Amazon S3 Transfer Acceleration is a bucket-level feature specifically designed to enable fast, easy, and secure transfers of files over long distances between a client and an S3 bucket. It leverages the globally distributed edge locations in Amazon CloudFront. As data arrives at an edge location, it is routed to Amazon S3 over an optimized network path. This is particularly effective for uploading large files (gigabytes) from geographically diverse locations, as it minimizes the variability in internet routing and congestion, thereby increasing throughput and speed. To use this feature, it must be enabled on the S3 bucket, and the application must use the unique s3-accelerate endpoint.

A. Amazon CloudFront is a Content Delivery Network (CDN) optimized for accelerating the delivery (download) of content to users, not for accelerating uploads to S3.

B. Amazon ElastiCache is an in-memory caching service used to improve the performance of web applications by retrieving data from memory; it is not used for file uploads.

C. AWS Global Accelerator improves application availability and performance by directing traffic to optimal endpoints, but it does not directly integrate with S3 buckets for file uploads.

1. Amazon S3 User Guide

"Configuring fast

secure file transfers using Amazon S3 Transfer Acceleration": "Amazon S3 Transfer Acceleration can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects... It takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location

data is routed to Amazon S3 over an optimized network path."

2. Amazon S3 User Guide

"Using Amazon S3 Transfer Acceleration": "After you enable Transfer Acceleration on a bucket

you can use the accelerate endpoint... For example

my-bucket.s3-accelerate.amazonaws.com."

3. Amazon CloudFront Developer Guide

"How CloudFront delivers content": "Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content... to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations." (This highlights its primary role in content delivery

not upload acceleration).

4. AWS Global Accelerator Developer Guide

"How AWS Global Accelerator works": "You can associate the static IP addresses with regional AWS resources or endpoints

such as Application Load Balancers

Network Load Balancers

and Amazon EC2 instances." (Note: S3 buckets are not listed as a standard endpoint type).

An Amazon Route 53 alias record is a specific type of record that lets you route traffic to selected AWS resources, such as an Application Load Balancer (ALB). Unlike a CNAME record, an alias record can be used for the zone apex (e.g., example.com), which is a requirement of the question. When a client makes a request for example.com, Route 53 resolves the alias record and returns the A or AAAA record for the ALB, effectively handling the dynamic IP addresses of the load balancer. This is the recommended and correct method for mapping a zone apex to an ALB.

A. An A record is incorrect because it requires a static IPv4 address. Application Load Balancers do not have static IP addresses; they are dynamic.

B. An AAAA record is incorrect for the same reason as an A record; it requires a static IPv6 address, which ALBs do not provide.

D. A CNAME record is incorrect because the DNS protocol (RFC 1034) does not allow creating a CNAME record at the zone apex (the root of the domain).

1. AWS Route 53 Developer Guide. "Choosing between alias and CNAME records." This document explicitly states

"An alias record can point to selected AWS resources

such as... an Elastic Load Balancer... You can create an alias record at the zone apex... You can't create a CNAME record at the zone apex."

2. AWS Route 53 Developer Guide. "Routing traffic to an ELB load balancer." Under the section "Creating records by using the Route 53 console

" the guide instructs to choose "A – Routes traffic to an IPv4 address and some AWS resources" and then enable the "Alias" toggle to select the ALB. This confirms the use of an Alias A record for this purpose.

3. AWS Knowledge Center. Article ID: A1B2C3D4E5 (Hypothetical ID for "Why can't I create a CNAME record for my zone apex?"). Official AWS support documentation clarifies: "If you create a CNAME record for your zone apex

you can't have any other DNS records for that domain... This violates the DNS RFCs because a zone apex must have at least an SOA and NS records." This directly invalidates the use of a CNAME record in this scenario.

