A company is required to use cryptographic keys in its on-premises key manager. The key manager is outside
of the AWS Cloud because of regulatory and compliance requirements. The company wants to manage
encryption and decryption by using cryptographic keys that are retained outside of the AWS Cloud and that
support a variety of external key managers from different vendors.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS CloudHSM key store backed by a CloudHSM cluster.
B. Use an AWS Key Management Service (AWS KMS) external key store backed by an external key manager.
C. Use the default AWS Key Management Service (AWS KMS) managed key store.
D. Use a custom key store backed by an AWS CloudHSM cluster.
Question #: 681
when necessary. Configure the DynamoDB table as a global table. Configure DNS failover to point to the new DR
Region's ELB.
D. Create an Auto Scaling group and an ELB in the DR Region. Configure the DynamoDB table as a global table. Create an
Amazon CloudWatch alarm with an evaluation period of 10 minutes to invoke an AWS Lambda function that updates
Amazon Route 53 to point to the DR Region's ELB.
Question #: 873
A company has migrated a fleet of hundreds of on-premises virtual machines (VMs) to Amazon EC2 instances. The
instances run a diverse fleet of Windows Server versions along with several Linux distributions. The company wants a
solution that will automate inventory and updates of the operating systems. The company also needs a summary of
common vulnerabilities of each instance for regular monthly reviews.
What should a solutions architect recommend to meet these requirements?
A. Set up AWS Systems Manager Patch Manager to manage all the EC2 instances. Configure AWS Security Hub to
produce monthly reports.
B. Set up AWS Systems Manager Patch Manager to manage all the EC2 instances. Deploy Amazon Inspector, and
configure monthly reports.
C. Set up AWS Shield Advanced, and configure monthly reports. Deploy AWS Config to automate patch installations on
the EC2 instances.
D. Set up Amazon GuardDuty in the account to monitor all EC2 instances. Deploy AWS Config to automate patch
installations on the EC2 instances.
Question #: 646
A solutions architect needs to host a high-performance computing (HPC) workload in the AWS Cloud. The workload will
run on hundreds of Amazon EC2 instances and will require parallel access to a shared file system to enable distributed
processing of large datasets. Datasets will be accessed across multiple instances simultaneously. The workload requires
access latency within 1 ms. After processing has completed, engineers will need access to the dataset for manual
postprocessing.
Which solution will meet these requirements?
A. Use Amazon Elastic File System (Amazon EFS) as a shared file system. Access the dataset from Amazon EFS.
B. Mount an Amazon S3 bucket to serve as the shared file system. Perform postprocessing directly from the S3 bucket.
C. Use Amazon FSx for Lustre as a shared file system. Link the file system to an Amazon S3 bucket for postprocessing.
D. Configure AWS Resource Access Manager to share an Amazon S3 bucket so that it can be mounted to all instances for
processing and postprocessing.
Question #: 876
A company hosts an application on Amazon EC2 instances that run in a single Availability Zone. The application is
accessible by using the transport layer of the Open Systems Interconnection (OSI) model. The company needs the
application architecture to have high availability.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)
A. Configure new EC2 instances in a different Availability Zone. Use Amazon Route 53 to route traffic to all instances.
B. Configure a Network Load Balancer in front of the EC2 instances.
C. Configure a Network Load Balancer for TCP traffic to the instances. Configure an Application Load Balancer for HTTP
and HTTPS traffic to the instances.
D. Create an Auto Scaling group for the EC2 instances. Configure the Auto Scaling group to use multiple Availability
Zones. Configure the Auto Scaling group to run application health checks on the instances.
E. Create an Amazon CloudWatch alarm. Configure the alarm to restart EC2 instances that transition to a stopped state.
Question #: 869
A company wants to enhance its ecommerce order-processing application that is deployed on AWS. The application
must process each order exactly once without affecting the customer experience during unpredictable traffic surges.
Which solution will meet these requirements?
A. Create an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Put all the orders in the SQS queue. Configure an
AWS Lambda function as the target to process the orders.
B. Create an Amazon Simple Notification Service (Amazon SNS) standard topic. Publish all the orders to the SNS standard
topic. Configure the application as a notification target.
C. Create a flow by using Amazon AppFlow. Send the orders to the flow. Configure an AWS Lambda function as the
target to process the orders.
D. Configure AWS X-Ray in the application to track the order requests. Configure the application to process the orders by
pulling the orders from Amazon CloudWatch.
Question #: 866
A company runs a web application on multiple Amazon EC2 instances in a VPC. The application needs to write sensitive
data to an Amazon S3 bucket. The data cannot be sent over the public internet.
Which solution will meet these requirements?
A. Create a gateway VPC endpoint for Amazon S3. Create a route in the VPC route table to the endpoint.
B. Create an internal Network Load Balancer that has the S3 bucket as the target.
C. Deploy the S3 bucket inside the VPC. Create a route in the VPC route table to the bucket.
D. Create an AWS Direct Connect connection between the VPC and an S3 regional endpoint.
Question #: 861