Prepare smarter for your CLF-C02 exam with our free, accurate, and 2025-updated questions.
At Cert Empire, we are committed to providing the best and latest exam questions to students preparing for the AWS CLF-C02 exam. To help students prepare better, we have made sections of our CLF-C02 exam preparation resources free for all. You can practice as much as you like with the free CLF-C02 practice test.
Question 1
A. Basic Support: This plan offers customer service for account and billing questions but does not include a dedicated, proactive concierge team.
B. Developer Support: This plan focuses on providing technical support to developers and does not include advanced account management features like a concierge.
C. Business Support: While offering more comprehensive support than the Developer plan, the Business Support plan does not include the dedicated Concierge Support Team.
1. AWS Support. (n.d.). AWS Support Plans. Amazon Web Services. Retrieved from https://aws.amazon.com/premiumsupport/plans/.
Reference Detail: On the "Compare AWS Support plans" feature comparison table, the row "Concierge Support Team" has a checkmark only for the "Enterprise On-Ramp" and "Enterprise" plans. The description for this feature states, "The Concierge Support team are AWS billing and account experts that specialize in working with enterprise accounts."
2. AWS Whitepapers & Guides. (2023, September). AWS Support User Guide. Amazon Web Services.
Reference Detail: In the section "AWS Support plans," the description for the Enterprise plan explicitly mentions the Concierge Team as a key feature for handling billing and account inquiries. It is not listed as a feature for Basic, Developer, or Business plans.
Question 2
A. AWS Lambda is a serverless compute service that runs code in response to events. It is a component of serverless applications, not a tool to visually design them.
B. AWS Batch is a fully managed service for running large-scale batch computing jobs. It is not used for designing interactive or event-driven serverless applications.
D. AWS App Runner is a managed service for quickly deploying containerized web applications and APIs. It simplifies deployment but is not a visual design or composition tool.
1. AWS Application Composer Developer Guide: "AWS Application Composer is a visual builder that you can use to design and build serverless applications from multiple AWS services. With Application Composer, you can drag and drop AWS services onto a visual canvas to create your application architecture." (Source: AWS Application Composer Developer Guide, "What is AWS Application Composer?", Introduction section).
2. AWS Lambda Developer Guide: "AWS Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources..." (Source: AWS Lambda Developer Guide, "What is AWS Lambda?", Introduction section).
3. AWS Batch User Guide: "AWS Batch enables you to run batch computing workloads on the AWS Cloud. Batch computing is a common way for developers, scientists, and engineers to access large amounts of compute resources." (Source: AWS Batch User Guide, "What is AWS Batch?", Introduction section).
4. AWS App Runner Developer Guide: "AWS App Runner is an AWS service that provides a fast, simple, and cost-effective way to deploy from source code or a container image directly to a scalable and secure web application." (Source: AWS App Runner Developer Guide, "What is AWS App Runner?", Introduction section).
Question 3
A. AWS Partner Solutions Finder is a directory to locate AWS Partners for consulting or technology services, not a direct software purchasing platform.
B. AWS Support Center is for obtaining technical assistance, managing support cases, and handling billing inquiries, not for procuring software.
C. AWS Management Console is the broad web interface for managing AWS services, whereas AWS Marketplace is the specific service within it for software procurement.
1. AWS Marketplace Documentation. (n.d.). What is AWS Marketplace? AWS. Retrieved from https://docs.aws.amazon.com/marketplace/latest/buyerguide/what-is-marketplace.html. In the introductory paragraph, it states, "AWS Marketplace is a curated digital catalog that you can use to find, buy, deploy, and manage third-party software, data, and services that you need to build solutions and run your businesses."
2. AWS Marketplace Documentation. (n.d.). Finding products. AWS Marketplace Buyer Guide. Retrieved from https://docs.aws.amazon.com/marketplace/latest/buyerguide/finding-products.html. This section details how customers can search for and discover software from independent software vendors.
3. AWS Partner Network Documentation. (n.d.). Find an AWS Partner. AWS. Retrieved from https://aws.amazon.com/partners/find/. This source describes the tool's function as helping customers find partners for specific business needs, which is distinct from a software marketplace.
Question 4
A. Managing and encrypting application data is a customer responsibility. AWS provides the tools, but the customer implements and manages data security.
B. The customer is responsible for the guest operating system, including applying security patches and updates.
D. Configuring security groups, which act as a virtual firewall for instances, is a fundamental customer security responsibility.
1. AWS Documentation, "Shared Responsibility Model": This official page clearly outlines the division of responsibilities. The diagram under the "Shared Responsibility Model" section shows that AWS is responsible for the "Hardware" and "Software" of the "AWS Global Infrastructure," while the customer is responsible for "Operating system, network & firewall configuration" and "Client-side data encryption." This directly supports that AWS manages infrastructure devices (C) and the customer manages the other options (A, B, D).
Source: AWS Documentation, https://aws.amazon.com/compliance/shared-responsibility-model/
2. AWS Whitepaper, "AWS Security Pillar - AWS Well-Architected Framework": This whitepaper details the shared responsibility model. In the section "Shared Responsibility Model," it states, "AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services." This confirms that infrastructure device configuration (C) is an AWS responsibility.
Source: AWS Well-Architected Framework, Security Pillar, Page 5, "Shared Responsibility Model" section.
3. Cornell University, CS 5412: Cloud Computing, Lecture 2: University courseware often clarifies these concepts. Materials for cloud computing courses explain that for IaaS (like EC2), the cloud provider (AWS) manages the physical layers up to the hypervisor. The user manages everything from the guest OS upwards. This aligns with AWS being responsible for the underlying infrastructure devices.
Source: Cornell University, Department of Computer Science, Course materials for CS 5412. (General reference to common academic curriculum on IaaS models).
Question 5
A. How quickly an Amazon EC2 instance can be restarted relates to the availability and operational performance of a single resource, not the system's ability to scale capacity.
C. The maximum amount of RAM an Amazon EC2 instance can use is a static hardware specification of an instance type, not a dynamic characteristic of the cloud environment.
D. The pay-as-you-go billing model is a financial benefit enabled by elasticity, but it is not the definition of elasticity itself. Elasticity is the technical capability.
1. AWS Whitepaper, "Overview of Amazon Web Services" (July 2023): In the section "Six advantages of cloud computing," it states, "With cloud computing, you don't have to provision resources up front to handle peak levels of business activity in the future. Instead, you provision the amount of resources that you actually need. You can scale these resources up or down to instantly grow and shrink capacity as your business needs change. This is known as elasticity." (p. 4). This directly supports options B and E.
2. AWS Well-Architected Framework, "Performance Efficiency Pillar" (July 2023): Under the principle "Democratize advanced technologies," it explains, "In the cloud, you can provision the amount of resources that you actually need... You can easily scale your resources up or down to meet demand without long delays or lead times." (p. 6). This highlights the ease of procurement (E) and scaling to meet demand (B).
3. AWS Cloud Practitioner Essentials, Digital Training: The module on "Cloud Concepts Overview" defines elasticity as the ability to "acquire resources as you need them and release resources when you no longer need them." This concept directly maps to procuring resources when needed (E) and rightsizing as demand shifts (B).
Question 6
A. PostgreSQL on Amazon EC2: This option has the highest management overhead, as the user is responsible for all database administration, patching, and backups.
B. Amazon RDS for PostgreSQL: While a managed service, it requires provisioning a specific instance size that runs continuously, which is not cost-effective or optimal for infrequent use.
C. Amazon Aurora PostgreSQL-Compatible Edition: This is a provisioned service. It requires manual capacity management and runs 24/7, incurring higher costs and management effort for an infrequent workload compared to the serverless version.
1. Amazon Aurora User Guide, "Amazon Aurora Serverless v2": "Aurora Serverless v2 is ideal for a broad set of applications. For example, it's well-suited for applications that have infrequent or unpredictable workloads... With Aurora Serverless v2, you don't have to provision, scale, and manage any database servers." This directly supports the choice for infrequent workloads and least management overhead.
2. AWS Documentation, "Databases on AWS": This page outlines the spectrum of database services. It positions self-managed databases on Amazon EC2 as requiring the most customer management, while managed services like Amazon RDS and Amazon Aurora reduce that burden. Aurora Serverless is presented as the option that further minimizes management by automating scaling and capacity.
3. AWS Documentation, "Amazon RDS features": Under "Easy to Manage," the documentation states that RDS "reduces your administrative burden," but it still involves provisioning and managing DB instances. This contrasts with Aurora Serverless, which automates this process entirely.
4. AWS Documentation, "Best practices for running PostgreSQL on Amazon EC2": This guide details the user's responsibilities, including "installing and maintaining the PostgreSQL software," "configuring high availability and disaster recovery," and "managing backups." This confirms it is the highest-overhead option.
Question 7
A. Classify data: Data classification is always the customer's responsibility, as they own the data and understand its sensitivity.
B. Configure access permissions: The customer is responsible for defining and configuring who can access their DynamoDB tables using AWS IAM policies and roles.
C. Manage encryption options: The customer is responsible for choosing and configuring encryption settings for their data, such as selecting AWS owned, AWS managed, or customer managed keys.
1. AWS Shared Responsibility Model Documentation: AWS is responsible for the "Software" components of its managed services, which includes the underlying systems for services like DynamoDB, and the "Hardware/AWS Global Infrastructure," which includes the physical servers and networking. The customer is responsible for "Customer Data" and "Identity & Access Management."
Source: AWS Compliance, "AWS Shared Responsibility Model." (aws.amazon.com/compliance/shared-responsibility-model/)
2. Amazon DynamoDB Developer Guide: The documentation explicitly states, "AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud... You are responsible for maintaining control over your data that is hosted on this infrastructure. This includes the security configuration controls you use for your DynamoDB resources." This confirms that infrastructure (E) is an AWS responsibility, while configuration (B, C) and data management (A) are customer responsibilities.
Source: AWS Documentation, "Security in Amazon DynamoDB," Shared Responsibility Model section. (docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html)
3. University Courseware: Reputable university courses on cloud computing reinforce this model. For instance, course materials often illustrate that for "abstracted services" like DynamoDB, AWS manages the infrastructure, OS, and platform, while the user manages access control and their data.
Source: Patterson, D. A., & Armbrust, M. (2017). CS 61C: Great Ideas in Computer Architecture (Machine Structures), Lecture 26: Cloud Computing. University of California, Berkeley. Slide 33, "AWS Shared Responsibility Model."
Question 8
A. Amazon EC2 provides scalable virtual server compute capacity in the cloud. It is used to run the application, not to perform DNS routing.
B. Amazon VPC provides a logically isolated section of the AWS Cloud. It is a foundational networking service, not a public DNS service for routing users.
D. Amazon RDS is a managed service for relational databases. It is used for storing and managing application data, not for directing user traffic.
1. Amazon Route 53 Documentation: "Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking."
Source: AWS Documentation, "What is Amazon Route 53?", Section: "Route 53 as a DNS service".
2. Overview of Amazon Web Services Whitepaper: "Amazon Route 53 provides a highly available and scalable Domain Name System (DNS)... It effectively connects user requests to infrastructure running in AWS, such as Amazon EC2 instances..., as well as to infrastructure outside of AWS."
Source: AWS Whitepapers, "Overview of Amazon Web Services", August 2022, Page 31.
3. Amazon EC2 Documentation: "Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster."
Source: AWS Documentation, "What is Amazon EC2?".
4. Amazon VPC Documentation: "Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center..."
Source: AWS Documentation, "What is Amazon VPC?".
Question 9
A. Physical connectivity among Availability Zones is part of the AWS Global Infrastructure, which AWS manages and maintains.
B. Network switch maintenance is a component of the physical data center infrastructure, for which AWS is solely responsible.
C. Hardware updates and firmware patches for the underlying physical servers are managed by AWS as part of their responsibility for the cloud infrastructure.
1. AWS Documentation, "Shared Responsibility Model": The official documentation clearly outlines the division of responsibilities. For IaaS services like Amazon EC2, the model shows that the customer is responsible for the "Guest Operating System (including updates and security patches)". AWS's responsibility ends at the hypervisor level.
Source: AWS Documentation, Shared Responsibility Model, aws.amazon.com/compliance/shared-responsibility-model/.
2. AWS Well-Architected Framework, Security Pillar (July 2023): This whitepaper reinforces the model. In the section "Understanding the shared responsibility model," it states, "For IaaS services, such as Amazon EC2, AWS manages the infrastructure... You are responsible for the guest operating system (including security patches and updates), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance."
Source: AWS Whitepaper, AWS Well-Architected Framework, Security Pillar, Page 6.
3. Amazon EC2 User Guide for Linux Instances, "Security and network concepts in Amazon EC2": The user guide specifies the customer's role in securing their instances. It states, "You are responsible for the security of your instances, including patching and maintaining the operating systems and applications, configuring the operating system firewall, and configuring the security groups and network ACLs."
Source: AWS Documentation, Amazon EC2 User Guide for Linux Instances, docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-concepts.html.
Question 10
B. VPC peering is used to connect two Amazon VPCs together, not an on-premises data center to the AWS Cloud.
C. AWS VPN establishes a secure connection over the public internet using IPsec tunnels, not a dedicated, private physical connection.
D. Amazon Route 53 is a scalable Domain Name System (DNS) web service used for domain registration and routing traffic to resources, not for establishing network connectivity.
1. AWS Direct Connect User Guide. (2023). What is AWS Direct Connect? Amazon Web Services. "AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS."
2. AWS Site-to-Site VPN User Guide. (2023). What is AWS Site-to-Site VPN? Amazon Web Services. "AWS Site-to-Site VPN creates a secure connection between your data center or branch office and your AWS resources." This guide clarifies that the connection is made via IPsec tunnels over the internet.
3. Amazon VPC Peering Guide. (2023). What is VPC peering? Amazon Web Services. "A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately."
4. Amazon Route 53 Developer Guide. (2023). What is Amazon Route 53? Amazon Web Services. "Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service."
Question 11
A. Observability is a capability of the Platform Perspective, focusing on monitoring workloads to inform business outcomes.
B. Incident and problem management is a capability of the Operations Perspective, concerned with managing operational events and restoring normal service.
E. Availability and continuity is a focus area within the Operations Perspective, ensuring services are resilient and available.
1. AWS Prescriptive Guidance. (2024). The Security perspective. AWS Cloud Adoption Framework. Retrieved from https://docs.aws.amazon.com/whitepapers/latest/aws-cloud-adoption-framework/the-security-perspective.html
This document explicitly lists "Infrastructure protection" and "Incident response" as two of the five core capabilities of the Security Perspective.
2. AWS Prescriptive Guidance. (2024). The Operations perspective. AWS Cloud Adoption Framework. Retrieved from https://docs.aws.amazon.com/whitepapers/latest/aws-cloud-adoption-framework/the-operations-perspective.html
This source identifies "Incident and problem management" as a capability of the Operations Perspective.
3. AWS Prescriptive Guidance. (2024). The Platform perspective. AWS Cloud Adoption Framework. Retrieved from https://docs.aws.amazon.com/whitepapers/latest/aws-cloud-adoption-framework/the-platform-perspective.html
This document lists "Observability" as a capability within the Platform Perspective.
Question 12
B. AWS IAM Identity Center (AWS Single Sign-On): This service centralizes single sign-on (SSO) access to multiple AWS accounts and applications; it does not generate detailed credential status reports for individual IAM users.
C. AWS Identity and Access Management Access Analyzer: This tool analyzes resource-based policies to identify resources shared with external entities. It does not report on the status of IAM user credentials like passwords or MFA.
D. AWS Cost and Usage Report: This is a billing and cost management tool that provides detailed data on AWS service usage and associated costs, not information about IAM user credentials.
1. AWS IAM User Guide: "Getting a credential report for your AWS account." This official documentation states, "The credential report lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and MFA devices."
2. AWS IAM User Guide: "What is IAM Access Analyzer?" This guide explains that IAM Access Analyzer "helps you identify the resources in your organization and accounts... that are shared with an external entity." This confirms it does not audit user credentials.
3. AWS IAM Identity Center User Guide: "What is AWS IAM Identity Center?" The documentation describes it as the service to "centrally manage workforce access to multiple AWS accounts and applications." This highlights its focus on SSO, not credential reporting.
4. AWS Cost and Usage Reports User Guide: "What are AWS Cost and Usage Reports?" The guide defines the service as providing "the most comprehensive set of AWS cost and usage data available," confirming its purpose is financial, not security auditing of credentials.
Question 13
A. "Go global in minutes" is a design principle of the Performance Efficiency pillar, which focuses on using computing resources efficiently to meet system requirements.
C. "Implement a strong foundation of identity and access management" is a core design principle of the Security pillar, which emphasizes protecting information, systems, and assets.
D. "Stop spending money on hardware infrastructure for data center operations" relates to the Cost Optimization pillar, which focuses on avoiding unneeded costs.
1. AWS Well-Architected Framework Whitepaper (July 2023). AWS.
Correct Answer B: Page 21, "Operational Excellence Pillar," under the "Design Principles" section, lists "Make frequent, small, reversible changes."
Incorrect Option A: Page 39, "Performance Efficiency Pillar," under the "Design Principles" section, lists "Go global in minutes."
Incorrect Option C: Page 27, "Security Pillar," under the "Design Principles" section, lists "Implement a strong identity foundation."
Incorrect Option D: Page 45, "Cost Optimization Pillar," under the "Design Principles" section, lists "Stop spending money on undifferentiated heavy lifting," which is the principle behind this statement.
Question 14
A. Amazon Elastic Block Store (Amazon EBS) is a persistent block storage service. Data on an EBS volume persists independently of the instance's lifecycle, even when the instance is stopped.
C. Amazon Elastic File System (Amazon EFS) is a persistent, scalable file storage service. It is designed to be accessed by multiple EC2 instances and is not tied to any single instance's lifecycle.
D. Amazon S3 is a highly durable, persistent object storage service. Data is stored independently of any compute resources like EC2 instances and remains until explicitly deleted.
1. Amazon EC2 User Guide for Linux Instances: "An instance store provides temporary block-level storage for your instance... The data on an instance store volume persists only during the life of the instance. If you stop, hibernate, or terminate an instance, any data on instance store volumes is lost." (Section: "Storage", Subsection: "Amazon EC2 instance store").
2. Amazon EBS User Guide: "Amazon EBS provides persistent block-level storage volumes for use with Amazon EC2 instances. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability." (Section: "Amazon EBS volumes").
3. Amazon EFS User Guide: "Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system... It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, so you don't need to manage storage." (Section: "What is Amazon Elastic File System?").
4. Amazon S3 User Guide: "Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance... Amazon S3 is designed for 99.999999999% (11 9's) of durability, and stores data for millions of applications for companies all around the world." (Section: "What is Amazon S3?").
Question 15
A. An on-premises model exclusively uses private infrastructure. Outposts is an extension of the public AWS cloud, managed by AWS, making the model inherently hybrid.
B. Serverless is an operational model for building applications without managing underlying servers. It is not an infrastructure deployment model like cloud, on-premises, or hybrid.
C. Cloud-native is an architectural approach for designing applications to leverage cloud services. It does not define the physical location or ownership model of the infrastructure.
1. AWS Documentation, "What is AWS Outposts?". AWS Outposts User Guide. Retrieved from https://docs.aws.amazon.com/outposts/latest/userguide/what-is-outposts.html. The first paragraph states, "AWS Outposts is a fully managed service that... [provides] a truly consistent hybrid experience."
2. AWS Official Product Page, "AWS Outposts". Retrieved from https://aws.amazon.com/outposts/. The main heading describes Outposts as a solution for a "truly consistent hybrid experience."
3. AWS Whitepaper, "Hybrid Cloud with AWS". (July 2021). Page 10, Section: "AWS Outposts". The section describes how Outposts extends AWS infrastructure to customer premises, which is the core of a hybrid strategy.
Question 16
A. Amazon DynamoDB is a fully managed NoSQL database service. It does not manage or scale Amazon EC2 compute instances.
B. Amazon EC2 Spot Instances are a pricing model for obtaining spare EC2 capacity at a discount, not a service that automates scaling based on workload.
C. AWS Snow Family is a collection of physical devices used for migrating large amounts of data into and out of AWS, unrelated to compute scaling.
1. Amazon EC2 Auto Scaling User Guide. (n.d.). AWS Documentation. In "What is Amazon EC2 Auto Scaling?", the service is defined: "Amazon EC2 Auto Scaling helps you maintain application availability and allows you to automatically add or remove EC2 instances according to conditions you define."
2. Amazon EC2 Auto Scaling. (n.d.). AWS Product Page. The page states, "Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application."
3. Amazon DynamoDB. (n.d.). AWS Product Page. This service is described as a "fast and flexible NoSQL database service for any scale," confirming it is a database, not a compute scaling service.
4. Amazon EC2 Spot Instances. (n.d.). AWS Product Page. This page describes Spot Instances as a way to "take advantage of unused EC2 capacity in the AWS cloud" at a discount, identifying it as a pricing option.
5. AWS Snow Family. (n.d.). AWS Product Page. The service is defined as providing "edge computing, data migration, and edge storage devices," confirming its purpose is unrelated to dynamic EC2 instance scaling.
Question 17
A. AWS Organizations is a service for central governance and management of multiple AWS accounts, not for provisioning user desktops.
B. AWS Fargate is a serverless compute engine for containers. It is used to run applications, not to provide interactive desktop environments for end-users.
C. AWS WAF (Web Application Firewall) is a security service that protects web applications from common web exploits, and it is not used for desktop provisioning.
1. Amazon WorkSpaces Documentation: "Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe."
Source: AWS Documentation, "What Is Amazon WorkSpaces?", Section: "What Is Amazon WorkSpaces?".
2. AWS Organizations Documentation: "AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources..."
Source: AWS Documentation, "What is AWS Organizations?", Section: "AWS Organizations".
3. AWS Fargate Documentation: "AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers."
Source: AWS Documentation, "What is AWS Fargate?", Section: "AWS Fargate".
4. AWS WAF Documentation: "AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that can affect availability, compromise security, or consume excessive resources."
Source: AWS Documentation, "What is AWS WAF?", Section: "AWS WAF".
Question 18
B. AWS Trusted Advisor: This service provides recommendations to optimize your AWS environment across cost, performance, security, and fault tolerance, but it does not aggregate findings from other security services.
C. Amazon EventBridge: This is a serverless event bus service used for routing events between AWS services, custom applications, and SaaS applications. It is not a security-specific aggregation or posture management service.
D. Amazon GuardDuty: This is a threat detection service that generates its own security findings based on monitoring network and account activity. It is a source of findings for Security Hub, not an aggregator of them.
1. AWS Security Hub Documentation, "What is AWS Security Hub?": "AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation... Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends..."
Source: AWS Documentation. AWS Security Hub User Guide. Retrieved from https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html
2. AWS Security Hub Documentation, "AWS Security Finding Format (ASFF)": "AWS Security Hub consumes, aggregates, and analyzes findings from various AWS services... and from third-party partner products. Security Hub normalizes the findings from all of these providers into a standard JSON format called the AWS Security Finding Format (ASFF)."
Source: AWS Documentation. AWS Security Hub User Guide. Retrieved from https://docs.aws.amazon.com/securityhub/latest/userguide/asff-what-is.html
3. AWS Trusted Advisor Documentation, "How AWS Trusted Advisor works": "Trusted Advisor inspects your AWS environment and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps."
Source: AWS Documentation. AWS Trusted Advisor User Guide. Retrieved from https://docs.aws.amazon.com/awssupport/latest/user/how-trusted-advisor-works.html
4. Amazon GuardDuty Documentation, "What is Amazon GuardDuty?": "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation."
Source: AWS Documentation. Amazon GuardDuty User Guide. Retrieved from https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
Question 19
A. Amazon WorkSpaces is a managed Desktop-as-a-Service (DaaS) solution for end users and is not used for building application architectures.
C. Amazon Connect is a cloud contact center service. It is a business application, not a foundational service for decoupling system components.
D. AWS Trusted Advisor is an advisory tool that provides recommendations on best practices; it does not implement architectural patterns.
1. AWS Well-Architected Framework, Reliability Pillar (July 2023): Page 29, under "Decouple components," states, "Services such as Amazon SQS and Amazon SNS are used to decouple components." This directly supports the use of SQS for loose coupling.
2. Amazon SQS Developer Guide: In the "What is Amazon SQS?" section, it states, "You can use queues to decouple heavyweight processes and to buffer and batch work... By decoupling your components, you can run and fail them independently, which increases the overall fault tolerance of your system."
3. AWS Step Functions Developer Guide: In the "What is AWS Step Functions?" section, it describes the service as a "serverless orchestration service that lets you combine AWS Lambda functions and other AWS services to build business-critical applications." This orchestration decouples the individual steps from the overall workflow logic.
4. AWS Documentation - What Is Amazon WorkSpaces?: The introductory paragraph defines Amazon WorkSpaces as "a managed, secure Desktop-as-a-Service (DaaS) solution," confirming it is an end-user computing service.
Question 20
A. AWS Outposts is an extension of AWS infrastructure to an on-premises location and requires a stable, high-bandwidth network connection back to an AWS Region.
B. AWS Transfer Family provides managed file transfer endpoints over network protocols (SFTP, FTPS, FTP and AS2). Whether the endpoint is internet-facing or VPC-internal, a working network path from the source is still required, so it cannot move data out of a site that has no usable connectivity.
D. AWS Migration Hub is a service for planning and tracking the progress of application migrations; it does not provide the physical means for data collection or transfer.
1. AWS Snow Family Documentation, "What Is the AWS Snow Family?": "The AWS Snow Family helps customers that need to run operations in austere, non-data center environments, and in locations where there's a lack of consistent network connectivity... You can use these services to locally and cost-effectively access the storage and compute power of the AWS Cloud in places where connecting to the internet might not be an option."
2. AWS Snow Family Documentation, "Common use cases": Under the "Data migration" section, it states, "You can use the Snow Family to move large amounts of data from on-premises storage platforms and servers to Amazon S3." This includes scenarios where network transfer is not feasible.
3. AWS Outposts Documentation, "AWS Outposts FAQs": "Outposts is connected to the nearest AWS Region through the AWS Outposts service link... This connection is required for normal Outposts operations." This confirms the need for persistent connectivity.
4. AWS Transfer Family Documentation, "How AWS Transfer Family works": The service architecture diagrams clearly show that clients connect to a Transfer Family server endpoint over the internet to transfer files to Amazon S3 or Amazon EFS, confirming its reliance on network connectivity.
Question 21
A. Placement groups are an Amazon EC2 feature used to influence the physical placement of instances to optimize for high performance or high availability, not for billing separation.
C. Edge locations are part of the AWS global infrastructure used by services like Amazon CloudFront to cache content closer to users, which is unrelated to workload or cost separation.
D. AWS Config is a service for auditing and evaluating resource configurations for compliance and governance, not for separating workloads or managing billing.
1. AWS Organizations User Guide: "Consolidated billing is a feature of AWS Organizations. You can use it to consolidate payment for multiple AWS accounts... You can see a combined view of AWS charges incurred by all of your accounts, and you can get a cost report for each individual account." (Source: AWS Organizations User Guide, "Consolidated billing" section).
2. AWS Whitepaper, "Organizing your AWS Environment Using Multiple Accounts" (July 2023): "Separate accounts per department, business unit, or project can simplify the process of allocating AWS costs to the respective cost centers... AWS Organizations helps you to centrally govern your environment as you grow and scale your workloads on AWS. You can use AWS Organizations to centrally manage billing..." (p. 5, "Benefits of Using a Multi-Account Strategy").
3. AWS Billing and Cost Management User Guide: "If you use the consolidated billing feature in AWS Organizations, you can view the charges for both the management account and all the member accounts. The management account is billed for all the charges of the member accounts." (Source: AWS Billing and Cost Management User Guide, "Managing an account with AWS Organizations" section).
Question 22
A. Contacting the AWS Compliance team is not the standard procedure for obtaining routine reports; AWS Artifact provides a direct, self-service solution.
C. Opening a case with AWS Support is intended for technical troubleshooting and operational issues, not for retrieving compliance documentation.
D. Amazon Macie is a data security service that discovers and protects sensitive data within a customer's S3 buckets; it does not generate AWS's corporate compliance reports.
1. AWS Artifact User Guide. (2023). What is AWS Artifact? AWS Documentation. "AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS's security and compliance reports and select online agreements."
2. AWS Compliance. (n.d.). AWS Compliance Programs. AWS Documentation. The page frequently directs users to AWS Artifact as the source for obtaining reports related to specific compliance standards like SOC, PCI DSS, and ISO.
3. Amazon Macie User Guide. (2023). What is Amazon Macie? AWS Documentation. "Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching..." This confirms its purpose is data discovery, not providing AWS compliance reports.
4. AWS Support. (n.d.). Compare AWS Support Plans. AWS Documentation. The service description outlines its function as providing technical assistance and expertise, which does not include the distribution of compliance reports.
Question 23
B. AWS CLI: This is a unified command-line tool for interacting with AWS services, not a web interface.
C. AWS SDK: These are software development kits that enable programmatic access to AWS services from within applications, not a direct web management interface.
D. AWS Cloud: This is the overarching term for the entire platform and its services, not a specific management tool.
1. AWS Documentation, "What is the AWS Management Console?": "The AWS Management Console is a web application for managing Amazon Web Services." This document explicitly defines the console as the web-based tool for AWS management. (Source: AWS Management Console Getting Started Guide).
2. AWS Whitepapers, "Overview of Amazon Web Services," Section: "Accessing AWS": This official whitepaper describes the three primary ways to interact with AWS. It states, "You can access AWS services in three ways: through the AWS Management Console, through the Command Line Interface (CLI), or by using Software Development Kits (SDKs)." It defines the console as "a simple and intuitive web-based user interface." (p. 10).
3. AWS Cloud Practitioner Essentials (Official AWS Training): Module 2, "Cloud Concepts Overview," consistently presents the AWS Management Console as the primary web-based interface for managing AWS services, contrasting it with programmatic access via the CLI and SDKs.
Question 24
A. Amazon Elastic File System (Amazon EFS): This service provides a managed file system for Linux-based workloads and uses the Network File System (NFS) protocol, not SMB natively.
B. Amazon FSx for Lustre: This is a high-performance file system designed for compute-intensive workloads like high-performance computing (HPC) and machine learning, not for general-purpose Windows file sharing.
D. Amazon Elastic Block Store (Amazon EBS): EBS provides block-level storage volumes that attach to an EC2 instance in the same Availability Zone (normally one instance at a time; Multi-Attach is limited to io1/io2 volumes). It is a disk for an instance, not a managed, shared SMB file server.
1. Amazon FSx for Windows File Server Documentation: "Amazon FSx for Windows File Server provides fully managed, highly reliable, and scalable file storage that is accessible over the industry-standard Server Message Block (SMB) protocol. It is built on Windows Server, delivering a wide range of administrative features such as user quotas, end-user file restore, and Microsoft Active Directory (AD) integration."
Source: AWS Documentation, What is Amazon FSx for Windows File Server?, Document History section.
2. Amazon EFS User Guide: "Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources."
Source: AWS Documentation, Amazon EFS User Guide, "What is Amazon Elastic File System?", Introduction.
3. Amazon FSx for Lustre Documentation: "Amazon FSx for Lustre is a fully managed service that provides cost-effective, high-performance, scalable storage for compute workloads... FSx for Lustre is ideal for high-performance computing (HPC), machine learning, and media data processing workflows."
Source: AWS Documentation, Amazon FSx for Lustre, "What is Amazon FSx for Lustre?".
4. Amazon EBS User Guide: "Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, high-performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput and transaction intensive workloads at any scale."
Source: AWS Documentation, Amazon EBS User Guide, "Amazon Elastic Block Store (Amazon EBS)".
Question 25
B. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. Shield Standard mitigates network and transport layer (Layer 3/4) volumetric attacks, and Shield Advanced adds detection and mitigation of application-layer (Layer 7) DDoS floods, but neither inspects request content for exploits such as SQL injection or cross-site scripting; that is what AWS WAF rules do.
C. Network ACLs are stateless firewalls that operate at the subnet level. They filter traffic based on IP address, protocol, and port number, but cannot inspect the content of the traffic for malicious code.
D. Security groups are stateful firewalls that operate at the instance level. Like Network ACLs, they control traffic based on IP, protocol, and port, and do not perform application-layer inspection.
1. AWS WAF Developer Guide: In the "What is AWS WAF?" section, the documentation states, "AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources... Based on the conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, you can allow or block web requests... you can protect your web applications from common web exploits, like SQL injection and cross-site scripting (XSS)."
Source: AWS WAF Developer Guide, "What is AWS WAF?", Document History, Page 1.
2. AWS Documentation - Security groups for your VPC: The documentation explains, "A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic." It details rules based on protocol, port range, and source/destination, with no mention of application content inspection.
Source: Amazon VPC User Guide, "Control traffic to resources using security groups", Document History, Page 203.
3. AWS Documentation - Network ACLs: The documentation states, "A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets." The rules are based on protocol, port range, and IP address.
Source: Amazon VPC User Guide, "Control traffic to subnets using network ACLs", Document History, Page 223.
4. AWS Documentation - AWS Shield: The official product page states, "AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards applications running on AWS." This confirms its primary purpose is DDoS mitigation.
Source: AWS Shield Features, "How AWS Shield works".
Question 26
A. Amazon Elastic File System (Amazon EFS) is a managed network file system for use with AWS cloud services and on-premises resources. It does not provide a virtual tape library interface.
B. Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with Amazon EC2 instances. It is not designed to integrate with on-premises backup tape libraries.
C. Amazon S3 is an object storage service that provides the destination for the virtual tapes. However, AWS Storage Gateway is the service that provides the necessary VTL interface and integration.
1. AWS Storage Gateway User Guide: "Tape Gateway: A tape gateway provides your on-premises backup application with a virtual tape library (VTL)... You can continue to use your existing backup applications and workflows while writing to a virtually unlimited collection of virtual tapes."
Source: AWS Storage Gateway User Guide, "What is AWS Storage Gateway?", "How Storage Gateway works" section.
2. AWS Storage Gateway Product Page: "Tape Gateway replaces physical tapes on premises with virtual tapes in AWS without changing backup workflows. It supports all leading backup applications and caches virtual tapes on premises for low-latency data access."
Source: AWS Storage Gateway official product page, "Use cases" section, under "Backup and recovery".
3. AWS Documentation - What is Tape Gateway?: "By deploying a Tape Gateway, you can have a limitless collection of virtual tapes. Each virtual tape is stored in Amazon Simple Storage Service (Amazon S3). When you no longer need immediate or frequent access to data on a virtual tape, you can have your backup application archive it from your VTL to Amazon S3 Glacier or Amazon S3 Glacier Deep Archive."
Source: AWS Storage Gateway User Guide, "Managing Your Gateway", "Managing Your Tapes", "What is Tape Gateway?" section.
Question 27
A. Running MySQL on Amazon ECS requires the user to manage the database software, including its configuration for resiliency and replication, within the container.
B. Running MySQL on Amazon EC2 is an unmanaged approach, making the user responsible for all administrative tasks, including hardware, OS, and database management.
D. Amazon ElastiCache for Redis is a managed in-memory NoSQL data store, not a relational database, and therefore does not meet the core requirement.
1. Amazon RDS User Guide: In the section "What is Amazon RDS?", the documentation states, "Amazon RDS is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks."
2. Amazon RDS FAQs: Under the question "What does Amazon RDS manage on my behalf?", the documentation lists: "server maintenance, and software or OS patching... automated backups... high availability through Multi-AZ deployments." This confirms that RDS handles the specific tasks the user wants to avoid.
3. AWS Documentation - Databases on AWS: This overview document contrasts different database options. It positions Amazon RDS as the primary managed service for relational databases, while running a database on Amazon EC2 is presented as the option for customers who require more control and are willing to take on the management responsibilities. (See the section "Relational" for service descriptions).
Question 28
A. AWS Fargate is a serverless compute engine for containers that operates within AWS Regions and Availability Zones, not at global edge locations.
D. AWS Wavelength embeds AWS services within 5G networks. While a form of edge computing, it is distinct from the global edge location network used by CloudFront.
E. Amazon VPC is a regional service that provides a logically isolated section of the AWS Cloud; it does not operate at the global edge.
1. AWS. (n.d.). Global Infrastructure. AWS. Retrieved from https://aws.amazon.com/about-aws/global-infrastructure/. In the "AWS Global Edge Network" section, it explicitly states, "The AWS Global Edge Network is a network of secure data centers... This global network currently supports Amazon CloudFront, AWS Global Accelerator..."
2. Amazon Web Services. (2023). What Is Amazon CloudFront? - Amazon CloudFront Developer Guide. Retrieved from https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html. The introduction states, "Amazon CloudFront is a content delivery network (CDN) service... It delivers your content through a worldwide network of data centers called edge locations."
3. Amazon Web Services. (2024). What is AWS Global Accelerator? - AWS Global Accelerator Developer Guide. Retrieved from https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html. The documentation explains, "AWS Global Accelerator uses the vast, congestion-free AWS global network to route TCP and UDP traffic to a healthy application endpoint in the closest AWS Region to the user. It uses a global network of edge locations..."
4. Amazon Web Services. (2024). What is Amazon Virtual Private Cloud? - Amazon VPC User Guide. Retrieved from https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html. The guide specifies, "A virtual private cloud (VPC) is a virtual network... that spans all of the Availability Zones in the Region." This confirms its regional scope.
Question 29
A. Amazon SQS is a message queuing service used to decouple application components; it does not monitor metrics like CPU utilization to initiate scaling actions.
B. Amazon SNS is a publish/subscribe notification service. While it can be a target for a CloudWatch alarm, it does not itself monitor metrics or trigger scaling.
C. AWS Systems Manager is an operational management service for tasks like patching and configuration management, not for triggering scaling based on performance metrics.
1. Amazon EC2 Auto Scaling User Guide: In the section "Dynamic scaling for Amazon EC2 Auto Scaling," it states, "To configure dynamic scaling, you create a scaling policy that tells Amazon EC2 Auto Scaling what to do when the load on your application changes. The scaling policy uses Amazon CloudWatch alarms to monitor a metric for your Auto Scaling group."
2. Amazon CloudWatch User Guide: Under the topic "Using Amazon CloudWatch alarms," the documentation lists available alarm actions. It explicitly states, "You can create an alarm that automatically initiates an action for an Amazon EC2 instance or an Amazon EC2 Auto Scaling group."
3. AWS Well-Architected Framework - Performance Efficiency Pillar (Whitepaper): In the section "Select the best performing architecture," the principle "Use data to identify the key performance indicators (KPIs) for your workload, and configure metrics, monitoring, and alarms based on these KPIs. Use these alarms to trigger automated actions to scale your resources" is described. This directly links monitoring and alarms (CloudWatch) to automated scaling (Auto Scaling). (Page 13, "Use data to identify performance indicators").
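To make the alarm-to-scaling loop in Question 29 concrete, the following is an added illustration written for this page, not CloudWatch or Auto Scaling code. It is a toy simulator of the behaviour the references describe: an alarm that enters ALARM when M of the last N datapoints breach a threshold, alarm actions that fire only on a state transition, and a simple scaling policy clamped to the group's size bounds with a cooldown. The CPU series, threshold and group sizes are constructed for the demo; the simplification that the alarm has no INSUFFICIENT_DATA state is also an assumption of the model.

```python
"""Simplified model of the CloudWatch alarm -> EC2 Auto Scaling loop.

Added illustration: a toy simulator, not CloudWatch or Auto Scaling code.
The CPU series, threshold and group sizes are constructed for the demo.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple


@dataclass
class Alarm:
    """M-of-N alarm: ALARM when datapoints_to_alarm of the last
    evaluation_periods datapoints breach the threshold."""
    threshold: float
    evaluation_periods: int
    datapoints_to_alarm: int
    state: str = "OK"
    _window: Deque[float] = field(default_factory=deque)

    def observe(self, value: float) -> bool:
        """Feed one period's datapoint. Returns True only on an OK -> ALARM
        transition, because alarm actions fire on transitions, not every period."""
        self._window.append(value)
        if len(self._window) > self.evaluation_periods:
            self._window.popleft()
        breaching = sum(v > self.threshold for v in self._window)
        # Simplification (assumption of this model): no INSUFFICIENT_DATA state,
        # the alarm stays OK until a full window of datapoints exists.
        full = len(self._window) == self.evaluation_periods
        new_state = "ALARM" if full and breaching >= self.datapoints_to_alarm else "OK"
        transitioned = new_state == "ALARM" and self.state != "ALARM"
        self.state = new_state
        return transitioned


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    cooldown_periods: int = 2
    _cooldown_left: int = 0

    def tick(self) -> None:
        """One alarm period passes; the cooldown from the last activity counts down."""
        if self._cooldown_left:
            self._cooldown_left -= 1

    def scale(self, change: int) -> int:
        """Simple scaling policy: ChangeInCapacity, clamped to [min, max],
        ignored while a cooldown from the previous scaling activity is running."""
        if self._cooldown_left:
            return self.desired
        self.desired = max(self.min_size, min(self.max_size, self.desired + change))
        self._cooldown_left = self.cooldown_periods
        return self.desired


def simulate(cpu_series: List[float], alarm: Alarm, asg: AutoScalingGroup,
             adjustment: int) -> List[Tuple[float, str, int]]:
    """One iteration per alarm period; returns (cpu, alarm state, desired capacity)."""
    history = []
    for cpu in cpu_series:
        asg.tick()
        if alarm.observe(cpu):      # only the OK -> ALARM transition triggers the policy
            asg.scale(adjustment)
        history.append((cpu, alarm.state, asg.desired))
    return history


# Constructed average CPU per period: one spike, a sustained burst, a lull, a second burst.
CPU_SERIES = [40, 95, 45, 50, 90, 92, 88, 85, 50, 40, 95, 96, 97, 98]


def run_demo() -> List[Tuple[float, str, int]]:
    alarm = Alarm(threshold=80, evaluation_periods=3, datapoints_to_alarm=3)
    asg = AutoScalingGroup(min_size=2, max_size=5, desired=2)
    return simulate(CPU_SERIES, alarm, asg, adjustment=2)


if __name__ == "__main__":
    for period, (cpu, state, desired) in enumerate(run_demo(), start=1):
        print(f"period {period:2}  cpu={cpu:3}  alarm={state:5}  desired={desired}")
```

Run it and note two things the reference text does not spell out: the single spike in period 2 never scales anything because three consecutive breaching datapoints are required, and the second burst adds only one instance because the group's maximum size clamps the +2 adjustment.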
Question 30
B. Amazon Virtual Private Cloud (Amazon VPC) flow logs: This feature captures metadata about the IP traffic to and from network interfaces (addresses, ports, protocol, bytes, and whether the traffic was accepted or rejected) for monitoring and troubleshooting. It records the decisions that security groups and network ACLs make; it does not make or enforce any itself and cannot block traffic.
D. Amazon CloudWatch: This is a monitoring and observability service that collects metrics, logs, and events. It does not have the capability to block network traffic.
E. AWS CloudTrail: This service records AWS API calls for auditing and governance purposes. It tracks account activity but does not control or block network traffic.
1. AWS Documentation: Security groups for your VPC. "A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic." (AWS, Amazon VPC User Guide, "Security", "Security groups for your VPC" section).
2. AWS Documentation: Network ACLs. "A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets." (AWS, Amazon VPC User Guide, "Security", "Network ACLs" section).
3. AWS Documentation: VPC Flow Logs. "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC." (AWS, Amazon VPC User Guide, "Logging IP traffic using VPC Flow Logs" section).
4. AWS Documentation: What Is AWS CloudTrail? "CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account." (AWS, AWS CloudTrail User Guide, "Overview" section).
5. AWS Documentation: What is Amazon CloudWatch? "Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time." (AWS, Amazon CloudWatch User Guide, "Overview" section).
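Questions 25 and 30 turn on the same distinction: security groups and network ACLs decide on addresses, protocols and ports, and only AWS WAF looks inside an HTTP request. The following is an added illustration written for this page, not AWS code (the real controls are enforced by AWS, not by anything you run on the instance). It models a stateful, allow-only security group, a stateless, ordered network ACL, and a single WAF-style content rule, then shows a SQL injection request passing both port filters and being caught only by the Layer-7 check. The addresses, ports and the SQLi regex are constructed for the demo.

```python
"""Toy model of security groups, network ACLs and a WAF-style rule.

Added illustration only: real security groups, network ACLs and AWS WAF are
enforced by AWS, not by application code. Addresses, ports and the SQLi
pattern below are constructed for the demo.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"

    def flow(self) -> Tuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.protocol)

    def reverse_flow(self) -> Tuple:
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.protocol)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"; security groups only ever hold allow rules
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str        # remote address range the rule applies to

    def matches(self, pkt: Packet, remote_ip: str) -> bool:
        return (self.protocol in ("-1", pkt.protocol)
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Instance-level, stateful, allow-only: reply traffic of an accepted flow
    passes without needing an outbound rule."""
    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self._flows: Set[Tuple] = set()

    def allows(self, pkt: Packet, direction: str) -> bool:
        if pkt.reverse_flow() in self._flows:          # connection tracking
            return True
        rules = self.inbound if direction == "inbound" else self.outbound
        remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        if any(r.action == "allow" and r.matches(pkt, remote) for r in rules):
            self._flows.add(pkt.flow())
            return True
        return False


class NetworkAcl:
    """Subnet-level, stateless, ordered: the lowest-numbered matching rule wins,
    no match means the implicit deny, and replies need their own rule."""
    def __init__(self, inbound: List[Tuple[int, Rule]], outbound: List[Tuple[int, Rule]]):
        self.inbound = sorted(inbound, key=lambda t: t[0])
        self.outbound = sorted(outbound, key=lambda t: t[0])

    def allows(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "inbound" else self.outbound
        remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        for _, rule in rules:
            if rule.matches(pkt, remote):
                return rule.action == "allow"
        return False


# Deliberately small SQLi signature, constructed for the demo; AWS WAF managed
# rule groups are far broader than this one regex.
SQLI = re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+|union\s+select|--|;\s*drop\b")


def waf_allows(request: Dict[str, str]) -> bool:
    """Layer-7 decision over fields that an IP/port filter never sees."""
    return not any(SQLI.search(request.get(k, "")) for k in ("query", "body"))


def demo() -> Dict[str, bool]:
    sg = SecurityGroup(inbound=[Rule("allow", "tcp", 443, 443, "0.0.0.0/0")],
                       outbound=[])                       # empty on purpose
    nacl = NetworkAcl(inbound=[(100, Rule("allow", "tcp", 443, 443, "0.0.0.0/0"))],
                      outbound=[(100, Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0"))])
    nacl_no_ephemeral = NetworkAcl(inbound=nacl.inbound, outbound=[])
    req = Packet("203.0.113.10", 51000, "10.0.1.5", 443)      # client -> web server
    reply = Packet("10.0.1.5", 443, "203.0.113.10", 51000)    # server -> client
    sqli = {"path": "/items", "query": "id=1' OR '1'='1"}
    benign = {"path": "/items", "query": "id=42&sort=asc"}
    return {
        "sg_request": sg.allows(req, "inbound"),
        "sg_reply": sg.allows(reply, "outbound"),                 # stateful: no outbound rule needed
        "nacl_request": nacl.allows(req, "inbound"),
        "nacl_reply": nacl.allows(reply, "outbound"),             # needs the ephemeral-port rule
        "nacl_reply_without_ephemeral_rule": nacl_no_ephemeral.allows(reply, "outbound"),
        "port_filters_pass_sqli": sg.allows(req, "inbound") and nacl.allows(req, "inbound"),
        "waf_blocks_sqli": not waf_allows(sqli),
        "waf_allows_benign": waf_allows(benign),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36} {verdict}")
```

The two results worth remembering for the exam are `nacl_reply_without_ephemeral_rule` (False: a stateless ACL with no outbound ephemeral-port rule silently breaks every TCP reply) and `port_filters_pass_sqli` (True: a request on an allowed port is invisible to both filters no matter what it carries).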
Question 31
A. VPC endpoints enable private connections from a VPC to supported AWS services or to endpoint services exposed through AWS PrivateLink; they publish a single service behind an interface and do not create a routed network path between two VPCs.
B. Amazon Route 53 is a Domain Name System (DNS) service; it resolves domain names to IP addresses but does not create network connections.
D. AWS Direct Connect establishes a dedicated private network connection from an on-premises environment to AWS, not between two AWS VPCs.
1. AWS Documentation, Amazon VPC User Guide: "What is VPC peering?" - This section states, "A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses."
2. AWS Documentation, AWS Transit Gateway User Guide: "What is a transit gateway?" - This document explains, "An AWS Transit Gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks."
3. AWS Documentation, Amazon VPC User Guide: "VPC endpoints" - The introduction clarifies, "A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink..."
4. AWS Documentation, AWS Direct Connect User Guide: "What is AWS Direct Connect?" - The guide states, "AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS."
Question 32
A. AWS Config is a service for assessing, auditing, and evaluating the configurations of AWS resources for compliance and governance, not for creating CI/CD pipelines.
B. Amazon Cognito is an identity management service that provides user sign-up, sign-in, and access control for web and mobile applications, unrelated to CI/CD.
C. AWS DataSync is a data transfer service used to move large amounts of data between on-premises storage and AWS Storage services, not for software development pipelines.
1. AWS CodeStar User Guide: In the "What Is AWS CodeStar?" section, the documentation states, "With AWS CodeStar, you can set up your entire continuous integration and continuous delivery (CI/CD) toolchain in minutes, allowing you to start releasing code faster."
Source: AWS CodeStar User Guide, "What Is AWS CodeStar?".
2. AWS Config Developer Guide: The guide's introduction clarifies its purpose: "AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources."
Source: AWS Config Developer Guide, "What Is AWS Config?".
3. Amazon Cognito Developer Guide: The "What Is Amazon Cognito?" section defines the service: "Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps."
Source: Amazon Cognito Developer Guide, "What Is Amazon Cognito?".
4. AWS DataSync User Guide: The introduction explains the service's function: "AWS DataSync is a secure, online service that automates and accelerates moving data between on-premises and AWS Storage services."
Source: AWS DataSync User Guide, "What is AWS DataSync?".
Question 33
A. Amazon EC2 provides virtual server instances but does not, by itself, orchestrate the deployment of a complete, multi-resource environment in a repeatable manner.
C. Amazon QuickSight is a business intelligence (BI) service used for creating interactive dashboards and data visualizations; it is not used for deploying infrastructure.
D. Amazon Elastic Container Service (Amazon ECS) is a container orchestration service. While it could run the application, it does not provision the entire environment's underlying infrastructure.
---
1. AWS CloudFormation User Guide. "What is AWS CloudFormation?" AWS CloudFormation lets you model, provision, and manage AWS and third-party resources by treating infrastructure as code. [...] CloudFormation provisions your resources in a safe, repeatable manner, allowing you to build and rebuild your infrastructure and applications, without having to perform manual actions or write custom scripts.
Source: AWS Documentation, AWS CloudFormation User Guide, "What is AWS CloudFormation?", Introduction section.
2. AWS Documentation on Amazon EC2. "What is Amazon EC2?" Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Source: AWS Documentation, Amazon EC2 User Guide for Linux Instances, "What is Amazon EC2?", Introduction section.
3. AWS Documentation on Amazon QuickSight. "What Is Amazon QuickSight?" Amazon QuickSight is a cloud-scale business intelligence (BI) service that you can use to deliver easy-to-understand insights to the people who you work with, wherever they are.
Source: AWS Documentation, Amazon QuickSight User Guide, "What Is Amazon QuickSight?", Introduction section.
Question 34
A. Amazon Connect is a cloud-based contact center service for customer service operations, not a network connectivity service.
B. Amazon Route 53 is a scalable Domain Name System (DNS) web service; it resolves domain names to IP addresses but does not establish a private network connection.
D. VPC peering is a networking feature that connects two AWS Virtual Private Clouds (VPCs) together, not an on-premises network to AWS.
1. AWS Documentation. (2023). What is AWS Direct Connect? AWS Direct Connect User Guide. "AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS."
2. AWS Documentation. (2023). AWS Hybrid Connectivity. AWS Whitepapers. Page 6, "AWS Direct Connect" section. "AWS Direct Connect enables you to privately connect your data center, office, or colocation environment to your AWS account..."
3. AWS Documentation. (2023). What is Amazon VPC? Amazon VPC User Guide. "Peering connections" section. "A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses."
4. AWS Documentation. (2023). What is Amazon Connect? Amazon Connect Administrator Guide. "Amazon Connect is an easy-to-use omnichannel cloud contact center that helps you provide superior customer service at a lower cost."
Question 35
A. AWS Service Catalog allows organizations to create and manage catalogs of approved IT services, focusing on standardized provisioning, not security analysis of existing resources.
B. AWS Systems Manager is an operational management service for tasks like patching, automation, and configuration management across AWS and hybrid environments.
D. AWS Organizations is a service for centrally managing and governing multiple AWS accounts, but it does not itself analyze resource policies for external sharing.
1. AWS IAM Access Analyzer User Guide: "IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk." (Source: AWS Documentation, IAM Access Analyzer User Guide, "What is IAM Access Analyzer?", Introduction section).
2. AWS Service Catalog Administrator Guide: "AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS." (Source: AWS Documentation, AWS Service Catalog Administrator Guide, "What is AWS Service Catalog?", Introduction section).
3. AWS Systems Manager User Guide: "AWS Systems Manager is the operations hub for your AWS applications and resources and a secure end-to-end management solution for hybrid and multicloud environments that enables automated operations." (Source: AWS Documentation, AWS Systems Manager User Guide, "What is AWS Systems Manager?", Introduction section).
4. AWS Organizations User Guide: "AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage." (Source: AWS Documentation, AWS Organizations User Guide, "What is AWS Organizations?", Introduction section).
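The reference above describes what IAM Access Analyzer reports: resources whose policies grant access to a principal outside your accounts or organization. The following is an added illustration written for this page, not the Access Analyzer engine, which reasons over the full policy language. It shows the core idea on a resource policy: walk each Allow statement, resolve the account behind every principal, treat `*` as public unless the statement is pinned to the organization with `aws:PrincipalOrgID`, and report what is external. The account IDs, organization ID, bucket policy and role trust policy are all constructed for the demo.

```python
"""Simplified 'external access' check in the spirit of IAM Access Analyzer.

Added illustration, not the Access Analyzer engine: it covers only the
Principal element and the aws:PrincipalOrgID condition. The account IDs,
organization ID and policies are constructed for the demo.
"""
from typing import Any, Dict, List, Optional

TRUSTED_ACCOUNTS = {"111122223333", "444455556666"}   # constructed: accounts in our organization
ORG_ID = "o-exampleorgid"                            # constructed organization ID


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement: Dict[str, Any]) -> List[str]:
    """Flatten the Principal element; AWS service principals are not
    'external entities' and are skipped."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out: List[str] = []
    for key in ("AWS", "Federated"):
        out.extend(_as_list(principal.get(key)))
    return out


def _account_of(principal: str) -> Optional[str]:
    """Account ID behind a bare account ID or an ARN such as
    arn:aws:iam::111122223333:role/Name; None if none can be derived."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[4]:
        return parts[4]
    return None


def _scoped_to_org(statement: Dict[str, Any]) -> bool:
    cond = statement.get("Condition", {})
    return cond.get("StringEquals", {}).get("aws:PrincipalOrgID") == ORG_ID


def find_external_access(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow-statement principal outside the organization."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or _scoped_to_org(stmt):
            continue
        for principal in _principals(stmt):
            if principal == "*":
                reason = "anyone (public) can use this statement"
            else:
                account = _account_of(principal)
                if account is None or account in TRUSTED_ACCOUNTS:
                    continue
                reason = f"account {account} is outside the organization"
            findings.append({"sid": stmt.get("Sid"), "principal": principal,
                             "actions": _as_list(stmt.get("Action")), "reason": reason})
    return findings


# Constructed S3 bucket policy: two in-org statements, one vendor account, one public grant.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {"Sid": "VendorRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/reports/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed IAM role trust policy: a service principal plus an in-org deployer role.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:role/Deployer"},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    for f in find_external_access(SAMPLE_BUCKET_POLICY):
        print(f"{f['sid']:12} {f['principal']:40} {f['reason']}")
    print("trust policy findings:", find_external_access(SAMPLE_TRUST_POLICY))
```

Only `VendorRead` and `PublicRead` are reported: the in-account role, the `aws:PrincipalOrgID`-scoped wildcard and the Deny statement are not external access, which is the same judgement the real service makes for these shapes. Whether the vendor grant is intended is a decision for the account owner; the tool's job, like Access Analyzer's, is to surface it.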