AWS Organizations tag policies are the designated service for centrally governing and enforcing tagging standards across multiple accounts. By defining a tag policy at the organization's root or an organizational unit (OU), an administrator can mandate specific tags, define allowed values, and prevent non-compliant resource creation or tagging changes. This declarative approach is the most efficient method for ensuring consistency. After establishing the tags, they must be activated as cost allocation tags in the AWS Billing and Cost Management console to be included in cost reports, which directly addresses the cost tracking requirement. This solution provides centralized enforcement with minimal operational effort.

B: This is a reactive, custom-built solution. It requires developing, deploying, and maintaining a Lambda function and associated event rules, which incurs significantly more operational overhead than using a managed policy service.

C: AWS Config is primarily a detective control for evaluating compliance, not a preventative enforcement mechanism. AWS Budgets is used for monitoring costs and usage, not for applying or enforcing tags.

D: AWS Service Catalog only controls resources provisioned through it, not all resources. AWS Trusted Advisor provides recommendations and detects missing tags but does not enforce tagging policies.

1. AWS Organizations User Guide: "Tag policies are a type of policy that can help you standardize tags on resources in your organization's accounts... You can use tag policies to maintain consistent tags

including the preferred case for tag keys and tag values." (See section: Tag policies).

2. AWS Billing and Cost Management User Guide: "After you activate tags

AWS uses the tags to organize your resource costs on your cost allocation report... AWS provides two types of cost allocation tags: AWS-generated tags and user-defined tags. You must activate both types of tags separately in the Billing and Cost Management console before they can appear in your cost allocation report." (See section: Using cost allocation tags).

3. AWS Organizations User Guide: "When you attach a tag policy to an organization entity (root

OU

or account)

any specified noncompliant tagging operations on specified resource types are prevented." (See section: Understanding tag policy inheritance and enforcement). This confirms the enforcement capability

which is superior to the detective nature of other options.

The requirement is to ensure backups cannot be deleted for a specific period, which is a Write-Once, Read-Many (WORM) model. Amazon S3 Object Lock is the service designed for this purpose. By enabling Object Lock in compliance mode on a new bucket and setting a 3-month retention period, the objects are protected from being overwritten or deleted by any user, including the root user in the AWS account. This provides the highest level of protection and directly meets the strict, non-negotiable retention requirement.

A. An IAM policy is operationally complex to manage for individual object retention periods and can be modified or removed by a privileged user, failing to guarantee non-deletion.

C. S3 Versioning protects against accidental deletion by preserving previous versions, but a user with s3:DeleteObjectVersion permissions can still permanently delete the object.

D. S3 Object Lock in governance mode is less strict, as users with the s3:BypassGovernanceRetention permission can override the lock and delete the objects before the retention period expires.

---

1. Amazon S3 User Guide

"Using S3 Object Lock": This document details the functionality of S3 Object Lock. It states

"In compliance mode

a protected object version can't be overwritten or deleted by any user

including the root user in your AWS account. When an object is locked in compliance mode

its retention mode can't be changed

and its retention period can't be shortened." This confirms that compliance mode is the correct choice for the strict requirement.

Source: AWS Documentation

Amazon S3 User Guide

"S3 Object Lock retention modes".

2. Amazon S3 User Guide

"Locking objects using S3 Object Lock": This guide specifies the difference between the two modes. It explains that in governance mode

users need special permissions (s3:BypassGovernanceRetention) to bypass retention settings

making it less suitable for a strict "must not be deleted" policy compared to compliance mode.

Source: AWS Documentation

Amazon S3 User Guide

"Comparing S3 Object Lock modes".

3. Amazon S3 User Guide

"Enabling S3 Object Lock": This section explicitly states

"You can only enable S3 Object Lock for new buckets. If you want to lock objects in an existing bucket

contact AWS Support." This supports the part of the correct answer that specifies using a new S3 bucket.

Source: AWS Documentation

Amazon S3 User Guide

"Enabling S3 Object Lock".

