Correct option:

Opt for Amazon EC2 Dedicated Host

An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts allow you to use your existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and Linux Enterprise Server. Hence, is the right choice for the current requirement.

Differences between Dedicated Hosts and Dedicated Instances: 

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html

Incorrect options:

Opt for Amazon EC2 Dedicated Instance - Dedicated Instances are Amazon EC2 instances that run in a virtual private cloud (VPC) on hardware that's dedicated to a single customer. Dedicated Instances that belong to different AWS accounts are physically isolated at a hardware level, even if those accounts are linked to a single payer account. However, Dedicated Instances may share hardware with other instances from the same AWS account that are not Dedicated Instances.

Opt for On-Demand instances that are highly available and require no prior planning

Opt for Reserved Instances that allow you to plan and help install the necessary software

You cannot install your own software that needs socket level programming on On-Demand or Reserved Instances.

References:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html

Correct option:

Look at the X-Forwarded-For header

The X-Forwarded-For request header helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer. To see the IP address of the client, use the X-Forwarded-For request header. Elastic Load Balancing stores the IP address of the client in the X-Forwarded-For request header and passes the header to your server.

Incorrect options:

Modify the front-end of the website so that the users send their IP in the requests - When a user makes a request the IP address is sent with the request to the server and the load balancer intercepts it. There is no need to modify the application.

Look at the X-Forwarded-Proto header - The X-Forwarded-Proto request header helps you identify the protocol (HTTP or HTTPS) that a client used to connect to your load balancer.

Look at the client's cookie - For this, we would need to modify the client-side logic and server-side logic, which would not be efficient.

Reference:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html

Correct option:

Enable S3 Replication Time Control (S3 RTC), which allows you to set up notifications for eligible objects that failed replication

S3 Replication Time Control (S3 RTC) helps you meet compliance or business requirements for data replication and provides visibility into Amazon S3 replication times. S3 RTC replicates most objects that you upload to Amazon S3 in seconds, and 99.99 percent of those objects within 15 minutes.

S3 RTC by default includes S3 replication metrics and S3 event notifications, with which you can monitor the total number of S3 API operations that are pending replication, the total size of objects pending replication, and the maximum replication time.

You can track replication time for objects that did not replicate within 15 minutes by monitoring specific event notifications that S3 Replication Time Control (S3 RTC) publishes. These events are published when an object that was eligible for replication using S3 RTC didn't replicate within 15 minutes, and when that object replicates to the destination Region.

Replication events are available within 15 minutes of enabling S3 RTC. Amazon S3 events are available through Amazon SQS, Amazon SNS, or AWS Lambda.

Incorrect options:

Enable S3 Replication with Notification, which allows you to set up notifications for objects that failed replication - This is a made-up option and given only as a distractor.

Use Amazon Simple Queue Service (Amazon SQS) queue to copy objects from one S3 bucket to the other. If replication fails, messages in the queue can be configured to send notifications using SNS - Amazon S3 offers a direct replication feature. Hence, a custom logic to do the same does not make sense.

Amazon S3 publishes object events to CloudWatch. Configure Amazon Simple Notification Service (Amazon SNS) to send notifications for replication failure of objects - Amazon S3 replication events are only published if you have enabled S3 Replication Time Control, for replication.

Reference:

https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-time-control.html#using-s3-events-to-track-rtc

Correct option:

CloudTrail

With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. You can use AWS CloudTrail to answer questions such as - “Who made an API call to modify this resource?”. CloudTrail provides event history of your AWS account activity thereby enabling governance, compliance, operational auditing, and risk auditing of your AWS account. You cannot use CloudTrail to maintain a history of resource configuration changes.

How CloudTrail Works: 

https://aws.amazon.com/cloudtrail/

Exam Alert:

You may see scenario-based questions asking you to select one of CloudWatch vs CloudTrail vs Config. Just remember this thumb rule -

Think resource performance monitoring, events, and alerts; think CloudWatch.

Think account-specific activity and audit; think CloudTrail.

Think resource-specific history, audit, and compliance; think Config.

Incorrect options:

CloudWatch Metrics - CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.

Amazon CloudWatch allows you to monitor AWS cloud resources and the applications you run on AWS. Metrics are provided automatically for several AWS products and services. CloudWatch cannot help determine the source for KMS API calls.

X-Ray - AWS X-Ray helps developers analyze and debug distributed applications. With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors. X-Ray cannot help determine the source for KMS API calls.

Config - AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. You can use Config to answer questions such as - “What did my AWS resource look like at xyz point in time?”. AWSConfig cannot help determine the source for KMS API calls.

References:

https://aws.amazon.com/config/

https://aws.amazon.com/cloudwatch/

https://aws.amazon.com/cloudtrail/

Correct option:

Add a common tag to each bucket. Activate the tag as a cost allocation tag. Use the AWS Cost Explorer to create a cost report for the tag

Before you begin, your AWS Identity and Access Management (IAM) policy must have permission to: Access the Billing and Cost Management console, Perform the actions s3:GetBucketTagging and s3:PutBucketTagging.

Start by adding a common tag to each bucket. Activate the tag as a cost allocation tag. Use the AWS Cost Explorer to create a cost report for the tag. After you create the cost report, you can use it to review the cost of each bucket that has the cost allocation tag that you created.

You can set up a daily or hourly AWS Cost and Usage report to get more Amazon S3 billing details. However, these reports won't show you who made requests to your buckets. To get more information on certain Amazon S3 billing items, you must enable logging ahead of time. Then, you'll have logs that contain Amazon S3 request details.

