You can create a public virtual interface to connect to public resources or a private virtual interface to connect to your VPC. You can configure multiple virtual interfaces on a single AWS Direct Connect connection, and you'll need one private virtual interface for each VPC to connect to. Each virtual interface needs a VLAN ID, interface IP address, ASN, and BGP key. See the image below: Option A is CORRECT because, as mentioned above, it creates a public virtual interface to connect to S3 endpoint. Option B is incorrect because to connect to S3 endpoint, a public virtual interface needs to be created, not VPN. Option C is incorrect because to connect to S3 endpoint, a public virtual interface needs to be created, not private. Option D is incorrect because this setup will not help connecting to the S3 endpoint. For more information on virtual interfaces, please visit the below URL http://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html The correct answer is: Configure a public virtual interface to connect to a public S3 endpoint resource.

Option A is incorrect because IAM Roles are preferred over IAM Users, because IAM Users have to access the AWS resources using access and secret keys, which is a security concern. Option B is this is not a feasible configuration. Option C is CORRECT because it (a) creates an IAM Role with the needed permissions to connect to DynamoDB, (b) it authenticates the users with Web Identity Federation, and (c) the application accesses the DynamoDB with temporary credentials that are given by STS. Option D is incorrect because the step to create the Active Directory (AD) server and using AD for authenticating is unnecessary and costly. See the image below for more information on AssumeRoleWithWebIdentity API For more information on AssumeRolewithWebIdentity, please visit the below URL http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html The correct answer is: Create an IAM role with the proper permission policy to communicate with the DynamoDB table. Use web identity federation, which assumes the IAM role using AssumeRoleWithWebIdentity, when the user signs in, granting temporary security credentials using STS.

Option A is incorrect because, there are some legacy application that will not work on AWS platform. So creating VPC for such applications will not be possible. Option B is incorrect because the scenario explicitly mentions that there are some components of the application (legacy part) that will not work with AWS. So, it is highly presumptuous that the legacy application can be run by an AWS Machine Image (legacy application may consist of more than just AMIs). Option C is CORRECT because it uses hybrid approach - where the legacy application stays on-premises. It should definitely work as the remaining infrastructure would be on AWS. The communication between the two infrastructures would be taken care by establishing the VPN connection. This is certainly the most viable, time and cost saving solution among the given options. Option D is incorrect because it is the least feasible solution. First of all, de-comissioning the legacy application may not be possible for the client; especially when the scenario says that the legacy application is almost surely not going to work on AWS. Still, even if they agree, it would be a big impact on the client in terms of time, cost and efforts to re-architect the solution to replace the legacy application. More information on the hybrid setup: The best option is to have a dual mode wherein you have the legacy apps running on-premise and start migrating the apps which have compatibility in the cloud. Have a VPN connection from the on-premise to the cloud for ensuring communication can happen from each environment to the other. For the full fundamentals on AWS networking options, please visit the URL: https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/ The correct answer is: Create a hybrid cloud by configuring a VPN tunnel to the on-premises location of the Data Center.

Tip for the exam: You can encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance (only certain EC2 instance types support encryption, more information is given below). Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, Read Replicas, and snapshots. Option A is incorrect because the RDS instance encryption supports only those Master Keys that are created and managed by KMS. Option B is CORRECT because once the encryption is enabled, its automated backups, read replicas, and snapshots are automatically encrypted without need of any addition settings. Option C is incorrect because no additional configurations need to be made from client side, once the encryption is enabled. Option D is incorrect because, as mentioned above, the snapshots get automatically encrypted once the encryption is turned-on on the RDS instance. For more information on RDS encryption, please visit the below url http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html See the list of instance types that support the encryption: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Availability The correct answer is: Encryption can be enabled on RDS instances to encrypt the underlying storage, and this will by default also encrypt snapshots as they are created. No additional configuration needs to be made on the client side for this to work.

To stop the users from manipulating any AWS resources, you can either create the applicable (allow/deny) resource level permissions and apply them to those users, or create an individual or group policy which explicitly denies the action on that resource and apply it to the individual user or the group. Option A is CORRECT because it (a) identifies the instances with proper tag, and (b) creates a resource level permission and explicitly denies the user the terminate option. Option B is CORRECT because it (a) identifies the instances with proper tag, and (b) creates a policy with explicit deny of terminating the instances and applies that policy to the group which contains the employees (who are not supposed to have the access to terminate the instances). Option C and D are incorrect because MFA is an additional layer of security given to the users for logging into AWS and accessing the resources. However, either enabling or disabling MFA cannot prevent the users from performing resource level actions. More information on Tags Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define. For more information on tagging AWS resources please refer to the below URL http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html The correct answers are: Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag., Tag the instance with a production-identifying tag and modify the employees group to allow only start, stop, and reboot API calls and not the terminate instance call.