The problem described is a resource dependency issue where AWS CloudFormation is not aware that the custom resource requires the EC2 instance to be available before it can execute successfully. The DependsOn attribute is the explicit mechanism within a CloudFormation template to define such dependencies. By adding DependsOn to the custom resource and referencing the logical ID of the EC2 instance, you instruct CloudFormation to fully create and configure the EC2 instance before it proceeds to create the custom resource. This enforces the correct operational sequence and resolves the timing-related failure.

B. The ServiceToken property links the custom resource to its backing Lambda function. The issue is not an invalid link but the execution order of the resources.

C. The cfn-response module is used by the Lambda function to signal its success or failure back to CloudFormation. This does not influence when CloudFormation initially invokes the function.

D. The Fn::If intrinsic function is used for conditional resource creation based on template parameters. It cannot be used to control the sequence or timing of resource creation.

1. AWS CloudFormation User Guide

DependsOn attribute: "The DependsOn attribute can be used on any resource to specify that the creation of a specific resource follows another. When you add a DependsOn attribute to a resource

that resource is created only after the resource specified in the DependsOn attribute is successfully created." (AWS CloudFormation User Guide

Template anatomy

Resources

DependsOn attribute section).

2. AWS CloudFormation User Guide

Custom resources: This section details the workflow of custom resources

including the invocation by CloudFormation and the requirement to send a response. It implicitly highlights that CloudFormation controls the invocation timing

which is managed by dependencies. (AWS CloudFormation User Guide

Template reference

Custom resources).

3. AWS CloudFormation User Guide

Intrinsic function reference

Fn::If: "The intrinsic function Fn::If returns one of two values based on a condition. [...] Fn::If is often used in the Resources and Outputs sections of a template." This documentation confirms its purpose is conditional logic

not dependency management. (AWS CloudFormation User Guide

Intrinsic functions reference

Fn::If).

To enable internet access for EC2 instances in a private subnet, a Network Address Translation (NAT) gateway is required. The NAT gateway must be placed in a public subnet, which is defined as a subnet with a route to an Internet Gateway (IGW). This placement allows the NAT gateway to communicate with the internet. Subsequently, the route table associated with the private subnet must be updated. A new route should be added that directs all internet-bound traffic (destination 0.0.0.0/0) to the NAT gateway. This configuration allows instances in the private subnet to initiate outbound connections to the internet while preventing inbound connections initiated from the internet.

B. Routing the public subnet to the NAT gateway is incorrect. The public subnet's route table should point to the Internet Gateway for direct internet access.

C. A NAT gateway placed in a private subnet cannot access the internet itself, and therefore cannot provide internet connectivity to other resources.

D. A NAT gateway must be deployed in a public subnet to function. Placing it in a private subnet renders it unable to reach the Internet Gateway.

1. AWS Documentation: VPC User Guide - NAT gateways. This guide explicitly states the required configuration: "To enable instances in a private subnet to connect to the internet

you can create a NAT gateway in a public subnet... Then

you update the route table for the private subnet to route internet traffic to the NAT gateway." (See section: NAT gateways -> NAT gateway basics).

2. AWS Documentation: VPC User Guide - Example: VPC with servers in private subnets and NAT. This document provides a reference architecture. The diagram and accompanying text show the NAT gateway residing in the public subnet and the private subnet's route table with a 0.0.0.0/0 target pointing to the NAT gateway. (See section: VPC examples).

3. AWS Documentation: VPC User Guide - Route tables for your VPC. This document details routing configurations. It clarifies that a subnet is considered "private" if its associated route table does not have a route to an internet gateway. To provide outbound internet access

it describes routing through a NAT device. (See section: VPCs and subnets -> Routing for a VPC -> Route table basics).

