Module 4: Designing a solution following account governance and management best practices

Looking for ‘Architecting Solutions on AWS module 4 answers’?

In this post, I provide complete, accurate, and detailed explanations for the answers to Module 4: Designing a solution following account governance and management best practices of Course 2: Architecting Solutions on AWS.

Whether you’re preparing for quizzes or brushing up on your knowledge, these insights will help you master the concepts effectively. Let’s dive into the correct answers and detailed explanations for each question!

Final Assessment

Graded Assignment

1. A solutions architect must design a solution to help manage their customer’s containerized applications. Currently, the customer workload runs in Docker containers on top of Amazon Elastic Compute Cloud (Amazon EC2) instances and on-premises servers that run a hybrid Kubernetes cluster. The customer wants to migrate part of their hybrid Kubernetes deployment to the cloud with a minimum amount of effort, and they want to keep all the native features of Kubernetes. The customer also wants to reduce their operational overhead for managing their Kubernetes cluster. Which managed AWS service should the solutions architect suggest to best satisfy these requirements?

  • AWS Fargate with Amazon Elastic Container Service (Amazon ECS)
  • AWS Fargate with Amazon Elastic Kubernetes Service (Amazon EKS)
  • Amazon Elastic Container Service (Amazon ECS)
  • Amazon Elastic Kubernetes Service (Amazon EKS) ✅

Explanation:
Best fit for migrating Kubernetes workloads with minimal effort and maintaining native Kubernetes features while reducing operational overhead.

2. An application needs to process events that are received through an API. Multiple consumers must be able to process the data concurrently. Which AWS managed service would best meet this requirement in the most cost-effective way?

  • Amazon Simple Notification Service (Amazon SNS) with a fan-out strategy ✅
  • Amazon Simple Queue Service (Amazon SQS) with FIFO queues
  • Amazon EventBridge with rules
  • Amazon Elastic Compute Cloud (Amazon EC2) with Spot Instances

Explanation:
SNS fan-out allows multiple consumers to process the same event concurrently, ideal for event-driven architectures.

3. True or False: Amazon Relational Database Service (Amazon RDS) is more suitable for databases that handle structured or relational data, where users can count on features like auto-increment and table joins. Amazon DynamoDB is more suitable for NoSQL database workloads, where tables are collections of items that have their own attributes.

  • True ✅
  • False

Explanation:
RDS is for structured, relational data; DynamoDB is for NoSQL workloads — both designed for different data models.

4. Amazon DynamoDB is designed for scale and performance. In most cases, the DynamoDB response times can be measured in single-digit milliseconds. However, there are certain use cases that require response times in microseconds. For these use cases, DynamoDB Accelerator (DAX) delivers fast response times for accessing eventually consistent data. Which statements about DAX are correct? (Choose THREE.)

  • DAX reduces operational and application complexity by providing a managed service that is compatible with the DynamoDB API. ✅
  • Although using DAX has a cost, it can reduce the consumption of DynamoDB table capacity. If the data is read intensive (that is, millions of requests per second), DAX can result in cost savings by caching the data while also providing better read latency, being beneficial for scenarios in need of repeated reads for individual keys. ✅
  • DAX does not support server-side encryption (SSE).
  • DAX is not designed for applications that are write-intensive. It can also add cost to applications that do not perform much read activity. ✅
  • DAX does not support encrypting data in transit, which means that communication between an application and DAX cannot be encrypted.

Explanation:
DAX accelerates read-heavy applications. It does support encryption in transit and at rest.

5. True or False: AWS Lambda is a compute service that runs code without the need to provision or manage servers. Lambda runs code on a high-availability compute infrastructure. It also performs all the administration of compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, and logging. Lambda can run code for virtually any type of application or backend service.

  • True ✅
  • False

Explanation:
AWS Lambda handles compute without server management, with built-in scalability and high availability.

6. True or False: Amazon Simple Storage Service (Amazon S3) is better than Amazon Elastic Block Store (Amazon EBS) because it is designed to provide a higher level of data durability.

  • True
  • False ✅

Explanation:
No service is “better” universally; S3 is more durable, but EBS provides block storage. The right service depends on use case.

7. Which set of AWS services is the BEST fit for the “Object, file, and block storage” category (which means that the services are dedicated to storing data in a durable way)?

  • AWS DataSync, AWS Snow Family
  • Amazon Simple Storage Service (Amazon S3), Amazon Elastic File System (Amazon EFS), Amazon Elastic Block Store (Amazon EBS), Amazon FSx ✅
  • AWS Storage Gateway, AWS Snow Family
  • AWS Elastic Disaster Recovery, AWS Backup

Explanation:
These services are the core storage types: S3 for object storage, EFS and FSx for file storage, and EBS for block storage. DataSync, the Snow Family, Storage Gateway, Elastic Disaster Recovery, and Backup are data-transfer, hybrid, or protection services rather than primary durable stores.

8. True or False: When creating data lakes for analytics on AWS, Amazon Simple Storage Service (Amazon S3) would be a preferred service. Users can use data in an S3 bucket with an independent data-processing or visualization layer, such as Amazon QuickSight, Amazon Athena, or Amazon EMR.

  • True ✅
  • False

Explanation:
S3 is a preferred choice for data lakes; it integrates with Athena, QuickSight, and EMR for analytics and visualization.

9. Which statements about AWS Storage Gateway are correct? (Choose THREE.)

  • AWS Storage Gateway is a set of hybrid cloud storage services that provide on-premises access to virtually unlimited cloud storage. ✅
  • AWS Storage Gateway offers virtually unlimited cloud storage to users and applications, at the cost of new storage hardware.
  • AWS Storage Gateway delivers data access to on-premises applications while taking advantage of the agility, economics, and security capabilities of the AWS Cloud. ✅
  • AWS Storage Gateway is limited to only on-premises applications, which means that it cannot be used from cloud to cloud.
  • AWS Storage Gateway helps support compliance requirements through integration with AWS Backup to manage the backup and recovery of Volume Gateway volumes, which simplifies backup management. ✅
  • AWS Storage Gateway can only work as an Amazon S3 File Gateway.

Explanation:
Storage Gateway is not limited to the S3 File Gateway (it also offers Volume Gateway and Tape Gateway), it does not require new storage hardware, and it is not restricted to on-premises use.

10. What are some benefits of using multiple AWS accounts with AWS Organizations? (Choose THREE.)

  • Grouping workloads based on business purpose and ownership ✅
  • Using different payment methods per account
  • Limiting the scope of impact from adverse events ✅
  • Distributing AWS service quotas and API request rate limits ✅
  • Having multiple account root users with unrestricted access on each account

Explanation:
Payment is consolidated at the organization level through consolidated billing, not per account, and having multiple root users with unrestricted access is a risk rather than a benefit. The real benefits are grouping workloads, limiting the blast radius of adverse events, and distributing service quotas and API rate limits across accounts.

11. True or False: A service control policy (SCP) statement with an explicit deny prevents even the account root user from performing API calls.

  • True ✅
  • False

Explanation:
An SCP with an explicit deny restricts every principal in the affected accounts, including the account root user, because SCPs set the maximum permissions available to an account within AWS Organizations.

12. A solutions architect is designing a solution that provides single sign-on (SSO) to authenticate into AWS accounts that are in AWS Organizations. Which AWS service can the solutions architect use to implement identity federation with existing identity providers, such as Microsoft Active Directory?

  • AWS Identity and Access Management (IAM) users
  • Amazon CloudWatch
  • AWS IAM Identity Center (successor to AWS Single Sign-On) ✅
  • AWS CloudTrail

Explanation:
This service enables SSO and identity federation with Active Directory or other IdPs.

13. Which statements are best practices for multi-account environments? (Choose THREE.)

  • Enable Amazon CloudWatch billing alarms per account and configure tagging policies in AWS Organizations. ✅
  • Give AdministratorAccess policies to developers in their development AWS accounts.
  • Prevent CloudTrail configuration from being disabled in the shared services account. ✅
  • Use multi-factor authentication (MFA) for users in centralized credentialing, such as using AWS IAM Identity Center (successor to AWS Single Sign-On). ✅
  • Reuse passwords for simplicity and ease of access.
  • Provide powerful users and broad roles for Cloud Center of Excellence (CCoE) members, such as granting AdministratorAccess permissions to them.

Explanation:
Don’t reuse passwords, and don’t hand AdministratorAccess to developers or to CCoE members by default; least privilege applies to both.

14. A solutions architect must create well-defined governance standards for a company that has multiple AWS accounts. The company needs centralized infrastructure logging for all AWS accounts. In addition, the company’s chief information security officer (CISO) would like to have a measurement that applies a circuit breaker to stop Amazon Elastic Compute Cloud (Amazon EC2) API activities if the billing alarms indicate suspicious activity. The company intends to use AWS Organizations. Which architectural scenario should the solutions architect propose to meet the company’s needs in the MOST effective way?

  • Enable AWS CloudTrail for all accounts in AWS Organizations. Use Organizations to centralize all logs into one Amazon Simple Storage Service (Amazon S3) bucket. As the circuit breaker, use service control policies (SCPs) that have an explicit deny for Amazon EC2 API activity. These SCPs can then be applied to the root organizational unit (OU) as needed. ✅
  • Enable AWS CloudTrail for all accounts in AWS Organizations. Use Organizations to centralize all logs into one Amazon Simple Storage Service (Amazon S3) bucket. Use multi-factor authentication (MFA) devices for every user in AWS IAM Identity Center (successor to AWS Single Sign-On).
  • Enable AWS CloudTrail for only the production accounts in AWS Organizations. Use Organizations to centralize logs into one Amazon Simple Storage Service (Amazon S3) bucket. For single sign-on, use AWS IAM Identity Center (successor to AWS Single Sign-On).
  • Enable AWS CloudTrail for all accounts in AWS Organizations. Use Organizations to centralize logs in one Amazon Simple Storage Service (Amazon S3) bucket. As the circuit breaker, use AWS Identity and Access Management (IAM) policies on each account that have an explicit deny for Amazon EC2 API activity. The IAM policies can then be applied to the root organizational unit (OU) as needed.

Explanation:
Centralized CloudTrail across all accounts gives the required logging, and an SCP with an explicit deny on EC2 API actions gives the circuit breaker. IAM policies are per-account and cannot be attached to an OU, logging only production accounts misses the requirement, and MFA alone does not stop API activity.
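The following is an added example, not part of the course or this post, covering questions 11 and 14. It builds the EC2 circuit-breaker SCP as an Organizations policy document and evaluates requests against it with a deliberately simplified model of the evaluation logic: an explicit Deny in any SCP wins before the identity policy is even consulted, which is why the root user is blocked too. The action list in the SCP and the FullAWSAccess document are constructed for illustration.

```python
import fnmatch
import json

# Constructed SCP for the "circuit breaker" from question 14. The denied actions are an
# assumption: a real deployment might deny ec2:* outright or keep Describe* readable.
EC2_CIRCUIT_BREAKER_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEc2LaunchWhileBreakerActive",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:CreateFleet", "ec2:RequestSpotInstances"],
            "Resource": "*",
        }
    ],
}

# The default SCP AWS attaches to every root/OU/account (allows everything).
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed identity policy for a developer who may only read EC2 state.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}


def _statements(policy):
    s = policy["Statement"]
    return s if isinstance(s, list) else [s]


def _actions(stmt):
    a = stmt.get("Action", [])
    return a if isinstance(a, list) else [a]


def _matches(pattern, action):
    # IAM action matching is case-insensitive; * and ? are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _stmt_matches(stmt, action):
    return any(_matches(p, action) for p in _actions(stmt))


def is_allowed(action, principal, scps, identity_policy):
    """Simplified evaluation order: SCP explicit Deny -> SCP Allow required ->
    identity policy. The root user has full access within its account, so it skips the
    identity-policy step, but it never skips the SCP steps."""
    # 1. Any explicit Deny in any applicable SCP ends the evaluation.
    for scp in scps:
        for stmt in _statements(scp):
            if stmt["Effect"] == "Deny" and _stmt_matches(stmt, action):
                return False
    # 2. SCPs are a permission boundary: some SCP must allow the action.
    if not any(
        stmt["Effect"] == "Allow" and _stmt_matches(stmt, action)
        for scp in scps
        for stmt in _statements(scp)
    ):
        return False
    # 3. Root bypasses identity policies; everyone else needs an Allow and no Deny.
    if principal == "root":
        return True
    allowed = False
    for stmt in _statements(identity_policy):
        if _stmt_matches(stmt, action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_document():
    """Policy document text ready to paste into AWS Organizations."""
    return json.dumps(EC2_CIRCUIT_BREAKER_SCP, indent=2)


if __name__ == "__main__":
    breaker_on = [FULL_AWS_ACCESS_SCP, EC2_CIRCUIT_BREAKER_SCP]
    breaker_off = [FULL_AWS_ACCESS_SCP]
    print("root RunInstances, breaker on :", is_allowed("ec2:RunInstances", "root", breaker_on, {}))
    print("root RunInstances, breaker off:", is_allowed("ec2:RunInstances", "root", breaker_off, {}))
    print("dev DescribeInstances, breaker on:", is_allowed("ec2:DescribeInstances", "developer", breaker_on, DEVELOPER_POLICY))
    print(scp_document())
```

Attaching the SCP to the root OU (as the correct option describes) makes the deny reach every account; detaching it is the "reset" of the breaker. Note that SCPs do not affect the management account itself, so the logging bucket and the breaker should live in member accounts.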
