https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_RefreshCache.html " It only updates the cached inventory to reflect changes in the inventory of the objects in the S3 bucket. This operation is only supported in the S3 File Gateway types. "

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

The current design colocates the web tier, database, and cache on the same EC2 instances. This causes resource contention and makes it difficult to scale each layer independently. The correct solution is to separate these concerns into independently scalable managed services.

Option D uses an Application Load Balancer (ALB) in front of an Auto Scaling group for the web application. ALB is designed for HTTP/HTTPS traffic, supports path-based and host-based routing, and can spread load evenly across multiple instances and Availability Zones, eliminating the issue where one instance is overloaded.

The database is migrated to Amazon Aurora with Multi-AZ , which provides high availability, automated failover, and managed backups. Aurora offloads database management and ensures consistent performance.

For caching, Option D introduces Amazon ElastiCache for Redis , a managed in-memory cache that is purpose-built for low-latency reads, independent scaling, and high availability through replication and clustering.

Option A and C misuse NLB for HTTP traffic or for Redis exposure and introduce unnecessary complexity. Option B keeps Redis on EC2 (via NLB + ASG in a single AZ), which reduces availability and does not leverage managed caching.

Thus, Option D best separates tiers and improves performance and availability.

To meet the requirements of creating a new Organizations account structure with an appropriate SCP that supports the use of only services that are currently active in the AWS account, the company should use the following solution:

Create an SCP that allows the services that IAM Access Analyzer identifies. IAM Access Analyzer is a service that helps identify potential resource-access risks by analyzing resource-based policies in the AWS environment. IAM Access Analyzer can also generate IAM policies based on access activity in the AWS CloudTrail logs. By using IAM Access Analyzer, the company can create an SCP that grants only the permissions that are required for the application to run, and denies all other services. This way, the company can enforce the use of only approved AWS services and reduce the risk of unauthorized access12

Create an OU for the account. Move the account into the new OU. An OU is a container for accounts within an organization that enables you to group accounts that have similar business or security requirements. By creating an OU for the account, the company can apply policies and manage settings for the account as a group. The company should move the account into the new OU to make it subject to the policies attached to the OU3

Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU. An SCP is a type of policy that specifies the maximum permissions for an organization or organizational unit (OU). By attaching the new SCP to the new OU, the company can restrict the services that are available to all accounts in that OU, including the account that runs the application. The company should also detach the default FullAWSAccess SCP from the new OU, because this policy allows all actions on all AWS services and might override or conflict with the new SCP45

The other options are not correct because they do not meet the requirements or follow best practices. Creating an SCP that denies the services that IAM Access Analyzer identifies is not a good option because it might not cover all possible services that are not approved or required for the application. A deny policy is also more difficult to maintain and update than an allow policy. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the organization’s root is not a good option because it might affect other accounts and OUs in the organization that have different service requirements or approvals. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the management account is not a valid option because SCPs cannot be attached directly to accounts, only to OUs or roots.

1: Using AWS Identity and Access Management Access Analyzer - AWS Identity and Access Management

2: Generate a policy based on access activity - AWS Identity and Access Management

3: Organizing your accounts into OUs - AWS Organizations

4: Service control policies - AWS Organizations

5: How SCPs work - AWS Organizations

The CloudFormation IaC generator can reverse-engineer existing resources (partial scan) into infrastructure as code. Filtering by Lambda type creates CDK-ready constructs with minimal manual work. AWS recommends this method for IaC onboarding of existing workloads.

To allow developers to create IAM users without granting excessive permissions, the correct solution is to use permissions boundaries, which AWS specifically recommends for restricting delegated administrators such as developers. A permissions boundary defines the maximum permissions that an IAM user or role can delegate.

Step C ensures that each AWS account contains a PermissionBoundaries policy defining the maximum allowed permissions that any developer-created user may receive. This prevents privilege escalation, even if the developer attaches a more powerful policy. This aligns with AWS guidance for restricting privilege escalation within multi-account environments.

Step E ensures that developers can create IAM users but only if they attach the PermissionBoundaries policy as the permissions boundary. By attaching the DeveloperBoundary policy to the CreateAndManageUsers role, developers gain the ability to create users, but they are cryptographically prevented from assigning permissions outside the boundary policy.

Meanwhile, the DevOps team (who are not restricted by the boundary) can still create IAM users with full permissions.

This combination satisfies all constraints:

DevOps team: unrestricted IAM creation

Developers: restricted IAM creation enforced by boundaries

Other users: still blocked from IAM creation by existing SCP

To archive CloudWatch Logs to S3 with long-term retention, you need:

a streaming mechanism to move data from CloudWatch Logs to S3, and

an S3 Lifecycle policy to handle tiering and expiration.

Option B uses a CloudWatch Logs subscription filter that targets Amazon Data Firehose . Firehose provides managed, scalable streaming from CloudWatch Logs to S3 with optional buffering and transformation. This is the AWS-recommended pattern for exporting continuous log streams with minimal operational overhead. Option C is not valid because CloudWatch Logs subscription filters cannot directly target S3; they must target Kinesis, Firehose, or Lambda.

Once logs are in S3, the company wants to keep them rarely accessed after 90 days and retained for 10 years. Option D configures an S3 lifecycle policy to transition logs to S3 Glacier Instant Retrieval after 90 days, which is a low-cost archival tier with relatively fast access, and to expire (delete) logs after 3,650 days (10 years). This precisely matches the retention requirement.

Option E uses Reduced Redundancy, which is a legacy storage class and not optimized for long-term archival. Therefore, the correct combination is B and D .

In the source AWS account, the IAM role used by the CI/CD pipeline should have permissions to access the source code repository, build artifacts, and any other resources required for the build process. In the destination AWS accounts, the IAM role used for deployment should have permissions to access the AWS resources required for deploying the application, such as EC2 instances, RDS databases, S3 buckets, etc. The exact permissions required will depend on the specific resources being used by the application. the IAM role used for deployment in the destination accounts should also have permissions to assume the IAM role for deployment in the centralized DevOps account. This is typically done using an IAM role trust policy that allows the destination account to assume the DevOps account role.