AWS Certified Solutions Architect - Associate - Part 23

Mary Smith

Sun, 19 Apr 2026

1. A security team wants to limit access to specific services or actions in all of the team's AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained. What should a solutions architect do to accomplish this?

A) Create an ACL to provide access to the services or actions.
B) Create cross-account roles in each account to deny access to the services or actions.
C) Create a service control policy in the root organizational unit to deny access to the services or actions.
D) Create a security group to allow accounts and attach it to user groups.



2. A company built a food ordering application that captures user data and stores it for future analysis. The application's static front end is deployed on an Amazon EC2 instance. The front-end application sends requests to the backend application running on a separate EC2 instance. The backend application then stores the data in Amazon RDS. What should a solutions architect do to decouple the architecture and make it scalable?

A) Use Amazon S3 to serve the front-end application, which sends requests to Amazon EC2 to execute the backend application. The backend application will process and store the data in Amazon RDS.
B) Use Amazon S3 to serve the static front-end application and send requests to Amazon API Gateway, which writes the request to an Amazon SQS queue. Place the backend instances in an Auto Scaling group, and scale based on the queue depth to process and store the data in Amazon RDS.
C) Use an EC2 instance to serve the front end and write requests to an Amazon SQS queue. Place the backend instance in an Auto Scaling group, and scale based on the queue depth to process and store the data in Amazon RDS.
D) Use Amazon S3 to serve the front-end application and write requests to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe Amazon EC2 instances to the HTTP/HTTPS endpoint of the topic, and process and store the data in Amazon RDS.



3. An application hosted on AWS is experiencing performance problems, and the application vendor wants to perform an analysis of the log file to troubleshoot further. The log file is stored on Amazon S3 and is 10 GB in size. The application owner will make the log file available to the vendor for a limited time. What is the MOST secure way to do this?

A) Upload the file to Amazon WorkDocs and share the public link with the vendor.
B) Create an IAM user for the vendor to provide access to the S3 bucket and the application. Enforce multi-factor authentication.
C) Generate a presigned URL and have the vendor download the log file before it expires.
D) Enable public read on the S3 object and provide the link to the vendor.



4. A solutions architect is implementing a document review application using an Amazon S3 bucket for storage. The solution must prevent accidental deletion of the documents and ensure that all versions of the documents are available. Users must be able to download, modify, and upload documents. Which combination of actions should be taken to meet these requirements? (Select two.)

A) Enable versioning on the bucket
B) Encrypt the bucket using AWS KMS
C) Attach an IAM policy to the bucket
D) Enable MFA Delete on the bucket
E) Enable a read-only bucket ACL


5. A company's website is used to sell products to the public. The site runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). There is also an Amazon CloudFront distribution, and AWS WAF is being used to protect against SQL injection attacks. The ALB is the origin for the CloudFront distribution. A recent review of security logs revealed an external malicious IP that needs to be blocked from accessing the website. What should a solutions architect do to protect the application?

A) Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.
B) Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
C) Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address.
D) Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.



1. Right Answer: C
Explanation:

2. Right Answer: B
Explanation:

3. Right Answer: C
Explanation:

4. Right Answer: A,D
Explanation:

5. Right Answer: A
Explanation:
