Answer: B

Explanation: An AWS Organizations CloudTrail organization trail automatically enables CloudTrail in all accounts and delivers all events to a single S3 bucket in the management/logging account. Combining this with S3 Object Lock in compliance mode makes the logs tamper-proof (cannot be deleted or modified). Cross-Account CloudWatch Observability (C) is for metrics/logs, not specifically CloudTrail. Config aggregator (D) is for resource configuration data.

Answer: B

Explanation: SCPs in AWS Organizations can deny all actions in all regions except the allowed regions using the aws:RequestedRegion condition key. This provides a preventive guardrail that even account administrators cannot bypass. IAM policies (A) must be applied per user/role and can be overridden by account admins. VPC endpoint policies (C) restrict VPC traffic. CloudTrail alerting (D) is detective, not preventive.

Answer: B

Explanation: Amazon Aurora Global Database provides a single Aurora database spanning multiple regions with sub-second read replication lag and automatic failover in under 1 minute. It's designed for this exact use case - global reads with high availability. Aurora Global Database is specifically for relational workloads. DynamoDB Global Tables (C) is for NoSQL workloads. ElastiCache Global Datastore (D) is for caching, not primary database storage.

Answer: B

Explanation: An SCP can deny ec2:RunInstances when the instance type is not in the approved list using the ec2:InstanceType condition. This applies to all accounts in the OU/Organization with a single policy, requiring no per-account configuration. IAM policies (A) must be managed in each account. AWS Budgets (C) monitors costs but doesn't prevent launches. Config rules (D) are detective, not preventive, and require management in each account.

Answer: A

Explanation: For 10 TB over 1 Gbps, transfer would take about 22 hours - feasible but risky. Using Snowball Edge for the initial bulk data transfer followed by AWS DMS CDC (Change Data Capture) for ongoing replication is the safest approach. The Snowball transfers the bulk data, then DMS syncs changes. When changes are caught up, the cutover is minimal. DMS full-load over Direct Connect (B) is possible but riskier. pg_dump (C) is for PostgreSQL, not Oracle. DataSync (D) is for file transfers.

Answer: C

Explanation: This is the segmentation architecture for Transit Gateway. Create separate route tables: one for spokes (pointing default route to inspection VPC attachment) and one for the hub/inspection VPC (with routes back to all spokes). This forces all spoke-to-spoke traffic through the inspection VPC where security appliances (NGFW, IDS/IPS) are deployed. VPC peering (B) doesn't allow transit routing. PrivateLink (D) is for service connectivity.

Answer: B

Explanation: AWS Batch is designed for long-running compute jobs. Using Spot Instances reduces cost by up to 90%. SQS decouples the upload trigger from processing. Batch automatically manages the compute infrastructure. Lambda (A) has a 15-minute timeout limit - unsuitable for 8-hour jobs. EC2 Auto Scaling (C) with On-Demand is more expensive. Fargate (D) is good but doesn't provide the same cost optimization as Batch with Spot.

Answer: B

Explanation: The AWS recommended Landing Zone structure uses: Management Account (for billing and org management only), Security OU (containing security tooling account and logging account), and Workloads OU (containing dev/staging/prod accounts). Each OU has tailored SCPs. Using separate Organizations (C) prevents centralized governance. A single account (D) doesn't provide isolation. A flat structure (A) doesn't allow differentiated SCP application.

Answer: C

Explanation: AWS Cloud Map provides service discovery for AWS resources. ECS integrates natively with Cloud Map to automatically register/deregister service instances as they start/stop. Services can discover each other using DNS names through Cloud Map. Route 53 private hosted zones (B) require manual registration. Hard-coding IPs (A) breaks when tasks restart. ALB (D) for all inter-service communication adds latency and cost.

Answer: B

Explanation: The modern AWS data lake architecture uses S3 as the foundation (separate zones: raw, processed, curated). Kinesis Firehose handles streaming ingestion, Glue handles batch ETL and cataloging, Athena provides serverless SQL, SageMaker accesses S3 for ML. This architecture separates storage from compute and supports multiple access patterns without moving data. Redshift (C) is optimized for structured data warehousing. DynamoDB (D) is for operational NoSQL workloads.