The AWS CloudTrail service provides with an option to deliver the log files for all the regions in a single S3 bucket. This feature is very useful when you need to access the logs related to all the resources in multiple regions for all the AWS accounts via single S3 bucket. Please see the images below: Option A is incorrect because delivering the logs in multiple buckets is an unnecessary overhead. Instead, you can have CloudTrail deliver the logs to a single S3 bucket. Option B is incorrect because consolidated billing will not help the auditor to get the records of all the API events in AWS.  Option C is incorrect because there is no consolidated logging feature in AWS CloudTrail. Option D is CORRECT because it it delivers the logs pertaining to different AWS accounts to a single S3 bucket in the primary account and grants the auditor the access to it. For more information on Cloudtrail please refer to the below URL https://aws.amazon.com/cloudtrail/ The correct answer is: Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.

Key pairs across regions is not possible. In order to use key pairs across regions you need to import the key pairs in the respective regions. You need to go the respective region and from the EC2 dashboard , click on Import Key pair and choose the relevant key pair. Option A is incorrect because key pair is region specific – not global. Option B is incorrect because keys cannot be copied across different regions, they need to be imported. Option C is CORRECT because import key pair functionality enables migrating an EC2 instance from one region to another and use the same PEM key.  Option D is incorrect because PEM keys cannot be copied to another region as part of the AMI. For more information on bringing your own key pair, please refer to the below URL https://aws.amazon.com/blogs/aws/new-amazon-ec2-feature-bring-your-own-keypair/ The correct answer is: Using import key-pair feature using AWS web console

Option A is incorrect because just creating a role in not sufficient. CloudTrail logging needs to be enabled as well. Option B is incorrect because sending the logs via email is not a good architecture. Option C is incorrect because granting the auditor access to AWS resources is not AWS's responsibility. It is the AWS user or account owner's responsibility. Option D is CORRECT because you need to enable the CloudTrail logging in order to generate the logs with information about all the activities related to the AWS account and resources. It also creates an IAM user that has permissions to read the logs that are stored in the S3 bucket. More information on AWS CloudTrail AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting. For more information on CloudTrail, please visit the below URL: https://aws.amazon.com/cloudtrail/ The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.

Tip: In exam, if the question presents a scenario, where the media is to be streamed globally in MP4 format, on multiple platform devices, always think about using Elastic Transcoder. Option A is incorrect because (a) provisioning of streaming EC2 instances is a costly solution, (b) the videos are to be delivered on-demand, not live streaming. Option B is incorrect because the videos are to be delivered on-demand, not live streaming. So, streaming server is not required. Option C is CORRECT because it (a) it uses Elastic Transcoder for transcoding the videos to different formats, (b) it uses CloudFront distribution with download option for streaming the on demand videos using HLS on any mobile, and (c)  it uses S3 as origin, so keeps the cost low. Option D is incorrect because it uses CloudFront distribution with streaming option which does not work on all platforms; where as, it should use download option. More information on Elastic Transcoder: Amazon Elastic Transcoder manages all aspects of the media transcoding process for you transparently and automatically. There’s no need to use administer software, scale hardware, tune performance, or otherwise manage transcoding infrastructure. You can simply create a transcoding “job” specifying the location of your source media file and how you want it transcoded. Amazon Elastic Transcoder also provides transcoding presets for popular output formats, which means that you don’t need to guess about which settings work best on particular devices.  For more information on Elastic transcoder, please see the below link https://aws.amazon.com/elastictranscoder/ The correct answer is: Upload the MP4 files to S3 and create an Elastic Transcoder job that transcodes the MP4 source into HLS chunks. Store the HLS output in S3 and create a media streaming CloudFront distribution with download option to serve the HLS files to end users.

