amazon WorkLink is a service that enables customers to provide secure, one-click access to internal websites and web apps from mobile devices. AWS Elastic Beanstalk is a service that enables customers to deploy and manage web applications using popular platforms such as Java, .NET, PHP, and Node.js. Reference: [Amazon AppStream 2.0 FAQs]

AWS Lambda is a service that lets you run code without provisioning or managing servers. You can use Lambda to process event notifications from Amazon S3 when objects are uploaded or deleted. Lambda integrates directly with the event notification and invokes your code automatically. Therefore, the correct answer is A. 

The correct answers are A and B because Service Quotas console and AWS Trusted Advisor are AWS services or tools that can report on the quotas so that the company can improve the reliability of the application. Service Quotas console is an AWS tool that enables users to view and manage their quotas for AWS services from a central location. Users can use Service Quotas console to request quota increases, track quota usage, and set up alarms for approaching quota limits. AWS Trusted Advisor is an AWS service that provides real-time guidance to help users follow AWS best practices for security, performance, cost optimization, and fault tolerance. One of the categories of checks that AWS Trusted Advisor performs is service limits, which monitors the usage of each AWS service and alerts users when they are close to reaching the default limit. The other options are incorrect because they are not AWS services or tools that can report on the quotas so that the company can improve the reliability of the application. AWS Systems Manager is an AWS service that enables users to automate operational tasks, manage configuration and compliance, and monitor system health and performance. AWS Shield is an AWS service that protects users from distributed denial of service (DDoS) attacks. AWS Cost Explorer is an AWS tool that enables users to visualize, understand, and manage their AWS costs and usage. Reference: Service Quotas, AWS Trusted Advisor FAQs

AWS Control Tower uses AWS CloudFormation to create resources in your landing zone. AWS CloudFormation is a service that helps you model and set up your AWS resources using templates. AWS Control Tower supports creating AWS::ControlTower::EnabledControl resources in AWS CloudFormation. Therefore, the correct answer is A. You can learn more about AWS Control Tower and AWS CloudFormation

Amazon Simple Notification Service (Amazon SNS) is the AWS service or feature that is used to send both text and email messages from distributed applications. Amazon SNS is a fully managed pub/sub messaging service that enables the user to send messages to multiple subscribers or endpoints, such as email addresses, phone numbers, HTTP endpoints, AWS Lambda functions, and more. Amazon SNS can be used to send notifications, alerts, confirmations, and reminders from applications to users or other applications4.

 AWS Health API is available to a company that has an AWS Business Support plan. The AWS Health API provides programmatic access to the AWS Health information that is presented in the AWS Personal Health Dashboard. The AWS Health API can help users get timely and personalized information about events that can affect the availability and performance of their AWS resources, such as scheduled maintenance, network issues, or service disruptions. The AWS Health API can also integrate with other AWS services, such as Amazon CloudWatch Events and AWS Lambda, to enable automated actions and notifications. AWS Health API OverviewAWS Support Plans

Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers

AWS WAF is the AWS service or feature that offers HTTP attack protection to users running public-facing web applications. AWS WAF is a web application firewall that helps users protect their web applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks. Users can create custom rules to define the web traffic that they want to allow, block, or count. Users can also use AWS Managed Rules, which are pre-configured rules that are curated and maintained by AWS or AWS Marketplace Sellers. AWS WAF can be integrated with other AWS services, such as Amazon CloudFront, Amazon API Gateway, and Application Load Balancer, to provide comprehensive security for web applications. [AWS WAF Overview] AWS Certified Cloud Practitioner - aws.amazon.com

 The AWS services or features that can control VPC traffic are security groups and network ACLs. Security groups are stateful firewalls that control the inbound and outbound traffic at the instance level. You can assign one or more security groups to each instance in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. Network ACLs are stateless firewalls that control the inbound and outbound traffic at the subnet level. You can associate one network ACL with each subnet in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. AWS Direct Connect, Amazon GuardDuty, and Amazon Connect are not services or features that can control VPC traffic. AWS Direct Connect is a service that establishes a dedicated network connection between your premises and AWS. Amazon GuardDuty is a service that monitors your AWS account and workloads for malicious or unauthorized activity. Amazon Connect is a service that provides a cloud-based contact center solution.

An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity. Availability Zones are part of the AWS global infrastructure, which consists of AWS Regions, Availability Zones, and edge locations. Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures and connected by low-latency, high-throughput, and highly redundant networking. Each Availability Zone contains one or more data centers that house the servers and storage devices that run AWS services. Availability Zones enable users to design and operate fault-tolerant and high-availability applications on AWS. AWS Global InfrastructureAWS Certified Cloud Practitioner - aws.amazon.com

 The correct answers are B and E because AWS Online Tech Talks and AWS Classroom Training are options that AWS makes available for customers who want to learn about security in the cloud in an instructor-led setting. AWS Online Tech Talks are live, online presentations that cover a broad range of topics at varying technical levels. AWS Online Tech Talks are delivered by AWS experts and feature live Q&A sessions with the audience. AWS Classroom Training are in-person or virtual courses that are led by accredited AWS instructors. AWS Classroom Training offer hands-on labs, exercises, and best practices to help customers gain confidence and skills on AWS. The other options are incorrect because they are not options that AWS makes available for customers who want to learn about security in the cloud in an instructor-led setting. AWS Trusted Advisor is an AWS service that provides real-time guidance to help customers follow AWS best practices for security, performance, cost optimization, and fault tolerance. AWS Blog is an AWS resource that provides news, announcements, and insights from AWS experts and customers. AWS Forums are AWS resources that enable customers to interact with other AWS users and get feedback and support. Reference: AWS Online Tech Talks, AWS Classroom Training

The correct answer is C because Dedicated Hosts are Amazon EC2 instances that are required when a user wants to utilize their existing per-socket, per-core, or per-virtual machine software licenses for a Microsoft Windows server running on AWS. Dedicated Hosts are physical servers that are dedicated to a single customer. Dedicated Hosts allow customers to use their existing server-bound software licenses, such as Windows Server, SQL Server, and SUSE Linux Enterprise Server, subject to their license terms. The other options are incorrect because they are not Amazon EC2 instances that are required when a user wants to utilize their existing per-socket, per-core, or per-virtual machine software licenses for a Microsoft Windows server running on AWS. Spot Instances are spare Amazon EC2 instances that are available at up to 90% discount compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible workloads that can recover from interruptions easily. Dedicated Instances are Amazon EC2 instances that run on hardware that is dedicated to a single customer, but not to a specific physical server. Dedicated Instances do not allow customers to use their existing server-bound software licenses. Reserved Instances are Amazon EC2 instances that are reserved for a specific period of time (one or three years) in exchange for a lower hourly rate. Reserved Instances are suitable for steady-state or predictable workloads that run for a long duration. Reserved Instances do not allow customers to use their existing server-bound software licenses. Reference: Dedicated Hosts, Amazon EC2 Instance Purchasing Options

AWS Trusted Advisor is the AWS service that provides real-time guidance for provisioning resources, based on AWS best practices related to security, cost optimization, and service limits. AWS Trusted Advisor inspects the user’s AWS environment and provides recommendations for improving performance, security, and reliability, reducing costs, and following best practices. AWS Trusted Advisor also alerts the user when they are approaching or exceeding their service limits, and helps them request limit increases3.

Testing recovery procedures is the design principle that is achieved by following the reliability pillar of the AWS Well-Architected Framework. The reliability pillar focuses on the ability of a system to recover from failures and prevent disruptions. Testing recovery procedures helps to ensure that the system can handle different failure scenarios and restore normal operations as quickly as possible. Testing recovery procedures also helps to identify and mitigate any risks or gaps in the system design and implementation. For more information, see [Reliability Pillar] and [Testing for Reliability].

 The correct answer is A because an Availability Zone consists of one or more data centers in a single location. An Availability Zone is an isolated location within an AWS Region that has independent power, cooling, and networking. Each Availability Zone has one or more data centers that host the physical servers and storage devices that run the AWS services. The other options are incorrect because they are not accurate descriptions of an Availability Zone. Two or more data centers in multiple locations are not an Availability Zone, but rather multiple Availability Zones within an AWS Region. One or more physical hosts in a single data center are not an Availability Zone, but rather the components of a data center within an Availability Zone. Two or more physical hosts in multiple data centers are not an Availability Zone, but rather the components of multiple data centers within one or more Availability Zones. Reference: [Regions, Availability Zones, and Local Zones]

An Amazon Machine Image (AMI) is a deployable Amazon EC2 instance template that is prepackaged with software and security requirements. It provides the information required to launch an instance, which is a virtual server in the cloud. You can use an AMI to launch as many instances as you need. You can also create your own custom AMIs or use AMIs shared by other AWS users1.

 Increased business agility is a benefit of moving to the AWS Cloud in terms of improving time to market. Business agility refers to the ability of a company to adapt to changing customer needs, market conditions, and competitive pressures. Moving to the AWS Cloud enables business agility by providing faster access to resources, lower upfront costs, and greater scalability and flexibility. By using the AWS Cloud, companies can launch new products and services, experiment with new ideas, and respond to customer feedback more quickly and efficiently. For more information, see [Benefits of Cloud Computing] and [Business Agility].

AWS Auto Scaling is the AWS service or tool that will meet the requirements of ensuring that the application can respond to changes in demand at the lowest possible cost. AWS Auto Scaling allows users to automatically adjust the number of Amazon EC2 instances based on the application’s performance and availability needs. AWS Auto Scaling can also optimize costs by helping users select the most cost-effective EC2 instances for their application1

 AWS CloudTrail is the service that will provide the information about the last time that a specific user accessed the AWS Management Console. AWS CloudTrail is a service that records the API calls and events made by or on behalf of your AWS account. You can use AWS CloudTrail to view, search, and download the history of AWS console sign-in events, which include the user name, date, time, source IP address, and other details of the sign-in activity. Amazon Cognito, Amazon Inspector, and Amazon GuardDuty are not services that will provide this information. Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. Amazon Inspector is a service that assesses the security and compliance of your applications running on AWS. Amazon GuardDuty is a service that monitors your AWS account and workloads for malicious or unauthorized activity.

 AWS Artifact is the AWS service that can provide security and compliance documents for an upcoming audit. AWS Artifact is a self-service portal that allows users to access and download AWS compliance reports and agreements. These documents provide evidence of AWS’s compliance with global, regional, and industry-specific security standards and regulations

Outbound data transfers without acceleration and compute resources that are currently in use are the factors that affect costs in the AWS Cloud. Outbound data transfers without acceleration refer to the amount of data that is transferred from AWS to the internet, without using any service that can optimize the speed and cost of the data transfer, such as AWS Global Accelerator or Amazon CloudFront. Outbound data transfers are charged at different rates depending on the source and destination AWS Regions, and the volume of data transferred. Compute resources that are currently in use refer to the AWS services and resources that provide computing capacity, such as Amazon EC2 instances, AWS Lambda functions, or Amazon ECS tasks. Compute resources are charged based on the type, size, and configuration of the resources, and the duration and frequency of their usage.

 The correct answer is C because AWS Trusted Advisor is an AWS service or tool that provides users with the ability to monitor AWS service quotas. AWS Trusted Advisor is an online tool that provides users with real-time guidance to help them provision their resources following AWS best practices. One of the categories of checks that AWS Trusted Advisor performs is service limits, which monitors the usage of each AWS service and alerts users when they are close to reaching the default limit. The other options are incorrect because they are not AWS services or tools that provide users with the ability to monitor AWS service quotas. AWS CloudTrail is a service that enables users to track user activity and API usage across their AWS account. AWS Cost and Usage Reports is a tool that enables users to access comprehensive information about their AWS costs and usage. AWS Budgets is a tool that enables users to plan their service usage, costs, and reservations. Reference: [AWS Trusted Advisor FAQs]

Designing for automatic failover to healthy resources is an AWS best practice when designing AWS workloads to be operational even when there are component failures. This means that you should architect your system to handle the loss of one or more components without impacting the availability or performance of your application. You can use various AWS services and features to achieve this, such as Auto Scaling, Elastic Load Balancing, Amazon Route 53, Amazon CloudFormation, and AWS CloudFormation4.

 AWS IAM Identity Center (AWS Single Sign-On) is the AWS service that the company should use to meet the requirements of managing access and permissions for its third-party SaaS applications. AWS Single Sign-On is a cloud-based service that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications. You can use AWS Single Sign-On to enable your users to sign in to a user portal with their existing corporate credentials and access all of their assigned accounts and applications from one place4.

 AWS Organizations is a service that helps you centrally manage and govern your environment as you grow and scale your AWS resources. You can use AWS Organizations to create groups of accounts and apply policies to them. You can also use AWS Organizations to consolidate billing for multiple accounts. Therefore, the correct answer is B. You can learn more about AWS Organizations and its features .

 Amazon Rekognition is a service that provides deep learning-based image and video analysis. One of the benefits of Amazon Rekognition is the ability to detect objects that appear in pictures, such as faces, landmarks, animals, text, and scenes. This can enable applications to perform tasks such as face recognition, face verification, face comparison, face search, celebrity recognition, emotion detection, age range estimation, gender identification, facial analysis, facial expression recognition, and more. Amazon Rekognition OverviewAWS Certified Cloud Practitioner - aws.amazon.com

The correct answers are B and D because a virtual private gateway and a customer gateway are components of an AWS Site-to-Site VPN connection. A virtual private gateway is the AWS side of the VPN connection that attaches to the customer’s VPC. A customer gateway is the customer side of the VPN connection that resides in the customer’s network. The other options are incorrect because they are not components of an AWS Site-to-Site VPN connection. AWS Storage Gateway is a service that connects on-premises software applications with cloud-based storage. NAT gateway is a service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. Internet gateway is a service that enables communication between instances in a VPC and the internet. Reference: [What is AWS Site-to-Site VPN?]

 AWS Trusted Advisor and AWS Compute Optimizer are the AWS services that can provide information to the company about whether its newly imported Amazon EC2 instances are the appropriate size and type. AWS Trusted Advisor is an online tool that provides best practices recommendations in five categories: cost optimization, performance, security, fault tolerance, and service limits. AWS Trusted Advisor can help users identify underutilized or idle EC2 instances, and suggest ways to reduce costs and improve performance. AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of EC2 instances and delivers recommendations for optimal instance types, sizes, and configurations. AWS Compute Optimizer helps users improve performance, reduce costs, and eliminate underutilized resources

 Global reach is the benefit of AWS Cloud computing that provides lower latency between users and applications. Global reach means that AWS customers can deploy their applications and data in multiple regions around the world, and deliver them to users with high performance and availability. AWS has the largest global infrastructure of any cloud provider, with 25 geographic regions and 81 Availability Zones, as well as 216 Points of Presence in 84 cities across 42 countries. Customers can choose the optimal locations for their applications and data based on their business requirements, such as compliance, data sovereignty, and customer proximity. Agility, economies of scale, and pay-as-you-go pricing are other benefits of AWS Cloud computing, but they do not directly provide lower latency between users and applications. Agility means that AWS customers can quickly and easily provision and scale up or down AWS resources as needed, without upfront costs or long-term commitments. Economies of scale means that AWS customers can benefit from the lower costs and higher efficiency that AWS achieves by operating at a massive scale and passing the savings to the customers. Pay-as-you-go pricing means that AWS customers only pay for the AWS resources they use, without any upfront costs or long-term contracts.

