Free SAP-C02 Practice Questions – 2026 Updated

This solution provides an event-driven architecture with minimal operational overhead, directly addressing the question's requirements. Using Amazon S3 event notifications to trigger an Amazon EventBridge rule is an efficient replacement for the polling mechanism. EventBridge can then directly invoke an Amazon ECS task. Choosing the AWS Fargate launch type for ECS makes the compute layer serverless, eliminating the need to manage underlying EC2 instances. Fargate tasks can run for much longer than the required 25 minutes, making it a suitable choice for the long-running processing job. This combination optimizes the workflow and significantly reduces operational burdens.

B: AWS Lambda functions have a maximum execution timeout of 15 minutes. This is insufficient for the processing job that can take up to 25 minutes, causing it to fail.

C: An AWS Glue crawler is designed to discover data schemas and populate the AWS Glue Data Catalog, not to act as a real-time application trigger. This is an incorrect use of the service.

D: This option is incorrect for the same reason as option B. Deploying the container to AWS Lambda is not viable due to the 15-minute execution timeout limit, which is less than the 25-minute processing time.

1. AWS Lambda Quotas: The official AWS Lambda documentation states the maximum execution duration for a function.

Source: AWS Lambda Developer Guide

"Lambda quotas".

Reference: In the "Function configuration

deployment

and execution quotas" table

the "Timeout" resource has a maximum value of 900 seconds (15 minutes).

2. Invoking ECS Tasks from S3 Events: The AWS documentation outlines the event-driven pattern of using S3 events with EventBridge to start an ECS task

which is ideal for this scenario.

Source: AWS Compute Blog

"Introducing Amazon EventBridge integration for Amazon ECS".

Reference: The blog post details how "Amazon ECS is now a target for Amazon EventBridge

" allowing you to "run Amazon ECS tasks on a schedule

or in response to any EventBridge event." This includes S3 object creation events.

3. AWS Fargate for Long-Running Tasks: Fargate is a serverless compute engine suitable for containerized applications

including batch jobs that run longer than the Lambda timeout.

Source: AWS Fargate FAQs.

Reference: The FAQ page clarifies that Fargate is suitable for "batch workloads... that run for a short period of time

" which can be minutes or hours

thus easily accommodating the 25-minute requirement without the operational overhead of managing servers.

4. Purpose of AWS Glue Crawlers: The AWS Glue documentation specifies the intended use of crawlers

which does not align with triggering application logic.

Source: AWS Glue Developer Guide

"Defining Crawlers".

Reference: The guide states

"You use a crawler to populate the AWS Glue Data Catalog with tables. This is the primary method used by most AWS Glue users." This confirms its purpose is metadata discovery

not event-based invocation.

The most secure and operationally efficient method for providing cross-account access to AWS resources is by using an IAM role. This solution creates an IAM role in the resource-owning account (Sales) with policies that grant read access to the specific S3 bucket and decrypt permissions for the associated KMS key. The role's trust policy is configured to allow the QuickSight service role from the Marketing account to assume it. This approach provides temporary, auditable credentials to QuickSight without duplicating petabytes of data, thereby minimizing both cost and operational overhead, which directly aligns with the stated requirements.

A. Replicating petabytes of data is extremely expensive (storage, transfer, and replication costs) and introduces significant operational overhead and data latency, violating the core requirement.

B. Service Control Policies (SCPs) are used to set permission guardrails (deny actions) at an organizational level; they cannot be used to grant permissions.

C. The S3 bucket policy must be attached to the bucket in the resource-owning account (Sales), not the consumer account (Marketing), making this option's instruction incorrect.

1. AWS QuickSight User Guide

"Accessing S3 buckets in another AWS account": This document explicitly states the required pattern: "To connect to an S3 bucket in another account

you must create an IAM role in that account that provides access to Amazon QuickSight. You also need to grant Amazon QuickSight permissions to assume that role." This directly validates the approach in option D.

2. AWS IAM User Guide

"IAM tutorial: Delegate access across AWS accounts using IAM roles": This tutorial details the standard

recommended architecture for cross-account access. It describes creating a role in the resource-owning account (Account A

or Sales in this scenario) and establishing a trust policy that allows a principal in another account (Account B

or Marketing) to assume that role.

3. AWS Key Management Service Developer Guide

"Allowing users in other accounts to use a KMS key": Section "How to allow users in other accounts to use a KMS key" explains that to use a KMS key across accounts

you must use both an IAM policy and the key policy. The IAM role created in the Sales account would be granted kms:Decrypt permissions in its policy

and the KMS key's own policy must allow the role to be used. This is an integral part of the solution described in option D.

4. AWS Organizations User Guide

"Service control policies (SCPs)": This guide clarifies the function of SCPs

stating

"SCPs don't grant permissions. Instead

SCPs are JSON policies that specify the maximum permissions for the affected accounts." This confirms that SCPs cannot be used to grant access as suggested in option B.

The most effective and efficient way to prevent a specific API action across all accounts within an Organizational Unit (OU) is by using a Service Control Policy (SCP). An SCP with a Deny effect for the ec2:AuthorizeSecurityGroupIngress action provides a preventative guardrail. When this SCP is attached to the NonProd OU, it is inherited by all member accounts, ensuring that no IAM principal in those accounts can create a security group rule with the specified source, regardless of their individual IAM permissions. This centralized enforcement mechanism has the least operational overhead.

A. This is a reactive "detect and remediate" approach. It does not prevent the insecure rule from being created, leaving a window of vulnerability until the Lambda function executes.

B. AWS Config rules are a detective control used for auditing and identifying non-compliance. They report on non-compliant resources but do not prevent their creation.

C. Using an Allow statement in an SCP is not the standard or most effective way to create a restriction. An explicit Deny is stronger as it overrides any Allow permissions.

1. AWS Organizations User Guide

"Service control policies (SCPs)": This document explains that SCPs are a type of organization policy that you can use to manage permissions in your organization. It states

"SCPs offer central control over the maximum available permissions for all accounts in your organization." It also details the evaluation logic where an explicit deny in an SCP overrides any allow. (See the section "SCP evaluation").

2. AWS Identity and Access Management User Guide

"IAM JSON policy elements: Effect": This guide clarifies the policy evaluation logic

stating

"We recommend that you grant permissions by using a 'least-privilege' approach... You can also explicitly deny access to resources... An explicit deny statement always overrides an allow statement." This supports the choice of a Deny SCP over an Allow-based one for restriction.

3. AWS Identity and Access Management User Guide

"Actions

resources

and condition keys for Amazon EC2": This documentation lists the valid condition keys for EC2 actions. It shows that to filter based on the CIDR block being added to a rule

the correct condition key is ec2:Request/IpPermissions.IpRanges.CidrIp. While the question uses an incorrect key (aws:SourceIp)

the fundamental mechanism of using a Deny SCP (Option D) is the correct architectural pattern being tested.

An SCP is only a permissions filter; it never grants permissions by itself.

Because the shown SCP does not contain an explicit Deny for s3:CreateBucket, the action is still inside the account’s permission guard-rail.

Developers cannot create buckets because their IAM users/roles inside account 1111-1111-1111 lack an IAM policy that allows s3:CreateBucket.

Granting that permission in their IAM entities lets them create buckets while the SCP continues to apply to all other actions.

A. SCP “Allow” statements do not grant permissions; IAM must still permit the action.

B. Moving or re-attaching the identical SCP changes nothing about the missing IAM permission.

D. Detaching the SCP would work but removes the intended organizational control and is unnecessary; the problem is IAM, not the SCP.

1. AWS Organizations User Guide – “How SCPs Work”: “An SCP never grants permissions. Permissions must be granted with IAM policies.” (Guide version 2023-10-10

§‘Effects of SCPs’

para 2)

2. AWS Organizations User Guide – “Strategy for Using SCPs”: “A task is allowed only if it is permitted by both the SCP and the IAM policy.” (same guide

§‘Creating the right mix of policies’

para 1)

3. AWS IAM User Guide – “IAM Policies and Permissions”: “If no IAM policy allows the action

the request is denied.” (2023-11-15

§‘Policy evaluation logic’

step 4)

The most comprehensive source for AWS billing data is the AWS Cost and Usage Report (CUR). The CUR provides detailed, itemized data that can be delivered to an Amazon S3 bucket. To address the need for "meaningful groups," AWS Cost Categories allow the finance team to create custom rules to map costs to internal business structures, such as the different acquired companies, teams, or projects.

This raw data in S3 can be queried using Amazon Athena, a serverless interactive query service. Amazon QuickSight, a business intelligence service, can then connect to Athena as a data source. This enables the finance team to build their own custom dashboards and reports, fulfilling the requirement for a "self-managed application" for cost reporting.

B: AWS Cost Explorer is an AWS-managed visualization tool within the console. It does not meet the requirement for a "self-managed application" that the finance team can build upon.

C: The AWS Price List Query API provides the prices of AWS services. It does not provide information about an account's actual spending or usage, making it unsuitable for cost reporting.

D: This option has two flaws. The AWS Price List Query API does not provide account spending data, and AWS Cost Explorer does not meet the "self-managed application" requirement.

1. AWS Cost and Usage Reports (CUR): AWS Billing and Cost Management User Guide

"What are AWS Cost and Usage Reports?". It states

"The AWS Cost and Usage Reports (AWS CUR) contains the most comprehensive set of cost and usage data available." It also details delivery to an Amazon S3 bucket.

