This solution is the most cost-effective and meets the RPO and RTO requirements of 24 hours.

Automatic Snapshots: Amazon RDS automatically creates snapshots of your DB instance at regular intervals. By copying these snapshots to another AWS Region every 24 hours, you ensure that you have a backup available in a different geographic location, providing disaster recovery capability.

RPO and RTO: Since the company’s RPO and RTO are both 24 hours, copying snapshots daily to another Region is sufficient. In the event of a disaster, you can restore the DB instance from the most recent snapshot in the target Region.

Why Not Other Options?:

Option A (Cross-Region Read Replica): This could provide a faster recovery time but is more costly due to the ongoing replication and resource usage in another Region.

Option B (DMS Cross-Region Replication): While effective for continuous replication, it introduces complexity and cost that isn’t necessary given the 24-hour RPO/RTO.

Option C (Cross-Region Native Backup Copy): This involves more manual steps and doesn’t offer as straightforward a solution as automated snapshot copying.

AWS References:

Amazon RDS Automated Backups and Snapshots- Details on automated backups and snapshots in RDS.

Copying an Amazon RDS DB Snapshot- How to copy DB snapshots to another Region.

For SQS-backed worker architectures, AWS recommends scaling consumers based on queue metrics (e.g., ApproximateNumberOfMessagesVisible, AgeOfOldestMessage). EC2 Auto Scaling can “scale out based on Amazon CloudWatch alarms” tied to SQS backlog, increasing worker capacity to reduce latency as demand grows. DAX (A) accelerates DynamoDB reads, not message processing. API Gateway (B) and CloudFront (C) optimize request ingress and content delivery, not the asynchronous email-sending application. The bottleneck is consumer throughput; scaling workers with an SQS-driven policy restores timely processing without downtime and follows Well-Architected patterns for decoupled, elastic systems.

AWS documents that Amazon Macie supportsautomated sensitive data discovery, which continuously discovers and reports sensitive data in S3. AWS also documents that Macie findings can be processed automatically by usingAmazon EventBridge, including sending those events to a Lambda function for remediation or downstream processing. That combination provides continuous monitoring with low operational overhead and avoids the custom scheduling and job-launch logic in the other options. Because the question explicitly asks for continuous monitoring and low overhead, Macie automated sensitive data discovery plus EventBridge-triggered Lambda remediation is the best fit.

============

The correct answer isAbecause the application must acceptTLS connections from IPv4 clients, provideoutbound internet access, present asingle entry point, and maintain thelowest possible attack surface. Placing the Amazon ECS tasks inprivate subnetsis the key security design decision because it prevents direct inbound access from the internet to the tasks themselves. The public-facing entry point is the load balancer, while outbound internet access for the private tasks is provided through aNAT gatewayin the public subnet.

ANetwork Load Balancer (NLB)is well suited for handlingTLSat Layer 4 and can expose a single public endpoint for client connections. Withawsvpcnetwork mode, each ECS task receives its own elastic network interface, making it straightforward to place tasks securely in private subnets while still registering them as targets behind the load balancer.

Option B is incorrect because anegress-only internet gatewayis forIPv6 outbound traffic only, while the requirement specifically mentionsIPv4 clients. Option C is incorrect because placing ECS tasks inpublic subnetsincreases the attack surface by exposing application infrastructure more directly to the internet. Option D is also incorrect for two reasons: it uses anegress-only internet gateway, which does not satisfy IPv4 outbound needs, and it places tasks inpublic subnets, which violates the goal of minimizing exposure.

AWS security design guidance emphasizes reducing exposure by placing application workloads in private subnets and exposing only the required front-end endpoint. Therefore, a publicNLBwith private ECS tasks and aNAT gatewayis the most secure and appropriate architecture.