To achieve high availability in the event of a natural disaster, the company should use EC2 instances in multiple AWS Regions. AWS Regions are geographically isolated areas that consist of multiple Availability Zones. Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures. By using EC2 instances in multiple AWS Regions, the company can ensure that its applications can continue to run even if one Region is affected by a disaster. AWS Global InfrastructureAWS Well-Architected Framework

Scaling horizontally across multiple Availability Zones is a way to adopt a highly available architecture, as it increases the fault tolerance and resilience of the application. Scaling vertically to a larger EC2 instance size is a way to improve the performance of the application, but it does not improve the availability. Purchasing an EC2 Dedicated Instance is a way to isolate the instance from other AWS customers, but it does not improve the availability. Changing the EC2 instance family to a compute optimized instance is a way to optimize the instance type for the workload, but it does not improve the availability. These concepts are explained in the AWS Well-Architected Framework2.

Amazon ElastiCache is a service that offers fully managed in-memory data store and cache services that deliver sub-millisecond response times to applications. You can use Amazon ElastiCache to improve the performance of your applications by retrieving data from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases. Amazon Aurora is a relational database service that combines the performance and availability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases. Amazon RDS is a service that makes it easy to set up, operate, and scale a relational database in the cloud. Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. None of these services are in-memory data store services.

Amazon EC2 On-Demand Instances are instances that you pay for by the second, with no long-term commitments or upfront payments4. This option is suitable for applications that have unpredictable or intermittent workloads, such as the one described in the question. Amazon EC2 Standard Reserved Instances are instances that you purchase for a one-year or three-year term, and pay a lower hourly rate compared to On-Demand Instances. This option is suitable for applications that have steady state or predictable usage. AWS Wavelength is a service that enables developers to build applications that deliver ultra-low latency to mobile devices and users by deploying AWS compute and storage at the edge of the 5G network. This option is not relevant for the application described in the question. Application Load Balancer is a type of load balancer that operates at the application layer and distributes traffic based on the content of the request. This option is not a service or feature to host the application, but rather to balance the traffic among multiple instances.

The AWS best practice for using the AWS account root user credentials is to use them only when they alone must be used to perform a required function. The AWS account root user credentials have full access to all the resources in the account, and therefore pose a security risk if compromised or misused. You should create individual IAM users with the minimum necessary permissions for everyday tasks, and use AWS Organizations to manage multiple accounts. You should also enable multi-factor authentication (MFA) and rotate the password for the root user regularly. Some of the functions that require the root user credentials are changing the account name, closing the account, changing the support plan, and restoring an IAM user’s access.

AWS Artifact is the AWS service or tool that provides on-demand access to AWS security and compliance reports and AWS online agreements. AWS Trusted Advisor is a tool that provides real-time guidance to help users provision their resources following AWS best practices. Amazon Inspector is a service that helps users improve the security and compliance of their applications. AWS Billing console is a tool that helps users manage their AWS costs and usage. These concepts are explained in the AWS Cloud Practitioner Essentials course3.

AWS Systems Manager is a service that enables users to centralize and automate the management of their AWS resources. It provides a unified user interface to view operational data, such as inventory, patch compliance, and performance metrics. It also allows users to automate common and repetitive tasks, such as patching, backup, and configuration management, across all of their Amazon EC2 instances1. AWS Trusted Advisor is a service that provides best practices and recommendations to optimize the performance, security, and cost of AWS resources2. AWS CodeDeploy is a service that automates the deployment of code and applications to Amazon EC2 instances or other compute services3. AWS Elastic Beanstalk is a service that simplifies the deployment and management of web applications using popular platforms, such as Java, PHP, and Node.js4.

AWS Pricing Calculator is the AWS service or tool that the company should use to estimate its future AWS service costs before the migration. AWS Pricing Calculator is a web-based tool that allows the company to create cost estimates for various AWS services and scenarios. AWS Pricing Calculator helps the company to compare the costs of running the workload on premises versus on AWS, and to optimize the costs by choosing the best options for the workload. AWS Pricing Calculator also provides a detailed breakdown of the cost components and a downloadable report. For more information, see [AWS Pricing Calculator] and [Getting Started with AWS Pricing Calculator].

AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS. You can use AWS Service Catalog to centrally manage commonly deployed IT services and help your organization achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need1. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS software development kits (SDKs) are tools that enable you to easily integrate your applications with AWS services using your preferred programming language. AWS AppSync is a service that simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources. None of these services can help you limit your employees’ AWS access to a portfolio of predefined AWS resources.

 Basing the selection of Amazon EC2 instance types on past utilization patterns is a way to right size the AWS resources and optimize the performance and cost. Using Amazon S3 Lifecycle policies to move objects that users access infrequently to lower-cost storage tiers is another way to reduce the storage costs and align them with the business value of the data. These two actions are recommended by the AWS Cost Optimization Pillar1. Switching from Amazon RDS to Amazon DynamoDB is not necessarily a cost-saving action, as it depends on the use case and the data model. Using Multi-AZ deployments for Amazon RDS is a way to improve the availability and durability of the database, but it also increases the cost. Replacing existing Amazon EC2 instances with AWS Elastic Beanstalk is a way to simplify the deployment and management of the application, but it does not affect the cost of the underlying EC2 instances.

 AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center1.

 Identity and access management is the customer’s responsibility, according to the AWS shared responsibility model. This means that the customer is responsible for managing user access to the AWS resources, using tools such as AWS Identity and Access Management (IAM), AWS Single Sign-On (SSO), and AWS Organizations. The customer is also responsible for securing their data in transit and at rest, using encryption, key management, and other methods. Hard drive initialization, protection of data center hardware, and security of Availability Zones are AWS’s responsibility, as they are part of the infrastructure, physical security, and network security that AWS provides to the customer12

AWS CloudFormation is a service that allows you to model and provision your AWS and third-party application resources in a repeatable and predictable way. You can use AWS CloudFormation to create, update, and delete a collection of resources as a single unit, called a stack. You can also use AWS CloudFormation to manage your development and production environments in a consistent and efficient manner4.

The AWS service that is used to temporarily provide federated security credentials to a user is AWS Security Token Service (AWS STS). AWS STS is a service that enables customers to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that they authenticate (federated users). The company can use AWS STS to grant federated users access to AWS resources without creating permanent IAM users or sharing long-term credentials. AWS STS helps customers manage and secure access to their AWS resources for federated users. Amazon GuardDuty, AWS Secrets Manager, and AWS Certificate Manager are not the best services to use for this purpose. Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior across the AWS accounts and resources. AWS Secrets Manager is a service that helps customers manage and rotate secrets, such as database credentials, API keys, and passwords. AWS Certificate Manager is a service that helps customers provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. These services are more useful for different types of security and compliance tasks, rather than providing temporary federated security credentials to a user.

 The combination of AWS services that the application can use to migrate to a microservices-based application are Amazon Simple Queue Service (Amazon SQS) and AWS Lambda. Amazon SQS is a fully managed message queuing service that enables customers to decouple and scale microservices, distributed systems, and serverless applications. The application can use Amazon SQS to send, store, and receive messages between the microservices, ensuring that each message is processed only once and in the right order. AWS Lambda is a serverless compute service that allows customers to run code without provisioning or managing servers. The application can use AWS Lambda to create and deploy microservices as functions that are triggered by events, such as messages from Amazon SQS. AWS Migration Hub, AWS AppSync, and AWS Application Migration Service are not the best services to use for migrating to a microservices-based application. AWS Migration Hub is a service that provides a single location to track the progress of application migrations across multiple AWS and partner solutions. AWS AppSync is a service that simplifies the development of GraphQL APIs for real-time and offline data synchronization. AWS Application Migration Service is a service that enables customers to migrate their on-premises applications to AWS without making any changes to the applications, servers, or databases.

Amazon Virtual Private Cloud (Amazon VPC) is the AWS service that allows customers to create multiple isolated networks in the same AWS account. A VPC is a logically isolated section of the AWS Cloud where customers can launch AWS resources in a virtual network that they define. Customers can create multiple VPCs within an AWS account, each with its own IP address range, subnets, route tables, security groups, network access control lists, gateways, and other components. AWS Transit Gateway, Internet gateway, and Amazon EC2 are not services or components that provide the functionality of creating multiple isolated networks in the same AWS account. AWS Transit Gateway is a service that enables customers to connect their Amazon VPCs and their on-premises networks to a single gateway. An Internet gateway is a component that enables communication between instances in a VPC and the Internet. Amazon EC2 is a service that provides scalable compute capacity in the cloud34

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you can automate anomaly detection and get actionable findings to help you protect your AWS resources4.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Config can help you determine when an EBS volume was removed from an EC2 instance by providing a timeline of configuration changes and compliance status. AWS Trusted Advisor, Amazon Timestream, and Amazon QuickSight do not provide the same level of configuration tracking and auditing as AWS Config. Source: AWS Config

 The most cost-effective EC2 instance purchasing option for the company that needs to host a web server on Amazon EC2 instances for at least 1 year and cannot tolerate interruption is Partial Upfront Reserved Instances. Reserved Instances are a pricing model that offer significant discounts compared to On-Demand Instances in exchange for a commitment to use a specific amount of compute capacity for a fixed period of time (1 or 3 years). Partial Upfront Reserved Instances require customers to pay a portion of the total cost upfront, and the remaining cost in monthly installments over the term. This option offers a lower effective hourly rate than No Upfront Reserved Instances, which require no upfront payment but have higher monthly payments. On-Demand Instances and Spot Instances are not the best options for the company. On-Demand Instances are a pricing model that offer the most flexibility and no long-term commitment, but have the highest hourly rate. Spot Instances are a pricing model that offer the lowest cost, but are subject to interruption based on supply and demand34

 Amazon CloudFront is the AWS service that offers a global content delivery network (CDN) that helps companies securely deliver websites, videos, applications, and APIs at high speeds with low latency. Amazon CloudFront is a web service that speeds up distribution of static and dynamic web content, such as HTML, CSS, JavaScript, and image files, to users. Amazon CloudFront uses a global network of edge locations, located near users’ geographic locations, to cache and serve content with high availability and performance. Amazon CloudFront also provides features such as AWS Shield for DDoS protection, AWS Certificate Manager for SSL/TLS encryption, AWS WAF for web application firewall, and AWS Lambda@Edge for customizing content delivery with serverless code. Amazon EC2, Amazon CloudWatch, and AWS CloudFormation are not services that offer a global CDN. Amazon EC2 is a service that provides scalable compute capacity in the cloud. Amazon CloudWatch is a service that provides monitoring and observability for AWS resources and applications. AWS CloudFormation is a service that provides a common language to model and provision AWS resources and their dependencies.

 Access keys are long-term credentials that consist of an access key ID and a secret access key. You use access keys to sign programmatic requests that you make to AWS using the AWS CLI or AWS API1. User name and password are credentials that you use to sign in to the AWS Management Console or the AWS Management Console mobile app2. SSH public keys are credentials that you use to authenticate with EC2 instances that are launched from certain Linux AMIs3. AWS Key Management Service (AWS KMS) keys are customer master keys (CMKs) that you use to encrypt and decrypt your data and to control access to your data across AWS services and in your applications4.

AWS Online Tech Talks are online presentations that cover a broad range of topics at varying technical levels and provide a live Q&A session with AWS experts. They are a great resource for new AWS users who want to learn how to implement specific AWS services from other customer examples and ask questions to AWS experts. AWS documentation, AWS Marketplace, and AWS Health Dashboard do not offer the same level of interactivity and guidance as AWS Online Tech Talks. Source: AWS Online Tech Talks

 A is correct because Amazon RDS is the AWS service that provides a managed relational database service that supports various database engines, such as MySQL, PostgreSQL, Oracle, and SQL Server. B is incorrect because Amazon Redshift is the AWS service that provides a managed data warehouse service that is optimized for analytical queries. C is incorrect because Amazon ElastiCache is the AWS service that provides a managed in-memory data store service that supports Redis and Memcached. D is incorrect because Amazon Neptune is the AWS service that provides a managed graph database service that supports property graph and RDF models.

Pay-as-you-go pricing is one of the main benefits of AWS. With pay-as-you-go pricing, you pay only for what you use, when you use it. There are no long-term contracts, termination fees, or complex licensing. You replace upfront expenses with lower variable costs and pay only for the resources you consume.

 Spot Instances are spare Amazon EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for workloads that can tolerate interruptions, such as batch processing, data analysis, and testing. Spot Instances are allocated based on the current supply and demand, and can be reclaimed by AWS with a two-minute notice when the demand exceeds the supply5. Convertible Reserved Instances are a type of Reserved Instances that provide a significant discount (up to 54%) compared to On-Demand prices and a capacity reservation for Amazon EC2 instances. They are available in 1-year or 3-year terms and allow users to change the instance family, size, operating system, or tenancy during the term. Standard Reserved Instances are another type of Reserved Instances that provide a larger discount (up to 75%) compared to On-Demand prices and a capacity reservation for Amazon EC2 instances. They are available in 1-year or 3-year terms and do not allow users to change the instance attributes during the term. Dedicated Hosts are physical servers with Amazon EC2 instance capacity fully dedicated to the user’s use. They are suitable for users who have specific server-bound software licenses or compliance requirements.

The company should deploy the EC2 instances across multiple Availability Zones to design a highly available application. Availability Zones are isolated locations within an AWS Region that are engineered to be fault-tolerant and operate independently of each other. By deploying the EC2 instances across multiple Availability Zones, the company can ensure that their application can withstand the failure of an entire Availability Zone and continue to operate with minimal disruption. Deploying the EC2 instances across multiple edge locations, VPCs, or AWS accounts will not provide the same level of availability and fault tolerance as Availability Zones. Edge locations are part of the Amazon CloudFront service, which is a content delivery network (CDN) that caches and serves web content to users. VPCs are virtual networks that isolate the AWS resources within an AWS Region. AWS accounts are the primary units of ownership and access control for AWS resources12

 Physical and environmental controls are entirely the responsibility of AWS, according to the AWS shared responsibility model. The AWS shared responsibility model defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the physical and environmental controls of the AWS global infrastructure, such as power, cooling, fire suppression, and physical access. The customer is responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications. For more information, see [AWS Shared Responsibility Model] and [AWS Cloud Security].

The solution that meets the requirement of the company that runs a database on Amazon Aurora in the us-east-1 Region and has a disaster recovery requirement that the database be available in another Region with minimal disruption to the database operations is to deploy Aurora cross-Region read replicas. Aurora cross-Region read replicas are secondary Aurora clusters that are created in a different AWS Region from the primary Aurora cluster, and are kept in sync with the primary cluster using physical replication. The company can use Aurora cross-Region read replicas to improve the availability and durability of the database, as well as to reduce the recovery time objective (RTO) and recovery point objective (RPO) in case of a regional disaster. Performing an Aurora Multi-AZ deployment, creating Amazon EBS volume snapshots for Aurora and copying them to another Region, and deploying Aurora Replicas are not the best solutions for this requirement. An Aurora Multi-AZ deployment is a configuration that creates one or more Aurora Replicas within the same AWS Region as the primary Aurora cluster, and provides automatic failover in case of an Availability Zone outage. However, this does not provide cross-Region disaster recovery. Creating Amazon EBS volume snapshots for Aurora and copying them to another Region is a manual process that requires stopping the database, creating the snapshots, copying them to the target Region, and restoring them to a new Aurora cluster. This process can cause significant downtime and data loss. Deploying Aurora Replicas is a configuration that creates one or more secondary Aurora clusters within the same AWS Region as the primary Aurora cluster, and provides read scaling and high availability. However, this does not provide cross-Region disaster recovery.

 According to the AWS shared responsibility model, the customer is responsible for configuring logical access controls for resources, and protecting account credentials. This includes managing IAM user permissions, security group rules, network ACLs, encryption keys, and other aspects of access management1. AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud, such as the hardware, software, networking, and facilities. AWS is also responsible for configuring the security used by managed services, such as Amazon RDS, Amazon DynamoDB, and Amazon Aurora2.

AWS Trusted Advisor is a service that provides real-time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor provides recommended actions in five categories: cost optimization, performance, security, fault tolerance, and service quotas. Cost optimization helps you reduce your overall AWS costs by identifying idle and underutilized resources. Service quotas helps you monitor and manage your usage of AWS service quotas and request quota increases. Operating system patches, repetitive tasks, and account activity records are not categories that AWS Trusted Advisor provides recommended actions for. Source: [AWS Trusted Advisor]

Under the AWS shared responsibility model, AWS is responsible for ensuring the security of the internal network in the AWS data centers, as well as the physical security of the hardware and facilities that run AWS services. AWS customers are responsible for configuring the security group rules that determine which ports are open on an EC2 Linux instance, patching the guest operating system with the latest security patches on EC2, and turning on server-side encryption for S3 buckets. Source: AWS Shared Responsibility Model

 Server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and server-side encryption with AWS KMS managed keys (SSE-KMS) are the encryption types that can be used to protect objects at rest in Amazon S3. Server-side encryption means that Amazon S3 encrypts the objects before saving them on disks and decrypts them when they are downloaded. SSE-S3 uses one master key per bucket that is managed by Amazon S3. SSE-KMS uses a customer master key (CMK) that is stored in AWS Key Management Service (AWS KMS) and provides additional benefits, such as audit trails and key rotation. For more information, see Protecting Data Using Server-Side Encryption and Protecting Data Using Encryption.

 The common stakeholders for the AWS Cloud Adoption Framework (AWS CAF) platform perspective are IT architects and engineers. The AWS CAF is a guidance that helps organizations design and travel an accelerated path to successful cloud adoption. The AWS CAF organizes the cloud adoption process into six areas of focus, called perspectives, which are business, people, governance, platform, security, and operations. Each perspective is divided into capabilities, which are further divided into skills and responsibilities. The platform perspective focuses on the provisioning and management of the cloud infrastructure and services that support the business applications. The platform perspective capabilities are design, implementation, and optimization. The stakeholders for the platform perspective are the IT architects and engineers who are responsible for designing, implementing, and optimizing the cloud platform. Chief financial officers (CFOs), chief information officers (CIOs), and chief data officers (CDOs) are not the common stakeholders for the AWS CAF platform perspective. CFOs are the common stakeholders for the AWS CAF business perspective, which focuses on the value realization of the cloud adoption. CIOs are the common stakeholders for the AWS CAF governance perspective, which focuses on the alignment of the IT strategy and processes with the business strategy and goals. CDOs are the common stakeholders for the AWS CAF security perspective, which focuses on the protection of the information assets and systems in the cloud.

AWS Auto Scaling is the AWS service that allows users to optimize the number of EC2 instances based on the usage pattern, as it automatically adjusts the capacity to maintain steady and predictable performance at the lowest possible cost. Spot Instances are a way to reduce the cost of EC2 instances by bidding on unused EC2 capacity, but they are not suitable for applications that require steady and reliable performance. Reserved Instances are a way to reduce the cost of EC2 instances by committing to a certain amount of usage for a period of time, but they are not flexible to adjust to the usage pattern. AWS CloudFormation is a way to automate the creation and management of AWS resources, but it does not optimize the number of EC2 instances based on the usage pattern. These concepts are explained in the AWS Cloud Practitioner Essentials course3.

Decoupling the components of an application means reducing the dependencies and interactions between them, which can improve the application’s reliability, scalability, and performance. Decoupling can be achieved by using services such as Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), and AWS Lambda1

Customers share responsibility with AWS for security and compliance of AWS accounts and resources. This is part of the AWS shared responsibility model, which defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the physical and environmental controls of the AWS global infrastructure, such as power, cooling, fire suppression, and physical access. The customer is responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications, such as identity and access management, encryption, firewall, and backup. For more information, see AWS Shared Responsibility Model and AWS Cloud Security.

 Amazon Relational Database Service (Amazon RDS) is the AWS service that the company should use to migrate its Microsoft SQL Server database management system from on premises to the AWS Cloud. Amazon RDS is a fully managed service that provides a scalable, secure, and high-performance relational database platform. Amazon RDS supports several database engines, including Microsoft SQL Server. Amazon RDS reduces the management overhead for the database environment by taking care of tasks such as provisioning, patching, backup, recovery, and monitoring. For more information, see What is Amazon Relational Database Service (Amazon RDS)? and Amazon RDS for SQL Server.

Amazon Lightsail is an easy-to-use cloud platform that offers you everything needed to build an application or website, plus a cost-effective, monthly plan. Whether you’re new to the cloud or looking to get on the cloud quickly with AWS infrastructure you trust, we’ve got you covered. Lightsail provides the simplest way for the company to establish a website on AWS.

AWS Secrets Manager is an AWS service that can be used to securely store and encrypt passwords for a database. It allows users to manage secrets, such as database credentials, API keys, and tokens, in a centralized and secure way. It also provides features such as automatic rotation, fine-grained access control, and auditing. AWS Shield is an AWS service that provides protection against Distributed Denial of Service (DDoS) attacks for AWS resources and services. It does not store or encrypt passwords for a database. AWS Identity and Access Management (IAM) is an AWS service that allows users to manage access to AWS resources and services. It can be used to create users, groups, roles, and policies that control who can do what in AWS. It does not store or encrypt passwords for a database. Amazon Cognito is an AWS service that provides user identity and data synchronization for web and mobile applications. It can be used to authenticate and authorize users, manage user profiles, and sync user data across devices. It does not store or encrypt passwords for a database.

The company follows the AWS Cloud design principle of ensuring traceability by using AWS CloudTrail. AWS CloudTrail is a service that records the API calls and events made by or on behalf of the AWS account. The company can use AWS CloudTrail to monitor, audit, and analyze the activity and changes in their AWS resources and applications. AWS CloudTrail helps the company to achieve compliance, security, governance, and operational efficiency. Recovering automatically, performing operations as code, and measuring efficiency are other AWS Cloud design principles, but they are not directly related to using AWS CloudTrail. Recovering automatically means that the company can design their cloud workloads to handle failures gracefully and resume normal operations without manual intervention. Performing operations as code means that the company can automate the creation, configuration, and management of their cloud resources using scripts or templates. Measuring efficiency means that the company can monitor and optimize the performance and utilization of their cloud resources and applications34

Provisioning additional EC2 instances in other Availability Zones is a way to make the application highly available, as it reduces the impact of failures and increases fault tolerance. Configuring an Application Load Balancer and assigning the EC2 instance as the ALB’s target is a way to distribute traffic among multiple instances, but it does not make the application highly available if there is only one instance. Using an Amazon Machine Image to create the EC2 instance is a way to launch a virtual server with a preconfigured operating system and software, but it does not make the application highly available by itself. Provisioning the application by using an EC2 Spot Instance is a way to use spare EC2 capacity at up to 90% off the On-Demand price, but it does not make the application highly available, as Spot Instances can be interrupted by EC2 with a two-minute notification.

Deploying the application by using multiple Availability Zones is the best way to increase resilience for the application. According to the Amazon RDS User Guide, "Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups."4 Deploying a copy of the application in another AWS account, using multiple VPCs, or using multiple subnets do not provide the same level of resilience as using multiple Availability Zones.

 Using EC2 instances across multiple Availability Zones in the same AWS Region is a solution that meets the requirements of sharing the same geographic area but using redundant underlying power sources. Availability Zones are isolated locations within an AWS Region that have independent power, cooling, and physical security. They are connected through low-latency, high-throughput, and highly redundant networking. By launching EC2 instances in different Availability Zones, users can increase the fault tolerance and availability of their applications. Amazon CloudFront is a content delivery network (CDN) service that speeds up the delivery of web content and media to end users by caching it at the edge locations closer to them. It is not a database service and cannot be used to store operational data for EC2 instances. Edge locations are sites that are part of the Amazon CloudFront network and are located in many cities around the world. They are not the same as Availability Zones and do not provide redundancy for EC2 instances. AWS OpsWorks is a configuration management service that allows users to automate the deployment and management of applications using Chef or Puppet. It can be used to create stacks that span multiple AWS Regions, but this would not meet the requirement of sharing the same geographic area.

AWS customer carbon footprint tool is an AWS service or tool that helps companies measure the environmental impact of their AWS usage. It allows users to estimate the carbon emissions associated with their AWS resources and services, such as EC2, S3, and Lambda. It also provides recommendations and best practices to reduce the carbon footprint and improve the sustainability of their AWS workloads4. AWS Compute Optimizer is an AWS service that helps users optimize the performance and cost of their EC2 instances and Auto Scaling groups. It provides recommendations for optimal instance types, sizes, and configurations based on the workload characteristics and utilization metrics. It does not help users measure the environmental impact of their AWS usage. Sustainability pillar is a concept that refers to the ability of a system to operate in an environmentally friendly and socially responsible manner. It is not an AWS service or tool that helps users measure the environmental impact of their AWS usage. OS-Climate (Open Source Climate Data Commons) is an initiative that aims to provide open source data, tools, and platforms to accelerate climate action and innovation. It is not an AWS service or tool that helps users measure the environmental impact of their AWS usage.

Compute Savings Plans are a flexible and cost-effective way to optimize long-term compute costs of AWS Lambda functions and Amazon EC2 instances. With Compute Savings Plans, customers can commit to a consistent amount of compute usage (measured in $/hour) for a 1-year or 3-year term and receive a discount of up to 66% compared to On-Demand prices3. Dedicated Hosts are physical servers with EC2 instance capacity fully dedicated to the customer’s use. They are suitable for customers who have specific server-bound software licenses or compliance requirements4. Reserved Instances are a pricing model that provides a significant discount (up to 75%) compared to On-Demand pricing and a capacity reservation for EC2 instances. They are available in 1-year or 3-year terms and different payment options5. Spot Instances are spare EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for customers who have flexible start and end times, can withstand interruptions, and can handle excess capacity.

 AWS Abuse team is the AWS group or team that the company should notify if it suspects that its AWS resources are being used for illegal activities. AWS Abuse team is a dedicated team that handles reports of abuse, such as spam, phishing, malware, denial-of-service attacks, and unauthorized access, involving AWS resources. The company can contact the AWS Abuse team by filling out the [Report Abuse of AWS Resources form] or sending an email to abuse@amazonaws.com. The company should provide as much information as possible, such as the source and destination IP addresses, timestamps, log files, and screenshots, to help the AWS Abuse team investigate and take appropriate actions. For more information, see [Reporting Abuse] and [AWS Acceptable Use Policy].

ACLs are an AWS service or feature that the developer can use to restrict read and write access to the S3 bucket. ACLs are access control lists that grant basic permissions to other AWS accounts or predefined groups. They can be used to grant read or write access to an S3 bucket or an object3. Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2 instances. They are not a service or feature that can be used to restrict access to an S3 bucket. Amazon CloudWatch is a service that provides monitoring and observability for AWS resources and applications. It can be used to collect and analyze metrics, logs, events, and alarms. It is not a service or feature that can be used to restrict access to an S3 bucket. AWS CloudTrail is a service that provides governance, compliance, and audit for AWS accounts and resources. It can be used to track and record the API calls and user activity in AWS. It is not a service or feature that can be used to restrict access to an S3 bucket.

 Spot Instances are instances that use spare EC2 capacity that is available for up to 90% off the On-Demand price. Because Spot Instances can be interrupted by EC2 with two minutes of notification when EC2 needs the capacity back, you can use them for applications that have flexible start and end times, or that can withstand interruptions5. This option is most cost-effective for the use case described in the question. Reserved Instances are instances that you purchase for a one-year or three-year term, and pay a lower hourly rate compared to On-Demand Instances. This option is suitable for applications that have steady state or predictable usage. Dedicated Instances are instances that run on hardware that’s dedicated to a single customer within an Amazon VPC. This option is suitable for applications that have stringent regulatory or compliance requirements. On-Demand Instances are instances that you pay for by the second, with no long-term commitments or upfront payments. This option is suitable for applications that have unpredictable or intermittent workloads.

 The AWS service that requires the customer to patch the guest operating system is Amazon EC2. Amazon EC2 is a service that provides scalable compute capacity in the cloud, and allows customers to launch and run virtual servers, called instances, with a variety of operating systems, configurations, and specifications. The customer is responsible for patching and updating the guest operating system and any applications that run on the EC2 instances, as part of the security in the cloud. AWS Lambda, Amazon OpenSearch Service, and Amazon ElastiCache are not services that require the customer to patch the guest operating system. AWS Lambda is a serverless compute service that allows customers to run code without provisioning or managing servers. Amazon OpenSearch Service is a fully managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud. Amazon ElastiCache is a fully managed service that provides in-memory data store and cache solutions, such as Redis and Memcached. These services are managed by AWS, and AWS is responsible for patching and updating the underlying infrastructure and software.

The AWS service that will meet the requirements of the company that is hosting a web application on Amazon EC2 instances and wants to implement custom conditions to filter and control inbound web traffic is AWS WAF. AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect availability, compromise security, or consume excessive resources. The company can use AWS WAF to create custom rules that block malicious requests that match certain patterns, such as SQL injection or cross-site scripting. AWS WAF can be applied to web applications that are behind an Application Load Balancer, Amazon CloudFront, or Amazon API Gateway. Amazon GuardDuty, Amazon Macie, and AWS Shield are not the best services to use for this purpose. Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior across the AWS accounts and resources. Amazon Macie is a data security and data privacy service that uses machine learning and pattern matching to discover, classify, and protect sensitive data stored in Amazon S3. AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards web applications running on AWS. These services are more useful for detecting and preventing different types of threats and attacks, rather than filtering and controlling inbound web traffic based on custom conditions.

