AWS Marketplace is a curated digital catalog designed for Independent Software Vendors (ISVs) and consulting partners to list and sell their software and services to AWS customers. It provides a dedicated channel for vendors to deliver products, such as custom Amazon Machine Images (AMIs), to a broad audience. The service handles billing, deployment, and subscription management, making it the ideal solution for an ISV wanting to share and commercialize its software with prospective customers in a scalable and secure manner.

B. AWS Data Exchange: This service is specifically for finding, subscribing to, and using third-party data sets, not for distributing software applications like AMIs.

C. Amazon EC2: While AMIs are used to launch Amazon EC2 instances, EC2 is the compute service itself, not a commercial platform for distributing software to customers.

D. AWS Organizations: This is an account management service for consolidating and centrally governing multiple AWS accounts within a single entity, not for selling products to external parties.

---

1. AWS Marketplace Seller Guide: "What is AWS Marketplace?": "AWS Marketplace is a curated digital catalog that you can use to find

buy

deploy

and manage third-party software

data

and services... As a seller

you can sell your products on AWS Marketplace. AWS Marketplace offers a variety of benefits to help you build a successful business." This directly supports the use of Marketplace for selling software like AMIs.

2. AWS Documentation - "AMI product delivery": In the AWS Marketplace Seller Guide

under "Delivery methods

" it states: "For AMI products

you provide AWS Marketplace with a copy of your Amazon Machine Image (AMI)." This confirms that AMIs are a primary product type for distribution via AWS Marketplace.

3. AWS Data Exchange User Guide: "What is AWS Data Exchange?": "AWS Data Exchange makes it easy to find

subscribe to

and use third-party data in the cloud." This reference clearly distinguishes its purpose (data exchange) from software distribution.

4. AWS Organizations User Guide: "What is AWS Organizations?": "AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage." This confirms its role is for internal governance

not external sales.

AWS CloudFormation and the AWS Cloud Development Kit (AWS CDK) are Infrastructure as Code (IaC) offerings. They enable you to define and provision AWS infrastructure using code. By codifying your infrastructure, you can automate the creation of resources, ensuring they are deployed consistently and repeatably across multiple environments (e.g., development, staging, production). This automation eliminates the manual steps that often lead to configuration drift and human error. CloudFormation uses declarative templates (JSON/YAML), while the CDK allows you to use familiar programming languages to define resources, which are then synthesized into CloudFormation templates for deployment.

A. AWS Config is a service for assessing, auditing, and evaluating the configurations of your AWS resources for compliance, not for provisioning them.

B. AWS CodeStar is a unified UI for managing the entire software development lifecycle; while it uses CloudFormation for its project templates, it is not the primary IaC service itself.

E. AWS CodeBuild is a continuous integration service that compiles source code and runs tests. It does not provision the underlying infrastructure.

1. AWS CloudFormation User Guide: "AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources... You create a template that describes all the AWS resources that you want... CloudFormation takes care of provisioning and configuring those resources for you. You don't need to individually create and configure AWS resources and figure out what's dependent on what; CloudFormation handles all of that."

Source: AWS Documentation

What is AWS CloudFormation?

Introduction section.

2. AWS Cloud Development Kit (CDK) Developer Guide: "The AWS Cloud Development Kit (AWS CDK) is an open source software development framework to define your cloud application resources using familiar programming languages... The AWS CDK provisions your resources in a safe

repeatable manner through AWS CloudFormation."

Source: AWS Documentation

What is the AWS CDK?

Introduction section.

3. AWS Well-Architected Framework Whitepaper (Dec 2023): The Operational Excellence Pillar emphasizes performing operations as code. "With infrastructure as code

you can apply the same engineering discipline that you use for application code to your entire environment... AWS CloudFormation and the AWS Cloud Development Kit (AWS CDK) let you codify your infrastructure and applications..."

Source: AWS Whitepaper

AWS Well-Architected Framework

Page 29

"Perform operations as code".

4. AWS Config Developer Guide: "AWS Config is a service that enables you to assess

audit

and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations..."

Source: AWS Documentation

What Is AWS Config?

Introduction section.

Amazon EC2 is an Infrastructure as a Service (IaaS) offering. According to the AWS Shared Responsibility Model for IaaS, the customer is responsible for managing the guest operating system. This includes installing security patches, performing updates, and configuring the OS-level firewall and other security settings. AWS manages the underlying hardware, the physical data center, and the virtualization layer (hypervisor), but the OS on the virtual machine is the customer's responsibility. The other services listed are managed or serverless, where AWS handles OS maintenance.