Answer: B

Explanation: Route 53 Resolver inbound endpoints are IP addresses in the VPC that on-premises DNS servers can forward queries to. When on-premises DNS queries for a Route 53 private hosted zone name, it forwards to the inbound endpoint IP, which resolves using Route 53. Outbound endpoints (C) are for forwarding AWS DNS queries to on-premises DNS. Public resolver (A) doesn't resolve private hosted zone names.

Answer: B

Explanation: Amazon Macie uses ML to automatically discover, classify, and protect sensitive data in S3, including PII (names, credit card numbers, SSNs, etc.). It continuously monitors S3 and generates findings. Macie provides data discovery and classification at scale. AWS Config (A) monitors resource configurations. Inspector (C) scans for vulnerabilities. Security Hub (D) aggregates findings.

Answer: C

Explanation: For 99.99% availability (requiring multi-region), ElastiCache Redis Global Datastore provides replication across multiple AWS regions with sub-second replication lag and automatic failover. A single node (A) has no redundancy. Multi-AZ (B) provides ~99.95% availability within a region. Global Datastore (C) provides the highest availability by spanning regions. Local in-memory cache (D) is not shared across instances.

Answer: B

Explanation: AWS Instance Scheduler is an AWS solution that automatically starts and stops EC2 and RDS instances on a defined schedule. It supports multiple schedules, time zones, and can manage instances across multiple accounts and regions. EC2 Auto Scaling scheduled actions (D) work for ASGs but not standalone instances. Manual start/stop (A) is unreliable. CloudWatch alarms (C) are for metric-based actions, not time-based.

Answer: B

Explanation: AWS Migration Hub provides a central location to track migration progress. AWS Application Discovery Service (part of Migration Hub) collects data on on-premises servers and applications, including performance data and network connections (dependencies). This data helps prioritize migrations. The Well-Architected Tool (C) evaluates architectures against best practices. Inspector (D) scans for security vulnerabilities.

Answer: B

Explanation: Separate AWS accounts for EU customers, with SCPs restricting allowed regions to only EU regions (aws:RequestedRegion not in EU regions = deny), ensures data sovereignty at the organizational policy level. This prevents even admin users from accidentally storing data outside EU regions. A single account (A) relies on IAM controls which can be complex to enforce consistently. CloudFront routing (C) handles traffic but not data storage. IAM conditions (D) must be in every policy and can be missed.

Answer: B

Explanation: For Direct Connect primary with VPN backup, configure BGP so Direct Connect is preferred. On the on-premises side, advertise a longer AS-PATH for the VPN routes (making them less preferred). On the AWS side, use BGP Community attributes to influence route preference. The BGP MED (Multi-Exit Discriminator) or AS-PATH prepending achieves this. Route 53 health checks (C) are for DNS-based failover. Static routes (D) don't provide dynamic failover.

Answer: B

Explanation: The recommended architecture: (1) Create Route 53 Resolver outbound endpoint rules in a shared services account that forward queries to on-premises DNS. (2) Associate private hosted zones with VPCs using Route 53 Resolver. (3) Share Resolver rules via AWS RAM so all accounts can use them. This centralizes DNS management while making it available across all accounts. Per-account Route 53 deployment (A) duplicates management. EC2 DNS servers (D) require infrastructure management.

Answer: B

Explanation: Cognito Identity Pools can map authenticated users to IAM roles based on their Cognito group membership (tenant group). IAM policies can restrict DynamoDB access using the dynamodb:LeadingKeys condition, limiting access to only items with the tenant's prefix. This implements fine-grained access control at the IAM level. Separate accounts per tenant (A) is too expensive for many tenants. Application-level isolation (D) relies on application code correctness.

Answer: B

Explanation: Using DynamoDB with conditional writes to track message IDs implements idempotent processing. Before processing a message, check if the ID exists in DynamoDB; if it does, skip processing. The conditional write ensures only one instance processes each message even with at-least-once delivery. SQS FIFO (A) provides exactly-once within the queue but messages from SNS may still be duplicated. Removing SNS (C) changes the architecture unnecessarily. Message timers (D) don't prevent duplication.