 Amazon Elastic File System (Amazon EFS) is the AWS storage service that should be used for an application that runs on multiple Amazon EC2 instances that access a shared file system simultaneously. Amazon EFS is a fully managed service that provides a scalable, elastic, and highly available file system for Linux-based workloads. Amazon EFS supports the Network File System version 4 (NFSv4) protocol and allows multiple EC2 instances to read and write data to the same file system concurrently. Amazon EFS also integrates with other AWS services, such as AWS Backup, AWS CloudFormation, and AWS CloudTrail. For more information, see What is Amazon Elastic File System? and [Amazon EFS Use Cases].

Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. You can use Spot Instances for various stateless, fault-tolerant, or flexible applications such as big data, containerized workloads, CI/CD, web servers, high-performance computing (HPC), and other test & development workloads. Spot Instances are well-suited for massively parallel computations, as they can provide large amounts of compute capacity at a low cost, and can be interrupted with a two-minute notice3

 A and B are correct because AWS CodeCommit is the AWS service that provides a fully managed source control service that hosts secure Git-based repositories1, and AWS CodeDeploy is the AWS service that automates code deployments to any instance, including Amazon EC2 instances and servers running on-premises2. These two services can be used together to store source code and update the running software when the code changes. C is incorrect because Amazon DynamoDB is the AWS service that provides a fully managed NoSQL database service that supports key-value and document data models3. It is not related to storing source code or updating software. D is incorrect because Amazon S3 is the AWS service that provides object storage through a web service interface4. It can be used to store source code, but it does not provide source control features or update software. E is incorrect because Amazon Elastic Container Service (Amazon ECS) is the AWS service that allows users to run, scale, and secure Docker container applications. It can be used to deploy containerized software, but it does not store source code or update software.

 AWS Trusted Advisor is the AWS service or tool that the company should use to identify areas for optimization. According to the AWS Trusted Advisor User Guide, “AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor checks help optimize your AWS infrastructure, increase security and performance, reduce your overall costs, and monitor service limits.” Amazon QuickSight, AWS Organizations, and AWS Budgets are not designed to provide optimization recommendations for the current AWS environment.

 The AWS service or tool that provides recommendations to help users get rightsized Amazon EC2 instances based on historical workload usage data is AWS Compute Optimizer. AWS Compute Optimizer is a service that analyzes the configuration and performance of the AWS resources, such as Amazon EC2 instances, and provides recommendations for optimal resource types and sizes based on the workload patterns and metrics. AWS Compute Optimizer helps users improve the performance, availability, and cost efficiency of their AWS resources. AWS Pricing Calculator, AWS App Runner, and AWS Systems Manager are not the best services or tools to use for this purpose. AWS Pricing Calculator is a tool that helps users estimate the cost of using AWS services based on their requirements and preferences. AWS App Runner is a service that helps users easily and quickly deploy web applications and APIs without managing any infrastructure. AWS Systems Manager is a service that helps users automate and manage the configuration and operation of their AWS resources and applications34

 AWS Config and service control policies (SCPs) are AWS services or features that the company can use to create and define controls (guardrails) in a newly created AWS Control Tower landing zone. AWS Config is a service that enables users to assess, audit, and evaluate the configurations of their AWS resources. It can be used to create rules that check for compliance with the desired configurations and report any deviations. AWS Control Tower provides a set of predefined AWS Config rules that can be enabled as guardrails to enforce compliance across the landing zone1. Service control policies (SCPs) are a type of policy that can be used to manage permissions in AWS Organizations. They can be used to restrict the actions that the users and roles in the member accounts can perform on the AWS resources. AWS Control Tower provides a set of predefined SCPs that can be enabled as guardrails to prevent access to certain services or regions across the landing zone2. Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for AWS accounts and resources. It is not a feature that can be used to create and define controls (guardrails) in a landing zone. AWS Identity and Access Management (IAM) is a service that allows users to manage access to AWS resources and services. It can be used to create users, groups, roles, and policies that control who can do what in AWS. It is not a feature that can be used to create and define controls (guardrails) in a landing zone. Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2 instances. They can be used to allow or deny access to an EC2 instance based on the port, protocol, and source or destination. They are not a feature that can be used to create and define controls (guardrails) in a landing zone.

 Consolidated billing is an AWS feature that allows users to combine the usage and costs of multiple AWS accounts into a single bill. This enables users to obtain billing discounts that are based on the company’s use of AWS services, such as volume pricing tiers, Reserved Instance discounts, and Savings Plans discounts5. Resource tagging is an AWS feature that allows users to assign metadata to AWS resources, such as EC2 instances, S3 buckets, and Lambda functions. This enables users to organize, track, and manage their AWS resources, such as filtering, grouping, and reporting. Pay-as-you-go pricing is an AWS pricing model that allows users to pay only for the resources and services they use, without any upfront or long-term commitments. This enables users to lower their costs by scaling up or down as needed, and avoiding over-provisioning or under-utilization. Spot Instances are spare EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for workloads that can tolerate interruptions, such as batch processing, data analysis, and testing. Spot Instances are allocated based on the current supply and demand, and can be reclaimed by AWS with a two-minute notice when the demand exceeds the supply.

 C is correct because moving a workload from a local data center to an architecture that is distributed between the local data center and the AWS Cloud is an example of an on-premises to hybrid migration. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and public cloud services with orchestration between the platforms. A is incorrect because on-premises to cloud native migration is the process of moving a workload from a local data center to an architecture that is fully hosted and managed on the AWS Cloud. B is incorrect because hybrid to cloud native migration is the process of moving a workload from an architecture that is distributed between the local data center and the AWS Cloud to an architecture that is fully hosted and managed on the AWS Cloud. D is incorrect because cloud native to hybrid migration is the process of moving a workload from an architecture that is fully hosted and managed on the AWS Cloud to an architecture that is distributed between the local data center and the AWS Cloud.

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define2. You can use AWS WAF to create a custom rule that blocks SQL injection attacks on your website.

Amazon S3 is a service that provides highly durable and cost-effective object storage for a variety of use cases, including backup and archive, big data analytics, disaster recovery, and cloud applications. Amazon S3 offers 99.999999999% (11 9’s) of durability, meaning that data is designed to withstand the loss of two facilities concurrently. Amazon S3 also offers several storage classes with different price and performance characteristics, such as S3 Glacier and S3 Glacier Deep Archive, which are ideal for long-term archival of data that is rarely accessed. AWS Snowball, AWS Storage Gateway, and Amazon Kinesis are not designed to provide the same level of durability and cost-effectiveness as Amazon S3 for storing call recordings for 6 years. Source: Amazon S3

AWS Shield Standard and AWS WAF are the AWS services or tools that are designed to protect a workload from SQL injections, cross-site scripting, and DDoS attacks. According to the AWS Shield Developer Guide, "AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection."5 According to the AWS WAF Developer Guide, “AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.” VPC endpoint, virtual private gateway, and AWS Config are not designed to protect a workload from these types of attacks.

Amazon Machine Image (AMI) is the option that the company can use during the launch process to configure the root volume of the EC2 instance. An AMI is a template that contains the software configuration, such as the operating system, applications, and settings, required to launch an EC2 instance. An AMI also specifies the volume size and type of the root device for the instance. The company can choose an AMI provided by AWS, the AWS Marketplace, or the AWS community, or create a custom AMI. For more information, see [Amazon Machine Images (AMI)] and [Launching an Instance Using the Launch Instance Wizard].

 Amazon Redshift Serverless is the AWS service that will meet the requirements of the company that wants to move its data warehouse application to the AWS Cloud and run and scale its analytics services without needing to provision and manage data warehouse clusters. Amazon Redshift Serverless is a new feature of Amazon Redshift, which is a fully managed data warehouse service that allows customers to run complex queries and analytics on large volumes of structured and semi-structured data. Amazon Redshift Serverless automatically scales the compute and storage resources based on the workload demand, and customers only pay for the resources they consume. Amazon Redshift Serverless also simplifies the management and maintenance of the data warehouse, as customers do not need to worry about choosing the right cluster size, resizing the cluster, or distributing the data across the nodes. Amazon Redshift provisioned data warehouse, Amazon Athena, and Amazon S3 are not the best services to meet the requirements of the company. Amazon Redshift provisioned data warehouse requires customers to choose the number and type of nodes for their cluster, and manually resize the cluster if their workload changes. Amazon Athena is a serverless query service that allows customers to analyze data stored in Amazon S3 using standard SQL, but it is not a data warehouse service that can store and organize the data. Amazon S3 is a scalable object storage service that can store any amount and type of data, but it is not a data warehouse service that can run complex queries and analytics on the data.

 The tasks that are the responsibility of AWS according to the AWS shared responsibility model are securing the access of physical AWS facilities and performing infrastructure patching and maintenance. The AWS shared responsibility model defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the physical security of the hardware, software, networking, and facilities that run the AWS services. AWS is also responsible for the maintenance and patching of the infrastructure that supports the AWS services. The customer is responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications that they use. Configuring AWS Identity and Access Management (IAM), configuring security groups on Amazon EC2 instances, and patching applications that run on Amazon EC2 instances are tasks that are the responsibility of the customer, not AWS.

 To make a subnet public, the company should use an Amazon VPC internet gateway and an Amazon VPC route table. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. To enable internet access for a subnet, you need to attach an internet gateway to your VPC and add a route to the internet gateway in the route table associated with the subnet.

AWS Identity and Access Management (IAM) is a service that allows users to manage access to AWS resources and services. It enables users to create and manage users, groups, roles, and policies that control who can do what in AWS. IAM is always free of charge for users, as there is no additional cost for using IAM with any AWS service1. Amazon S3 is a storage service that provides scalable, durable, and secure object storage. Amazon S3 has a free tier that offers 5 GB of storage, 20,000 GET requests, and 2,000 PUT requests per month for one year. However, users are charged for any additional usage beyond the free tier limits2. Amazon Aurora is a relational database service that is compatible with MySQL and PostgreSQL. Amazon Aurora has a free tier that offers 750 hours of Aurora Single-AZ db.t2.small database usage and 20 GB of storage per month for one year. However, users are charged for any additional usage beyond the free tier limits3. Amazon EC2 is a compute service that provides resizable virtual servers. Amazon EC2 has a free tier that offers 750 hours of Linux and Windows t2.micro instances per month for one year. However, users are charged for any additional usage beyond the free tier limits4.

 Deploying the application in multiple Availability Zones is the best way to ensure high availability for the application. Availability Zones are isolated locations within an AWS Region that are engineered to be fault-tolerant from failures in other Availability Zones. By deploying the application in multiple Availability Zones, the company can reduce the impact of outages and increase the resilience of the application. Deploying the application in a single Availability Zone, on AWS Direct Connect, or on Reserved Instances does not provide the same level of high availability as deploying the application in multiple Availability Zones. Source: Availability Zones

 D is correct because security groups are the AWS service or feature that can be used to control inbound and outbound traffic on an Amazon EC2 instance. Security groups act as a virtual firewall for the EC2 instance, allowing users to specify which protocols, ports, and source or destination IP addresses are allowed or denied. A is incorrect because internet gateways are the AWS service or feature that enable communication between instances in a VPC and the internet. They do not control the traffic on an EC2 instance. B is incorrect because AWS Identity and Access Management (IAM) is the AWS service or feature that enables users to manage access to AWS services and resources securely. It does not control the traffic on an EC2 instance. C is incorrect because network ACLs are the AWS service or feature that provide an optional layer of security for the VPC that acts as a firewall for controlling traffic in and out of one or more subnets. They do not control the traffic on an EC2 instance.

 AWS Shield Standard is a service that provides protection against Distributed Denial of Service (DDoS) attacks for all AWS customers at no additional charge. It automatically detects and mitigates the most common and frequently occurring network and transport layer DDoS attacks that target AWS resources, such as Amazon EC2 instances, Elastic Load Balancers, Amazon CloudFront distributions, and Amazon Route 53 hosted zones. AWS Firewall Manager is a service that allows users to centrally configure and manage firewall rules across their AWS accounts and resources, such as AWS WAF web ACLs, AWS Shield Advanced protections, and Amazon VPC security groups. AWS WAF is a web application firewall that helps protect web applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It analyzes the behavior of the applications and checks for vulnerabilities, exposures, and deviations from best practices.

Adding a department tag to each resource and configuring cost allocation tags is an action that can help you accomplish the goal of billing each department for its resource usage with the least operational overhead. Tags are simple labels consisting of a key and an optional value that you can assign to AWS resources. You can use tags to organize your resources and track your AWS costs on a detailed level. Cost allocation tags enable you to track your AWS costs on a detailed level. After you activate cost allocation tags, AWS uses the cost allocation tags to organize your resource costs on your cost allocation report, to make it easier for you to categorize and track your AWS costs2. Moving each department resource to its own VPC or its own AWS account is an action that can help you isolate and control the resources for each department, but it would incur more operational overhead than using tags. Using AWS Organizations to get a billing report for each department is an action that can help you consolidate billing and payment across multiple AWS accounts, but it would not help you bill each department for its resource usage within a single VPC.

Cost optimization is the pillar of the AWS Well-Architected Framework that aligns with the requirements of not relying on elaborate forecasting and paying only for the resources that are used. The cost optimization pillar focuses on the ability of a system to deliver business value at the lowest price point. Cost optimization involves using the right AWS services and resources for the workload, measuring and monitoring the cost and usage, and continuously improving the cost efficiency. Cost optimization also leverages the benefits of the AWS Cloud, such as pay-as-you-go pricing, elasticity, and scalability. For more information, see [Cost Optimization Pillar] and [Cost Optimization].

 The perspective of the AWS Cloud Adoption Framework (AWS CAF) that connects technology and business is governance. The governance perspective focuses on the alignment of the IT strategy and processes with the business strategy and goals, as well as the management of the IT budget, risk, and compliance. The governance perspective capabilities are portfolio management, business performance management, and IT governance. The governance perspective helps organizations ensure that their cloud adoption delivers the expected business value and outcomes, and that their cloud solutions are secure, reliable, and compliant. Operations, people, and security are other perspectives of the AWS CAF, but they do not directly connect technology and business. The operations perspective focuses on the management and monitoring of the cloud resources and applications, as well as the automation and optimization of the operational processes. The people perspective focuses on the development and empowerment of the human resources, as well as the transformation of the organizational culture and structure. The security perspective focuses on the protection of the information assets and systems in the cloud, as well as the implementation of the security policies and controls.

 Amazon CloudWatch and AWS CloudTrail are the AWS services that allow users to monitor and retain records of account activities that include governance, compliance, and auditing. Amazon CloudWatch is a service that collects and tracks metrics, collects and monitors log files, and sets alarms. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Amazon GuardDuty, AWS Shield, and AWS WAF are AWS services that provide security and protection for AWS resources, but they do not monitor and retain records of account activities. These concepts are explained in the AWS Cloud Practitioner Essentials course3.

AWS performs some tasks automatically to help you manage and secure your AWS resources. One of these tasks is patching Amazon EC2 instances. AWS provides two options for patching your EC2 instances: managed instances and patch baselines. Managed instances are a group of EC2 instances or on-premises servers that you can manage using AWS Systems Manager. Patch baselines define the patches that AWS Systems Manager applies to your instances. You can use AWS Systems Manager to automate the process of patching your instances based on a schedule or a maintenance window.