2. AWS Cost Categories: AWS Billing and Cost Management User Guide

"Managing your costs with AWS Cost Categories". This section explains

"Cost Categories is a feature in the AWS Cost Management product suite that enables you to group your cost and usage information into meaningful categories."

3. Querying CUR with Athena: AWS Cost and Usage Reports User Guide

"Querying Cost and Usage Reports using Amazon Athena". This guide provides a step-by-step walkthrough of setting up an AWS CloudFormation template to integrate CUR with Athena for querying.

4. Visualizing CUR with QuickSight: AWS Big Data Blog

"Create a cost and usage dashboard with Amazon QuickSight". This official blog post outlines the architecture: "This post shows you how to build a serverless solution that uses AWS Glue to crawl your CUR data in Amazon S3

Amazon Athena to query the data

and Amazon QuickSight to visualize the data."

5. AWS Price List Service API: AWS Price List Service API Reference

"Welcome". The introduction states

"AWS Price List Service API (AWS Price List Service) is a centralized and convenient way to programmatically query AWS for services

products

and pricing information." This confirms it is for pricing

not spending.

The most effective and native method for implementing canary releases for an AWS Lambda function is by using Lambda versions and aliases. A new function version is created for the new code. An alias, which acts as a mutable pointer to a function version, is then updated with a RoutingConfig. This configuration allows you to specify what percentage of invocation traffic is sent to the new version versus the stable, existing version. This gradual traffic shifting is the essence of a canary release, allowing for monitoring and a quick rollback by simply redirecting all traffic back to the old version if issues arise.

B: Using Route 53 is an inefficient, coarse-grained approach for a single Lambda function. It operates at the DNS level and would require separate application stacks or endpoints, adding unnecessary complexity and cost.

C: This is technically incorrect. The routing-config parameter is associated with a Lambda alias (update-alias command), not the function configuration itself (update-function-configuration command).

D: While AWS CodeDeploy automates Lambda canary deployments, CodeDeployDefault.OneAtATime is a deployment configuration for EC2/On-Premises instances, not for Lambda. Lambda uses time- or percentage-based shifting configurations (e.g., Canary10Percent5Minutes).

1. AWS Lambda Developer Guide: In the section "Configuring aliases for traffic shifting

" the documentation states

"You can use an alias to route traffic to two function versions. For example

you can configure an alias to send a small percentage of traffic to a new version that you're testing." This directly supports the use of aliases and routing configurations for canary releases.

Source: AWS Lambda Developer Guide

"Lambda function aliases

" section "Configuring aliases for traffic shifting."

2. AWS CLI Command Reference: The documentation for the update-alias command shows the --routing-config parameter. This parameter is used to "split traffic between two versions of a function." Conversely

the documentation for update-function-configuration does not include this parameter

confirming option C is incorrect.

Source: AWS CLI Command Reference

lambda

update-alias.

3. AWS CodeDeploy User Guide: The section "Deployment configurations on a Lambda compute platform" lists the predefined configurations available for Lambda deployments

such as CodeDeployDefault.LambdaCanary10Percent5Minutes and CodeDeployDefault.LambdaLinear10PercentEvery1Minute. The CodeDeployDefault.OneAtATime configuration is not listed for the Lambda compute platform.

Source: AWS CodeDeploy User Guide

"Working with deployment configurations in CodeDeploy

" section "Deployment configurations on a Lambda compute platform."

4. AWS CloudFormation User Guide: The documentation for the AWS::Lambda::Alias resource includes the RoutingConfig property. This property allows you to define AdditionalVersionWeights to split traffic between two function versions

confirming that this canary release strategy is fully supported within CloudFormation stacks.

Source: AWS CloudFormation User Guide

"AWS::Lambda::Alias

" RoutingConfig property.

The scenario describes a predictable workload with a weekly 4-hour peak that is double the average load. To minimize costs for such a pattern, the best approach is to match capacity to the load dynamically. AWS Application Auto Scaling for DynamoDB is designed for this exact purpose, automatically increasing provisioned capacity for the peak and decreasing it afterward. This avoids paying for unused peak capacity 24/7. Furthermore, purchasing reserved capacity for the consistent, average load provides a significant discount compared to on-demand or standard provisioned pricing, further optimizing costs for the baseline workload.

B: On-demand capacity mode is ideal for unpredictable workloads. For a predictable, cyclical workload like this, provisioned capacity with auto scaling is more cost-effective.

C: DynamoDB Accelerator (DAX) is an in-memory cache that primarily benefits read-heavy workloads. The scenario explicitly states the application has "many more writes," so DAX would provide little to no cost benefit.

D: This option is incorrect for two reasons: DAX is not effective for a write-heavy workload, and on-demand mode is less cost-effective than auto scaling for a predictable traffic pattern.

1. AWS DynamoDB Developer Guide

"Managing throughput capacity automatically with DynamoDB auto scaling": "DynamoDB auto scaling uses Application Auto Scaling to dynamically adjust provisioned throughput capacity on your behalf

in response to actual traffic patterns. This enables a table or global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic

without throttling requests." This supports using Auto Scaling for traffic pattern changes.

2. AWS DynamoDB Developer Guide

"Read/write capacity mode": "Provisioned mode is a good option if... you have predictable application traffic [and] you can forecast capacity requirements to control costs." This confirms provisioned mode with auto scaling is best for predictable traffic. It contrasts with on-demand

which is for "unpredictable application traffic."

3. AWS DynamoDB Developer Guide

"Reserved capacity": "With DynamoDB reserved capacity

you pay a one-time upfront fee and commit to a minimum provisioned usage level over a period of time. By reserving your read and write capacity units ahead of time

you can realize significant cost savings compared to standard provisioned capacity prices." This supports using reserved capacity for the average baseline load.

4. AWS DynamoDB Developer Guide

"Amazon DynamoDB Accelerator (DAX)": "DAX is intended for applications that are read-intensive... DAX is not ideal for applications that are write-intensive". This directly refutes the use of DAX in options C and D for this write-heavy scenario.

AWS Control Tower uses guardrails to implement governance policies. Guardrails are categorized as mandatory, strongly recommended, or elective. The requirement is to detect non-compliant resources (unencrypted RDS instances), which calls for a detective control.

In AWS Control Tower, detective guardrails are implemented using AWS Config rules. The [CT.RDS.2] Require encryption for RDS database instances guardrail is a pre-defined detective control that checks if RDS instances are encrypted. While this specific guardrail is categorized as "elective," the operational process is to enable an optional (non-mandatory) guardrail and apply it to a specific Organizational Unit (OU), such as the production OU. This aligns perfectly with the mechanism described in option B.

A. Mandatory guardrails are enabled by default on the entire organization's root OU when the landing zone is set up and cannot be selectively applied to specific OUs.

C. Users cannot create new mandatory guardrails in AWS Control Tower. While custom AWS Config rules can be created, they are not integrated as native Control Tower guardrails through this process.

D. Service Control Policies (SCPs) are preventive controls that deny API actions. They would be used to prevent the creation of unencrypted RDS instances, not to detect existing ones as the question requires.

---

1. AWS Control Tower User Guide

"Guardrails in AWS Control Tower": This document explains the different types of guardrails. It states

"You can enable strongly recommended and elective guardrails on specific OUs." This confirms that optional guardrails can be targeted to OUs like the production OU.

2. AWS Control Tower User Guide

"Guardrail reference": This reference lists all available guardrails. The guardrail [CT.RDS.2] Require encryption for RDS database instances is listed with a "Detective" behavior and is implemented as an "AWS Config rule". This confirms the existence of a specific detective guardrail for the required check.

3. AWS Control Tower User Guide

"How guardrails work": This section details the implementation. It clarifies that detective guardrails "detect noncompliance in your resources and provide alerts through the dashboard

" which matches the requirement to "detect" non-encrypted instances. It also distinguishes them from preventive guardrails

which use SCPs.

This solution meets all the stringent Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements. AWS Elastic Disaster Recovery (DRS) uses continuous, block-level data replication for the EC2 instances, which can achieve an RPO of seconds, easily satisfying the 2-minute requirement. An Amazon RDS cross-Region read replica uses asynchronous replication, which typically has a lag of seconds to a few minutes, meeting the 5-minute database RPO. Promoting the read replica is a fast operation, meeting the 30-minute RTO. AWS Global Accelerator provides static IP addresses and intelligently routes traffic to the nearest healthy regional endpoint (the ALBs), ensuring rapid failover and optimal latency for users.

B: Amazon Data Lifecycle Manager (DLM) automates EBS snapshots, but the minimum creation frequency is one hour. This cannot meet the required 2-minute RPO for the application tier.

C: AWS Backup for EC2 instances is also based on snapshots, which have a minimum frequency of one hour, failing to meet the 2-minute RPO. CloudFront is a CDN, not the optimal service for this type of DR traffic routing.

D: This option fails for the same reason as option B. Amazon DLM's minimum snapshot frequency of one hour is insufficient to meet the 2-minute application RPO.

1. AWS Elastic Disaster Recovery (DRS): "AWS Elastic Disaster Recovery (DRS) minimizes downtime and data loss with fast

reliable recovery of on-premises and cloud-based applications... It enables an RPO of seconds and an RTO of minutes."

Source: AWS Documentation

"What is AWS Elastic Disaster Recovery?"

Introduction.

2. Amazon RDS Cross-Region Read Replicas: "You can reduce the risk of a regional disruption by using cross-Region read replicas as part of your disaster recovery strategy... In the event of a regional disruption

you can promote the read replica to be a new standalone DB instance."

Source: Amazon RDS User Guide

"Working with read replicas"

Section: "Cross-Region read replicas".