The issue is most likely that messages become visible in the queue again before Lambda finishes processing them. AWS documents that when Lambda polls SQS, messages remain hidden only for the queue’s visibility timeout, and if they are not deleted before that timeout expires, they can be retrieved again and reprocessed. AWS specifically recommends setting the SQS visibility timeout to at least six times the Lambda function timeout, and if a batch window is used, to add that value as well. Long polling reduces empty receives but does not prevent duplicate processing. Changing to FIFO is unnecessary here, and deleting messages before successful processing risks data loss.

============

Comprehensive and Detailed Step-by-Step Explanation:

To meet the requirements of copying only relevant data as soon as possible and receiving notifications upon completion, the following steps are recommended:

Generate a Manifest File (Option A):

Action:Modify the on-premises data generation process to create a manifest file at the end of each data generation cycle. This manifest should list the names of the objects that need to be copied to Amazon S3.

Implementation:Develop a custom script that runs after data generation. This script compiles the list of relevant data files into a manifest file and uploads it to a designated S3 bucket.

Justification:Using a manifest allows AWS DataSync to transfer only the specified files, reducing unnecessary data transfer and associated costs.

docs.aws.amazon.com

Automate DataSync Task Execution (Option D):

Action:Set up an S3 Event Notification to trigger an AWS Lambda function whenever a new manifest file is uploaded to the S3 bucket.

Implementation:Configure the Lambda function to invoke the DataSync task by calling the StartTaskExecution API action, specifying the manifest file. This ensures that only the files listed in the manifest are copied from on-premises storage to Amazon S3.

Justification:This automation ensures timely data transfer as soon as relevant data is available, minimizing delays and manual intervention.

docs.aws.amazon.com

Set Up Completion Notifications (Option E):

Action:Create an Amazon SNS topic to handle notifications. Then, establish an Amazon EventBridge rule that monitors the DataSync task execution status and sends an email notification to the SNS topic when the status changes to SUCCESS or ERROR.

Implementation:Configure EventBridge to capture state changes of the DataSync task. When a task completes successfully or encounters an error, EventBridge triggers a notification to the SNS topic, which then sends an email to the subscribed recipients.

Justification:This setup provides immediate feedback on the data transfer process, allowing the analytics team to act promptly based on the success or failure of the data copy operation.

docs.aws.amazon.com

AmazonKinesis Data Streamsis the best choice for this scenario:

Message throughput: Kinesis Data Streams supports high throughput with enhanced fan-out and dedicated throughput for consumers.

Large message size: Supports message sizes up to 1 MB, meeting the 500 KB requirement.

Message retention: Data streams can retain messages for up to 365 days.

Strict ordering: Guarantees message ordering within shards.

Why Other Options Are Not Ideal:

Option B:

While SQS FIFO supports strict ordering, SNS topics do not. SNS also does not natively support message retention or strict ordering across consumers.Does not meet requirements.

Option C:

EventBridge does not provide strict ordering guarantees or message retention beyond 24 hours.Does not meet requirements.

Option D:

SNS topics with Data Firehose are not designed for use cases requiring strict ordering or long message retention.Does not meet requirements.

AWS References:

Amazon Kinesis Data Streams:AWS Documentation - Kinesis Data Streams

AWS Messaging Services Comparison:AWS Documentation - Messaging Services

Protecting an application from layer 7 (application layer) DDoS attacks is best achieved by using AWS WAF (Web Application Firewall), which provides customizable protection against common web exploits including DDoS attacks at the application layer. AWS WAF supports managed rule groups maintained by AWS, which offer robust, tested protections against OWASP top 10 vulnerabilities and common attack patterns without requiring extensive manual rule creation.

While AWS Shield Standard provides basic network-layer DDoS protection automatically at no additional charge, it does not offer application-layer filtering capabilities. Therefore, option A alone is insufficient.

Option B, involving only custom rules, requires significant operational overhead and expertise, whereas AWS managed rules offer a turnkey solution with ongoing updates from AWS security teams.