AWS Elastic Beanstalk is a fully managed service designed for developers who want to deploy and manage their applications without having to provision and manage the underlying infrastructure themselves. Developers can simply upload their code, and Elastic Beanstalk automatically handles the deployment, including provisioning the necessary resources (such as EC2 instances, load balancers, and auto-scaling).

A. AWS CloudFormation: Incorrect, as it is an infrastructure-as-code service for defining and provisioning AWS resources but does not directly deploy applications.

B. AWS CodeBuild: Incorrect, as it is a service for building and testing code, not for deploying applications.

D. AWS CodeDeploy: Incorrect, as it is specifically designed for automating software deployments to a variety of compute services, including EC2, but it does not manage the underlying infrastructure.

AWS Cloud References:

AWS Elastic Beanstalk

AWS Outposts is a service that offers fully managed and configurable compute and storage racks built with AWS-designed hardware that allow you to run your workloads on premises and seamlessly connect to AWS services in the cloud. AWS Outposts is ideal for workloads that require low latency, local data processing, or local data storage. With AWS Outposts, you can use the same AWS APIs, tools, and infrastructure across on premises and the cloud to deliver a truly consistent hybrid experience5. Availability Zones are isolated locations within each AWS Region that are engineered to be fault-tolerant and provide high availability. AWS Local Zones are extensions of AWS Regions that are placed closer to large population, industry, and IT centers where no AWS Region exists today. AWS Wavelength is a service that enables developers to build applications that deliver ultra-low latency to mobile devices and users by deploying AWS compute and storage at the edge of the 5G network. None of these services or features can help you host a critical application with minimum latency at a remote site that has a slow internet connection.

AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center, which can support the requirement of retaining certain data on-premises due to legal obligations5.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This can help you simplify compliance auditing, security analysis, change management, and operational troubleshooting1.

 AWS Shield is an AWS service that provides protection against distributed denial of service (DDoS) attacks for applications that run in the AWS Cloud. DDoS attacks are attempts to make an online service unavailable by overwhelming it with traffic from multiple sources. AWS Shield provides two tiers of protection: AWS Shield Standard and AWS Shield Advanced. AWS Shield Standard is automatically enabled for all AWS customers at no additional charge. It provides protection against common and frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is an optional paid service that provides additional protection against larger and more sophisticated DDoS attacks. AWS Shield Advanced also provides access to 24/7 DDoS response team, cost protection, and enhanced detection and mitigation capabilities

The company should use the AWS Billing console to access a report about the estimated environmental impact of the company’s AWS usage. The AWS Billing console provides customers with various tools and reports to manage and monitor their AWS costs and usage. One of the reports available in the AWS Billing console is the AWS Sustainability Dashboard, which shows the estimated carbon footprint and energy mix of the customer’s AWS usage. The company can use this dashboard to measure and improve the sustainability of their cloud workloads. AWS Organizations, IAM policy, and Amazon Simple Notification Service (Amazon SNS) are not services or features that can provide a report about the estimated environmental impact of the company’s AWS usage. AWS Organizations is a service that enables customers to centrally manage and govern their AWS accounts. IAM policy is a document that defines the permissions for an IAM identity (user, group, or role) or an AWS resource. Amazon SNS is a fully managed pub/sub messaging service that enables customers to send messages to subscribers or other AWS services.

According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This means that AWS provides the physical and environmental controls, the service and communications protection, and the awareness and training for its employees, while the customer provides the patch and configuration management, the identity and access management, the data encryption, and the firewall configuration for its resources3.

 AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center1.

 Create annotated documentation is the design principle that is included in the operational excellence pillar of the AWS Well-Architected Framework. According to the AWS Well-Architected Framework whitepaper, creating annotated documentation means "documenting your workload so that the team understands the architecture, how to operate the workload, and how the workload delivers value to customers."3 Anticipate failure, ensure performance efficiency, and optimize costs are design principles that belong to other pillars of the AWS Well-Architected Framework, such as reliability, performance efficiency, and cost optimization.

AWS Direct Connect provides a dedicated private network connection from on-premises data centers directly to the AWS Cloud, bypassing the public internet. This setup is ideal for reducing network costs, increasing bandwidth throughput, and providing a more consistent network experience compared to standard internet connections. Other services, such as Amazon VPC, relate to networking but do not establish a private network connection from on-premises to AWS.

Amazon RDS and Amazon Aurora are both managed AWS services that support the PostgreSQL database engine. Amazon RDS makes it easier to set up, operate, and scale PostgreSQL deployments on the cloud, while Amazon Aurora is a cloud-native database engine that is compatible with PostgreSQL and offers higher performance and availability. Amazon Athena is a serverless query service that does not support PostgreSQL, but can analyze data in Amazon S3 using standard SQL. Amazon EC2 is a compute service that allows users to launch virtual machines, but does not provide any database management features. Amazon DynamoDB is a NoSQL database service that is not compatible with PostgreSQL, but offers fast and consistent performance at any scale. References: Hosted PostgreSQL - Amazon RDS for PostgreSQL - AWS, Amazon RDS for PostgreSQL - Amazon Relational Database Service, AWS PostgreSQL: Managed or Self-Managed? - NetApp, AWS Announces Amazon Aurora Supports PostgreSQL 12 - InfoQ, Amazon Aurora vs PostgreSQL | What are the differences? - StackShare

A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic in and out of one or more subnets in a virtual private cloud (VPC). Network ACLs can be configured with rules that allow or deny traffic based on the source and destination IP addresses, ports, and protocols1. AWS Security Hub is a service that provides a comprehensive view of the security posture of AWS accounts and resources2. Security groups are features that act as firewalls for controlling traffic at the instance level3. AWS WAF is a web application firewall that helps protect web applications from common web exploits4.

AWS provides an Attestation of Compliance (AOC) report for specific AWS services to assist companies in achieving Payment Card Industry Data Security Standard (PCI DSS) compliance in the cloud. This report demonstrates that AWS services meet the necessary PCI DSS requirements. AWS does not offer physical inspections of data centers by appointment, nor does it provide certifications for any application running on AWS. Additionally, AWS does not provide professional PCI compliance services; companies must manage their PCI compliance in their environment.

The concept of granting access only to the resources needed to perform a task is known as least privilege access. This is a security best practice in IAM that helps to reduce the risk of unauthorized or malicious actions. By applying least privilege access, you can limit the permissions of your IAM users, groups, and roles to the minimum required for their specific tasks. You can also use conditions, permissions boundaries, and IAM Access Analyzer to further restrict and verify access. References: Security best practices in IAM, Policies and permissions in IAM, Use IAM policies to grant the least privileges required to access Amazon RDS resources, How to Design a Least Privilege Architecture in AWS, 12 Azure & AWS IAM Security Best Practices

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA). You can use AWS Artifact to download the applicable report for AWS security controls and provide it to the auditor.

Using EC2 instances in multiple Availability Zones is an AWS infrastructure solution that meets the requirements of migrating a high performance computing (HPC) application to AWS with fault tolerance and failover capabilities, and with the least latency between components. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. EC2 instances within the same Region can communicate with each other using low-latency private IP addresses. By using EC2 instances in multiple Availability Zones, the company can achieve fault tolerance and failover for their HPC application, because they can distribute the workload and data across different locations that are independent of each other. If one Availability Zone becomes unavailable or impaired, the company can redirect the traffic and data to another Availability Zone without affecting the performance and availability of the application5

One of the primary advantages of the AWS Cloud is the ability to provision resources on demand. Users no longer need to over-provision or guess the capacity needed for infrastructure, which helps optimize costs and improve agility. AWS handles infrastructure scaling dynamically based on the actual usage. Options B, C, and D are incorrect as users do not maintain sole ownership of IT hardware or control of underlying infrastructure, and while they do maintain some control over the operating system in some cases, it is not an advantage specific to the cloud.

Amazon S3 is the AWS service that offers object storage. Object storage is a technology that stores and manages data in an unstructured format called objects. Each object consists of the data, metadata, and a unique identifier. Object storage is ideal for storing large amounts of unstructured data, such as photos, videos, email, web pages, sensor data, and audio files1. Amazon S3 provides industry-leading scalability, data availability, security, and performance for object storage2.

Amazon RDS is the AWS service that offers relational database storage. Relational database storage is a technology that stores and manages data in a structured format called tables. Each table consists of rows and columns that define the attributes and values of the data. Relational database storage is ideal for storing structured or semi-structured data, such as customer records, inventory, transactions, and analytics3.

Amazon Elastic File System (Amazon EFS) is the AWS service that offers file storage. File storage is a technology that stores and manages data in a hierarchical format called files and folders. Each file consists of the data and metadata, and each folder consists of files or subfolders. File storage is ideal for storing shared data that can be accessed by multiple users or applications, such as home directories, content repositories, media libraries, and configuration files4.

Amazon DynamoDB is the AWS service that offers NoSQL database storage. NoSQL database storage is a technology that stores and manages data in a flexible format called documents or key-value pairs. Each document or key-value pair consists of the data and metadata, and can have different attributes and values depending on the schema. NoSQL database storage is ideal for storing dynamic or unstructured data that requires high performance, scalability, and availability, such as web applications, social media, gaming, and IoT.

AWS Artifact is a service that provides on-demand access to security and compliance reports from AWS and Independent Software Vendors (ISVs) who sell their products on AWS Marketplace. You can use AWS Artifact to download auditor-issued reports, certifications, accreditations, and other third-party attestations of AWS compliance with various standards and regulations, such as PCI-DSS, HIPAA, FedRAMP, GDPR, and more1234. You can also use AWS Artifact to review, accept, and manage your agreements with AWS and apply them to current and future accounts within your organization2. References: 1: Cloud Compliance - Amazon Web Services (AWS), 2: Security Compliance Management - AWS Artifact - AWS, 3: AWS Compliance Contact Us - Amazon Web Services, 4: AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

AWS Trusted Advisor is a service that provides real-time guidance to help optimize AWS resources, improve security, and maximize performance. It includes a Security category that can identify security group configurations that allow unrestricted access to specific ports. It offers recommendations and alerts to help remediate misconfigurations and ensure proper security practices1. References:

Amazon CLF-C02: Which AWS service monitor for misconfigured security groups allowing unrestricted access to specific ports - PUPUWEB

The AWS Pricing Calculator is a web-based tool that allows customers to estimate their monthly AWS costs by configuring and projecting the costs of different AWS services. The calculator is specifically designed to help customers plan their AWS spending based on their specific architecture and usage patterns. The other options are not correct because:

B. Calculate historical AWS costs: This is incorrect as the AWS Pricing Calculator does not track or calculate historical costs. For historical costs, AWS Cost Explorer is used.

C. Provide in-depth information about AWS pricing strategies: While the AWS Pricing Calculator provides cost estimations, it does not provide detailed insights into AWS pricing strategies.

D. Provide users with access to their monthly bills: This is incorrect; AWS Billing and Cost Management provides access to actual billing information.

AWS Cloud References:

AWS Pricing Calculator

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast container management service that allows you to run, stop, and manage Docker containers on a cluster of Amazon EC2 instances or a serverless environment powered by AWS Fargate. It provides secure, reliable, and scalable operations for containers, allowing users to deploy containers in a highly secure and reliable manner. Amazon Aurora is a relational database service, Amazon Athena is an interactive query service, and Amazon Polly is a text-to-speech service. Therefore, the correct answer is Amazon ECS.References:

AWS Documentation on Amazon ECS

 AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes consolidated billing and account management capabilities that enable you to better meet the budgetary, security, and compliance needs of your business1.

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines2. SCPs are available only in an organization that has all features enabled2.

AWS CloudTrail is the service that can be used to meet these requirements. AWS CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service1. You can use CloudTrail to track the activity in your AWS accounts, such as who made an API call, when it was made, and what resources were affected. You can also use CloudTrail to monitor the compliance, security, and governance of your AWS environment2. The other services are not designed to track the activity and API calls in your AWS accounts. Amazon CloudWatch is a service that monitors and collects metrics, logs, and events from your AWS resources and applications. You can use CloudWatch to set alarms, visualize data, and automate actions based on predefined thresholds or rules3. Amazon Inspector is a service that helps you improve the security and compliance of your applications running on AWS. Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices4. AWS IAM is a service that enables you to manage access to AWS services and resources securely. IAM allows you to create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. References: AWS CloudTrail, AWS CloudTrail – Capture AWS API Activity, Amazon CloudWatch, Amazon Inspector, [AWS IAM]

Amazon SageMaker is a fully managed service that provides every developer and data scientist with the ability to build, train, and deploy machine learning (ML) models quickly. It offers integrated Jupyter notebooks for data exploration, pre-built algorithms, and automatic model tuning to optimize hyperparameters.

Why other options are not suitable:

A. Amazon Personalize: A managed machine learning service that provides personalized recommendations, but does not offer the full suite of ML tools for building, training, and deploying models.

B. Amazon Comprehend: A natural language processing (NLP) service, not a general-purpose ML model building and deployment service.

C. Amazon Forecast: A managed service specifically for creating accurate forecasts using machine learning, not for general-purpose ML model development.

References:

Amazon SageMaker Documentation

AWS Direct Connect is a service that provides a dedicated network connection from on premises to the AWS Cloud. It can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. It can also provide low latency for applications that require real-time data transfer4. Amazon VPC is a service that provides a logically isolated section of the AWS Cloud where users can launch AWS resources in a virtual network that they define. Amazon Kinesis Data Streams is a service that provides a scalable and durable stream of data records for real-time data processing. Amazon OpenSearch Service is a service that provides a fully managed, scalable, and secure search and analytics solution that is compatible with Elasticsearch.

Global reach is a cloud computing advantage that a company can apply when it uses AWS Regions to increase application availability to users in different countries. Global reach refers to the ability to deploy applications and services in multiple geographic locations around the world, and to serve customers with low latency and high performance. AWS has the largest and most reliable global infrastructure of any cloud provider, with 25 Regions and 81 Availability Zones across the Americas, Europe, Asia Pacific, Africa, and the Middle East123. By using AWS Regions, a company can choose the best location for its application based on customer proximity, compliance requirements, and disaster recovery strategies23. References: 1: AWS Global Infrastructure - Amazon Web Services (AWS), 2: Regions and Availability Zones - Amazon Elastic Compute Cloud, 3: AWS Infrastructure: Regions and Availability Zones Explained

Amazon RDS is a fully managed relational database service that supports several database engines, including PostgreSQL. Amazon RDS can run a managed PostgreSQL database that provides online transaction processing (OLTP), which is a type of database workload that handles frequent read and write operations on small amounts of data. Amazon RDS for PostgreSQL offers high performance, availability, scalability, security, and compatibility with the PostgreSQL community edition. Amazon RDS also provides automated backups, point-in-time recovery, encryption, monitoring, and maintenance for PostgreSQL databases. References:

Hosted PostgreSQL - Amazon RDS for PostgreSQL

OLTP Database, MySQL And PostgreSQL Managed Database - Amazon Aurora

PostgreSQL options on AWS: Self- managed, managed, and serverless

One of the key advantages of cloud computing is the ability to trade fixed expenses (like data centers and physical servers) for variable expenses. With AWS, companies pay only for the compute power, storage, and other resources they use, rather than investing heavily in on-premises infrastructure upfront. This reduces capital expenditure and helps lower overall costs.