3. AWS Global Accelerator: "AWS Global Accelerator improves the availability and performance of your applications with local or global users... It provides static IP addresses that act as a fixed entry point to your application endpoints in a single or multiple AWS Regions... If there's a failure

Global Accelerator instantly directs traffic to the next available endpoint."

Source: AWS Documentation

"What Is AWS Global Accelerator?"

Introduction.

4. Amazon Data Lifecycle Manager (DLM): "You can create policies that create snapshots on a schedule. The schedule can be as frequent as every 1 hour."

Source: Amazon EC2 User Guide for Linux Instances

"Amazon Data Lifecycle Manager"

Section: "How Amazon DLM works".

This solution correctly establishes secure, private connectivity. Creating a private API Gateway endpoint makes the API accessible only from within a VPC, not from the public internet. An interface VPC endpoint for API Gateway (execute-api) creates a private network path from the EC2 instances' VPC to the API Gateway service, ensuring traffic does not traverse the public internet. Attaching a resource policy to the API that explicitly allows access only from the specified VPC endpoint provides a robust security layer, fulfilling all the company's requirements for private and secure communication.

A. An AWS Site-to-Site VPN connects a VPC to an on-premises network, not to a managed AWS service like API Gateway. This does not solve the private connectivity requirement.

C. IAM authentication provides authorization but does not make the API endpoint private. API Gateway cannot be "moved" into a VPC, and a transit gateway is for inter-VPC networking, not service access.

D. AWS Global Accelerator is designed to improve performance for public-facing applications by routing traffic over the AWS global network. It is for public, not private, endpoints.

1. AWS API Gateway Developer Guide

"Creating a private API in Amazon API Gateway": This guide states

"Private APIs are API endpoints that can only be accessed from your Amazon Virtual Private Cloud (VPC) through an interface VPC endpoint. This is an endpoint network interface that you create in your VPC." This directly supports using a private API endpoint type and a VPC endpoint.

2. AWS API Gateway Developer Guide

"Control access to a private API": This section details the use of resource policies. It explains

"To grant the access

you create a resource policy... and attach it to the API." It provides examples of policies that grant access based on the source VPC or VPC endpoint (aws:sourceVpce). This supports the resource policy and endpoint policy components of the answer.

3. AWS PrivateLink Guide

"Interface VPC endpoints (AWS PrivateLink)": This document explains the core technology. It states

"When you use an interface VPC endpoint

communication between your VPC and the AWS service is conducted entirely within the AWS network." This confirms that data does not traverse the public internet.

AWS Systems Manager (SSM) Session Manager provides a secure and auditable method for managing EC2 instances without needing to open inbound ports like SSH port 22. By attaching an IAM role with the AmazonSSMManagedInstanceCore policy, the EC2 instances can be managed by the Systems Manager service. Engineers can then connect via an encrypted tunnel initiated by the SSM Agent. This approach enhances security by eliminating the need for open ports in security groups and managing SSH keys. Crucially, Session Manager can be configured to log all session activity, including the commands executed and their output, to Amazon CloudWatch Logs or Amazon S3, directly fulfilling the auditing requirement.

A. EC2 Instance Connect simplifies SSH access using IAM but does not natively provide auditing for commands executed within the session. It only logs the API calls to connect via CloudTrail.

B. This approach still exposes the SSH port to the internet (or VPN), which is less secure than the Session Manager method. While OS audit logs can be sent to CloudWatch, it is a less integrated and more complex solution to manage compared to Session Manager's native logging.

C. AWS Config and Firewall Manager are used to audit and enforce the configuration of AWS resources, such as security groups. They do not provide any capability to audit the commands executed by users inside an EC2 instance.

1. AWS Systems Manager User Guide

Session Manager: "Session Manager provides secure and auditable instance management without the need to open inbound ports

manage SSH keys

or use bastion hosts." and "To meet security and operational requirements for your organization

you can choose to log session data in Amazon CloudWatch Logs or Amazon S3." (Source: AWS Documentation

AWS Systems Manager User Guide

"AWS Systems Manager Session Manager").

2. AWS Systems Manager User Guide

Logging and auditing session activity: This section details the configuration for logging session input and output. "You can audit session activity in your AWS account using AWS CloudTrail. You can also log session data in Amazon CloudWatch Logs or Amazon S3." (Source: AWS Documentation

AWS Systems Manager User Guide

"Logging and auditing session activity").

3. Amazon EC2 User Guide for Linux Instances

EC2 Instance Connect: This documentation explains that EC2 Instance Connect actions

such as SendSSHPublicKey

are logged as events in AWS CloudTrail. It does not mention logging of shell commands executed during the session. (Source: AWS Documentation

Amazon EC2 User Guide for Linux Instances

"Auditing EC2 Instance Connect using AWS CloudTrail").

4. AWS Security Blog

"Replacing a bastion host with Amazon EC2 Systems Manager": This official blog post outlines the security benefits of using Session Manager over traditional methods. It highlights the elimination of open inbound ports and the integrated logging features as key advantages for security and compliance. (Source: AWS Security Blog

"Replacing a bastion host with Amazon EC2 Systems Manager"

Nov 27

2018).

IAM Access Analyzer is a service specifically designed to identify resources, such as S3 buckets, that are shared with an external entity. When Access Analyzer detects that an S3 bucket's policy or Access Control List (ACL) has been modified to allow public access, it generates a "finding." These findings are automatically sent as events to Amazon EventBridge. By creating an EventBridge rule that listens for the Access Analyzer Finding event type and filters for findings where the isPublic attribute is true, the company can precisely capture the moment a bucket becomes publicly exposed. This rule can then be configured to send a notification to the existing SNS topic, fulfilling the requirement with a purpose-built and efficient solution.

A. Amazon S3 event notifications do not support an isPublic event type. They are designed to trigger on object-level operations (like s3:ObjectCreated:) or replication events, not on bucket-level policy changes.

C. This solution is incomplete and inaccurate. It only triggers on PutBucketPolicy API calls, missing other methods like ACL changes. More importantly, it cannot determine if the policy change actually resulted in public access.

D. While AWS Config can detect non-compliant public buckets, IAM Access Analyzer is the more direct and specialized service for identifying unintended external access. The event filtering in option B is more precise for this specific use case.

1. IAM Access Analyzer and EventBridge Integration: The AWS IAM User Guide explains how Access Analyzer findings are sent to EventBridge. It details the event pattern

which includes the isPublic boolean field within the detail object

allowing for precise filtering.

Source: AWS Identity and Access Management User Guide

"Monitoring IAM Access Analyzer findings with Amazon EventBridge"

Section: "Event pattern for an Access Analyzer finding".

2. IAM Access Analyzer Functionality: The documentation describes how Access Analyzer helps you identify resources shared with an external entity by analyzing resource-based policies. It uses logic-based reasoning to determine the potential for external and public access.

Source: AWS Identity and Access Management User Guide

"What is IAM Access Analyzer?".

3. Amazon S3 Event Notification Types: The official S3 documentation lists all supported event types for notifications. This list confirms the absence of any event type related to policy or ACL changes that would indicate a change in public accessibility.

Source: Amazon Simple Storage Service User Guide

"Amazon S3 event notifications"

Section: "Supported event types".

4. CloudTrail Events for S3: The CloudTrail documentation shows that API calls like PutBucketPolicy are logged

but the log entry itself does not contain an analysis of whether the policy grants public access. It only records that the API call occurred.

Source: AWS CloudTrail User Guide

"Logging Amazon S3 API calls by using AWS CloudTrail".

The application's primary constraint is its reliance on the SMTP protocol. To integrate with Amazon SES via SMTP, a secure, authenticated connection is mandatory. Amazon SES supports two encryption methods for its SMTP endpoint: STARTTLS and TLS Wrapper. Authentication is handled via SMTP credentials (a username and password) derived from an IAM user's access keys.

Option B correctly identifies a valid encryption mechanism (STARTTLS) and the correct authentication method (Amazon SES SMTP credentials). Although the legacy application does not natively support STARTTLS, the requirement to "modify the application" implies implementing a solution, such as a local SMTP relay, that can establish the required encrypted and authenticated connection to the SES endpoint on behalf of the application.

A. This option proposes using an IAM role for authentication. IAM roles attached to EC2 instances grant permissions for API calls, not for authenticating with the SES SMTP interface, which requires SMTP credentials.

C. This option suggests using the SES API, which violates the explicit requirement that the application can only use the SMTP protocol.

D. This option suggests using AWS SDKs. This is a form of API interaction and violates the constraint that the application is limited to using only the SMTP protocol.

---

1. Amazon SES Developer Guide - Connecting to an Amazon SES SMTP endpoint: This document specifies the connection requirements. It states

"To connect to the Amazon SES SMTP endpoint

your client application must support Transport Layer Security (TLS). We recommend that you use STARTTLS or TLS Wrapper." This supports the encryption part of option B.

Source: AWS Documentation

Amazon Simple Email Service Developer Guide

"Connecting to an Amazon SES SMTP endpoint".

2. Amazon SES Developer Guide - Obtaining Amazon SES SMTP credentials: This guide details the authentication process for the SMTP interface. It explains

"To authenticate with Amazon SES

you have to provide your SMTP credentials... You can't use your AWS access keys directly to authenticate with the SMTP server. You have to use a procedure to convert your AWS secret access key into an SMTP password." This confirms that SMTP credentials

not IAM roles directly

are required

making option B correct and A incorrect.

Source: AWS Documentation

Amazon Simple Email Service Developer Guide

"Obtaining Amazon SES SMTP credentials".

