Management & Governance Flashcards

A financial institution is designing the architecture for a new data processing platform on AWS. The institution uses organizational units (OUs) in AWS Organizations to manage its accounts. To comply with regulatory requirements, all Amazon EC2 instances must include a compliance-level tag with values of compliant or noncompliant. IAM users must not be allowed to create EC2 instances without this tag or modify the tag after creation.

Which combination of steps will meet these requirements?

(Select TWO.)

1. In AWS Organizations, create a service control policy (SCP) to deny the creation of EC2 instances if the compliance-level tag is not specified. Attach the SCP to the appropriate OU.
2. In AWS Organizations, create a tag policy to enforce the use of the compliance-level tag with the required values. Attach the tag policy to the appropriate OU to ensure EC2 instances adhere to the tagging requirements.
3. Use AWS Config to check for compliance-level tags on EC2 instances. Configure AWS Config to remediate noncompliant resources by automatically adding the required tags to EC2 instances.
4. Create an IAM policy that denies the deletion of tags on EC2 instances. Assign this policy to all IAM users who manage EC2 resources in the organization’s accounts.
5. Use AWS Lambda with an EventBridge rule to trigger a function whenever a new EC2 instance is created. Configure the function to terminate any instance that does not include the compliance-level tag with the correct values.

A retail company operates a multi-tier application that includes a web server layer running on Amazon EC2 instances and a database layer hosted on Amazon RDS. The company is preparing for an annual sales event and anticipates a significant surge in traffic to its application. The operations team wants to monitor the performance of the EC2 instances and database, analyzing metrics with a granularity of 1 minute to ensure quick detection of bottlenecks during the event.

What should the solutions architect do to meet this requirement?

1. Enable detailed monitoring on all EC2 instances and use Amazon CloudWatch metrics for analysis.
2. Configure Amazon CloudWatch Logs Insights to aggregate application logs for both the EC2 instances and Amazon RDS. Use Amazon QuickSight for detailed visualization.
3. Configure an Amazon CloudWatch Events rule to trigger an AWS Lambda function that collects custom metrics from the EC2 instances and Amazon RDS. Use Amazon CloudWatch dashboards to display the metrics.
4. Use AWS Systems Manager to collect logs from the EC2 instances and Amazon RDS. Store the logs in Amazon S3 and use Amazon Athena to query performance data.

A company is launching a new internal platform for managing multiple independent projects. Each project will require its own dedicated AWS account for isolation. The company needs a solution that automates account creation, applies mandatory security guardrails, and centrally manages shared networking resources such as VPNs and subnets for the accounts. The solution must minimize manual effort and ensure compliance with security standards.

Which solution will meet these requirements with the LEAST operational overhead?

1. Use AWS Control Tower to automate account provisioning. Create a dedicated networking account with a centralized VPC. Use AWS Resource Access Manager (AWS RAM) to share subnets with project accounts. Enforce security guardrails by using AWS Control Tower guardrails.
2. Use AWS Organizations to create project accounts manually. Deploy a VPC in a centralized networking account. Use AWS RAM to share subnets. Manually configure security policies in each account.
3. Use AWS Control Tower to set up accounts with pre-configured VPCs in each project account. Connect these VPCs to a central networking account through a transit gateway. Enforce security controls with AWS Config.
4. Use AWS Organizations to create accounts for each project. Deploy a shared VPC in a centralized account. Configure AWS Firewall Manager to enforce security controls. Manually configure routing for project account traffic through the shared VPC.

An Architect needs to find a way to automatically and repeatably create many member accounts within an AWS Organization. The accounts also need to be moved into an OU and have VPCs and subnets created.

What is the best way to achieve this?

1. Use the AWS Organizations API
2. Use CloudFormation with scripts
3. Use the AWS Management Console
4. Use the AWS CLI

A financial services company manages its web application on Amazon EC2 instances. The EC2 instances are registered in an IP address-type target group behind an Application Load Balancer (ALB). The company uses AWS Systems Manager for patching and routine maintenance of the instances.

To meet security compliance requirements, the company must ensure that EC2 instances are temporarily removed from service during patching to prevent serving traffic. During a recent patching attempt, the company experienced application errors and traffic disruptions.