A. Amazon DynamoDB is a fully managed NoSQL database service. AWS is responsible for managing the entire underlying infrastructure, including the operating system.

B. Amazon S3 is a managed object storage service. Customers do not interact with or manage the underlying operating systems; this is handled entirely by AWS.

D. AWS Lambda is a serverless compute service. AWS manages the complete compute environment, including the operating system, patching, and scaling, allowing customers to run code without managing servers.

1. AWS Shared Responsibility Model Documentation: AWS outlines that for Infrastructure as a Service (IaaS) like Amazon EC2

the customer is responsible for the "Guest operating system (including updates and security patches)" and "application software." In contrast

for managed services

AWS's responsibility extends further up the stack.

Source: AWS Documentation

"Shared Responsibility Model

" section "Shared Responsibility Model diagram."

2. Amazon EC2 User Guide: The documentation for EC2 states that customers select an Amazon Machine Image (AMI) to launch an instance

which contains the operating system. The customer is then responsible for managing that instance.

Source: AWS Documentation

"Amazon EC2 User Guide for Linux Instances

" section "What is Amazon EC2?

" paragraph 1.

3. AWS Lambda Developer Guide: The documentation explicitly states that Lambda is a serverless service where you "run code without provisioning or managing servers." This confirms that AWS manages the underlying OS.

Source: AWS Documentation

"AWS Lambda Developer Guide

" section "What is AWS Lambda?

" paragraph 1.

4. Amazon DynamoDB Developer Guide: The service is described as "a fully managed

serverless

key-value NoSQL database

" indicating that AWS manages all underlying infrastructure

including servers and operating systems.

Source: AWS Documentation

"Amazon DynamoDB Developer Guide

" section "What is Amazon DynamoDB?

" paragraph 1.

This scenario is a direct application of the AWS Shared Responsibility Model for compliance. AWS is responsible for the compliance of the cloud infrastructure, and the customer is responsible for the compliance of their application running in the cloud. To achieve full compliance for a credit card application (which implies PCI DSS), the company must perform two key actions. First, they must obtain proof of AWS's infrastructure compliance, which is available via AWS Artifact. Second, they must have their own application and its configuration independently assessed and certified, typically by a Qualified Security Assessor (QSA) or an internal assessor.

A. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS; it does not submit applications for formal certification.

B. Under the shared responsibility model, AWS is responsible for the underlying hardware components. The customer's responsibility is to verify this through AWS reports, not manage it directly.

E. AWS Security Hub provides a view of security posture and checks against compliance standards, but it does not provide formal certification for an application.

1. AWS Artifact Documentation: "AWS Artifact is your go-to

central resource for compliance-related information that matters to you. It provides on-demand access to AWS’s security and compliance reports and select online agreements." This supports using Artifact to get AWS's compliance documents.

Source: AWS Artifact

"What is AWS Artifact?"

AWS Documentation.

2. AWS Compliance - PCI DSS: "AWS is a PCI DSS compliant Level 1 Service Provider... Customers can access the AWS PCI Attestation of Compliance (AOC) and Responsibility Summary through AWS Artifact... Customers are responsible for ensuring that they achieve PCI DSS compliance for their in-scope AWS accounts." This supports both using Artifact (C) and the customer's responsibility for their own certification (D).

Source: AWS Compliance Programs

"PCI DSS Level 1"

AWS Documentation.

3. AWS Shared Responsibility Model: "AWS is responsible for 'Security of the Cloud'... The customer is responsible for 'Security in the Cloud'." This model is the foundation for understanding why the customer must handle their application's compliance (D) while relying on AWS for infrastructure compliance (C).

Source: AWS Shared Responsibility Model

AWS Documentation.

4. Amazon Inspector Documentation: "Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure." This confirms it is not a certification tool.

Source: Amazon Inspector

"What is Amazon Inspector?"

AWS Documentation.

The AWS Well-Architected Framework provides architectural best practices across six pillars for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems in the cloud. The six pillars are: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. Operational Excellence focuses on running and monitoring systems to deliver business value and continually improving supporting processes and procedures. The other options are concepts or design patterns that fall within these pillars, but are not pillars themselves.

A. Redundancy is a design principle used to achieve high availability and fault tolerance, which is a core concept within the Reliability pillar, not a pillar itself.

C. Availability is a measure of a system's uptime and a key objective of the Reliability pillar, which focuses on ensuring a workload performs its function correctly.

D. Multi-Region is an architectural strategy for achieving high availability and disaster recovery, falling under the design principles of the Reliability pillar.

1. AWS Well-Architected. (2023). AWS Well-Architected Framework (Whitepaper). Amazon Web Services

Inc. Retrieved from https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html. In the "The Six Pillars of the Framework" section

the document explicitly lists "Operational Excellence" as one of the six pillars.

2. AWS Well-Architected. (2023). Reliability Pillar - AWS Well-Architected Framework (Whitepaper). Amazon Web Services

Inc. Retrieved from https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html. The "Design Principles" section discusses achieving availability and using redundancy (e.g.

"Scale horizontally to increase aggregate workload availability") and multi-location strategies ("Deploy the workload to multiple locations"). This confirms that Redundancy

Availability

and Multi-Region are concepts within the Reliability pillar.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. A key feature is its ability to provide a detailed history of resource configuration changes, which directly addresses the need for a report on how Amazon EC2 instances were modified over the past month.

A. AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS, focusing on governance and provisioning, not historical change tracking.

C. Amazon CloudWatch is a monitoring and observability service that collects metrics, logs, and events. It is used for performance monitoring, not for detailed configuration change history.

D. AWS Artifact is a central resource for compliance-related information, providing on-demand access to AWS's security and compliance reports, not a customer's resource modification history.

1. AWS Config Developer Guide: In the section "What Is AWS Config?"

the documentation states

"AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time."

2. AWS Well-Architected Framework - Security Pillar (July 2023): In the section "SEC 04: How do you detect and investigate security events?"

page 31 discusses detective controls. It mentions

"Use services such as AWS Config to record and report on configuration changes of your AWS resources."

3. AWS Service Catalog Administrator Guide: The "What is AWS Service Catalog?" section explains

"AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS." This confirms its purpose is unrelated to auditing past changes.

4. Amazon CloudWatch User Guide: The "What is Amazon CloudWatch?" section describes it as "a monitoring and observability service... CloudWatch collects monitoring and operational data in the form of logs

metrics

and events." This highlights its focus on operational data

not configuration history.

The AWS Business Support plan is the most cost-effective option that fulfills the company's requirements. It is the lowest-tier plan that provides 24/7 access to Cloud Support Engineers via chat, email, and phone. The AWS Developer plan does not offer 24/7 access, and the AWS Basic plan includes no technical support. While the AWS Enterprise plan also meets the 24/7 access requirement, it is more expensive and includes features like Infrastructure Event Management, which the question explicitly states is not needed. Therefore, the Business plan is the most appropriate and cost-effective choice.

A. AWS Enterprise Support is not the most cost-effective choice because it is more expensive than the Business plan and includes features the company does not require.

C. AWS Developer Support does not meet the 24/7 access requirement, as it only provides email access to Cloud Support Associates during business hours.

D. AWS Basic Support offers no access to technical support engineers, only support for billing and account issues.

1. AWS Support Plans. (n.d.). AWS. Retrieved from https://aws.amazon.com/premiumsupport/plans/

Reference Details: On the "Compare AWS Support plans" feature comparison table

under the "Technical support" section

it shows that "24x7 access to Cloud Support Engineers via email

chat

and phone" begins with the Business plan. The Developer plan is limited to "Email access to Cloud Support Associates during business hours."

2. AWS Support Documentation. (n.d.). AWS Support Features. AWS. Retrieved from https://docs.aws.amazon.com/awssupport/latest/user/features.html

Reference Details: The "Technical support" section details the communication channels for each plan. It explicitly states that for the Business plan

"You can have an unlimited number of contacts that can open an unlimited number of cases. These contacts have 24/7 access to Cloud Support Engineers through email

chat

and phone." This confirms it meets the question's requirements.

Changing the AWS Support plan is an account-level administrative action that directly impacts billing and the contractual agreement with AWS. For security and accountability, AWS restricts this specific task, along with others like closing an AWS account or changing root user credentials, to the AWS account root user. IAM users, even those with full administrative privileges (AdministratorAccess policy), cannot perform this action. This restriction ensures that only the account owner can make fundamental changes to the account's service and support structure.

A. Making changes to production resources is a standard administrative task that should be performed by an IAM user or role with appropriate permissions, following the principle of least privilege.

C. Access to AWS Cost and Usage Reports can be delegated to IAM users. The root user must first enable "IAM User and Role Access to Billing Information" in the account settings.

D. Granting auditors access is a security best practice performed by creating a specific IAM role or user with read-only or audit-specific permissions, not by sharing root credentials.

1. AWS Identity and Access Management User Guide. "Tasks that require root user credentials." This official documentation explicitly lists "Change your AWS Support plan" as a task that can only be performed by the root user.