Incorrect options:

Configure AWS Budgets to see the cost against each S3 bucket in the AWS account - AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your metrics drop below the threshold you define. It cannot showcase the cost of each S3 bucket.

Use AWS Simple Monthly Calculator to check the cost against each S3 bucket in your AWS account - The AWS Simple Monthly Calculator is an easy-to-use online tool that enables you to estimate the monthly cost of AWS services for your use case based on your expected usage. This useful tool helps estimate the cost of resources, but the current use case is not about estimations but being able to understand which bucket is incurring the maximum cost.

Use AWS Trusted Advisor's rich set of best practice checks to configure cost utilization for individual S3 buckets. Trusted Advisor also provides recommendations based on the findings derived from analyzing your AWS cloud architecture - AWS Trusted Advisor offers a rich set of best practice checks and recommendations across five categories. For Amazon S3 buckets, Trusted Advisor offers checks the following -

1) Checks buckets in Amazon S3 that have open access permissions 2) Checks the logging configuration of Amazon S3 buckets- whether it is enabled and for what duration 3) Checks for Amazon S3 buckets that do not have versioning enabled.

Trusted Advisor cannot however generate reports for costs incurred on S3 buckets.

References:

https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-bucket-cost/

https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/

https://aws.amazon.com/getting-started/hands-on/control-your-costs-free-tier-budgets/

Correct option:

Run the AWSSupport-TroubleshootS3PublicRead automation document on AWS Systems Manager to help diagnose issues with accessing objects from a public S3 bucket

Run the AWSSupport-TroubleshootS3PublicRead automation document on AWS Systems Manager to help you diagnose issues with accessing objects from a public S3 bucket. This document analyzes some permissions settings that affect the bucket and objects, such as the bucket policy and object access control lists (ACLs), among others.

The AWSSupport-TroubleshootS3PublicRead document analyzes 403 errors from publicly readable objects. The document doesn't evaluate permissions for private objects.

Complete Steps to run the AWSSupport-TroubleshootS3PublicRead automation document using the Systems Manager console: https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403-public-read/

Incorrect options:

Explicit deny statement in the bucket policy can cause forbidden-access errors. Check the bucket policy of the S3 bucket

AWS Organizations service control policy doesn't allow access to Amazon S3 bucket that the developer is trying to access. Service policy needs to be changed using AWS Organizations

Either of these two options could be true. To know exactly what is causing the error, AWS provides AWSSupport-TroubleshootS3PublicRead automation document on AWS Systems Manager. This is the optimal way of troubleshooting the current issue.

The resource owner which is the AWS account that created the S3 bucket, has access to the bucket. This is an error in creation, delete the S3 bucket and re-create it again - It is not mentioned in the use-case if it is the resource owner trying to access the S3 bucket.

Reference:

https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403-public-read/

Correct option:

!ImportValue

The intrinsic function Fn::ImportValue returns the value of an output exported by another stack. You typically use this function to create cross-stack references.

Incorrect options:

!Ref - Returns the value of the specified parameter or resource.

!GetAtt - Returns the value of an attribute from a resource in the template.

!Sub - Substitutes variables in an input string with values that you specify.

Reference:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html

Correct option:

ALB access logs

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues. Access logging is an optional feature of Elastic Load Balancing that is disabled by default.

Access logs for your Application Load Balancer:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

Incorrect options:

CloudTrail logs - Elastic Load Balancing is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Elastic Load Balancing. CloudTrail captures all API calls for Elastic Load Balancing as events. You can use AWS CloudTrail to capture detailed information about the calls made to the Elastic Load Balancing API and store them as log files in Amazon S3. You can use these CloudTrail logs to determine which API calls were made, the source IP address where the API call came from, who made the call, when the call was made, and so on.

CloudWatch metrics - Elastic Load Balancing publishes data points to Amazon CloudWatch for your load balancers and your targets. CloudWatch enables you to retrieve statistics about those data points as an ordered set of time-series data, known as metrics. You can use metrics to verify that your system is performing as expected. This is the right feature if you wish to track a certain metric.

ALB request tracing - You can use request tracing to track HTTP requests. The load balancer adds a header with a trace identifier to each request it receives. Request tracing will not help you to analyze latency specific data.

Reference:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-monitoring.html

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

Correct option:

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket. These policies grant the specified principal permission to perform specific actions on that resource and define under what conditions this applies.

Trust policy - Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. An IAM role is both an identity and a resource that supports resource-based policies. For this reason, you must attach both a trust policy and an identity-based policy to an IAM role. The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role.

Incorrect options:

AWS Organizations Service Control Policies (SCP) - If you enable all features of AWS organization, then you can apply service control policies (SCPs) to any or all of your accounts. SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU). The SCP limits permissions for entities in member accounts, including each AWS account root user. An explicit deny in any of these policies overrides the allow.

Access control list (ACL) - Access control lists (ACLs) are service policies that allow you to control which principals in another account can access a resource. ACLs cannot be used to control access for a principal within the same account. Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs.

Permissions boundary - AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

Correct option:

SSE-S3

Using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key employing strong multi-factor encryption. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

Incorrect options:

SSE-C - You manage the encryption keys and Amazon S3 manages the encryption as it writes to disks and decryption when you access your objects.

Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

SSE-KMS - Similar to SSE-S3 and also provides you with an audit trail of when your key was used and by whom. Additionally, you have the option to create and manage encryption keys yourself.

Reference:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html