Why other options are not suitable:

A. Go global in minutes: Refers to the ability to quickly deploy applications around the world, but does not directly reduce upfront costs.

B. Increase speed and agility: Refers to the ability to quickly scale and deploy resources, but is not directly related to cost reduction.

C. Benefit from massive economies of scale: Refers to AWS's ability to lower costs by leveraging its scale, but the primary advantage for reducing upfront costs is moving from fixed to variable expenses.

References:

AWS Cloud Economics

The correct answer is B and C. EC2 Amazon Machine Images (AMIs) and Amazon Elastic Block Store (Amazon EBS) snapshots are two AWS services that provide disaster recovery solutions for Amazon EC2 instances.

EC2 AMIs are preconfigured templates that contain the software configuration and data required to launch an EC2 instance. You can create AMIs from your running EC2 instances and use them to launch new instances in the same or different AWS Regions. This way, you can quickly recover your EC2 instances in case of a disaster that affects your primary Region or Availability Zone1.

Amazon EBS snapshots are incremental backups of your Amazon EBS volumes. You can create snapshots of your volumes and store them in Amazon S3, which is a highly durable and scalable storage service. You can use snapshots to restore your volumes to a previous point in time or to create new volumes from snapshots. Snapshots can also be copied across AWS Regions, enabling you to recover your data in another Region in case of a disaster2.

The other options are not directly related to disaster recovery for EC2 instances:

EC2 Reserved Instances are a pricing model that allows you to reserve EC2 capacity for a specific period of time and receive a discount on the hourly charge. Reserved Instances do not provide any disaster recovery benefits, as they are only a billing option3.

AWS Shield is a managed service that protects your AWS resources from distributed denial-of-service (DDoS) attacks. AWS Shield provides basic protection for all AWS customers at no additional charge, and advanced protection for customers who need higher levels of detection and mitigation. AWS Shield does not provide any disaster recovery benefits, as it is only a security service4.

Amazon GuardDuty is a threat detection service that monitors your AWS account and workloads for malicious or unauthorized activity. Amazon GuardDuty analyzes various data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs, to identify potential threats and alert you via Amazon CloudWatch Events or AWS Lambda. Amazon GuardDuty does not provide any disaster recovery benefits, as it is only a monitoring service5.

Amazon Aurora is a fully managed MySQL-compatible database that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open-source databases. Amazon Aurora is part of the Amazon Relational Database Service (Amazon RDS) family, which means it inherits the benefits of a fully managed service, such as automated backups, patches, scaling, monitoring, and security. Amazon Aurora also offers up to five times the throughput of standard MySQL, as well as high availability, durability, and fault tolerance with up to 15 read replicas, cross-Region replication, and self-healing storage. Amazon Aurora is compatible with the latest versions of MySQL, as well as PostgreSQL, and supports various features and integrations that enhance its functionality and usability123

References: Amazon Aurora, Amazon RDS, AWS — Amazon Aurora Overview

AWS Migration Hub assists users in planning and tracking the progress of their server and application migrations. It centralizes migration tracking across various AWS services, providing visibility into application inventory and migration status. While AWS Application Migration Service also assists with migrations, Migration Hub is specifically designed for tracking migration data comprehensively.

The AWS account root user is the email address that you used to sign up for AWS. The root user has complete access to all AWS services and resources in the account. You should use the root user only to perform a few account and service management tasks. One of these tasks is changing AWS Support plans, which requires root user credentials. For other tasks, you should create an IAM user or role with the appropriate permissions and use that instead of the root user.

According to the AWS shared responsibility model, the customer is responsible for the security in the cloud, which includes configuring firewalls and networks. AWS provides security groups and network access control lists (NACLs) as firewall features that customers can use to control the traffic to and from their AWS resources. Customers are also responsible for managing their own virtual private clouds (VPCs), subnets, route tables, internet gateways, and other network components. AWS is responsible for the security of the cloud, which includes the physical security of the facilities, the host operating system and virtualization layer, and the AWS global network infrastructure12. References:

Shared Responsibility Model - Amazon Web Services (AWS)

Shared responsibility model - Amazon Web Services: Risk and Compliance

 This is a design principle of the operational excellence pillar of the AWS Well-Architected Framework. Performing operations as code means using scripts, templates, or automation tools to perform routine tasks, such as provisioning, configuration, deployment, and monitoring. This reduces human error, increases consistency, and enables faster recovery from failures. You can learn more about the operational excellence pillar from this whitepaper or this digital course.

Using multiple Availability Zones within the same AWS Region meets the requirements for having instances in different locations with independent power and networking. Availability Zones are distinct physical locations within a region, each with separate power sources and networking. Edge locations are used for content delivery, and Amazon Connect and AWS Artifact locations are not relevant to EC2 deployment and infrastructure.

The AWS Cloud is cost-effective for dynamic workloads because of its elasticity, allowing resources to scale up or down based on demand, and its pay-as-you-go pricing, which enables companies to pay only for what they use. Reliability, security, and high availability are also benefits of AWS, but they do not specifically relate to cost-effectiveness in the context of dynamic workloads.

AWS Organizations is an AWS service that enables you to centrally manage and govern your AWS Cloud environments across multiple business units. AWS Organizations allows you to create an organization that consists of AWS accounts that you create or invite to join. You can group your accounts into organizational units (OUs) and apply service control policies (SCPs) to them. SCPs are a type of policy that specify the maximum permissions for the accounts in your organization, and can help you enforce compliance and security requirements. AWS Organizations also simplifies billing processes by enabling you to consolidate and pay for all member accounts with a single payment method. You can also use AWS Organizations to automate the creation of AWS accounts by using APIs or AWS CloudFormation templates. References: What is AWS Organizations?, Policy-Based Management - AWS Organizations

 Amazon Route 53 and AWS WAF are AWS services that can be configured at the Region level. Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service that lets you register domain names, route traffic to resources, and check the health of your resources. AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. Amazon EC2, Amazon CloudFront, and Amazon DynamoDB are AWS services that can be configured at the global level or the Availability Zone level .

AWS Enterprise Support provides strategic planning assistance, infrastructure event management, and real-time support, which are necessary for business-critical applications. Trusted Advisor and APN do not offer direct strategic support, and while AWS Professional Services can assist with complex solutions, Enterprise Support specifically includes ongoing operational support and event management.

 Realigning teams to focus on products and value streams, and using agile methods to rapidly iterate and evolve are tasks that the company should perform to meet the requirements of becoming more responsive to customer inquiries and feedback, according to the AWS Cloud Adoption Framework (AWS CAF). AWS CAF organizes guidance into six areas of focus, called perspectives: business, people, governance, platform, security, and operations. Each perspective is divided into capabilities, which describe the skills and processes to execute the transition effectively. The people perspective helps you prepare your organization for cloud adoption, and includes capabilities such as organizational change management, staff skills and readiness, and organizational alignment. The business perspective helps you align IT strategy with business strategy, and includes capabilities such as business case development, value proposition, and product ownership. Creating new value propositions with new products and services is a task that belongs to the business perspective, but it is not directly related to the requirement of becoming more responsive to customer inquiries and feedback. Using a new data and analytics platform to create actionable insights is a task that belongs to the platform perspective, which helps you design, implement, and optimize the architecture of the AWS environment. However, it is also not directly related to the requirement of becoming more responsive to customer inquiries and feedback. Migrating and modernizing legacy infrastructure is a task that belongs to the operations perspective, which helps you enable, run, use, operate, and recover IT workloads to the level agreed upon with your business stakeholders. However, it is also not directly related to the requirement of becoming more responsive to customer inquiries and feedback.

 Elasticity in the AWS Cloud refers to the ability to acquire resources as you need them and release resources when you no longer need them. In the cloud, you want to do this automatically1. This means that you can rightsized resources as demand shifts, and you can easily procure resources when they are needed. Elasticity is not related to how quickly an Amazon EC2 instance can be restarted, the maximum amount of RAM an Amazon EC2 instance can use, or the pay-as-you-go billing model. These are aspects of scalability, performance, and cost, respectively2.

For more information on elasticity, you can refer to the following sources:

Elasticity - AWS Well-Architected Framework

Elastic - Reactive Systems on AWS

What is the difference between scalability and elasticity?

Amazon Elastic File System (Amazon EFS) is a scalable, fully managed, shared file storage service that is accessible from multiple Amazon EC2 instances. EFS is designed to provide highly available and durable file storage that can be mounted across multiple instances, making it ideal for shared file access.

Why other options are not suitable:

A. AWS Direct Connect: A network service to establish a dedicated network connection to AWS, not a file-sharing solution.

B. AWS Snowball Edge: A data transfer device for migrating data to and from AWS, not for ongoing file sharing.

C. AWS Backup: A service for centralized backup management, not for sharing files between EC2 instances.

References:

Amazon EFS Documentation

The AWS Well-Architected Framework is a set of six pillars and lenses that help cloud architects design and run workloads in the cloud. The six pillars are: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. Each pillar has a set of design principles and best practices that guide the architectural decisions. High availability is not a separate pillar, but a quality that can be achieved by applying the principles of the reliability pillar. Going global in minutes and continuous development are not pillars of the framework, but possible benefits of using AWS services and following the framework’s recommendations. References: AWS Well-Architected - Build secure, efficient cloud applications, AWS Well-Architected Framework, The 6 Pillars of the AWS Well-Architected Framework

A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic in and out of one or more subnets in a virtual private cloud (VPC). AWS Security Hub is a service that provides a comprehensive view of the security posture of AWS accounts and resources. Security groups are features that act as firewalls for controlling traffic at the instance level. AWS WAF is a web application firewall that helps protect web applications from common web exploits.

By implementing AWS CloudTrail, a company is adhering to the AWS Cloud design principle of activating traceability. AWS CloudTrail provides detailed logs of all API calls made in an AWS account, which helps monitor, troubleshoot, and detect unusual activity, thereby improving security and compliance. This supports the principle of "activating traceability" by enabling continuous monitoring and auditing of all actions and changes within the AWS environment.

B. Use serverless compute architectures: Incorrect, as this principle encourages the use of managed services that handle infrastructure, such as AWS Lambda, and is not directly related to CloudTrail.

C. Perform operations as code: Incorrect, as this principle emphasizes the use of code and automation for infrastructure management.

D. Go global in minutes: Incorrect, as this principle relates to the global deployment of applications and services.

AWS Cloud References:

AWS Well-Architected Framework

AWS CloudTrail

AWS Cost Explorer is the AWS service or tool that helps users visualize, understand, and manage spending and usage over time. AWS Cost Explorer is a web-based interface that allows users to access interactive graphs and tables that display their AWS costs and usage data. Users can create custom reports that analyze cost and usage data by various dimensions, such as service, region, account, tag, and more. Users can also view historical data for up to the last 12 months, forecast future costs for up to the next 12 months, and get recommendations for cost optimization. AWS Cost Explorer also provides preconfigured views that show common cost and usage scenarios, such as monthly spend by service, daily spend by linked account, and Reserved Instance utilization. Users can use AWS Cost Explorer to monitor their AWS spending and usage trends, identify cost drivers and anomalies, and optimize their resource allocation and budget planning. References: Cloud Cost Analysis - AWS Cost Explorer - AWS, Analyzing your costs with AWS Cost Explorer

The approach that will achieve the goal of designing a reliable web application that is hosted on Amazon EC2 is to spread EC2 instances across more than one Availability Zone. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. By spreading EC2 instances across multiple Availability Zones, users can increase the fault tolerance and availability of their web applications, as well as reduce latency for end users2. Launching large EC2 instances in the same Availability Zone, spreading EC2 instances across more than one security group, or using an Amazon Machine Image (AMI) from AWS Marketplace are not sufficient to ensure reliability, as they do not provide redundancy or resilience in case of an outage in one Availability Zone.

The AWS service that the company should use to meet these requirements is A. AWS Snowmobile.

AWS Snowmobile is a service that allows you to migrate large amounts of data to AWS using a 45-foot long ruggedized shipping container that can store up to 100 petabytes of data. AWS Snowmobile is designed for situations where you need to move massive amounts of data to the cloud in a fast, secure, and cost-effective way. AWS Snowmobile has the least possible operational overhead because it eliminates the need to buy, configure, or manage hundreds or thousands of storage devices12.

AWS Snowball Edge is a service that allows you to migrate data to AWS using a physical device that can store up to 80 terabytes of data and has compute and storage capabilities to run applications on the device. AWS Snowball Edge is suitable for situations where you have limited or intermittent network connectivity, or where bandwidth costs are high. However, AWS Snowball Edge has more operational overhead than AWS Snowmobile because you need to request multiple devices and transfer your data onto them using the client3.

AWS Data Exchange is a service that allows you to find, subscribe to, and use third-party data in the cloud. AWS Data Exchange is not a data migration service, but rather a data marketplace that enables data providers and data consumers to exchange data sets securely and efficiently4.

AWS Database Migration Service (AWS DMS) is a service that helps migrate databases to AWS. AWS DMS does not migrate file storage data, but rather supports various database platforms and engines as sources and targets5.

References:

1: AWS Snowmobile – Move Exabytes of Data to the Cloud in Weeks 2: AWS Snowmobile - Amazon Web Services 3: Automated Software Vulnerability Management - Amazon Inspector - AWS 4: AWS Data Exchange - Find, subscribe to, and use third-party data in … 5: AWS Database Migration Service – Amazon Web Services

Amazon Kinesis Data Firehose is a fully managed service that delivers real-time streaming data to destinations such as Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk. You can use Amazon Kinesis Data Firehose to capture, transform, and load streaming data from multiple sources, such as web applications, mobile devices, IoT sensors, and social media.

Agility in AWS Cloud computing means the ability to rapidly provision and deprovision AWS resources as needed, and the ability to experiment quickly with new ideas and solutions. Agility helps businesses to respond to changing customer demands, market opportunities, and competitive threats, and to innovate faster and cheaper. Agility also reduces the risk of failure, as businesses can test and validate their assumptions before committing to large-scale deployments. Some of the benefits of agility in AWS Cloud computing are:

The speed at which AWS resources are implemented: AWS provides a variety of services and tools that allow you to create, configure, and launch AWS resources in minutes, using the AWS Management Console, the AWS Command Line Interface (AWS CLI), the AWS Software Development Kits (AWS SDKs), or the AWS CloudFormation templates. You can also use the AWS Cloud Development Kit (AWS CDK) to define your AWS resources as code using familiar programming languages, and synthesize them into AWS CloudFormation templates. You can also use the AWS Service Catalog to create and manage standardized portfolios of AWS resources that meet your organizational policies and best practices. AWS also offers on-demand, pay-as-you-go pricing models, so you only pay for the resources you use, and you can scale them up or down as your needs change12345

The ability to experiment quickly: AWS enables you to experiment quickly with new ideas and solutions, without having to invest in upfront capital or long-term commitments. You can use AWS to create and test multiple prototypes, hypotheses, and minimum viable products (MVPs) in parallel, and measure their performance and feedback. You can also use AWS to leverage existing services and solutions, such as AWS Marketplace, AWS Solutions, and AWS Quick Starts, that can help you accelerate your innovation process. AWS also supports a culture of experimentation and learning, by providing tools and resources for continuous integration and delivery (CI/CD), testing, monitoring, and analytics.