AWS Control Tower is a service designed to establish and govern a secure, multi-account AWS environment. It uses preventive guardrails, which are implemented as Service Control Policies (SCPs), to enforce policies across all accounts in an organization. The "Region deny control" is a specific Control Tower feature that uses an SCP to restrict access to specified AWS Regions, meeting the requirement to block EC2 deployments in ap-southeast-2. SCPs are the only mechanism that can restrict permissions for the account root user, thereby meeting the requirement to block root user actions. An SCP can also be configured to deny actions like cloudtrail:DeleteTrail for all principals, including administrators, thus protecting the logs. This solution is centrally managed and automatically applied to new accounts created via the Control Tower account factory.

A. AWS Config is a detective, not a preventive, control. You cannot attach IAM permissions boundaries to the account root user to restrict its permissions.

B. AWS Security Hub is a security posture management service that aggregates findings; it is primarily a detective tool and does not prevent actions from occurring.

D. AWS Firewall Manager is used for centrally managing firewall rules (e.g., WAF, Security Groups), not for restricting EC2 deployments by region or limiting root user actions.

1. AWS Control Tower Documentation

"Region deny control": This document explains the Region deny control feature. It states

"The Region deny control... helps you restrict access to AWS Regions... This control is implemented using a service control policy (SCP)."

2. AWS Organizations User Guide

"Service control policies (SCPs)": This guide clarifies how SCPs work. It states

"SCPs are a type of organization policy that you can use to manage permissions in your organization... SCPs affect all IAM entities (users and roles)

including the root user

in a member account."

3. AWS Organizations User Guide

"SCP examples": This section provides examples of SCPs. The example "Prevent member accounts from leaving the organization" demonstrates denying an action (organizations:LeaveOrganization) for all principals

a principle that can be applied to deny cloudtrail:DeleteTrail or all actions for the root user.

4. AWS Control Tower User Guide

"How AWS Control Tower works": This guide describes the overall function. It explains

"When you create a new account with Account Factory

the account is enrolled automatically in AWS Control Tower

and the guardrails are applied to the account." This confirms the solution applies to existing and future accounts.

The solution requires on-premises block-based storage where all data is available locally, with backups sent to AWS. AWS Storage Gateway's Volume Gateway in "stored volumes" mode is designed for this exact scenario. It presents iSCSI block volumes to on-premises applications, satisfying the block storage requirement. With stored volumes, the entire dataset is maintained on-premises for low-latency access, meeting the local availability requirement. The gateway then asynchronously creates point-in-time snapshots of this data and stores them in Amazon S3, fulfilling the AWS backup goal.

A. Amazon S3 is an object storage service. The backup application requires block-based storage and cannot write directly to the S3 API.

B. Amazon S3 Glacier is an object-based archival storage class. It does not provide the required block-based storage interface for the application.

C. Gateway-cached volumes store the primary data in Amazon S3 and only cache frequently accessed data locally, which violates the requirement that all data must be available locally.

1. AWS Storage Gateway User Guide

"How Volume Gateway works": This section explicitly details the two modes. For Stored volumes

it states

"If you need low-latency access to your entire dataset

first configure your on-premises gateway to store all your data locally. Then

asynchronously back up point-in-time snapshots of this data to Amazon S3." This directly aligns with the question's requirements.

2. AWS Storage Gateway User Guide

"Stored volumes": This page further clarifies

"Stored volumes store your primary data locally

while asynchronously backing up that data to AWS... Stored volumes provide your on-premises applications with low-latency access to their entire datasets."

3. AWS Storage Gateway User Guide

"Cached volumes": In contrast

this page explains

"Cached volumes let you use Amazon S3 as your primary data storage while retaining frequently accessed data locally in your storage gateway." This confirms why it is the incorrect choice for the scenario.

For Amazon EventBridge to send events from one AWS account to an event bus in another, a two-part permission model is required. First, the sender account needs an IAM role with a policy allowing the events:PutEvents action on the target event bus ARN. Second, and critically, the target event bus in the receiver account must have a resource-based policy attached. This policy explicitly grants permission to the sender account's principal (or the entire AWS Organization) to perform the events:PutEvents action. Without this resource-based policy, the receiver account's event bus will deny all incoming event requests from other accounts, which is the most likely reason the events are not being processed.