3. Amazon SES Developer Guide - Integrating Amazon SES with your existing email server: This document provides a solution for the exact scenario in the question

where a legacy application needs to connect to SES. It describes configuring an SMTP relay (like Postfix) which connects to the SES SMTP endpoint using TLS and authenticates with SMTP credentials. This validates the overall approach implied by option B.

Source: AWS Documentation

Amazon Simple Email Service Developer Guide

"Integrating Amazon SES with your existing email server".

This solution correctly implements an automated pilot light disaster recovery (DR) strategy. Amazon Route 53 with a failover routing policy is the standard mechanism for directing traffic to a backup region when a primary endpoint becomes unhealthy. The Route 53 health check provides the automated failure detection needed to trigger the failover.

Upon failure detection, an Amazon SNS notification triggers an AWS Lambda function. This function automates the recovery steps: promoting the Amazon RDS read replica to a standalone, writable primary instance and updating the Auto Scaling group's desired, minimum, and maximum capacity to scale out the application tier. This combination of services provides a robust, automated failover that meets the sub-15-minute Recovery Time Objective (RTO) without the cost of an active-active architecture.

A. Latency-based routing is designed for active-active configurations to route users to the lowest-latency region, which contradicts the budget constraint against an active-active strategy.

C. This creates a warm standby or hot standby environment by pre-provisioning instances, violating the budget constraint. Additionally, using snapshot replication for RDS has a higher RTO than promoting a read replica.

D. AWS Global Accelerator with equal weighted targets is used for active-active load balancing across regions, not the required active-passive failover scenario.

1. AWS Whitepaper

"Disaster Recovery of Workloads on AWS: Recovery in the Cloud": This paper describes the pilot light approach. It states

"The core infrastructure is running in the DR Region... In the case of disaster

you can rapidly provision a full-scale production environment around the critical core." It also mentions automating the provisioning of the infrastructure

which the Lambda function in option B accomplishes. (See section: "Pilot light")

2. Amazon Route 53 Developer Guide

"Configuring DNS failover": "You can configure DNS failover for an active-passive configuration

in which one resource (for example

a web server) serves traffic and a second resource is on standby." This directly supports the use of a failover routing policy with health checks for the described scenario. (See section: "Active-passive failover")

3. Amazon RDS User Guide

"Promoting a read replica to be a standalone DB instance": The documentation details the process of promoting a read replica

which is a key step in the failover process. It notes

"You can promote a read replica into a standalone DB instance. When you promote a read replica

the DB instance is rebooted before it becomes available." This is the action the Lambda function would perform. (See section: "Promoting a read replica")

4. AWS Well-Architected Framework

"Reliability Pillar" whitepaper: This document discusses DR strategies. It highlights the use of health checks for failure detection and automated recovery actions. "Automate recovery: Use health checks to detect failures and automatically route around the failure... Use services like Route 53... to automate your recovery." (See section: "REL 12: How do you plan for disaster recovery (DR)?")

The most precise source of chargeable usage is the AWS Cost and Usage Report (CUR).

For resources in an AWS Organization, a user-defined tag must be activated in the management (payer) account before it appears in all member accounts’ cost data. After activation, the consolidated CUR that the management account creates and stores in an S3 bucket contains line-item costs broken down by that tag, allowing the company to sum the costCenter = compliance lines and cross-charge the compliance team accurately.

B. Member accounts cannot activate cost allocation tags; separate CURs and a Lambda aggregation add unnecessary complexity and possible inaccuracies.

C. Tag activation must be done in the management account, not in members; otherwise the tag data will not appear in the CUR.

D. Trusted Advisor provides optimization checks, not detailed cost reports by tag; it cannot generate a billing summary filtered on user-defined tags.

1. AWS Billing and Cost Management User Guide – “Activating user-defined cost allocation tags” (Only the management account can activate tags for the organization) – 2023-11-15

Section “Cost allocation tags”.

2. AWS Cost and Usage Reports User Guide – “Using Cost Allocation Tags in CUR” (CUR includes tag columns once activated) – 2023-10-05

Paragraph 2.

3. AWS Organizations Documentation – “Consolidated Billing and Cost allocation tags” (Tag activation in payer account applies to all member accounts) – 2023-09-12

Section “Sharing cost data across the organization”.

This solution provides a near-real-time, serverless, and scalable pipeline for streaming network traffic data to Splunk. VPC Flow Logs capture the required IP traffic information. Publishing these logs to CloudWatch Logs enables the use of a Subscription Filter, which forwards log events in near-real time to a Kinesis Data Firehose delivery stream. Kinesis Data Firehose is designed for this purpose and has a native, managed destination for Splunk. The optional Lambda function within Firehose allows for in-flight transformation of the log data to decompress and format it correctly for ingestion by Splunk, completing the end-to-end streaming architecture.

A. Exporting logs from CloudWatch to Amazon S3 is a batch process that can have significant delays (up to 12 hours), which violates the near-real-time requirement.

C. This approach is overly complex, relies on application-level logging instead of network-level data, and uses a multi-step batch process (S3 export, Athena query) that does not meet the near-real-time requirement.

D. This option unnecessarily adds Amazon Kinesis Data Analytics for anomaly detection. The requirement is to monitor which instances are connected, not to detect anomalies, making this solution overly complex and misaligned with the goal.

1. Amazon Kinesis Data Firehose Developer Guide: The guide explicitly details using Splunk as a destination. It states

"Amazon Kinesis Data Firehose can send data to Splunk as a destination... Kinesis Data Firehose sends data to Splunk HTTP Event Collector (HEC) in a serverless and scalable way." This supports the core mechanism in the correct answer. (See: Developer Guide -> Choosing a Destination for Your Amazon Kinesis Data Firehose Delivery Stream -> Splunk Destination)

2. Amazon CloudWatch Logs User Guide: This document explains how subscription filters provide a real-time feed of log events. "You can use subscription filters to get a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as an... Amazon Kinesis Data Firehose stream... for custom processing

analysis

or loading to other systems." This confirms the near-real-time streaming capability. (See: User Guide -> Subscriptions -> Real-time processing of log data with subscriptions)

3. Amazon VPC User Guide: This document confirms that VPC Flow Logs can be published to CloudWatch Logs

which is the first step in the correct pipeline. (See: User Guide -> VPC Flow Logs -> Publish flow logs to CloudWatch Logs)

4. AWS Documentation - Data transformation with AWS Lambda: This document describes the pattern of using a Lambda function for data transformation within a Kinesis Data Firehose stream

which is a necessary step for processing CloudWatch Logs data. "You can enable Kinesis Data Firehose data transformation to invoke your Lambda function to transform incoming source data and deliver the transformed data to destinations." (See: Amazon Kinesis Data Firehose Developer Guide -> Data Transformation with AWS Lambda)

The scenario requires a solution that can handle millions of small record ingestions per minute with low-latency retrieval and automatic deletion after 120 days, all while being cost-effective. Amazon DynamoDB is a fully managed NoSQL database service that provides single-digit millisecond latency at any scale, making it ideal for this high-throughput use case. Its Time to Live (TTL) feature allows for the automatic, no-cost deletion of items after a specified timestamp, perfectly matching the 120-day data retention requirement. This combination of performance, scalability, and built-in lifecycle management makes it the most suitable and cost-effective choice.

A. Storing millions of individual small files in Amazon S3 is inefficient and costly due to the high number of PUT requests. It does not provide low-latency indexed retrieval for individual records.

C. An Amazon RDS database would be expensive to scale for this level of write throughput. Running a nightly DELETE query on a massive table is resource-intensive and can severely impact database performance.

D. While batching improves S3 write costs, retrieving a single small record from within a larger batched object is not a low-latency operation and is more complex than a direct database lookup.

1. Amazon DynamoDB Developer Guide - Time to Live (TTL): "DynamoDB Time to Live (TTL) allows you to define a per-item timestamp to determine when an item is no longer needed... DynamoDB deletes expired items automatically without consuming any write throughput." This directly supports the cost-effective

automatic deletion requirement. (Source: AWS Documentation

Amazon DynamoDB Developer Guide

section "Time to Live (TTL)").

2. AWS Whitepaper - "Streaming Data Solutions on AWS with Amazon Kinesis": This paper often discusses patterns where high-volume streaming data is persisted to DynamoDB for real-time access. It states

"Amazon DynamoDB is a fast and flexible NoSQL database service for any scale... It is a great fit for mobile

web

gaming

ad-tech

and IoT use cases that need low-latency data access." This aligns with the question's performance requirements. (Source: AWS Whitepapers & Guides).

3. Amazon S3 User Guide - "Best practices design patterns: optimizing Amazon S3 performance": The documentation advises against using a large number of small objects

stating that batching smaller files into larger objects is a recommended pattern to optimize performance and cost

which contradicts the approach in option A and highlights the retrieval latency issue in option D. (Source: AWS Documentation

Amazon S3 User Guide

section "Best practices design patterns: optimizing Amazon S3 performance").

4. Amazon RDS User Guide - "Best practices for Amazon RDS": RDS is optimized for relational

transactional workloads. The guide focuses on scaling for complex queries and data consistency

not the high-velocity

ephemeral key-value ingestion pattern described in the question

which would be cost-prohibitive on RDS. (Source: AWS Documentation

Amazon RDS User Guide

section "Best practices for Amazon RDS").