Answer: B

Explanation: A single CodePipeline with sequential stages achieves ordered deployment: deploy to primary region → run automated tests → deploy to secondary region → run tests. The pipeline can assume cross-account/cross-region roles to deploy. Testing gates between stages prevent promotion if tests fail. Separate pipelines per region (A) require manual coordination. CodeDeploy (C) doesn't provide the pipeline orchestration needed. Lambda coordination (D) adds custom complexity.

Answer: B

Explanation: Taints on dedicated production nodes (e.g., dedicated=production:NoSchedule) prevent non-production pods from scheduling there. Tolerations on production pods allow them to schedule on tainted nodes. Node affinity rules ensure production pods prefer/require production nodes. This combination ensures production workload isolation. Resource quotas (A) limit resource consumption but don't prevent scheduling on same nodes. HPA (D) scales pods but doesn't control placement.

Answer: B

Explanation: The FinOps practice on AWS uses: Cost Allocation Tags to tag resources by business unit/team, Cost Explorer to analyze spending by tags/services, Budgets to set alerts when spending exceeds thresholds per team/project, and Compute Optimizer to identify rightsizing opportunities. CloudTrail (C) is for API logging. Trusted Advisor (D) provides some cost checks but isn't comprehensive for FinOps. The AWS Billing console alone (A) doesn't provide granular allocation.

Answer: B

Explanation: Kinesis Data Streams can handle 10,000+ events per second. Lambda (triggered by Kinesis) evaluates fraud rules in real-time. ElastiCache provides sub-millisecond feature lookup (account history, velocity checks). DynamoDB stores results with high throughput. This architecture handles the scale and latency requirements. Batch processing (A) doesn't meet millisecond requirements. SQS → EC2 (C) has higher operational overhead. API Gateway → RDS (D) doesn't handle the throughput.

Answer: B

Explanation: AWS Control Tower automates the setup of a multi-account AWS environment based on best practices. It provisions accounts with pre-configured security controls (guardrails), sets up a landing zone, and ensures new accounts (vended through Account Factory) are automatically provisioned with required controls. CloudFormation (A) in each account doesn't handle account vending automation. Config (C) monitors but doesn't automate account setup. Manual setup (D) doesn't scale.

Answer: B

Explanation: RDS Proxy maintains persistent connection pools to the database and multiplexes application connections. During rolling ECS updates, new tasks connect to the Proxy while old tasks drain - the Proxy handles the connection management transparently. It prevents connection exhaustion during deployments by pooling and reusing connections. Increasing DB size (A) or max connections (D) are temporary fixes. Blue/green (C) switches all at once, which can cause a connection spike.

Answer: B

Explanation: VPC Reachability Analyzer is a network diagnostic tool that analyzes the network configuration between two endpoints without generating actual traffic. It identifies exactly which component (security group rule, route table, NACL, etc.) is blocking connectivity and explains why. Security group checks (A) are manual and time-consuming. Flow Logs (C) require traffic to be generated. CloudTrail (D) shows what changed but doesn't diagnose current connectivity.

Answer: C

Explanation: Athena charges based on data scanned. Proper partitioning (by date, region, etc.) reduces the data scanned per query. Athena result caching reuses query results for identical queries. Glue partition indexes speed up partition pruning. S3 Intelligent-Tiering (B) reduces storage costs but doesn't reduce Athena query costs. Moving to Redshift (D) changes the architecture significantly. Copying data (A) increases storage costs.

Answer: B

Explanation: The Strangler Fig pattern involves gradually replacing parts of the monolith with new microservices. New functionality is built as microservices, existing functionality is gradually migrated. A facade (like API Gateway) routes requests to either the monolith or microservices. This minimizes risk as you can always route back to the monolith if a service fails. Big-bang (A) has high risk. Lift-and-shift then refactor (C) is the "strangler fig light" approach. Running both forever (D) doubles operational costs.