Option D, using CloudFront in front of the ALB, can provide additional protection benefits such as caching and geographic restrictions, but the question specifically asks for protecting against layer 7 DDoS on the ALB directly. CloudFront plus WAF is a valid enhanced solution, but the direct and recommended answer in AWS official documents is to use AWS WAF managed rules directly with ALB for application-level protection.

To grant cross-account access to an Amazon S3 bucket, you can use a bucket policy that specifies the AWS account ID of the account you want to grant access to. This method allows Account B to access the S3 bucket in Account A without the need for additional services or configurations.

Amazon QuickSight includes built-in ML-powered forecasting capabilities, allowing you to create, visualize, and interact with time series forecasts directly within the BI dashboard, with no ML experience or infrastructure management required. This is the lowest management overhead solution.

AWS Documentation Extract:

" Amazon QuickSight provides built-in ML-powered forecasting, allowing business users to forecast future trends with a few clicks and no machine learning expertise required. "

(Source: Amazon QuickSight documentation)

A, C, D: Require additional setup, management, or ML knowledge.

AWS documentation states that Amazon Macie is the managed service designed to automatically identify and classify sensitive data stored in Amazon S3, including PII and healthcare-related identifiers.

Storing logs in Amazon S3 provides scalable, durable storage, and Amazon Athena can directly query JSON data stored in S3 using SQL.

Amazon Inspector (Option D) is for vulnerability scanning and does not identify sensitive data. DynamoDB with KMS (Option C) cannot detect sensitive information. EBS (Option B) requires custom tooling and does not support serverless SQL querying.

=====================================================

For processing thousands of images and generating large files while minimizing manual tasks and operational overhead, usingAWS Batchis the best solution. AWS Batch allows you to run large-scale, parallel, and managed batch computing jobs without needing to manage the underlying infrastructure.

AWS Batch: Automates the image processing jobs, dynamically allocating the necessary resources based on the job requirements, which reduces operational overhead.

AWS Step Functions: Orchestrates the entire image processing workflow, ensuring that tasks are executed in the correct sequence, improving manageability.

Amazon S3: Stores the processed files, providing scalable and cost-effective storage.

Option A (ECS with EC2 Spot Instances): While cost-effective, managing ECS and Spot Instances involves more operational effort.

Option C (Lambda with EC2 Spot): Lambda functions have size and duration limitations, making them less suited for large image processing tasks.

Option D (EC2 with Step Functions): Managing EC2 instances involves more overhead than using AWS Batch.

AWS References:

AWS Batch

AWS Step Functions

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The requirements “shard-level control” and “custom checkpointing” point directly to the Kinesis Client Library (KCL), which is designed for building consumer applications that coordinate shard processing, perform load balancing across workers, and manage checkpoints in a durable store (commonly DynamoDB) with fine-grained control. While Lambda can consume from Kinesis Data Streams, its event source mapping abstracts shard coordination and checkpoint behavior; it is not the best fit when you explicitly need custom checkpointing logic and shard-level control beyond the managed integration.

Running the existing Lambda processing logic as a long-running consumer in Amazon ECS on AWS Fargate allows the company to operate a scalable KCL-based consumer fleet without managing servers. With Fargate, AWS manages the underlying compute while the application maintains direct control over shard assignment and checkpoint timing/frequency through KCL—exactly what the requirement calls for. Latency is minimized because the consumer reads directly from Kinesis Data Streams and processes records continuously, avoiding additional buffering layers or store-and-forward patterns.

Option A adds significant latency by delivering to S3 through Firehose and then triggering processing from S3 object notifications; this is optimized for delivery and batch-style processing, not low-latency streaming with shard-level control. Options B and D introduce SQS between Kinesis and processing, which adds another hop and does not inherently provide shard-level control or KCL-style checkpointing; FIFO also limits throughput and is not intended for high-scale streaming fan-in. Increasing Lambda provisioned concurrency can reduce cold starts, but it does not solve the need for custom checkpointing at the shard level.

Therefore, C best meets shard-level control and custom checkpointing requirements with the least latency by using a direct KCL consumer on a managed compute platform (Fargate).