Whenever the question gives you scenario where, in Redshift, there are two processes - one fast and one slow, and you are asked to ensure that there is no impact on the queries of a process, always think about creating two separate workload management groups. Option A is incorrect because Redshift does not have read replicas. Option B is incorrect because this will affect the performance of the current Redshift cluster. Option C is incorrect because queries cannot be paused in Redshift. Option D is CORRECT because the best solution - without any effect on performance - is to create two separate workload management groups - one for each department and run the queries on them. See the image below: More information on Amazon Redshift Workload Management Amazon Redshift Workload Management (WLM) enables users to flexibly manage priorities within workloads so that short, fast-running queries won't get stuck in queues behind long-running queries. Amazon Redshift WLM creates query queues at runtime according to service classes, which define the configuration parameters for various types of queues, including internal system queues and user-accessible queues. From a user perspective, a user-accessible service class and a queue are functionally equivalent. For consistency, this documentation uses the term queue to mean a user-accessible service class as well as a runtime queue. For more information on redshift workload management, please refer to the below url http://docs.aws.amazon.com/redshift/latest/dg/c_workload_mngmt_classification.html The correct answer is: Create two separate workload management groups and assign them to respective teams

Options A and C are incorrect because they will just add to the overhead administration for the additional VPC’s. Option D is incorrect because it attains permissions for EC2 instances only. For more information on VPC and subnets, please visit the below URL http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html The correct answer is: Create a VPC with four subnets, and allow access to each subnet for the individual IAM user.

Option A is incorrect because each VPC has its own purpose (responsibility) and setting of the resources inside - such as NACL, Security Groups, EC2 instances, NAT Instance/Gateway, Routing Tables etc., So merging into single VPC would defeat its purpose. Option B is CORRECT because VPC peering allows the resources in peer VPCs to communicate with each other and in this case, can validate the identities of the resources. See the image below. Also, VPCs from different regions can be peered as well (Inter-Region VPC Peering). Option C is incorrect because Direct Connect should be used when there is a need for dedicated connection between a customer data center and AWS/VPC. Option D is incorrect because VPN should be used when there is a need for connecting customer data center to AWS/VPC resources via customer gateway. More information on VPC Peering A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection). For more information on VPC Peering please see the below link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html https://aws.amazon.com/blogs/aws/new-almost-inter-region-vpc-peering/ The correct answer is: Create a VPC peering connection with the central VPC

When the idea comes to scalability then SQS is the best option. Normally DynamoDB is scalable, but since one is looking for a cost-effective solution, the messaging in SQS can assist in managing the situation mentioned in the question. Option A is incorrect because as DynamoDB is a managed service, autoscaling part of it is AWS's responsibility. You can only adjust the provisioned capacity as needed.  Option B is incorrect because even though increasing the write capacity would solve the issue, it is not cost efficient. Option C is CORRECT because SQS is a scalable and very cost effective solution where it can store the data as messages in a queue for DynamoDB to be processed later when it has the sufficient capacity. This way the application would not lose any data due to sudden increase in the traffic. Option D is incorrect because there is no configuration for multi-AZ deployment of DynamoDB. More information on SQS Amazon Simple Queue Service (SQS) is a fully-managed message queuing service for reliably communicating among distributed software components and microservices at any scale. Building applications from individual components that each perform a discrete function improve scalability and reliability, and is the best practice design for modern applications. SQS makes it simple and cost-effective to decouple and coordinate the components of a cloud application. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be always available. For more information on SQS, please refer to the below url https://aws.amazon.com/sqs/ The correct answer is: Create a service that pulls SQS messages and writes these to DynamoDB to handle sudden spikes in dynamo db

For the exam, remember the usage of the following AD options: SimpleAD: Microsoft Active Directory compatible directory from AWS Directory Service and supports common features of an active directory. AWS Directory Service for Microsoft Active Directory: Managed Microsoft Active Directory that is hosted on AWS cloud. AD Connector: Proxy service for connecting your on-premises Microsoft Active Directory to the AWS cloud. Option A is incorrect because SimpleAD does not connect existing on-premises AD to AWS. Option B is incorrect because AWS Directory Service for Microsoft AD is an AWS managed service that is hosted on the AWS cloud, it does not connect your AD with AWS. Option C is CORRECT because AD Connector helps connecting your on-premises Microsoft Active Directory to the AWS cloud. Option D is incorrect because none of the options above are acceptable except AD Connector. For an example of setup of AD connector, please visit the below URL http://docs.aws.amazon.com/workspaces/latest/adminguide/prep_connect.html The correct answer is: AD Connector

Option A, B, and D are incorrect because you cannot modify the DHCP options - neither via the console nor via CLI. Option C is CORRECT because once you create a set of DHCP options, you cannot modify them. You must create a new set of DHCP options and associate it with your VPC. For more information on DHCP Options set please see the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html The correct answer is: You must create a new set of DHCP options and associate them with your VPC.