Which combination of solutions will resolve these issues?

(Select TWO.)

1. Change the target type of the target group from IP address type to instance type and re-register the instances.
2. Use the Systems Manager Maintenance Windows feature to schedule patching and automatically deregister instances from the ALB during updates.
3. Implement the AWSEC2-PatchLoadBalancerInstance Systems Manager Automation document to manage the patching process for EC2 instances behind the ALB.
4. Configure ALB health checks to automatically remove unhealthy instances during patching. Use Systems Manager Run Command to apply the patches manually.
5. Use Systems Manager State Manager to schedule patching jobs and ensure instances are deregistered and re-registered with the ALB after patching is complete.

A financial institution with many departments wants to migrate to the AWS Cloud from their data center. Each department should have their own established AWS accounts with preconfigured, Limited access to authorized services, based on each team’s needs, by the principle of least privilege.

What actions should be taken to ensure compliance with these security requirements?

1. Use AWS CloudFormation to create new member accounts and networking and use IAM roles to allow access to approved AWS services.
2. Deploy a Landing Zone within AWS Control Tower. Allow department administrators to use the Landing Zone to create new member accounts and networking. Grant the department’s AWS power user permissions on the created accounts.
3. Configure AWS Organizations with SCPs and create new member accounts. Use AWS CloudFormation templates to configure the member account networking.
4. Deploy a Landing Zone within AWS Organizations. Allow department administrators to use the Landing Zone to create new member accounts and networking. Grant the department’s AWS power user permissions on the created accounts.

As part of a company’s shift to the AWS cloud, they need to gain an insight into their total on-premises footprint. They have discovered that they are currently struggling with managing their software licenses. They would like to maintain a hybrid cloud setup, with some of their licenses stored in the cloud with some stored on-premises.

What actions should be taken to ensure they are managing the licenses appropriately going forward?

1. Use AWS Secrets Manager to store the licenses as secrets to ensure they are stored securely
2. Use the AWS Key Management Service to treat the license key safely and store it securely
3. Use AWS License Manager to manage the software licenses
4. Use Amazon S3 with governance lock to manage the storage of the licenses

A company has divested a single business unit and needs to move the AWS account owned by the business unit to another AWS Organization.

How can this be achieved?

1. Create a new account in the destination AWS Organization and migrate resources
2. Create a new account in the destination AWS Organization and share the original resources using AWS Resource Access Manager
3. Migrate the account using AWS CloudFormation
4. Migrate the account using the AWS Organizations console

A large company is currently using multiple AWS accounts as part of its cloud deployment model, and these accounts are currently structured using AWS Organizations. A Solutions Architect has been tasked with limiting access to an Amazon S3 bucket to only users of accounts that are enrolled with AWS Organizations. The Solutions Architect wants to avoid listing the many dozens of account IDs in the Bucket policy, as there are many accounts the frequent changes.

Which strategy meets these requirements with the LEAST amount of effort?

1. Use Attribute Based Access Control by referencing Tags of accounts which are either enrolled as part of AWS Organizations, or not.
2. Use the global key of AWS Organizations within a bucket policy using the aws:PrincipalOrgID key to allow access only to accounts which are part of the Organization.
3. Use AWS Config and AWS Lambda functions to make remediations to the bucket policy as and when new accounts are created and tagged as not being part of AWS Organizations. Update the S3 bucket policy accordingly.
4. Add all the non-organizational accounts to an Organizational Unit (OU) and attached a Service Control Policy (SCP) which denies access to the specific Amazon S3 bucket.

A financial services company has a large, multi-Region footprint on AWS. A recent security audit highlighted some issues that must be addressed. The company must track all configuration changes affecting AWS resources and have detailed records of who has accessed the AWS environment. The data should include information such as which user has logged in and which API calls they made.

What actions should a Solutions Architect take to meet these requirements?

1. Use Amazon CloudWatch to track configuration changes and AWS Config to record API calls and track access patterns in the AWS Cloud.
2. Use AWS Config to track configuration changes and AWS CloudTrail to record API calls and track access patterns in the AWS Cloud.
3. Use AWS Config to track configuration changes and Amazon EventBridge to record API calls and track access patterns in the AWS Cloud.
4. Use Amazon Macie to track configuration changes and Amazon CloudTrail to record API calls and track access patterns in the AWS Cloud.