2. AWS Identity and Access Management User Guide. "IAM best practices." This guide states

"Don't use the root user for your everyday tasks

even the administrative ones. Instead

adhere to the best practice of using the root user only to create your first IAM user." This directly refutes option A.

3. AWS Billing and Cost Management User Guide. "Controlling access to billing information using IAM." This document details the process for the root user to activate IAM access to the Billing and Cost Management console

thereby enabling IAM users to perform tasks like accessing reports

which refutes option C.

4. AWS Security Best Practices Whitepaper. "AWS Identity and Access Management." This whitepaper emphasizes using IAM to create users and roles for specific duties

such as for auditors

which directly contradicts the approach suggested in option D.

AWS Budgets is the service designed to enhance planning and cost control by allowing users to set custom budgets for their AWS costs and usage. It provides the functionality to monitor spending against these budgets and sends alerts via Amazon SNS or email when actual or forecasted costs and usage exceed the user-defined thresholds. This enables proactive management of cloud spending to stay within financial limits.

A. AWS Organizations is used for central governance and management of multiple AWS accounts, including consolidated billing, but it does not set custom budget alerts itself.

C. Cost Explorer is a tool for visualizing, understanding, and forecasting your AWS costs and usage over time. It is used for analysis, not for setting proactive alerts on budget thresholds.

D. AWS Trusted Advisor provides real-time guidance to help you provision resources following AWS best practices, including cost optimization, but it does not set user-defined budget alerts.

1. AWS Documentation - AWS Budgets: "AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount."

Source: AWS Billing and Cost Management User Guide

"Managing your costs with AWS Budgets

" Section: "What is AWS Budgets?".

2. AWS Documentation - AWS Cost Explorer: "AWS Cost Explorer has an easy-to-use interface that lets you visualize

understand

and manage your AWS costs and usage over time."

Source: AWS Billing and Cost Management User Guide

"Analyzing your costs with AWS Cost Explorer

" Section: "What is AWS Cost Explorer?".

3. AWS Documentation - AWS Organizations: "AWS Organizations helps you to centrally manage and govern your environment as you grow and scale your AWS resources."

Source: AWS Organizations User Guide

"What is AWS Organizations?".

4. AWS Documentation - AWS Trusted Advisor: "Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks."

Source: AWS Support User Guide

"AWS Trusted Advisor

" Section: "How Trusted Advisor works".

AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. It is specifically designed for workloads that require low-latency access to on-premises systems, local data processing, and data residency. By deploying an Outposts rack in their factories, the company can run applications with local interdependencies on AWS-managed hardware, achieving the necessary low latency while maintaining a consistent development and operational experience with the AWS Cloud.

A. AWS IoT Greengrass is an edge runtime and cloud service for building and managing IoT applications on devices. It is not designed to provide the broad, general-purpose compute and storage infrastructure required.

B. AWS Lambda is a serverless compute service that runs in an AWS Region, not on-premises. It cannot meet the low-latency requirements for applications with local system interdependencies within a factory.

D. AWS Snowball Edge is primarily a device for large-scale data transfer and edge computing in rugged or disconnected environments. While it has compute capabilities, Outposts provides a more permanent, integrated extension of the AWS Region.

1. AWS Outposts Documentation: "AWS Outposts is a family of fully managed solutions delivering AWS infrastructure and services to virtually any on-premises or edge location for a truly consistent hybrid experience... Outposts is ideal for workloads that require low latency access to on-premises systems

local data processing

data residency

and migration of applications with local system interdependencies."

Source: AWS Outposts

"What is AWS Outposts?"

Retrieved from https://aws.amazon.com/outposts/

2. AWS Lambda Documentation: "AWS Lambda is a serverless

event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers."

Source: AWS Lambda

"What is AWS Lambda?"

Retrieved from https://aws.amazon.com/lambda/

3. AWS IoT Greengrass V2 Developer Guide: "AWS IoT Greengrass is an Internet of Things (IoT) open source edge runtime and cloud service that helps you build

deploy

and manage IoT applications on your devices."

Source: AWS IoT Greengrass V2 Developer Guide

"What is AWS IoT Greengrass?"

Section: "What is AWS IoT Greengrass?".

4. AWS Snowball Documentation: "AWS Snowball is an edge computing

data migration

and edge storage device that comes in two options. Snowball Edge Storage Optimized devices provide both block storage and Amazon S3-compatible object storage

and 40 vCPUs... Snowball Edge Compute Optimized devices provide 52 vCPUs

block and object storage

and an optional GPU for use cases like advanced machine learning and full motion video analysis in disconnected environments."

Source: AWS Snowball

"What is AWS Snowball?"

Retrieved from https://aws.amazon.com/snowball/