This solution correctly addresses both multi-region ingestion and storage for business continuity. For ingestion, creating custom domain configurations for AWS IoT Core in each region and using an Amazon Route 53 failover routing policy with health checks provides a robust, automated failover mechanism. If the primary region's IoT endpoint becomes unhealthy, Route 53 will automatically redirect sensor traffic to the secondary region. For storage, converting the Amazon DynamoDB table to a global table is the standard, fully managed solution for maintaining a multi-region, multi-active database. It automatically handles data replication between the specified regions, ensuring data is available in both locations as required.

A. Migrating to Amazon Aurora is an unnecessary architectural change; the requirement is to make the existing DynamoDB-based solution multi-region.

B. Latency-based routing optimizes for performance, not for failover, which is the core business continuity requirement. It also incorrectly suggests migrating to MemoryDB.

D. Latency-based routing is inappropriate for a failover scenario. While DynamoDB Streams can be used for replication, global tables are the superior, managed solution for this use case.

1. AWS IoT Core Multi-Region with Failover: The AWS IoT Blog describes this exact pattern: "To achieve this

you can use Amazon Route 53 with a failover routing policy. You can create a health check that monitors the health of your primary region’s endpoint. If the health check fails

Route 53 automatically routes traffic to your secondary region’s endpoint."

Source: AWS IoT Blog

"Implementing multi-region AWS IoT Core with disaster recovery"

Section: "Solution overview".

2. DynamoDB Global Tables: The official documentation states that global tables are the recommended solution for multi-region

multi-active workloads. "Amazon DynamoDB global tables provide a fully managed solution for deploying a multi-region

multi-active database...".

Source: AWS DynamoDB Developer Guide

"Global Tables"

Introduction section.

3. Route 53 Failover Routing Policy: The documentation clarifies the use case for failover routing. "Failover routing lets you route traffic to a resource when the resource is healthy or to a different resource when the first resource is unhealthy." This is distinct from latency routing.

Source: Amazon Route 53 Developer Guide

"Choosing a routing policy"

Section: "Failover routing".

4. AWS IoT Core Custom Domains: Using custom domains is a prerequisite for managing endpoints with Route 53 for failover. "Domain configurations for AWS IoT Core allow you to create a custom domain and use it for your device data endpoint."

Source: AWS IoT Core Developer Guide

"Custom domains"

Introduction section.

A Lambda function connected to a VPC is placed in a private subnet and does not have a public IP address, preventing it from accessing the internet directly. To meet the requirement of a single, static public source IP for an external service's allow list, a NAT gateway is the appropriate solution. The NAT gateway is deployed in a public subnet and is assigned a static Elastic IP address. The route table for the private subnet where the Lambda function resides is then configured to send all outbound internet traffic (0.0.0.0/0) to the NAT gateway. This ensures all egress traffic from the Lambda function originates from the single, predictable Elastic IP address of the NAT gateway.

B. An egress-only internet gateway is used to provide outbound internet access for resources with IPv6 addresses, not IPv4 as required by the question.

C. An Elastic IP address cannot be directly associated with an internet gateway. It is associated with a network interface, such as one on a NAT gateway or an EC2 instance.

D. An internet gateway provides two-way internet access for resources in a public subnet but does not provide a single, static source IP for a scalable resource like a Lambda function.

1. AWS Documentation - NAT gateways: "You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services

but prevent the internet from initiating a connection with those instances... To create a NAT gateway

you must specify the public subnet in which to create the NAT gateway and an Elastic IP address to associate with the NAT gateway." (AWS Documentation

VPC User Guide

"NAT gateways"

Introduction section).

2. AWS Documentation - Configure a Lambda function to access resources in a VPC: "If your function needs to access the internet

you can use a network address translation (NAT) device... To give your function internet access

route outbound traffic to a NAT gateway in a public subnet." (AWS Documentation

AWS Lambda Developer Guide

"Configuring a Lambda function to access resources in a VPC"

Internet and service access for VPC-connected functions section).

3. AWS Documentation - Elastic IP addresses: "An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account

and is yours until you release it." (AWS Documentation

Amazon EC2 User Guide for Linux Instances

"Elastic IP addresses"

Elastic IP addresses section).

Service Control Policies (SCPs) are the most operationally efficient mechanism for enforcing permission guardrails across all accounts in an AWS Organization. By applying an SCP at the organization's root, you can centrally mandate that any attempt to create an S3 access point (s3:CreateAccessPoint action) will fail unless its network origin is restricted to a VPC. This is achieved by using the s3:AccessPointNetworkOrigin condition key with a value of VPC. This single policy is inherited by all accounts, providing a non-overridable, scalable, and efficient governance solution without requiring configuration in individual accounts.

A. An S3 access point resource policy controls access permissions to an existing access point, not the permissions required for its creation.

C. While CloudFormation StackSets can deploy IAM policies, this is less efficient and secure than an SCP. It requires managing policy attachments and can be overridden by administrators within member accounts.

D. An S3 bucket policy governs access to the bucket and its objects. It cannot be used to control the account-level s3:CreateAccessPoint action.

1. AWS Organizations User Guide

Service Control Policies (SCPs): "SCPs are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization." (See the "Service Control Policies (SCPs)" section).

2. AWS Identity and Access Management User Guide

Actions

resources

and condition keys for Amazon S3: The documentation for the s3:AccessPointNetworkOrigin condition key states

"Filters access by the network origin of the access point. This key can be used to allow access point creation only if the network origin is VPC." (See the "Condition keys for Amazon S3" section).

3. Amazon S3 User Guide

Example — Requiring VPC-only S3 access points: This guide provides a direct example of the required SCP: "To require that all S3 access points created in the organization are VPC-only access points

you can use a service control policy (SCP) in AWS Organizations." The example policy provided is a direct solution to the question's scenario. (See the "Managing access to S3 access points" section).

AWS Serverless Application Model (SAM) combined with AWS CodeDeploy provides a robust framework for automating serverless deployments. This solution directly addresses the requirements by enabling gradual deployments (Canary or Linear) for AWS Lambda functions. This strategy shifts traffic incrementally to the new version, minimizing the impact of potential errors. CodeDeploy can be configured with pre-traffic and post-traffic test functions to validate the deployment at different stages. Crucially, it integrates with Amazon CloudWatch alarms to automatically trigger a rollback to the previous stable version if error metrics exceed a defined threshold, significantly reducing the time to detect and revert failures.

A. AWS CloudFormation change sets allow for previewing changes but do not provide gradual traffic shifting or automated, alarm-based rollbacks for Lambda functions.

C. Refactoring the CLI script is a minor improvement to the existing manual process and does not introduce gradual deployment or automated rollback capabilities based on monitoring.

D. Creating a new API Gateway and changing the CloudFront origin for each deployment is slow, operationally complex, and inefficient, increasing deployment and rollback times.

1. AWS Lambda Developer Guide: In the section "Deploying serverless applications gradually

" it states

"AWS SAM uses AWS CodeDeploy to automate the process of shifting traffic between two function versions... You can configure CloudWatch alarms to monitor for errors and trigger an automatic rollback if an alarm is tripped." This directly supports the use of SAM

CodeDeploy

and CloudWatch alarms for safe

automated deployments. (Source: AWS Lambda Developer Guide

Chapter: "Deploying Lambda-based applications"

Section: "Deploying serverless applications gradually").

2. AWS Serverless Application Model (SAM) Developer Guide: The DeploymentPreference property of the AWS::Serverless::Function resource is used to specify deployment settings. It includes options for Type (e.g.

Canary10Percent5Minutes)

Alarms (a list of CloudWatch alarms to trigger a rollback)

and Hooks (PreTraffic and PostTraffic for validation Lambda functions). (Source: AWS SAM Developer Guide

Section: "AWS::Serverless::Function"

Property: DeploymentPreference).

3. AWS CodeDeploy User Guide: The section "Automated rollbacks for Lambda deployments" explains

"You can configure a deployment group to automatically roll back deployments when a CloudWatch alarm that you have specified is activated." This confirms the automated rollback mechanism central to the correct answer. (Source: AWS CodeDeploy User Guide

Section: "Working with deployments in CodeDeploy"

Subsection: "Automated rollbacks for Lambda deployments").

This solution correctly uses a Network Load Balancer (NLB), which is designed for high-performance TCP traffic (Layer 4) and is highly available by default across multiple Availability Zones. A key feature of the NLB is its ability to be assigned a static Elastic IP (EIP) address per Availability Zone. This provides the fixed, predictable IP addresses required for other companies to add to their allow lists. Using an Amazon Route 53 alias record to point the custom domain name (myservice.com) to the NLB's DNS name is the recommended, efficient, and highly available method for DNS resolution.

A. This architecture is not highly available. Pointing the DNS record directly to the EC2 instances' EIPs bypasses the load balancer, meaning if an instance fails, traffic will still be sent to its IP, causing an outage.

B. This option describes an incorrect configuration. You register targets (like instances or IP addresses), not an "ECS cluster name," with a target group. Furthermore, ECS tasks on Fargate or EC2 with dynamic port mapping do not have fixed public IPs.

D. An Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and is not the optimal choice for generic TCP traffic. Crucially, ALBs do not support static EIPs; their IP addresses change, which violates the fixed address requirement.

1. AWS Documentation

Network Load Balancer User Guide: "A Network Load Balancer provides a single point of contact for clients. [...] If you enable a subnet for the load balancer

Elastic Load Balancing creates a load balancer node in the Availability Zone. [...] For an internet-facing load balancer

you can optionally associate one Elastic IP address per subnet." This confirms that NLBs can have a static EIP per AZ. (Source: Elastic Load Balancing User Guide

Section: "Network Load Balancers"

Sub-section: "Load balancer nodes").