A financial services company is currently using 500 Amazon EC2 instances to run batch-processing workloads to analyze financial information on a periodic basis. The organization needs to install a third-party tool on all these instances as quickly and as efficiently as possible and will have to carry out similar tasks on an ongoing basis going forward. The solution also needs to scale for the addition of future EC2 instances.

What should a solutions architect do to meet these requirements in the easiest way possible?

1. Create an AWS Lambda Function which will make configuration changes to all the EC2 instances. Validate the tool has been installed using another Lambda function.
2. Use AWS Systems Manager Patch Manager to install the tool on all the EC2 instances within a single patch.
3. Use AWS Systems Manager Maintenance Windows to install the tool on all the EC2 instances within a set period of time.
4. Use AWS Systems Manager Run Command to run a custom command that installs the tool on all the EC2 instances.

A company stores its application logs in an Amazon CloudWatch Logs log group. A new policy requires the company to store all application logs in Amazon OpenSearch Service (Amazon Elasticsearch Service) in near-real time.

Which solution will meet this requirement with the LEAST operational overhead?

1. Configure a CloudWatch Logs subscription to stream the logs to Amazon OpenSearch Service (Amazon Elasticsearch Service).
2. Create an AWS Lambda function. Use the log group to invoke the function to write the logs to Amazon OpenSearch Service (Amazon Elasticsearch Service).
3. Create an Amazon Kinesis Data Firehose delivery stream. Configure the log group as the delivery stream’s source. Configure Amazon OpenSearch Service (Amazon Elasticsearch Service) as the delivery stream’s destination.
4. Install and configure Amazon Kinesis Agent on each application server to deliver the logs to Amazon Kinesis Data Streams. Configure Kinesis Data Streams to deliver the logs to Amazon OpenSearch Service (Amazon Elasticsearch Service).

To trace a recent production incident a product manager needs to view logs in the Amazon CloudWatch logs. These logs are linked to events over the course of a week and may be needed in the future if incidents occur again. The product manager doesn’t have administrative access to the AWS account as it is managed by a third-party management company.

According to principal of least privilege, which option out of the below will fulfill the requirement to provide the necessary access for the product manager?

1. Share the dashboard from the CloudWatch console. Enter the client’s email address and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
2. Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
3. Create an IAM user for the company’s employees. Attach the ViewOnly Access AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
4. Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.

A digital marketing agency manages numerous client websites and apps on AWS. Each AWS resource is supposed to be tagged by the account for tracking and backup purposes. The agency wants to ensure that all AWS resources, including untagged ones, are backed up properly to minimize data loss risks.

Which solution will meet these requirements with the LEAST operational overhead?

1. Use AWS Config to identify all untagged resources and tag them programmatically. Then, use AWS Backup to automate the backup of all AWS resources based on tags.
2. Manually search for all untagged resources in each AWS service. Once identified, tag them appropriately and set up AWS Backup for each service separately.
3. Rely on each account owner to identify their untagged resources and then use AWS Backup for backing up.
4. Use AWS Lambda to periodically scan for untagged resources, add necessary tags, and then set up AWS Backup.

A multinational enterprise plans to transition from numerous independent AWS accounts to a structured, multi-account AWS setup. The enterprise anticipates creating multiple AWS accounts to cater to various departments. The enterprise seeks to authenticate access to these AWS accounts using a centralized corporate directory service.

What combination of steps should a solutions architect suggest to meet these needs?

(Select TWO.)

1. Create a new AWS Organizations entity with all features enabled. Create the new AWS accounts within the organization.
2. Install and configure AWS Control Tower for centralized account management. Incorporate AWS Identity Center to manage identity.
3. Deploy AWS Directory Service and integrate it with the corporate directory service. Set up AWS Identity Center for authentication across accounts.
4. Set up an Amazon Cognito identity pool and configure AWS Identity Center to accept Amazon Cognito authentication.
5. Establish an AWS Transit Gateway for centralized network management, linking AWS accounts.