References: Six advantages of cloud computing - Overview of Amazon Web Services, AWS Cloud Development Kit (AWS CDK), AWS Service Catalog, AWS Pricing, AWS CloudFormation, [Experimentation and Testing - AWS Well-Architected Framework], [AWS Marketplace], [AWS Solutions], [AWS Quick Starts], [AWS Developer Tools]

VPC peering and AWS Transit Gateway are two AWS services or features that give users the ability to create a network connection between two VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them privately. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between peered VPCs never traverses the public internet. VPC peering does not support transitive peering relationships, which means that if VPC A is peered with VPC B, and VPC B is peered with VPC C, then VPC A and VPC C are not automatically peered789. AWS Transit Gateway is a networking service that acts as a regional router for your VPCs and on-premises networks. You can attach up to 5,000 VPCs and VPN connections to a single transit gateway and route traffic between them. AWS Transit Gateway simplifies the management and scalability of your network architecture, as you only need to create and manage a single connection from the central transit gateway to each connected network. AWS Transit Gateway supports transitive routing, which means that any network that is attached to the transit gateway can communicate with any other network that is attached to the same transit gateway . References: 7: VPC peering - Amazon Virtual Private Cloud, 8: Connect VPCs using VPC peering - Amazon Virtual Private Cloud, 9: Amazon VPC-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud, : [AWS Transit Gateway - Amazon Web Services], : [Connect VPCs using AWS Transit Gateway - Amazon Virtual Private Cloud], : [AWS Transit Gateway: Simplify Your Network Architecture]

The AWS services that are supported by Savings Plans are:

Amazon EC2: Amazon EC2 is a service that provides scalable computing capacity in the AWS cloud. You can use Amazon EC2 to launch virtual servers, configure security and networking, and manage storage. Amazon EC2 is eligible for both Compute Savings Plans and EC2 Instance Savings Plans12.

Amazon SageMaker: Amazon SageMaker is a service that helps you build and deploy machine learning models. You can use Amazon SageMaker to access Jupyter notebooks, use common machine learning algorithms, train and tune models, and deploy them to a hosted environment. Amazon SageMaker is eligible for SageMaker Savings Plans13.

The other options are not supported by Savings Plans. Amazon RDS, Amazon Redshift, and Amazon DynamoDB are database services that are eligible for Reserved Instances, but not Savings Plans4.

EC2 Instance Savings Plans are a flexible pricing model that offer discounted hourly rates on Amazon EC2 instance usage for a 1 or 3 year term. EC2 Instance Savings Plans provide savings up to 72% off On-Demand rates, in exchange for a commitment to a specific instance family in a chosen AWS Region (for example, M5 in Virginia). These plans automatically apply to usage regardless of size (for example, m5.xlarge, m5.2xlarge, etc.), OS (for example, Windows, Linux, etc.), and tenancy (Host, Dedicated, Default) within the specified family in a Region. With an EC2 Instance Savings Plan, you can change your instance size within the instance family (for example, from c5.xlarge to c5.2xlarge) or the operating system (for example, from Windows to Linux), or move from Dedicated tenancy to Default and continue to receive the discounted rate provided by your EC2 Instance Savings Plan4567. References: 4: Compute Savings Plans – Amazon Web Services, 5: What are Savings Plans? - Savings Plans, 6: How To Cut Your AWS Bill With Savings Plans (and avoid some common …, 7: AWS Savings Plans vs Reserved Instances - GorillaStack

AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience1. AWS Outposts enables customers to run workloads on premises using the same AWS APIs, tools, and services that they use in the cloud2. Dedicated Hosts are physical servers with EC2 instance capacity fully dedicated to a customer’s use3. Availability Zones are one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities within an AWS Region4. AWS Wavelength is an AWS Infrastructure offering optimized for mobile edge computing applications.

AWS CloudFormation allows developers to create, manage, and deploy AWS resources using templates, ensuring a standardized and repeatable infrastructure setup. It’s ideal for setting up development, test, and production environments consistently. AWS Cloud Map, CloudFront, and CloudTrail do not provide templated infrastructure management capabilities.

This is the pillar of the AWS Well-Architected Framework that represents the philosophy of testing failure scenarios regularly and validating the understanding of the impact of potential failures. The operational excellence pillar covers the best practices for designing, running, monitoring, and improving systems in the AWS Cloud. Testing failure scenarios is one of the ways to improve the system’s resilience, reliability, and recovery. You can learn more about the operational excellence pillar from this whitepaper or this digital course.

 Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. Amazon RDS supports six popular database engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. Amazon RDS can support running a copy of a MySQL database in the AWS Cloud, as it offers compatibility, scalability, and availability features.

Amazon Simple Queue Service (Amazon SQS) is a service that provides fully managed message queues for asynchronous communication between microservices. It helps developers use loose coupling and reliable messaging by allowing them to send, store, and receive messages between distributed components without losing them or requiring each component to be always available1. Elastic Load Balancing is a service that distributes incoming traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. Amazon Simple Notification Service (Amazon SNS) is a service that provides fully managed pub/sub messaging for event-driven and push-based communication between microservices. Amazon CloudFront is a service that provides a fast and secure content delivery network (CDN) for web applications.

Amazon Elastic File System (Amazon EFS) is a fully managed, scalable, and serverless NFS (Network File System) file system specifically designed for use with AWS services and on-premises resources. It enables companies to create and configure file systems that can be accessed from multiple Amazon EC2 instances simultaneously, making it ideal for use cases that require shared file storage for AWS compute services.

Why Amazon EFS Fits the Requirements:

Managed Service: Amazon EFS is a fully managed file storage service that simplifies the process of setting up and managing NFS file systems.

Scalability and Elasticity: EFS automatically scales to accommodate the storage needs of applications, without the need to provision or manage storage capacity.

NFS Compatibility: Amazon EFS natively supports the NFSv4 protocol, making it compatible with a wide range of applications and workloads that require NFS access.

Integration with AWS Compute Services: EFS integrates seamlessly with Amazon EC2 and other AWS services, providing a shared file storage solution across multiple instances and services within the AWS cloud environment.

Why Other Options Do Not Fit:

A. Amazon Elastic Block Store (Amazon EBS): While EBS provides block-level storage that can be attached to individual EC2 instances, it is not a file system, nor does it provide managed NFS file storage capabilities. EBS is designed for single-instance access rather than shared file access across multiple instances.

B. AWS Storage Gateway Tape Gateway: Tape Gateway is designed for archival purposes and allows companies to store virtual tape backups in Amazon S3 or Glacier. It does not support NFS file storage and is not intended for regular compute access.

C. Amazon S3 Glacier Flexible Retrieval: Amazon S3 Glacier is optimized for data archiving and long-term storage of infrequently accessed data, but it does not provide NFS file system capabilities, nor is it suitable for high-performance access needs associated with compute services.

For more details, you can refer to the AWS Cloud Practitioner Essentials content, specifically the modules on Storage Services where Amazon EFS is covered as the managed NFS file storage solution offered by AWS.

The pillar of the AWS Well-Architected Framework that is supported by the goals of protecting AWS Cloud information, systems, and assets while performing risk assessment and mitigation tasks is security. Security is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. The security pillar covers topics such as identity and access management, data protection, infrastructure protection, detective controls, incident response, and compliance

The solution that achieves the goal of having Amazon EC2 instances share the same geographic area but use multiple independent underlying power sources is to use EC2 instances in multiple Availability Zones in the same AWS Region. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. An AWS Region is a geographical area that consists of two or more Availability Zones. By using multiple Availability Zones, users can increase the fault tolerance and resilience of their applications, as well as reduce latency for end users3. Using EC2 instances in a single Availability Zone, multiple AWS Regions, or the same edge location and the same AWS Region would not meet the requirement of having multiple independent power sources.

 Using AWS Artifact to access AWS documents about the compliance of the services, and getting the compliance of the application certified by a company assessor are actions that the company should take to meet the requirements of complying with credit card regulatory requirements. AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. AWS Artifact can help you demonstrate compliance with credit card regulatory requirements by providing you with proof that the AWS services and deployment are in compliance. Getting the compliance of the application certified by a company assessor is an action that the company should take to ensure that the application meets the specific requirements of the credit card industry. A company assessor is an independent third-party entity that is qualified to assess the compliance of the application with the relevant standards and regulations. Using Amazon Inspector to submit the application for certification is not an action that the company should take, because Amazon Inspector is a service that helps you improve the security and compliance of your applications deployed on AWS by automatically assessing them for vulnerabilities and deviations from best practices, but it does not provide certification for the applications. Ensuring that the application’s underlying hardware components comply with requirements is not an action that the company should take, because the application is deployed on AWS, and AWS is responsible for the security and compliance of the underlying hardware components. This is part of the shared responsibility model, where AWS is responsible for security of the cloud, and customers are responsible for security in the cloud. Using AWS Security Hub to certify the compliance of the application is not an action that the company should take, because AWS Security Hub is a service that gives you a comprehensive view of your security posture across your AWS accounts and helps you check your environment against security industry standards and best practices, but it does not provide certification for the applications.

 Amazon Neptune is a fully managed graph database service on AWS. A graph database is a type of database that stores and queries data as a network of nodes and edges, representing entities and relationships. Graph databases are useful for applications that deal with highly connected data, such as social networks, recommendation engines, fraud detection, and knowledge graphs45. Amazon Neptune is a fast, reliable, and scalable graph database service that supports two popular graph models: property graphs and RDF. Amazon Neptune also supports two open standards for querying graphs: Apache TinkerPop Gremlin and SPARQL. Amazon Neptune handles the heavy lifting of managing the database, such as provisioning, patching, backup, recovery, encryption, and replication456. References: 4: Managed Graph Database - Amazon Neptune - AWS, 5: Amazon Neptune – A Fully Managed Graph Database Service, 6: Working with AWS Neptune. Neptune is a fully-managed graph … - Medium

 AWS Cost Explorer is an AWS service or tool that the company can use to periodically review its AWS account for cost optimization opportunities. AWS Cost Explorer is a tool that enables the company to visualize, understand, and manage their AWS costs and usage over time. The company can use AWS Cost Explorer to access interactive graphs and tables that show the breakdown of their costs and usage by service, region, account, tag, and more. The company can also use AWS Cost Explorer to forecast their future costs, identify trends and anomalies, and discover potential savings by using Reserved Instances or Savings Plans.

According to the AWS shared responsibility model, AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, such as data centers, hardware, software, networking, and facilities1. This includes the configuration of infrastructure devices, such as routers, switches, firewalls, and load balancers2. Customers are responsible for managing their data, applications, operating systems, security groups, and other aspects of their AWS environment1. Therefore, options A, B, and D are customer responsibilities, not AWS responsibilities. References: 1: AWS Well-Architected Framework - Elasticity; 2: Reactive Systems on AWS - Elastic

Amazon EC2 is an AWS service that provides scalable, secure, and resizable compute capacity in the cloud. Amazon EC2 allows customers to launch and manage virtual servers, called instances, that run a variety of operating systems and applications. Customers have full control over the configuration and management of their instances, including the guest operating system. Therefore, customers are responsible for updating and patching the guest operating system on their EC2 instances, as well as any other software or utilities installed on the instances. AWS provides tools and services, such as AWS Systems Manager and AWS OpsWorks, to help customers automate and simplify the patching process. References: Shared Responsibility Model, Shared responsibility model, [Amazon EC2]

Migration Evaluator is a cloud-based service that provides organizations with a comprehensive assessment of their current IT environment and estimates the cost savings and performance improvements that can be achieved by migrating to AWS. Migration Evaluator helps users build a data-driven business case for AWS by discovering over-provisioned on-premises instances, providing recommendations for cost-effective AWS alternatives, and analyzing existing licenses and cost comparisons of Bring Your Own License (BYOL) and License Included (LI) options

IAM credential report is a feature that allows you to generate and download a report that lists all IAM users in your AWS account and the status of their various credentials, including access keys and MFA devices. You can use this report to audit the security status of your IAM users and ensure that they follow the best practices for using AWS1.

AWS Key Management Service (AWS KMS) is a service that allows you to create and manage encryption keys to protect your data. It does not provide information about IAM users or their credentials2.

IAM Access Analyzer is a feature that helps you identify the resources in your AWS account, such as S3 buckets or IAM roles, that are shared with an external entity. It does not provide information about IAM users or their credentials3.

Amazon CloudWatch is a service that monitors and collects metrics, logs, and events from your AWS resources and applications. It does not provide information about IAM users or their credentials4.

References:

Getting credential reports for your AWS account - AWS Identity and Access Management

AWS Key Management Service - Amazon Web Services

IAM Access Analyzer - AWS Identity and Access Management

Amazon CloudWatch - Amazon Web Services

The AWS account root user is the identity that has complete access to all AWS services and resources in the account. It is accessed by signing in with the email address and password that were used to create the account1. The root user should be protected and used only for a few account and service management tasks that require it1. Therefore, the following actions are best practices for an AWS account root user:

Enable multi-factor authentication (MFA) on the root user. MFA is a security feature that requires users to provide two or more pieces of information to authenticate themselves, such as a password and a code from a device. MFA adds an extra layer of protection for the root user credentials, which can access sensitive information and perform critical operations in the account2.

Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user. IAM is a service that helps customers manage access to AWS resources for users and groups. Customers can create IAM users and assign them permissions to perform specific tasks on specific resources. Customers can also create IAM roles and policies to delegate access to other AWS services or external entities3. By creating an IAM user with administrator privileges, customers can avoid using the root user for everyday tasks and reduce the risk of accidental or malicious changes to the account1.

AWS Outposts is a service that delivers AWS infrastructure and services to virtually any on-premises or edge location for a truly consistent hybrid experience. AWS Outposts allows you to extend and run native AWS services on premises, and is available in a variety of form factors, from 1U and 2U Outposts servers to 42U Outposts racks, and multiple rack deployments. With AWS Outposts, you can run some AWS services locally and connect to a broad range of services available in the local AWS Region. Run applications and workloads on premises using familiar AWS services, tools, and APIs2. AWS Outposts is the only AWS service that supports a hybrid architecture that gives users the ability to extend AWS infrastructure, AWS services, APIs, and tools to data centers, co-location environments, or on-premises facilities. References: On-Premises Infrastructure - AWS Outposts Family

Amazon AppStream 2.0 and Amazon WorkSpaces are AWS services that can be used to provide managed Windows virtual desktops and applications to remote employees over secure network connections. Amazon AppStream 2.0 is a fully managed application streaming service that allows users to access Windows desktop applications from any device, without installing or managing any software. Amazon AppStream 2.0 delivers applications over an encrypted connection and isolates them from the underlying infrastructure, ensuring security and compliance1. Amazon WorkSpaces is a fully managed desktop virtualization service that allows users to access Windows or Linux desktops from any device, with a consistent user experience. Amazon WorkSpaces provides persistent, cloud-based virtual desktops that can be customized and scaled according to the user’s needs. Amazon WorkSpaces also offers encryption, backup, and monitoring features to ensure security and reliability2. References:

Amazon AppStream 2.0

Amazon WorkSpaces

AWS CodePipeline is a continuous delivery and deployment service that automates the release process of software applications across different stages, such as source code, build, test, and deploy2. AWSAppSync, AWS Cloud9, and AWS CodeCommit are other AWS services related to application development, but they do not provide continuous delivery and deployment solutions34 .