2. AWS Documentation

Network Load Balancer User Guide: "You can create a TCP listener

which checks for connection requests from clients using the protocol and port that you configure." This confirms NLB is the correct choice for TCP traffic. (Source: Elastic Load Balancing User Guide

Section: "Listeners for your Network Load Balancer"

Sub-section: "Listener configuration").

3. AWS Documentation

Amazon Route 53 Developer Guide: "Route 53 alias records provide a Route 53–specific extension to DNS functionality. Alias records let you route traffic to selected AWS resources

such as [...] Elastic Load Balancing load balancers. [...] Unlike a CNAME record

you can create an alias record at the zone apex (e.g.

example.com)." This supports using an Alias record to point to the NLB. (Source: Amazon Route 53 Developer Guide

Chapter: "Working with records"

Section: "Choosing between alias and non-alias records").

4. AWS Documentation

Application Load Balancer User Guide: "An Application Load Balancer operates at the request level (layer 7)

routing traffic to targets [...] based on the content of the request." The guide also implicitly confirms the lack of static IP support

as this feature is exclusive to NLBs. (Source: Elastic Load Balancing User Guide

Section: "What is an Application Load Balancer?").

The primary performance issue is the large number of database connections opened by the Lambda function under high load, which can exhaust database resources.

Amazon RDS Proxy is a fully managed, highly available database proxy that is designed to solve this problem. It establishes and manages a pool of database connections, allowing Lambda functions to reuse connections from the pool. This significantly reduces the stress on the database and improves scalability. Using the reader endpoint with RDS Proxy correctly directs read-only queries to the read replicas.

Additionally, moving the database connection logic outside the Lambda function's event handler is a critical best practice. This allows the connection to be established during the execution environment's initialization phase and reused across multiple invocations, reducing the overhead and frequency of creating new connections.

A. The cluster endpoint directs traffic to the primary (writer) instance. Sending read-only queries here would bypass the read replicas, failing to utilize them and potentially overloading the writer.

C. Provisioned Concurrency reduces cold start latency by keeping function instances warm. It does not solve the underlying problem of connection exhaustion and could even worsen it by enabling more concurrent connections.

E. An edge-optimized API Gateway endpoint is for geographically distributed users. The scenario states users are close to the deployment Region, making the current Regional endpoint the more performant choice.

1. Amazon RDS Proxy: AWS Documentation

"Managing connections with Amazon RDS Proxy

" states

"RDS Proxy allows applications to pool and share connections established with the database. This improves database efficiency and application scalability... It is especially well-suited for serverless applications such as those built on AWS Lambda".

Source: AWS Documentation

Amazon RDS User Guide

"Using Amazon RDS Proxy

" "Managing connections with Amazon RDS Proxy."

2. Lambda Connection Management: AWS Documentation

"Best practices for working with AWS Lambda functions

" advises

"Initialize database connections outside of the function handler... subsequent invocations processed by the same instance of your function can reuse these resources."

Source: AWS Documentation

AWS Lambda Developer Guide

"Best practices for working with AWS Lambda functions

" "Manage database connections."

3. Aurora Endpoints: AWS Documentation explains that the reader endpoint provides load-balancing for read-only connections across Aurora Replicas. The cluster endpoint connects to the primary instance for write operations.

Source: AWS Documentation

Amazon Aurora User Guide

"Amazon Aurora connection management

" "Aurora endpoints."

4. API Gateway Endpoints: AWS Documentation clarifies that Regional endpoints are best for clients in the same AWS Region

while edge-optimized endpoints are better for geographically distributed clients.

Source: AWS Documentation

Amazon API Gateway Developer Guide

"Choosing an API Gateway API endpoint type to set up

" "Comparing edge-optimized and Regional API endpoints."

This solution follows the principle of least privilege and standard AWS best practices for cross-account access within an organization. The OrganizationAccountAccessRole provides administrative access from the management account into member accounts. This administrative role should be used to provision a new, separate IAM role in each member account with only the required read-only permissions. This new role's trust policy is configured to explicitly allow the security account to assume it. This separates administrative setup from routine auditing, ensuring the security team has only the access they need, and the process can be automated and managed centrally from the management account.

A. A trust relationship is established with an IAM principal (like a role), not an IAM policy. Policies define permissions and are attached to principals.

C. The OrganizationAccountAccessRole exists in member accounts to be assumed by the management account, not the other way around. The role is not present in the management account.

D. The default trust policy for the OrganizationAccountAccessRole only allows the management account to assume it. The security account would be denied access without modifying this trust policy first.

1. AWS IAM User Guide

"Tutorial: Delegate access across AWS accounts using IAM roles": This tutorial details the standard procedure for creating a role in a target account (the member account) that trusts a principal in another account (the security account) to assume it. This directly supports the methodology described in the correct answer (B).

2. AWS Organizations User Guide

"Accessing and administering the member accounts in your organization": This section explains that when you create a member account

AWS Organizations creates the OrganizationAccountAccessRole within that member account. The documentation states

"By default

only the management account can assume this role." This directly refutes the viability of option D.

3. AWS IAM User Guide

"Role terms and concepts"

Section: "Trust policy": This section clarifies that a role trust policy is a required part of an IAM role that "defines which principals (accounts

users

roles

and federated users) can assume the role." This confirms that trust is established with a role

not a policy

invalidating the premise of option A.

https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html

- Export an OVF Template

- Create / use an Amazon S3 bucket for storing the exported images. The bucket must be in the

Region where you want to import your VMs.

- Create an IAM role named vmimport.

- You'll use AWS CLI to run the import commands.

https://aws.amazon.com/premiumsupport/knowledge-center/import-instances/

To deploy a CloudFormation template across all accounts in an AWS Organization, a StackSet must be created in the management account. Since trusted access with AWS Organizations is enabled, the solutions architect should use service-managed permissions. This model simplifies deployment by allowing AWS CloudFormation to automatically create the necessary IAM service-linked roles in the target accounts. The deployment target should be set to the entire organization to ensure all current and future member accounts are included. Enabling automatic deployment ensures that when a new account joins the organization, the CloudFormation stack is automatically deployed to it, fulfilling the requirement to have the SNS topic in all accounts.

A. StackSets are created in the administrator (management) account, not in the member accounts. Drift detection is a monitoring feature, not a deployment mechanism.

B. This option incorrectly suggests creating individual stacks instead of a StackSet for automation. It also incorrectly recommends self-service permissions when service-managed is appropriate given trusted access is enabled.

D. This option incorrectly refers to creating "stacks" in the management account for organization-wide deployment, which is the function of a "stack set".

1. AWS CloudFormation User Guide: "With service-managed permissions

you can deploy stack sets to AWS accounts in your organization by using a service-linked role. The necessary IAM roles are deployed automatically in the target accounts... You can create stack sets with service-managed permissions only from the organization's management account."

Source: AWS CloudFormation User Guide

Section: "Create a stack set with service-managed permissions".

2. AWS CloudFormation User Guide: "When you create a stack set with service-managed permissions

you can specify that stacks are automatically deployed to accounts that are added to the target organization or organizational units (OUs) in the future. This is managed by the AutoDeployment property."

Source: AWS CloudFormation User Guide

Section: "Create a stack set with service-managed permissions"

Sub-section: "Automatic deployment".

3. AWS Organizations User Guide: "When you enable trusted access with an AWS service

that service can create a service-linked role in every account in your organization... AWS CloudFormation StackSets uses service-linked roles to let you deploy stacks to accounts throughout your organization."

Source: AWS Organizations User Guide

Section: "Using AWS Organizations with other AWS services"

Sub-section: "AWS CloudFormation StackSets".

Migration Evaluator is a complimentary AWS service specifically designed to create a data-driven business case for migrating to AWS. It analyzes on-premises server inventory and utilization data to provide a projected total cost of ownership (TCO) and right-sizing recommendations. The service directly supports importing data from existing sources, such as a CMDB export, using a provided data import template. This aligns perfectly with the scenario's requirements and is the most cost-effective method as the service itself is offered at no charge.

A. The AWS Well-Architected Tool is used to review existing or planned AWS workloads against best practices, not to create a migration business case from on-premises inventory data.

C. This describes a manual, custom-built solution. It would require significant development effort to create matching rules and integrate with the API, making it far from the most cost-effective option.

D. AWS Application Discovery Service is used to collect data about on-premises servers. Since the CMDB data is already available, this service is not needed for the primary task of analysis and business case generation.

1. AWS Migration Evaluator Documentation: "Migration Evaluator helps you create a data-driven business case for AWS cloud planning and migration... You can import data from any source using our import template

including inventory and performance data from your configuration management database (CMDB)... Migration Evaluator is offered to all AWS customers at no charge."

Source: AWS Migration Evaluator

"How it works" and "FAQs" sections.

2. AWS Well-Architected Tool Documentation: "The AWS Well-Architected Tool (AWS WA Tool) helps you review the state of your workloads and compares them to the latest AWS architectural best practices."

Source: AWS Well-Architected Tool

"What is the AWS Well-Architected Tool?" section.

3. AWS Application Discovery Service Documentation: "AWS Application Discovery Service helps you plan your migration to the AWS Cloud by collecting usage and configuration data about your on-premises servers."

Source: AWS Application Discovery Service

"What is AWS Application Discovery Service?" section.

4. AWS Price List Service API Documentation: "The AWS Price List Service API (AWS Price List Service) is a centralized and convenient way to programmatically query AWS for services

products

and pricing information."