Answer: B

Explanation: Customer Managed KMS Keys (CMKs) with automatic annual rotation enabled provides auditable, customer-managed encryption. CloudTrail automatically logs all KMS API calls (including each encrypt/decrypt operation) to the key's key policy. CMKs give full control over the key policy, rotation, and usage. AWS-managed keys (A) cannot have custom key policies. SSE-C (C) requires managing keys outside AWS. Client-side encryption (D) increases application complexity and auditability challenges.

Answer: D

Explanation: Both Route 53 latency routing with health checks (A) and Global Accelerator (C) can implement multi-region active-active routing. Route 53 uses DNS-based routing with TTL-dependent failover (slower). Global Accelerator uses AWS anycast IP addresses and routes at the network level (faster failover, typically sub-minute). The choice depends on requirements: applications needing fast failover prefer Global Accelerator; DNS-based routing is simpler and already used for most web applications.

Answer: B

Explanation: Amazon EventBridge provides an event bus where order events are published. Different event rules route to separate targets (Lambda, SQS queues, Step Functions) for inventory, payment, and notifications. Each consumer processes independently and failures in one don't affect others. EventBridge provides retry and dead-letter queue support. Synchronous API calls (A) create tight coupling. A single SQS queue (C) means only one consumer per message. SNS with one topic (D) fans out but lacks EventBridge's routing and schema filtering capabilities.

Answer: C

Explanation: Warm Standby keeps a scaled-down but fully functional version running in the DR region. For 5-minute RPO, database replication must be near-real-time (Aurora Global Database or DMS CDC). For 30-minute RTO, you only need to scale up existing resources (no provisioning time). Backup and Restore (A) typically has hours of RTO. Pilot Light (B) requires starting and provisioning servers (potentially > 30 minutes for complex apps). Multi-Site (D) meets the requirement but is more expensive.

Answer: D

Explanation: All three tools serve different purposes for IAM analysis: (1) IAM Access Analyzer identifies resources shared externally and generates least-privilege policies based on CloudTrail access activity. (2) CloudTrail last accessed information shows when IAM entities last used services/actions, helping identify unused permissions. (3) IAM Policy Simulator tests what API actions a policy allows/denies. For a comprehensive least-privilege analysis, use all three together.

Answer: B

Explanation: AWS Service Catalog allows publishing standardized products (CloudFormation stacks) that customers can self-service deploy into their accounts. For account-level isolation, Control Tower Account Factory (and its Terraform variant AFT) automates account vending with consistent configurations. Service Catalog enforces standardization while enabling self-service. Manual deployment (A, D) doesn't scale. Terraform alone (C) requires additional orchestration.

Answer: D

Explanation: The robust approach: when a Spot interruption notice is received (2 minutes before termination), save the checkpoint to S3, then change the SQS message visibility timeout to 0 (making it immediately visible for another consumer). This ensures no work is lost. Using multiple Spot pools (C) reduces interruption frequency but doesn't handle them when they occur. Draining and releasing (B) is part of the solution but checkpointing ensures resumability.

Answer: B

Explanation: PCI DSS requires strict isolation of the CDE. Separate AWS accounts provide the strongest isolation - different blast radius, separate audit trail, dedicated IAM and network controls. SCPs ensure the CDE account cannot be misconfigured to reduce security. Dedicated connectivity (Direct Connect virtual interface) for CDE traffic avoids sharing network paths with non-CDE workloads. Security groups (A) and NACLs (C) provide some isolation but not the level required for PCI compliance.

Answer: C

Explanation: Amazon Kinesis Data Streams guarantees ordering within a shard. By using a partition key that maps related events to the same shard, you ensure ordered processing for that group while still using multiple shards for scale. SQS FIFO (B) guarantees ordering per message group within a single queue but is limited to 300 TPS per API action. Kinesis supports much higher throughput with ordering guarantees per shard. SQS Standard (A) doesn't guarantee order. SNS (D) doesn't guarantee order.

Answer: C

Explanation: An SCP can deny actions that would make buckets public. Additionally, an SCP can mandate that s3:PutAccountPublicAccessBlock must always have BlockPublicAcls: true (and other Block Public Access settings). This prevents any account admin from disabling Block Public Access. Config rules (D) detect but don't prevent. Per-account S3 settings (A) can be changed by account admins. The SCP approach (C) prevents the change at the organizational level.