AWS Site-to-Site VPN and AWS Direct Connect are AWS services that are connectivity services for a VPC. AWS Site-to-Site VPN is a service that enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). You can establish VPN connections over the internet or over AWS Direct Connect1. AWS Direct Connect is a service that lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using AWS Direct Connect, you can create a private connection between AWS and your datacenter, office, or colocation environment, which can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections2. Amazon Connect is a service that lets you set up and manage a contact center in the cloud, but it does not provide network connectivity between the VPC and your on-premises network. AWS Key Management Service (AWS KMS) is a service that makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications, but it does not provide network connectivity between the VPC and your on-premises network. AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely, but it does not provide network connectivity between the VPC and your on-premises network.

AWS Elastic Beanstalk is a service that enables you to quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. You simply upload your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring. Elastic Beanstalk supports several platform configurations for Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker web applications that can run on familiar servers such as Apache, Nginx, Passenger, and IIS. You can also use Elastic Beanstalk to launch a virtual machine (VM) and MySQL database on AWS with the least operational effort. Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables you to easily run, scale, and secure Docker containerized applications on AWS. However, it requires more operational effort than Elastic Beanstalk, as you need to define your application architecture and the specifications of the containers that run it. Amazon Lightsail is an easy-to-use cloud platform that offers everything you need to build an application or website, plus a cost-effective, monthly plan. It is designed for developers who have little or no prior cloud experience and want to launch and manage applications on AWS with minimal complexity. However, it does not support MySQL databases, and it requires more operational effort than Elastic Beanstalk, as you need to configure your VM and database settings. Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. It allows you to launch a virtual machine (VM) and MySQL database on AWS, but it requires the most operational effort, as you need to provision, monitor, and manage your EC2 instances and database.

 Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for your AWS accounts, workloads, and data. Amazon GuardDuty analyzes and processes data sources, such as VPC Flow Logs, AWS CloudTrail event logs, and DNS logs, to identify malicious activities and unauthorized actions, such as reconnaissance, instance compromise, account compromise, and data exfiltration. Amazon GuardDuty can also detect threats to your data stored in Amazon S3, such as API calls from unusual locations or disabling of preventative controls. Amazon GuardDuty generates findings that summarize the details of the detected threats and provides recommendations for remediation. AWS Shield, AWS Firewall Manager, and Amazon Inspector are not the best services to meet this requirement. AWS Shield is a service that provides protection against distributed denial of service (DDoS) attacks. AWS Firewall Manager is a service that allows you to centrally configure and manage firewall rules across your accounts and resources. Amazon Inspector is a service that assesses the security and compliance of your applications running on EC2 instances.

When you run a NoSQL database on Amazon EC2 instances, you are responsible for managing the database layer and the guest operating system of the instances. This means that you need to perform tasks such as updating the operating system, maintaining high availability, and configuring the security group firewall. AWS is responsible for managing the physical infrastructure that hosts the EC2 instances. This means that AWS ensures that the hardware and firmware of the servers, routers, switches, and other devices are updated and secure. AWS also handles the power, cooling, networking, and security of the data centers12. References: CLF-C02: Which task is responsibility of AWS to run NoSQL database on …, Best Practices for Hosting NoSQL Databases on Amazon EC2

AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements. Users can download reports such as AWS ISO certifications, PCI reports, SOC reports, and GDPR DPA, and review and accept agreements such as BAA and NDA. AWS Artifact helps users to understand and meet compliance requirements for various standards and regulations that apply to AWS services and infrastructure. AWS Artifact is the best resource for a user to find compliance-related information and reports about AWS, whereas the other options are not

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’s security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) attestation of compliance, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA). AWS Artifact helps you answer the most frequently asked security and compliance questions that AWS receives from its users. References: Compliance FAQ, Compliance Solutions Guide

AWS Software Development Kit (SDK) is a set of platform-specific tools for developers that let them integrate AWS service features directly into their applications. AWS SDKs provide libraries, code samples, documentation, and other resources to help developers write code that interacts with AWS APIs. AWS SDKs support various programming languages, such as Java, Python, Ruby, .NET, Node.js, Go, and more. AWS SDKs make it easier for developers to access AWS services, such as Amazon S3, Amazon EC2, Amazon DynamoDB, AWS Lambda, and more, from their applications. AWS SDKs also handle tasks such as authentication, error handling, retries, and data serialization, so developers can focus on their application logic.

Consolidated billing is a feature of AWS Organizations that enables customers to consolidate billing and payment for multiple AWS accounts. With consolidated billing, customers can group multiple AWS accounts under one payer account, making it easier to manage billing and track costs across multiple accounts. Consolidated billing also offers benefits such as volume discounts, Reserved Instance discounts, and Savings Plans discounts. Consolidated billing is offered at no additional cost.

Multiple AWS accounts is a feature of AWS Organizations that enables customers to create and manage multiple AWS accounts from a central location. With multiple AWS accounts, customers can isolate workloads for different departments, projects, or environments, and apply granular access controls and policies to each account. Multiple AWS accounts also helps customers improve security, compliance, and governance of their AWS resources56. References: 5: Consolidated billing for AWS Organizations - AWS Billing, 6: Understanding Consolidated Bills - AWS Billing, 7: AWS Consolidated Billing: Tutorial & Best Practices, 8: Simplifying Your Bills With Consolidated Billing on AWS - Aimably, 9: AWS Consolidated Billing - W3Schools

 The correct answer is D because AWS Security Hub is a service that aggregates, organizes, and prioritizes security alerts and findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer. The other options are incorrect because they are not services that aggregate security alerts and findings from multiple AWS services. Amazon Detective is a service that helps users analyze and visualize security data to investigate and remediate potential issues. Amazon Inspector is a service that helps users find security vulnerabilities and deviations from best practices in their Amazon EC2 instances. Amazon Macie is a service that helps users discover, classify, and protect sensitive data stored in Amazon S3. Reference: AWS Security Hub FAQs

 The AWS service that the company should use for the data warehouse is Amazon Redshift. Amazon Redshift is a fully managed, petabyte-scale data warehouse service that is optimized for analytical queries. It can integrate with various data sources and business intelligence tools to provide fast and cost-effective insights. Amazon Redshift also offers high availability, scalability, security, and compliance features. [Amazon Redshift Overview]

The statement that is true regarding pricing for these eight instances is: four instances will be charged as RIs, and four will be charged as regular instances. Amazon EC2 Reserved Instances (RIs) are a pricing model that allows users to reserve EC2 instances for a specific term and benefit from discounted hourly rates and capacity reservation. RIs are purchased for a specific AWS Region, and can be shared across multiple accounts in an organization in AWS Organizations for consolidated billing. However, RIs are applied on a first-come, first-served basis, and there is no guarantee that all instances in the organization will be charged at the RI rate. In this case, Account A has purchased five RIs and has four instances running, so all four instances will be charged at the RI rate. Account B has not purchased any RIs and also has four instances running, so all four instances will be charged at the regular rate. The remaining RI in Account A will not be applied to any instance in Account B, and will be wasted.

 Availability Zones contain multiple data centers. This is a characteristic of the AWS global infrastructure, which consists of AWS Regions, Availability Zones, and edge locations. AWS Regions are geographically isolated areas that contain multiple Availability Zones. Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures and connected by low-latency, high-throughput, and highly redundant networking. Each Availability Zone contains one or more data centers that house the servers and storage devices that run AWS services. Edge locations are sites that are located closer to the end users and provide caching and content delivery services. AWS Global InfrastructureAWS Certified Cloud Practitioner - aws.amazon.com

Amazon EC2 Auto Scaling is the AWS service or tool that can help the company launch the number of EC2 instances that will be needed to handle the workload. Amazon EC2 Auto Scaling automatically adjusts the capacity of the EC2 instances based on the demand and the predefined scaling policies. Amazon EC2 Auto Scaling also helps to improve availability and reduce costs by scaling in and out as needed. For more information, see What is Amazon EC2 Auto Scaling? and [Getting Started with Amazon EC2 Auto Scaling].

The correct answers are A and D because network infrastructure and virtualization of infrastructure and physical security of hardware are AWS responsibilities according to the AWS shared responsibility model. The AWS shared responsibility model is a framework that defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the global infrastructure, such as the regions, availability zones, and edge locations; the hardware, software, networking, and facilities that run the AWS services; and the virtualization layer that separates the customer instances and storage. The customer is responsible for the security in the cloud, which includes the customer data, the guest operating systems, the applications, the identity and access management, the firewall configuration, and the encryption. The other options are incorrect because they are not AWS responsibilities according to the AWS shared responsibility model. Security of application data, guest operating systems, and credentials and policies are customer responsibilities according to the AWS shared responsibility model. Reference: [AWS Shared Responsibility Model]

 The correct answers are A and C because Amazon EC2 Auto Scaling and resources that are distributed across multiple Availability Zones are AWS services and features that will improve availability and reduce the impact of failures for the web application. Amazon EC2 Auto Scaling is a service that enables users to automatically adjust the number of Amazon EC2 instances in response to changes in demand or performance. Amazon EC2 Auto Scaling helps users to maintain optimal availability and performance of their applications by adding or removing instances as needed. Resources that are distributed across multiple Availability Zones are AWS features that enable users to increase the fault tolerance and resilience of their applications. Availability Zones are isolated locations within an AWS Region that have independent power, cooling, and networking. Users can launch their resources, such as Amazon EC2 instances, in multiple Availability Zones to protect their applications from the failure of a single location. The other options are incorrect because they are not AWS services and features that will improve availability and reduce the impact of failures for the web application. VPC subnet ACLs are AWS features that enable users to control the inbound and outbound traffic to and from their subnets within a VPC. VPC subnet ACLs do not check the health of a service, but rather filter the network traffic based on rules. Configuration of AWS Server Migration Service (AWS SMS) is an AWS service that enables users to migrate their on-premises servers to AWS. Configuration of AWS SMS does not help to move the Amazon EC2 instances to a different AWS Region, but rather to migrate the servers from the source environment to AWS. Resources that are distributed across multiple AWS points of presence are AWS features that enable users to deliver content to their end users with low latency and high performance. AWS points of presence are edge locations that are part of the AWS Global Infrastructure. Users can use services such as Amazon CloudFront and AWS Global Accelerator to distribute their content across multiple AWS points of presence. Reference: Amazon EC2 Auto Scaling, [Regions, Availability Zones, and Local Zones]

AWS Security Token Service (AWS STS) is a service that enables applications to request temporary, limited-privilege credentials for authentication with other AWS APIs. AWS STS can be used to grant access to AWS resources to users who are federated (using IAM roles), switched (using IAM users), or cross-account (using IAM roles). AWS STS can also be used to assume a role within the same account or a different account. The credentials issued by AWS STS are short-term and have a limited scope, which can enhance the security and compliance of the application. AWS STS OverviewAWS Certified Cloud Practitioner - aws.amazon.com

The design principles that support the reliability pillar of the AWS Well-Architected Framework are: automatically scale to meet demand, and automatically recover from failure. These principles help users design systems that can handle changes in load, avoid disruptions, and resume normal operations quickly. Automatically scaling to meet demand means adjusting the capacity of the system based on the current and anticipated workload, using services such as AWS Auto Scaling, Amazon EC2, and AWS Lambda. Automatically recovering from failure means detecting and resolving issues, using services such as Amazon CloudWatch, AWS CloudFormation, and AWS CloudTrail

The AWS services and features that are provided to all customers at no charge are VPC and AWS Identity and Access Management (IAM). VPC is a service that allows you to launch AWS resources in a logically isolated virtual network that you define. You can create and use a VPC at no additional charge, and you only pay for the resources that you launch in the VPC, such as EC2 instances or EBS volumes. IAM is a service that allows you to manage access and permissions to AWS resources. You can create and use IAM users, groups, roles, and policies at no additional charge, and you only pay for the AWS resources that the IAM entities access. Amazon Aurora, Amazon SageMaker, and Amazon Polly are not free services, and they charge based on the usage and features that you choose5

Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures. Each Availability Zone has independent power, cooling, and physical security, and is connected to other Availability Zones in the same Region by a low-latency network. Therefore, the correct answers are A and D. You can learn more about Availability Zones and their characteristics

The costs that the company will eliminate with this migration are the cost of application licensing and the cost of physical server hardware. The cost of application licensing is the fee that the company has to pay to use the software applications on its on-premises servers. The cost of physical server hardware is the expense that the company has to incur to purchase, maintain, and upgrade the servers and related equipment. By migrating to the AWS Cloud, the company can avoid these costs by using the AWS services and resources that are already licensed and managed by AWS. For more information, see [Cloud Economics] and [AWS Total Cost of Ownership (TCO) Calculator].

 The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating systems in the cloud. The framework consists of five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. The concept of elasticity represents a system’s ability to adapt to changes in demand by scaling resources up or down automatically. Therefore, the correct answer is B. You can learn more about the AWS Well-Architected Framework and its pillars

The correct answer is A because Amazon CloudFront is an AWS service that provides secure delivery of data, videos, applications, and APIs to users globally with low latency and high transfer speeds. Amazon CloudFront is a fast content delivery network (CDN) that integrates with other AWS services, such as Amazon S3, Amazon EC2, AWS Lambda, and AWS Shield. Amazon CloudFront delivers content through a worldwide network of edge locations that are located close to the end users. The other options are incorrect because they are not AWS services that provide secure delivery of data, videos, applications, and APIs to users globally with low latency and high transfer speeds. Elastic Load Balancing is an AWS service that distributes incoming traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. Amazon S3 is an AWS service that provides object storage for data of any size and type. Amazon Elastic Transcoder is an AWS service that converts media files from their original source format into different formats that will play on various devices. Reference: Amazon CloudFront FAQs

 Designing loosely coupled components is a design principle that should be considered when architecting in the AWS Cloud. Loose coupling is a way of designing systems to reduce interdependencies and minimize the impact of changes. Loose coupling allows components to interact with each other through well-defined interfaces, rather than direct references. This reduces the risk of failures and errors propagating across the system, and enables greater scalability, availability, and maintainability5.

 Amazon Relational Database Service (Amazon RDS) is a service that provides fully managed relational database engines. Amazon RDS supports several database engines, including Oracle, MySQL, PostgreSQL, MariaDB, SQL Server, and Amazon Aurora. Amazon RDS can be used to migrate an application that includes an Oracle database to AWS without rewriting the application, as long as the application is compatible with the Oracle version and edition supported by Amazon RDS. Amazon RDS can also provide benefits such as high availability, scalability, security, backup and restore, and performance optimization. [Amazon RDS Overview] AWS Certified Cloud Practitioner - aws.amazon.com