1. A security team wants to limit access to specific services or actions in all of the team's AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable, and there must be a single point where permissions can be maintained. What should a solutions architect do to accomplish this?
A) Create a service control policy in the root organizational unit to deny access to the services or actions.
B) Create an ACL to provide access to the services or actions.
C) Create a security group to allow accounts and attach it to user groups.
D) Create cross-account roles in each account to deny access to the services or actions.
2. A company allows its developers to attach existing IAM policies to existing IAM roles to enable faster experimentation and agility. However, the security operations team is concerned that the developers could attach the existing administrator policy, which would allow the developers to circumvent any other security policies. How should a solutions architect address this issue?
A) Use service control policies to disable IAM activity across all accounts in the organizational unit.
B) Create an Amazon SNS topic to send an alert every time a developer creates a new policy.
C) Set an IAM permissions boundary on the developer IAM role that explicitly denies attaching the administrator policy.
D) Prevent the developers from attaching any policies and assign all IAM duties to the security operations team.
3. A recently acquired company is required to build its own infrastructure on AWS and migrate multiple applications to the cloud within a month. Each application has approximately 50 TB of data to be transferred. After the migration is complete, this company and its parent company will both require secure network connectivity with consistent throughput from their data centers to the applications. A solutions architect must ensure a one-time data migration and ongoing network connectivity. Which solution will meet these requirements?
A) AWS Snowball for the initial transfer and AWS Direct Connect for ongoing connectivity.
B) AWS Site-to-Site VPN for both the initial transfer and ongoing connectivity.
C) AWS Direct Connect for both the initial transfer and ongoing connectivity.
D) AWS Snowball for the initial transfer and AWS Site-to-Site VPN for ongoing connectivity.
4. A web application is deployed in the AWS Cloud. It consists of a two-tier architecture that includes a web layer and a database layer. The web server is vulnerable to cross-site scripting (XSS) attacks. What should a solutions architect do to remediate the vulnerability?
A) Create an Application Load Balancer. Put the web layer behind the load balancer and use AWS Shield Standard.
B) Create an Application Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
C) Create a Network Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
D) Create a Classic Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
5. A company's application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. On the first day of every month at midnight, the application becomes much slower when the month-end financial calculation batch executes. This causes the CPU utilization of the EC2 instances to immediately peak at 100%, which disrupts the application. What should a solutions architect recommend to ensure the application is able to handle the workload and avoid downtime?
A) Configure an EC2 Auto Scaling scheduled scaling policy based on the monthly schedule.
B) Configure an Amazon CloudFront distribution in front of the ALB.
C) Configure an EC2 Auto Scaling simple scaling policy based on CPU utilization.
D) Configure Amazon ElastiCache to remove some of the workload from the EC2 instances.
1. Right answer: A. Explanation: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html