Answer: B

Explanation: Zero-trust requires authentication and authorization for all service-to-service communication. AWS App Mesh provides a service mesh with mutual TLS (mTLS) for certificate-based authentication between services. IAM Roles for Service Accounts (IRSA for EKS) or ECS task roles provide identity for service-level authorization. Together, these ensure all communication is authenticated and authorized. Security groups (A) provide network-level controls but not application-layer identity. PrivateLink (D) provides private connectivity but not mutual authentication.

Answer: B

Explanation: EMR clusters have core nodes (store data in HDFS, must be stable) and task nodes (add compute capacity, stateless). Using Spot Instances for task nodes (where interruption doesn't lose data) provides up to 90% cost savings on the majority of cluster cost. Core and master nodes should use On-Demand for reliability. EMR Serverless (D) is also a good option for batch workloads as it eliminates cluster management, but the question specifically asks about cost reduction on EMR clusters.

Answer: C

Explanation: AWS Managed Microsoft AD is a fully managed Microsoft Active Directory service that supports LDAP, Kerberos, and other AD protocols. It can be used as the primary directory or in a trust relationship with existing on-premises AD. Applications can join the same AD domain. Cognito (A) is for consumer identity management. IAM Identity Center (B) is for AWS access management using SAML/SCIM. Simple AD (D) is a Samba-based implementation that doesn't support all AD features.

Answer: B

Explanation: Provisioned Concurrency keeps Lambda instances initialized and ready, eliminating cold starts for critical paths. Lambda Power Tuning helps find the optimal memory/CPU configuration for best performance/cost. Reserved Concurrency (C) limits the maximum concurrency but doesn't eliminate cold starts. EC2 (D) requires managing servers. Large memory alone (A) reduces cold start duration but doesn't eliminate it like provisioned concurrency does.

Answer: B

Explanation: Aurora Blue/Green Deployments creates a staging environment synchronized with production. You apply schema changes to the staging (green) environment, test them, and then perform a managed switchover. The switchover is fast (typically seconds) and Aurora handles connection draining and switching. It provides a tested, safe way to apply database changes with minimal downtime and easy rollback. Read replica promotion (A) has longer downtime. Dump/restore (C) has significant downtime. DMS (D) adds operational complexity.

Answer: B

Explanation: AWS X-Ray provides end-to-end distributed tracing across Lambda, ECS, EC2, and other AWS services. The X-Ray SDK instruments applications to create trace segments that show the complete request path, timing, and any errors. The X-Ray Service Map visualizes service dependencies and identifies bottlenecks. CloudWatch Logs (A) require manual correlation. VPC Flow Logs (C) capture network-level data. CloudWatch Application Insights (D) uses patterns for monitoring but doesn't provide request-level tracing.

Answer: B

Explanation: The Database-per-Service pattern separates the shared database into service-specific databases. DMS with CDC or Kafka can synchronize data between databases during transition. This eliminates contention and allows services to choose optimal database types. While not a "zero rewrite" solution, it's less risky than a complete rewrite. More read replicas (A) helps reads but not write contention. Increasing size (C) is a temporary fix. Caching (D) reduces read load but not write contention.

Answer: B

Explanation: AWS Control Tower provides a landing zone that automatically provisions new accounts with security best practices including CloudTrail, Config, GuardDuty, and Security Hub. It uses CloudFormation StackSets under the hood but provides a higher-level abstraction with account factory, guardrails (detective and preventive), and a management dashboard. StackSets alone (A) require manual orchestration. Config Aggregator (C) provides visibility. Organizations (D) provides the structure but not automatic security tooling.

Answer: D

Explanation: Apache Iceberg (supported in Athena) provides schema evolution - you can add columns, rename columns, and change compatible types without rewriting data. It maintains schema versions and handles different file schemas transparently. Glue Schema Registry (B) validates schemas for streaming data. Glue ETL (C) can normalize schemas but requires processing all data before querying. S3 Select (A) is for filtering within individual objects.

Answer: B

Explanation: AWS Transfer Family provides managed SFTP, FTPS, and FTP servers backed by S3 or EFS. It supports fixed IP addresses (static Elastic IPs or custom hostname), user management (IAM or custom identity providers), and logical directory mapping (home directories per user). EC2 with SSH (A) requires managing server infrastructure and patching. S3 presigned URLs (C) don't provide SFTP protocol support. DataSync SFTP (D) is for copying data from an existing SFTP server to AWS.

Answer: B

Explanation: DynamoDB Global Tables automatically replicates data across multiple AWS regions with low-latency reads and writes in each region. For configuration that changes infrequently but needs global availability with low latency, Global Tables are ideal. S3 with CRR (A) has higher latency (file-based). Parameter Store (C) in each region requires manual synchronization. CloudFormation StackSets (D) deploys resources, not configuration storage.

Answer: B

Explanation: AWS Secrets Manager supports automatic rotation via Lambda rotation functions and can be accessed from on-premises servers via HTTPS (through the internet or via VPC endpoint if using Direct Connect/VPN). KMS (A) manages encryption keys, not application secrets. SSM Parameter Store (C) supports SecureString but lacks built-in automatic rotation for arbitrary secrets. IAM roles (D) are for AWS resources, not on-premises servers (though IAM Roles Anywhere extends this capability).

Answer: B

Explanation: AWS Global Accelerator uses AWS's global network infrastructure and anycast IP addresses to route users to the optimal endpoint. It provides sub-second failover (doesn't depend on DNS TTL) and consistently routes users to the lowest-latency endpoint using the AWS backbone network. Route 53 (A) relies on DNS TTL which means failover can take minutes. CloudFront (C) is optimized for HTTP/HTTPS CDN workloads. ELB (D) is regional only.

Answer: B

Explanation: Step Functions provides orchestration with retry logic and error handling. EventBridge routes S3 events to Step Functions. The workflow can: validate the file, run a Glue ETL job for transformation, use Redshift COPY command for efficient bulk loading, handle errors with retry and dead-letter logic. Lambda directly writing to Redshift (A) doesn't handle large datasets efficiently. SQS → Lambda → Redshift (C) lacks orchestration. Kinesis Firehose (D) requires streaming data, not S3 events.

Answer: B

Explanation: DynamoDB Streams captures a time-ordered sequence of all item-level changes (inserts, updates, deletes) including the old and new item values. By processing the stream with Lambda and writing to CloudWatch Logs (or S3), you create an audit trail of all changes. For read auditing, you'd need application-level logging. PITR (A) is for recovery, not auditing. Backup (C) creates snapshots. Encryption (D) protects data at rest.

Answer: B

Explanation: Deploying each tier across at least 3 AZs ensures the application survives any single AZ failure. AWS guarantees at least 3 AZs per region, and ALB/NLB automatically route around unhealthy AZs. Each tier (web, app, database) must have replicas in all AZs to avoid a single point of failure. Single AZ deployment (A, D) is not resilient. Partial deployment (C) makes the DB tier a single point of failure.

Answer: B

Explanation: STS AssumeRole allows generating temporary credentials with a defined expiration (minimum 15 minutes, maximum 12 hours). Adding an MFA condition (aws:MultiFactorAuthPresent: true) ensures the developer authenticated with MFA before assuming the role. CloudTrail logs the AssumeRole call and all subsequent API calls. This is secure, auditable, and automatically expiring. Sharing credentials (A, D) is a security risk. Temporary IAM users (C) still create long-lived credentials.

Answer: B

Explanation: KEDA (Kubernetes Event-Driven Autoscaling) supports scaling Kubernetes workloads based on many event sources including SQS queue depth, CloudWatch metrics, Prometheus metrics, etc. Alternatively, the Kubernetes Custom Metrics Adapter allows exposing custom CloudWatch metrics to HPA. Both approaches enable custom metric-based autoscaling beyond CPU/memory. HPA with only CPU/memory (A) doesn't meet the requirement. Node group scaling (C) scales the cluster, not individual services.

Answer: B

Explanation: AWS Organizations provides consolidated billing across all accounts. Cost Allocation Tags (applied to resources by business unit, team, environment) enable granular cost attribution. AWS Cost Categories allow creating rules to categorize costs (e.g., map specific accounts to business units). Cost Explorer provides visualization and reporting across all accounts. Manual review (A) doesn't scale. Trusted Advisor (C) provides recommendations but not detailed cost allocation. Separate billing (D) loses consolidated billing benefits.

Answer: B

Explanation: EC2 Cluster Placement Groups place instances physically close together in the same AZ, minimizing network latency (single-digit microseconds). Enhanced Networking (SR-IOV) provides lower latency and higher throughput. Elastic Fabric Adapter (EFA) provides HPC-level networking for ultra-low latency. Multiple AZs (A) increase latency as cross-AZ traffic traverses more network hops. Lambda (C) has cold start latency. Multiple regions (D) dramatically increase latency.

Answer: B

Explanation: Circular dependencies occur when Resource A depends on Resource B and Resource B depends on Resource A. The solution is to break the cycle by extracting one resource into a separate stack and referencing it via CloudFormation Exports or SSM Parameter Store. Stack events identify which resources have the circular dependency. Stack deletion (A) risks data loss. Re-running the update (C) won't fix a circular dependency. Manual updates (D) create drift.

Answer: B

Explanation: AWS PrivateLink allows creating interface VPC endpoints to access SaaS services that publish their endpoints as PrivateLink services. Traffic stays on the AWS network without requiring internet access. For SaaS providers that don't support PrivateLink, a NAT Gateway provides internet connectivity without exposing the VPC directly. VPN/Direct Connect (C, D) to each SaaS provider is operationally complex and many SaaS providers don't offer dedicated connectivity.

Answer: B

Explanation: Fan-out on write precomputes timelines when posts are created. When User A posts, Lambda/Kinesis writes the post to each of A's followers' timeline caches. Read performance is O(1) - just read the cached timeline. This trades write complexity for read simplicity, which is optimal for read-heavy social media. Fan-in on read (A) queries all followed accounts at read time - too slow for 500 follows. Athena (C) has minutes of latency. Neptune graph traversal (D) works but has higher latency than cached timelines.

Answer: B

Explanation: A sidecar pattern (for containers) or a background process (for EC2) can retrieve secrets from Secrets Manager and write them to the expected configuration file location. When Secrets Manager rotates the secret, the sidecar detects the change and updates the file. The legacy application continues to read from its expected file location without modification. Manual updates (A) are error-prone. S3 storage (C) doesn't provide the rotation management. EC2 instance profiles (D) provide AWS API credentials, not application-specific credentials.

Answer: B

Explanation: CodePipeline's Manual Approval action pauses the pipeline and sends an SNS notification to the configured approvers. The designated people review the staging deployment and explicitly approve or reject promotion. The approval includes a URL to review deployment details. This implements the "explicit sign-off" requirement. Automatic promotion (A) doesn't provide sign-off. Separate pipelines (C) require manual triggering of the production pipeline. CloudWatch alarms (D) are metric-based, not human sign-off.

Answer: C

Explanation: An S3 Gateway VPC Endpoint with an endpoint policy can restrict which S3 buckets can be accessed through the endpoint. Using the aws:ResourceAccount condition in the endpoint policy restricts access to buckets owned by specific account IDs. This prevents EC2 instances from using the VPC endpoint to access buckets in other accounts (exfiltration to external buckets). IAM policies (B) can restrict access to specific buckets but a misconfigured policy could allow others. Bucket policies (A) are per-bucket. NACLs (D) can't distinguish between S3 buckets.

Answer: B

Explanation: For petabytes of data within 30 days: at 1 Gbps fully utilized, you can transfer ~2.7 PB in 30 days - this might be sufficient for some amounts but not petabytes efficiently. AWS Snowball Edge devices hold up to 80 TB each. For large amounts, multiple devices can be shipped in parallel, each loaded concurrently. The physical data transfer bypasses network constraints. DataSync over 1 Gbps WAN (A) may be too slow for petabytes. Direct Connect upgrade (C) takes months to provision. Direct internet upload (D) is slower.

Answer: A

Explanation: Lambda functions can be configured to run inside a VPC with specific security groups. The VPC configuration restricts which network resources Lambda can access and which resources can access Lambda. Security groups control inbound/outbound traffic. When a Lambda is in a VPC with a specific security group, it inherits the network controls of that security group. Lambda resource policies (B) control who can invoke the Lambda. Lambda URL with IAM (C) is for HTTP invocations. Layer for validation (D) is application-level, not infrastructure-level.

Answer: B

Explanation: The AWS Well-Architected Tool provides a systematic framework for reviewing workloads. For scale: use the API to programmatically create and submit reviews, custom lenses for company-specific standards, and integrate with AWS Trusted Advisor for automated real-time checks across all accounts. Manual reviews (A) don't scale to 100+ workloads. Only reviewing new workloads (C) misses existing issues. Cost Explorer (D) is for cost analysis.

Answer: B

Explanation: For maximum resilience, AWS recommends two Direct Connect connections from different physical DX locations, connecting to different AWS Direct Connect routers (to avoid single router failure). This provides both geographic redundancy (different DX locations) and hardware redundancy (different AWS routers). Same location (A) has geographic single point of failure. DX + VPN (C) provides backup but not the same bandwidth redundancy. LAG (D) combines connections from the same location, no geographic redundancy.

Answer: B

Explanation: VPC Interface Endpoints for SQS and SNS create private IP addresses in your VPC that resolve to SQS/SNS. When connected via Direct Connect (with private virtual interface routing to the VPC), on-premises applications can access SQS and SNS through the Direct Connect connection without internet traversal. The DNS for the endpoint resolves to private IPs accessible via Direct Connect. NAT Gateway (A) routes through internet. On-premises equivalents (C) are not AWS services. S3 as a broker (D) is a completely different architecture.

Answer: B

Explanation: IAM Roles for Service Accounts (IRSA) associates IAM roles with Kubernetes service accounts using OIDC federation. Pods using the service account get temporary AWS credentials via the projected service account token, without needing static credentials or relying on the node-level EC2 instance profile. This implements least-privilege at the pod level. Static credentials in Kubernetes secrets (A) or environment variables (D) are security risks. EC2 instance profiles (C) give all pods on the node the same permissions, violating least privilege.

Answer: B

Explanation: AWS Private CA creates a private CA hierarchy that issues private certificates for internal resources. ACM integrates with Private CA to automatically renew and deploy certificates. Applications can use the AWS ACM API to request certificates for internal hostnames. ACM Public certificates (D) are only for public-facing HTTPS endpoints (ALB, CloudFront). Self-signed certificates (A) require manual management. Let's Encrypt (C) requires public domain names and may not be appropriate for internal services.

Answer: C

Explanation: The most robust solution: (1) Create an S3 Gateway VPC endpoint; (2) The S3 bucket policy denies access unless it comes through the VPC endpoint (using aws:SourceVpce condition); (3) On-premises access goes through Direct Connect to the VPC, then through the VPC endpoint. This ensures all access, both from AWS and on-premises, goes through controlled network paths. IP-based conditions (B) can be spoofed and are harder to maintain as IP ranges change. ACLs (A) are legacy and limited.

Answer: B

Explanation: SageMaker Training Jobs provision GPU compute only for the duration of the training job and automatically terminate the instances after. You pay only for the time the job runs. No instance management is needed. EC2 Spot in ASG (C) can scale to zero but requires managing the scaling triggers and cluster setup. AWS Batch (D) with GPU is also good for batch ML workloads but requires cluster management. Always-on instances (A) are most expensive.

Answer: B

Explanation: CfCT (Customizations for Control Tower) allows deploying custom AWS Config rules, SCPs, and other resources to all accounts managed by Control Tower. Deploying a Config rule with an SSM Automation remediation document to all accounts ensures: (1) the rule checks all S3 buckets, (2) non-compliant buckets are automatically remediated by enabling logging. This scales automatically to new accounts created through Control Tower. Manual Config rule creation (A) doesn't scale. SCPs (C) are preventive but can't retroactively fix existing buckets. Security Hub (D) aggregates findings but doesn't directly remediate.