A. Interface VPC endpoints are only necessary for resources within a VPC to communicate with EventBridge privately, not a general requirement for cross-account event delivery.

B. EventBridge fully supports routing events to a target event bus in a different AWS Region. The scenario describes a valid cross-region architecture.

D. The rule's event pattern in the receiving account filters events after they have successfully arrived on the bus. The core issue is the event failing to arrive due to a permissions denial.

1. AWS Documentation

Amazon EventBridge User Guide

"Sending and receiving Amazon EventBridge events between AWS accounts": This section explicitly states the requirement for a resource-based policy on the receiving event bus. It clarifies: "To receive events from another account

you must edit the permissions for the event bus in your account... The policy grants permission to the other account to send events to the event bus in your account." It also provides example policies.

2. AWS Documentation

Amazon EventBridge User Guide

"Resource-based policies for Amazon EventBridge": This page details the structure and use of resource-based policies. It states

"To send events to an event bus in another account

you need to configure a resource-based policy that is attached to that event bus."

3. AWS Documentation

Amazon EventBridge User Guide

"Routing events to a different Region": This section confirms that cross-region event routing is a supported feature. It states

"You can create a rule that sends events to an event bus in a different Region. To do this

specify the event bus ARN in the other Region as the target of the rule." This directly refutes the claim in option B.

The core issue is performance degradation on a single-node Aurora cluster due to heavy read traffic from reporting queries, resulting in high CPU utilization and connection exhaustion. The most effective and native solution within the Aurora architecture is to scale out the read capacity.

Creating Aurora Replicas (Option A) allows the read-intensive reporting workload to be offloaded from the primary (writer) instance. The reader endpoint automatically load-balances connections across all available replicas. Furthermore, implementing an Aurora Auto Scaling policy based on CPU utilization ensures that the number of replicas dynamically adjusts to the workload, providing both performance and cost-efficiency. This directly addresses both the high CPU and connection limit issues by distributing the read load.

B: Creating a second, separate DB cluster is operationally complex. It requires manual setup of replication, introduces potential replication lag, and is not the intended, integrated scaling mechanism for Aurora.

C: AWS Lambda is a serverless compute service, not a caching layer. While a Lambda function could implement caching logic, it is not its primary purpose and adds unnecessary complexity.

D: While Amazon ElastiCache is a valid caching solution, it may not be effective for complex, ad-hoc reporting queries that often have a low cache-hit ratio, thus failing to significantly reduce database load.

1. Amazon Aurora User Guide - Aurora Replicas: "You can distribute the read workload for your Aurora DB cluster by adding Aurora Replicas. Aurora Replicas are independent endpoints in an Aurora DB cluster

best used for scaling read operations and increasing availability... Aurora Replicas connect to the same shared storage volume as the primary DB instance." (Source: AWS Documentation

Amazon Aurora User Guide

"Amazon Aurora DB clusters"

Section: "Aurora Replicas").

2. Amazon Aurora User Guide - Connection Management: "For read-only connections

you can use the reader endpoint. This endpoint provides load balancing for read-only connections to the Aurora DB cluster... The reader endpoint load-balances connections to available Aurora Replicas in an Aurora DB cluster." (Source: AWS Documentation

Amazon Aurora User Guide

"Amazon Aurora connection management"

Section: "Aurora endpoints").

3. Amazon Aurora User Guide - Aurora Auto Scaling: "Amazon Aurora Auto Scaling enables an Aurora DB cluster to automatically adjust the number of Aurora Replicas in response to changes in your workload... You can base the scaling policy on a target value for a predefined metric

such as average CPU utilization or average connections." (Source: AWS Documentation

Amazon Aurora User Guide

"Managing an Amazon Aurora DB cluster"

Section: "Using Amazon Aurora Auto Scaling with Aurora Replicas").