Source: AWS Price List Service API Reference

"Welcome" section. This reference highlights its nature as a programmatic tool for developers

implying custom effort is required.

The most effective solution is to use a Lambda@Edge function triggered by an origin-response event. This event occurs after CloudFront receives the image from the S3 origin but before it caches the object and sends it to the user. This is the ideal point to execute the Python detection logic. If the image is found to be corrupt, the Lambda function can modify the response in real-time, for instance, by replacing it with a default "image not available" placeholder or returning an error. This approach directly prevents the corrupt image from being served to the user or stored in the CloudFront cache, ensuring a good user experience with minimal latency during the serving process.

A. A viewer-response event is triggered after the response has been sent to the viewer. It is too late to inspect or change the image content at this stage.

C. An S3 event notification is asynchronous. A user could request and CloudFront could cache the corrupt image before the Lambda function finishes its check, failing to prevent the poor user experience.

D. Using Step Functions with an S3 event notification adds unnecessary complexity and latency for a simple validation task. It shares the same fundamental timing issue as option C.

1. AWS Documentation - Lambda@Edge Function Triggers: The documentation describes the four types of CloudFront events. For the origin-response event

it states

"This event occurs when the CloudFront server receives a response from the origin... You can use this event to modify the object that is returned by the origin before CloudFront caches the object." This confirms that this is the correct trigger to inspect and alter content from the origin.

Source: AWS Documentation

Developer Guide: Lambda@Edge

Section: "Using CloudFront events to trigger a Lambda function".

2. AWS Documentation - Invoking Lambda@Edge functions in response to events: This guide details the request and response flow. The diagram for an "Origin-response event" clearly shows the Lambda function executing after the response is received from the origin (S3) and before the response is sent to the viewer

which is precisely what is required.

Source: AWS Documentation

Developer Guide: CloudFront

Section: "How Lambda@Edge works with CloudFront".

3. AWS Documentation - Using AWS Lambda with Amazon S3: This document explains that S3 event notifications invoke Lambda functions asynchronously. "Amazon S3 invokes your function asynchronously with an event that contains details about the object." This asynchronicity creates a potential race condition where a corrupt object could be served before it is checked

making it less suitable than the synchronous Lambda@Edge approach for this use case.

Source: AWS Documentation

Developer Guide: AWS Lambda

Section: "Using AWS Lambda with Amazon S3".

The core problem is the on-premises data center's internet bandwidth being saturated by remote employees accessing on-premises Windows file shares. The optimal solution is to move both the file shares and the VPN access point to AWS.

Migrating the home directories to Amazon FSx for Windows File Server (B) moves the data to a fully managed, native Windows file system on AWS. This eliminates the need for an on-premises file server.

Migrating remote users to AWS Client VPN (D) provides a managed VPN solution that allows users to connect directly to the AWS environment.

Combining these two steps means remote users connect via AWS Client VPN to access their files on Amazon FSx, completely bypassing the on-premises data center. This directly reduces data center bandwidth usage, supports growth, and minimizes operational overhead by using managed services.

A. A Volume Gateway provides block storage to an on-premises server; users would still connect to the on-premises data center, not solving the bandwidth issue.

C. Amazon FSx for Lustre is a high-performance file system for workloads like HPC and is not the appropriate service for general-purpose Windows home directories.

E. AWS Direct Connect establishes a dedicated connection between the on-premises data center and AWS but does not solve the ingress bandwidth bottleneck from remote users.

1. Amazon FSx for Windows File Server Documentation: "Amazon FSx for Windows File Server provides fully managed

highly reliable

and scalable file storage that is accessible over the industry-standard Server Message Block (SMB) protocol. ... Common use cases include home directories

user shares

and application file shares."

Source: AWS Documentation

"What is Amazon FSx for Windows File Server?"

Introduction.

2. AWS Client VPN Documentation: "AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN

you can access your resources from any location using an OpenVPN-based VPN client."

Source: AWS Documentation

"What is AWS Client VPN?"

Introduction.

3. Comparing Amazon FSx for Windows File Server and Amazon FSx for Lustre: "FSx for Windows File Server is designed for a broad set of Windows-based applications and workloads... FSx for Lustre is designed for speed and is ideal for high-performance computing (HPC)

machine learning

and media data processing workflows."

Source: AWS Documentation

"Amazon FSx - FAQs"

"When should I use Amazon FSx for Windows File Server vs. Amazon FSx for Lustre?".

4. AWS Storage Gateway (Volume Gateway) Documentation: "A volume gateway represents the family of gateways that support block-based volumes

previously referred to as gateway-cached and gateway-stored volumes. ... You can back up your local data to the volumes in AWS." This confirms it provides block storage to on-premises applications

not a direct file access solution for remote users.

Source: AWS Documentation

"How Volume Gateway works".

This solution directly addresses all the requirements with the least development effort. Creating an Auto Scaling group with an Application Load Balancer makes the stateless application tier highly available and scalable, resolving the 100% CPU issue. Migrating the database to Amazon Aurora MySQL provides high availability for the data tier with minimal application changes, as Aurora is wire-compatible with MySQL. Including the AWS Systems Manager (SSM) Agent in the new AMI allows for automated patching using Patch Manager, which eliminates the downtime caused by manual patching. This approach modernizes the infrastructure without requiring significant application code refactoring, thus minimizing development time.

A. Migrating the application to AWS Lambda and the database to Amazon DocumentDB (NoSQL) would require a complete application rewrite and data model redesign, which is a significant development effort.

B. Migrating the database from MySQL to Amazon DynamoDB (NoSQL) would require substantial application code changes to adapt to a different data model, violating the "least development time" requirement.

C. Containerizing the application with Docker/ECS and migrating the database to Amazon Neptune (a graph database) are both major architectural changes that demand extensive development time and are inappropriate for a standard relational workload.

1. Amazon Aurora & MySQL Compatibility: AWS Documentation states

"Amazon Aurora is a MySQL and PostgreSQL-compatible relational database... The code

applications

and drivers you already use today with your MySQL databases can be used with Aurora with little or no change." This supports the low-effort database migration.

Source: AWS Documentation

"Amazon Aurora

" Features section.

2. Auto Scaling Groups for High Availability: AWS Documentation explains that Auto Scaling groups help ensure application availability by maintaining a desired number of instances and automatically replacing unhealthy ones.

Source: AWS Documentation

"What is Amazon EC2 Auto Scaling?

" Auto Scaling groups section.

3. AWS Systems Manager Patch Manager: The official documentation specifies that the SSM Agent is a prerequisite for using Patch Manager to automate the process of patching managed nodes. This directly addresses the manual patching problem.

Source: AWS Documentation

"AWS Systems Manager User Guide

" Section: "Patch Manager prerequisites."

4. Application Load Balancer with Auto Scaling: The documentation details how an Application Load Balancer distributes incoming traffic across multiple targets

such as EC2 instances in an Auto Scaling group

which is a standard pattern for achieving high availability and scalability.

Source: AWS Documentation

"Elastic Load Balancing User Guide

" Section: "What Is an Application Load Balancer?" and "Tutorial: Create an Application Load Balancer."

The most effective and standard solution is to use AWS Resource Access Manager (AWS RAM) to share the Transit Gateway from the shared services account with the development account. Once the resource share is accepted, the development team can see the shared Transit Gateway and create VPC attachments to it from within their own account. Enabling the "auto-accept shared attachments" feature on the Transit Gateway streamlines this process by automatically approving these connection requests. This architecture directly empowers the development team to manage their own connectivity as resources are recreated, fulfilling all the requirements with a native, scalable, and secure AWS pattern.

A. Transit Gateway peering is for connecting two separate Transit Gateways, typically across regions. Creating a new Transit Gateway in the development account is unnecessary cost and complexity for this use case.

C. A VPC endpoint (using AWS PrivateLink) is designed to provide private access to specific services, not for establishing general network routing between entire VPCs, which is the function of a Transit Gateway.

D. This proposes a complex, custom-coded solution using EventBridge and Lambda to replicate functionality that is already built into the Transit Gateway's "auto-accept shared attachments" feature, making it unnecessarily complicated.

1. AWS Documentation: Transit Gateway Guide

"Share a transit gateway": "To share a transit gateway that you own with other AWS accounts

you can use AWS Resource Access Manager (AWS RAM). AWS RAM is a service that enables you to share your AWS resources with any AWS account or through AWS Organizations." This document outlines the exact process described in the correct answer.

2. AWS Documentation: Transit Gateway Guide

"Work with transit gateway attachments": Under the "Accept a VPC attachment" section

it states

"To automatically accept cross-account attachments

the transit gateway owner can enable auto-accept shared attachments for the transit gateway." This directly supports the automation aspect of the correct answer.

3. AWS Documentation: AWS Resource Access Manager User Guide

"Sharing your AWS resources": This guide provides the foundational concepts for sharing resources like Transit Gateways. It explains that the consumer account (the development account) can work with the shared resource as if it were their own.

4. AWS Whitepaper: "Building a Scalable and Secure Multi-VPC AWS Network Infrastructure": This whitepaper describes the hub-and-spoke model using a central Transit Gateway. It explicitly details the use of AWS RAM to share the Transit Gateway from a central networking account to spoke accounts (p. 15-16)

establishing this as a best-practice architecture.

The scenario describes a user-specific failure in a SAML 2.0 federation setup. Since the architect's access works, the fundamental connection between the on-premises Identity Provider (IdP) and AWS is functional. The issue likely lies in the configuration specific to the test users.

The three critical checkpoints for this scenario are:

1. IdP Assertion Mapping (F): The on-premises IdP must be configured to generate a SAML assertion that includes claims mapping the authenticated test users (or their groups) to a specific IAM role. A failure here means AWS never receives the instruction to grant the test users a role.

2. IAM Role Trust Policy (B): The destination IAM role must have a trust policy that explicitly designates the SAML provider as a trusted principal. This allows the role to be assumed by users authenticated by that IdP.

3. STS API Call (D): The federated web portal must correctly use the SAML assertion from the IdP to call the AssumeRoleWithSAML API, passing the correct role ARN and provider ARN. This is the action that exchanges the assertion for temporary AWS credentials.

A. SAML federation is for authenticating external identities, not for granting permissions to existing IAM users. This concept is misapplied.

C. The specific group name "AWSFederatedUsers" is arbitrary. The core issue is the correct mapping of any group to a role, not membership in a specifically named group.

E. The authentication flow does not require AWS to connect to the on-premises IdP. The user's browser mediates the communication between the IdP and AWS endpoints.

1. AWS Identity and Access Management User Guide. "Configuring a role for SAML 2.0 federation." This guide specifies that the role's trust policy must identify the SAML provider as the principal. This supports option B. The example policy shows: "Principal": { "Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME" }.

2. AWS Identity and Access Management User Guide. "Configuring SAML assertions for the authentication response." This section details the required claims within the SAML assertion

such as https://aws.amazon.com/SAML/Attributes/Role

which maps the user to an IAM role and SAML provider. This directly supports option F.

3. AWS Security Token Service API Reference. "AssumeRoleWithSAML." The documentation for this API action confirms that it is the mechanism used to obtain temporary security credentials using a SAML assertion. It requires the RoleArn

PrincipalArn (the SAML provider ARN)

and the SAMLAssertion as parameters

which supports the check described in option D.

4. AWS Security Blog. "How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS." The blog post outlines the end-to-end flow

stating

"The application then calls the AWS STS AssumeRoleWithSAML API and passes the SAML assertion

the ARN of the SAML provider

and the ARN of the IAM role to assume." This confirms the process described in options B

D

and F.

AWS CodeArtifact is a fully managed artifact repository service that makes it easy for organizations to securely store, publish, and share software packages. It can be configured with an external connection to public repositories like the Python Package Index (PyPI). By creating a CodeArtifact repository and connecting it to PyPI, you create a private, managed proxy for the required packages.

Access to this CodeArtifact repository can be secured within the VPC using an interface VPC endpoint. This allows the SageMaker instances to pull packages from your CodeArtifact repository without requiring any route to the public internet, thus satisfying the strict requirement that the instances remain isolated. The Python client (pip) on the instances is then configured to use the CodeArtifact repository endpoint instead of the public PyPI URL.

A: AWS CodeCommit is a source control service, not a package repository. Manually synchronizing packages would be operationally complex and is not the intended use of the service.

B: A NAT gateway provides general outbound internet access, which directly violates the requirement that the SageMaker instances remain isolated from the internet.

C: A NAT instance, like a NAT gateway, provides a route to the public internet, which contradicts the core security requirement of keeping the instances isolated.

1. AWS CodeArtifact User Guide

"Connect a CodeArtifact repository to a public repository": This document explains how to configure a CodeArtifact repository with an external connection to public repositories such as PyPI. It states

"When you connect a CodeArtifact repository to a public repository... CodeArtifact can fetch packages from the public repository on demand."

2. AWS CodeArtifact User Guide

"Using CodeArtifact with VPC endpoints": This section details how to use interface VPC endpoints to connect directly to CodeArtifact from within a VPC without traversing the internet. It notes

"You can improve the security of your build and deployment processes by configuring AWS PrivateLink for CodeArtifact. By creating interface VPC endpoints

you can connect to CodeArtifact from your VPC without sending traffic over the public internet."

3. AWS Documentation

"VPC endpoints": This documentation clarifies the purpose of interface VPC endpoints. "An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service." This confirms that traffic stays on the AWS network.

4. Amazon SageMaker Developer Guide

"Connect to SageMaker Through a VPC Interface Endpoint": This guide describes the pattern of using VPC endpoints to allow SageMaker resources in a private VPC to access AWS services without internet access

which is the same architectural pattern proposed in the correct answer for accessing CodeArtifact.

The primary constraint is the limited internet bandwidth, making a 60 TB data transfer over the network infeasible within the required timeframe. The most time-efficient solution for a large, one-time data transfer is to use a physical transport device.

The AWS Snowball Edge device is designed for this exact scenario. The company can export the 60 TB MySQL database to backup files, copy them to the Snowball Edge device over their fast local network, and ship it to AWS. Once at AWS, the data is loaded into an Amazon S3 bucket. From S3, AWS Database Migration Service (DMS) can efficiently perform the full load of the database data into the target Amazon Aurora MySQL instance. This entire process bypasses the slow internet connection for the bulk data transfer, making it the fastest overall solution.

A. Provisioning a new AWS Direct Connect connection typically takes several weeks to months, which would likely exceed the time required for a Snowball-based transfer, making it slower overall for a one-time migration.

B. AWS DataSync is designed for file and object data, not for migrating a relational database like MySQL. Furthermore, AWS Application Migration Service (MGN) migrates entire servers to EC2, not databases to a managed service like Aurora.

D. AWS Application Migration Service (MGN) is the incorrect tool for this task. It is used for lift-and-shift server migrations to EC2, not for migrating a database to a managed platform like Amazon Aurora.

---

1. AWS Snowball Edge Documentation: "AWS Snowball is a service that provides secure

rugged devices

so you can bring AWS computing and storage capabilities to your edge environments

and transfer data into and out of AWS. [...] For large-scale data transfers

Snowball is a more time- and cost-effective solution than high-speed internet."

Source: AWS Snowball User Guide

"What Is AWS Snowball?".

2. AWS Database Migration Service (DMS) Documentation: "You can migrate data from any of the supported data sources to any of the supported data targets. [...] You can use an Amazon S3 bucket as a source for a migration to any AWS DMS-supported target database. [...] For a full load

your data must be in comma-separated value (.csv) format."

Source: AWS Database Migration Service User Guide

"Sources for data migration" and "Using an Amazon S3 bucket as a source for AWS DMS".

3. AWS Direct Connect Documentation: "Establishing a new connection can take a month or more." This setup time makes it unsuitable for a time-critical

one-time migration compared to the faster turnaround of a Snowball device.

Source: AWS Prescriptive Guidance

"Building a data lake on AWS with a hybrid cloud architecture"

Section: "Network connectivity".

4. AWS Application Migration Service (MGN) Documentation: "AWS Application Migration Service (AWS MGN) is the primary migration service recommended for lift-and-shift migrations to AWS. [...] Application Migration Service allows you to quickly realize the benefits of migrating applications to the cloud without changes and with minimal downtime." This confirms its purpose is for migrating servers to EC2

not databases to Aurora.

Source: AWS Application Migration Service User Guide

"What is AWS Application Migration Service?".

Amazon Data Lifecycle Manager (DLM) is a managed service designed to automate the creation, retention, and deletion of Amazon EBS snapshots. A key feature of DLM is the ability to define policies that automatically copy snapshots to other AWS Regions for disaster recovery purposes. This approach directly meets the requirements of copying snapshots to two additional Regions while imposing the lowest possible operational overhead, as it is a fully managed, "set-and-forget" solution that does not require writing or maintaining custom code.

B. This is a viable but less optimal solution. It requires writing, deploying, and maintaining a custom AWS Lambda function, which results in higher operational overhead compared to using a managed service like DLM.

C. This option is technically incorrect. While AWS Backup can create and copy EBS snapshots, you cannot use Amazon S3 cross-Region replication (CRR) directly on EBS snapshots, as they are not stored in user-managed S3 buckets.

D. Amazon EC2 Image Builder is a service for creating and managing golden Amazon Machine Images (AMIs), not for backing up individual EBS volumes. Using it for this purpose is inefficient and misaligned with the stated requirement.

---

1. Amazon Data Lifecycle Manager User Guide: "With Amazon Data Lifecycle Manager

you can automate the creation

retention

and deletion of snapshots taken of your Amazon EBS volumes... You can also set up policies to create EBS-backed AMIs and to copy snapshots to other Regions for disaster recovery." (Source: AWS Documentation

Amazon Data Lifecycle Manager User Guide

"What is Amazon Data Lifecycle Manager?")

2. Amazon Data Lifecycle Manager User Guide

Cross-Region copy: "For disaster recovery purposes

you can create snapshot lifecycle policies that automatically copy snapshots to up to three AWS Regions." This section details the configuration steps

confirming it as a built-in

low-overhead feature. (Source: AWS Documentation

Amazon Data Lifecycle Manager User Guide

"Cross-Region copy")

3. Amazon EBS User Guide

Copy an Amazon EBS snapshot: "When you copy a snapshot

you create a new

identical snapshot in the destination of your choice... You can copy snapshots within the same AWS Region or from one Region to another." This describes the underlying API action (CopySnapshot) that services like DLM and AWS Backup use

and it makes no mention of S3 CRR. (Source: AWS Documentation

Amazon EBS User Guide

"Copy an Amazon EBS snapshot")

4. AWS Backup Developer Guide

Copying a backup: "You can copy backups to other AWS Regions... A copy can be created on-demand or automatically as part of a scheduled backup plan." This confirms AWS Backup's capability but does not validate the incorrect mechanism (S3 CRR) proposed in option C. (Source: AWS Documentation

AWS Backup Developer Guide

"Copying a backup")