In the CloudFormation template, the developer should create a parameter with the list of approved

EC2 instance types as AllowedValues. This way, users can select the instance type they want to use

when launching the CloudFormation stack, but only from the approved list.

API Gateway Mocking: This feature is built for decoupling development dependencies. Here's the

process:

Create resources and methods in your API Gateway.

Set the integration type to 'MOCK'.

Define Integration Responses, mapping HTTP status codes to desired mocked responses (JSON, etc.).

Deployment and Use:

Create a deployment stage for the API.

Frontend teams can call this API and get the mocked responses without a real backend.

Reference:

Mocking API Gateway APIs: https://docs.aws.amazon.com/apigateway/latest/developerguide/howto-mock-integration.html

Requirement Summary:

Customer credit card data may be exposed

Data is stored in Amazon S3

Developer must identify all exposure risks

Tool to Use:

✅ Amazon Macie is designed to:

Automatically scan S3 for sensitive data

Detect financial information, PII, credentials, etc.

Finding Type Mapping:

Credit card data maps to: SensitiveData:S3Object/Financial

Evaluate Options:

A . Athena + filtering

❌ Athena is a query engine; it doesn’t detect sensitive data automatically

✅ B . Macie + Financial finding type

✅ Correct

Designed for this use case

C . Macie + Personal finding type

❌ Personal maps to names, addresses, etc., not credit cards

D . Athena + Financial

❌ Again, Athena can’t classify data – it only queries structured data

Macie Overview: https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html

Finding Types: https://docs.aws.amazon.com/macie/latest/user/findings-types.html

Financial finding type: SensitiveData:S3Object/Financial

Why Option B is Correct:

The pilot light strategy keeps a minimal version of the environment in another Region and scales up

during a disaster. It achieves an RTO and RPO of hours at a low cost and complexity.

Why Other Options are Incorrect:

Option A: Warm standby is more expensive as it keeps a scaled-down, fully functioning version

running in another Region.

Option C: Backup and restore has a longer RTO and RPO than hours.

Option D: Multi-site active-active is costly and more complex than required.

AWS Documentation Reference:

Disaster Recovery Strategies on AWS

DynamoDB distributes throughput across partitions based on the hash key. A hot partition (caused by

high usage of a specific hash key) can result in a ProvisionedThroughputExceededException, even if

overall usage is below the provisioned capacity.

Why Option B is Correct:

Partition-Level Limits: Each partition has a limit of 3,000 read capacity units or 1,000 write capacity

units per second.

Hot Partition: Excessive use of a single hash key can overwhelm its partition.

Why Not Other Options:

Option A: DynamoDB storage size does not affect throughput.

Option C: Provisioned scaling operations are unrelated to throughput errors.

Option D: Sort keys do not impact partition-level throughput.

Reference:

DynamoDB Partition Key Design Best Practices

Comprehensive and Detailed Step-by-Step

Option D: AWS AppConfig with CloudWatch Application Signals

AWS AppConfig is designed for managing and deploying application configurations dynamically,

without redeployment.

CloudWatch Application Signals provide automatic rollback mechanisms in case of an unhealthy

application state due to bad configuration changes.

This solution meets the requirements with minimal operational overhead by ensuring both dynamic

updates and rollback functionality.

Why Other Options Are Incorrect:

Option A and B: AWS Secrets Manager is designed for secrets management, not dynamic application

configuration. Custom Config rules add unnecessary complexity.

Option C: While CloudWatch alarms can monitor application changes, using alarms for rollback

requires manual setup and lacks the automatic rollback provided by Application Signals.

Reference:

AWS AppConfig Documentation

:

This solution allows the API to invoke the Lambda function asynchronously, which means that the API

will return an immediate response without waiting for the function to complete. The X-Amz-

Invocation-Type header specifies the invocation type of the Lambda function, and setting it to ‘Event’

means that the function will be invoked asynchronously. The function can then use Amazon Simple

Email Service (SES) to send an email message when the report processing is complete.

Reference: [Asynchronous invocation], [Set up Lambda proxy integrations in API Gateway]

Requirement Summary:

DynamoDB table Orders

Partition key: OrderID

No sort key

100,000+ records

Need to efficiently retrieve all records where:

OrderSource = "MobileApp"

Must optimize for user experience (i.e., performance)

Evaluate Options:

Option A: Scan with FilterExpression

❌ Inefficient for large tables

A Scan reads every item in the table and then applies a filter condition.

This is slow, expensive, and not scalable as the dataset grows.

Option B: Create a Local Secondary Index (LSI) with OrderSource

❌ Invalid: LSIs require the same partition key (OrderID) as the base table.

Since OrderSource is not part of the primary key, and we want to query based on it, LSI won’t help.

Option C: Create a GSI with OrderSource as the sort key

❌ Misuse of sort key: Querying by sort key alone is not allowed in DynamoDB.

You must specify a partition key in a Query.

This design is not valid for the use case.

Option D: Create a GSI with OrderSource as the partition key

✅ ✅ BEST CHOICE: With a GSI on OrderSource, you can query efficiently for all items where

OrderSource = "MobileApp".

DynamoDB GSIs allow an alternative access pattern for queries not supported by the base table

schema.

GSI Design: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html

Querying a GSI:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html

Scan vs Query: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-queryscan.html

: