Phase 4 Exam: Production Readiness
This exam covers all modules in Phase 4: Production Readiness. Read each question carefully before selecting your answer.
25 questions · 60 minutes · 70% to pass
- 1
A security audit reveals that several S3 buckets in a production account do not have default encryption enabled. The security team wants to detect this misconfiguration automatically and receive notifications when any S3 bucket is created without encryption. Which AWS service should the team use to continuously evaluate S3 bucket configurations against an encryption requirement?
- 2
A company runs a microservices application with API Gateway, Lambda, DynamoDB, and SQS. Users report intermittent slow responses on one API endpoint, but CloudWatch metrics show that overall Lambda error rates and DynamoDB latency are normal. The team needs to identify which specific service in the request chain is causing the delay for the affected endpoint. Which approach is most effective?
- 3
A company stores 100 TB of log data in S3 Standard. The data is accessed daily for the first 7 days, occasionally for the next 90 days, and must be retained for 7 years for compliance but is almost never accessed after 90 days. The company wants to minimize storage costs. Which S3 lifecycle configuration is most cost-effective?
- 4
A solutions architect is designing a disaster recovery strategy for a financial trading application. The application must have near-zero downtime and near-zero data loss if an entire AWS Region becomes unavailable. Which DR strategy should the architect recommend?
- 5
A development team receives 60 CloudWatch alarm notifications per day. Most are for brief CPU spikes on EC2 instances that resolve within 2 minutes. The team has started ignoring all notifications, including legitimate alerts. Which TWO changes should the team make to improve their alerting strategy? (Select TWO.)
- 6
A company uses AWS KMS to encrypt data in S3 and RDS. A compliance requirement mandates that the company must control its own encryption keys, rotate them annually, and be able to audit every use of the keys. Which KMS key type meets all three requirements?
- 7
A team is evaluating whether to use AWS Secrets Manager or AWS Systems Manager Parameter Store for storing database credentials. The credentials must be rotated automatically every 30 days, and the rotation must update both the secret value and the database password without application downtime. Which service should the team choose, and why?
- 8
A company runs 20 EC2 instances of type `m5.2xlarge` (8 vCPUs, 32 GB RAM) for a production workload. AWS Compute Optimizer reports that all instances average 15% CPU utilization and 10 GB memory usage. The company also has no commitment-based pricing in place. Which TWO actions should the company take to optimize costs? (Select TWO.)
- 9
A solutions architect is reviewing a web application's monitoring setup. The application runs on ECS Fargate behind an ALB. The current dashboard shows only ECS CPU utilization and memory utilization. The architect wants the dashboard to follow the four golden signals framework. Which metrics should the architect add to the dashboard to cover all four signals?
- 10
A company's RDS PostgreSQL database runs in a Single-AZ deployment. The database stores order data that the business cannot afford to lose. The operations team wants to protect against AZ-level failures with automatic failover and also needs the ability to restore the database to any point within the last 7 days. Which TWO configurations should the team implement? (Select TWO.)
- 11
A Lambda function processes payment transactions. The function calls a third-party payment API that occasionally experiences outages lasting 5 to 10 minutes. During these outages, the Lambda function retries the API call repeatedly, consuming concurrency and causing other Lambda functions in the account to be throttled. Which resilience pattern should the team implement to prevent this cascading failure?
- 12
A security team wants a single dashboard that aggregates findings from GuardDuty, Inspector, Config, and Macie across multiple AWS accounts. The dashboard should normalize findings into a standard format and run automated compliance checks against the CIS AWS Foundations Benchmark. Which service provides this capability?
- 13
A company runs a web application behind an ALB. The application has been targeted by SQL injection attacks and HTTP flood attacks (thousands of requests per second from distributed IP addresses). Which TWO AWS services should the company use together to protect against both types of attacks? (Select TWO.)
- 14
A team is configuring CloudWatch Logs for a production Lambda function. The function generates 20 GB of log data per month, most of which is DEBUG-level output. The team wants to reduce logging costs while retaining the ability to troubleshoot production issues. Which TWO changes should the team make? (Select TWO.)
- 15
Place the following steps in the correct order for responding to a GuardDuty finding that indicates an EC2 instance is communicating with a known cryptocurrency mining pool.
  1. Isolate the compromised instance by modifying its security group to deny all inbound and outbound traffic.
  2. Review the GuardDuty finding details to identify the affected instance, the malicious IP address, and the time of first communication.
  3. Investigate the root cause by examining CloudTrail logs for unauthorized access and checking the instance for malware.
  4. Remediate by terminating the compromised instance and launching a clean replacement from a known-good AMI.
- 16
A startup wants to implement cost monitoring for their AWS account. They have a monthly budget of $2,000 and want to be alerted at 50%, 80%, and 100% of the budget. They also want to automatically prevent new resource creation if spending exceeds 90% of the budget. Which AWS Budgets configuration meets these requirements?
- 17
A solutions architect is comparing the four disaster recovery strategies for a SaaS application. The application has an RTO of 4 hours and an RPO of 1 hour. The company wants to minimize DR costs while meeting these objectives. Which strategy is the most cost-effective choice that meets the requirements?
- 18
A company enables AWS CloudTrail in their production account. After one month, the security team wants to investigate whether any IAM user has called the `DeleteBucket` API in the past 30 days. Which approach allows the team to query CloudTrail events efficiently?
- 19
A company runs an Auto Scaling group of EC2 instances behind an ALB in two Availability Zones. The team wants to validate that the architecture recovers correctly when an entire AZ becomes unavailable. They want to test this in a controlled manner during a maintenance window. Which approach should the team use?
- 20
A solutions architect is designing a monitoring and alerting strategy for a production web application. The application runs on ECS Fargate behind an ALB. The architect wants to create alarms that minimize false positives while catching real incidents. Which alarm configuration follows best practices?
- 21
A company stores database credentials in AWS Secrets Manager. A developer accidentally commits the secret ARN and a hardcoded copy of the password to a Git repository. The security team discovers the exposure 2 hours later. Which THREE actions should the security team take immediately? (Select THREE.)
- 22
A company runs a production workload on 10 EC2 instances that run 24/7 with predictable, steady utilization. The company also runs a data analytics workload on Lambda that processes files uploaded to S3, with highly variable invocation patterns. The company wants to reduce costs using commitment-based pricing. Which combination of pricing models is most appropriate?
- 23
A team enables Amazon GuardDuty in their AWS account. After one week, GuardDuty generates a High-severity finding: `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`. The finding indicates that EC2 instance credentials are being used from an IP address outside of AWS. What does this finding mean, and what should the team do?
- 24
A solutions architect is reviewing the cost of a production environment. The environment includes 5 unattached EBS volumes (500 GB total), 3 unused Elastic IP addresses, an idle NAT Gateway processing no traffic, and CloudWatch Logs with no retention policy (accumulating 50 GB per month indefinitely). Which optimization provides the largest immediate cost reduction?
- 25
A company is designing a highly available architecture for a customer-facing API. The API must remain available if a single AZ fails, must recover from a Region-level disaster within 30 minutes, and must lose no more than 5 minutes of data. The company wants to balance cost and reliability. Which architecture meets all requirements?