In Amazon Aurora, a custom endpoint is a feature that allows you to create a load-balanced endpoint that directs traffic to a specific set of instances in your Aurora DB cluster. This is particularly useful when you want to route traffic to a subset of instances that have different configurations or when you want to isolate specific workloads (e.g., reporting queries) to certain instances.

Custom Endpoint: The correct solution is to create a custom endpoint that includes the three Aurora Replicas that the department wants to use for near-real-time reporting. This custom endpoint will distribute the reporting queries only across the three selected replicas with the specified compute and memory configurations, ensuring that these queries do not affect the rest of the DB cluster.

Other Options:

Option B (Create a three-node cluster clone): This would create a separate cluster with its own resources, but it is not necessary and could incur additional costs. Also, it doesn ' t leverage the existing replicas.

Option C (Use any of the instance endpoints): This would involve manually managing connections to individual instances, which is not scalable or automatic.

Option D (Use the reader endpoint): The reader endpoint would distribute the read queries across all replicas in the cluster, not just the selected three. This would not meet the requirement to limit the reporting queries to only three specific replicas.

AWS References:

Amazon Aurora Endpoints- Provides detailed information on the different types of endpoints available in Aurora, including custom endpoints.

Custom Endpoints in Amazon Aurora- Specific documentation on how to create and use custom endpoints to direct traffic to selected instances in an Aurora cluster.

The requirements combine long-term, low-cost storage with retrieval within minutes, which narrows the viable storage classes significantly. Amazon S3 Glacier Flexible Retrieval is designed for exactly this use case: infrequently accessed data that must still be retrievable quickly.

Option C provides substantially lower storage cost than EBS snapshots or EFS while supporting expedited retrievals, which can return data within minutes when required for audits. This meets both the cost and retrieval time constraints. Glacier Flexible Retrieval also integrates seamlessly with S3 lifecycle policies, enabling automated transitions from EBS snapshots or S3 Standard to archival storage.

Option A (EBS snapshots) provides durability but is more expensive for long-term storage at this scale. Option B (Glacier Deep Archive) is cheaper but does not meet the retrieval requirement, as restore times are measured in hours, not minutes. Option D (EFS) is a high-performance file system and is the most expensive option for long-term backups.

Therefore, C is the correct choice because it balances cost efficiency, durability, and audit-friendly retrieval times, aligning with AWS storage best practices for compliance-driven archival data.

AWS Direct Connect: Provides a dedicated network connection from your on-premises data center to AWS, ensuring low latency and consistent network performance.

Direct Connect Gateway Association:

Direct Connect Gateway: Acts as a global network transit hub to connect VPCs across different AWS regions.

Association with Transit Gateway: Enables communication between on-premises data centers and multiple VPCs connected to the transit gateway.

Transit Virtual Interface (VIF):

Create Transit VIF: To connect Direct Connect with a transit gateway.

Setup Steps:

Establish a Direct Connect connection.

Create a transit VIF to the Direct Connect gateway.

Associate the Direct Connect gateway with the transit gateway attached to the VPCs.

Cost Efficiency: This combination avoids the recurring costs and potential performance variability of VPN connections, providing a robust, low-latency hybrid network solution.

The key issue is repeated reads of identical data from an RDS MySQL database, which leads to unnecessary database load and degraded performance. The AWS-recommended solution for this pattern is to introduce an in-memory cache between the application and the database.

Amazon ElastiCache (Redis OSS) is purpose-built for caching frequently accessed data with microsecond-level latency. By caching identical query results, the backend EC2 instances can serve responses directly from memory instead of repeatedly querying the database. This significantly reduces read pressure on the RDS instance and improves overall application performance and scalability.

Option B is correct because Redis integrates cleanly with EC2-based applications and supports advanced caching patterns such as key expiration, eviction policies, and fine-grained control over cached objects. This approach also improves resilience during traffic spikes by offloading work from the database.

Option A is incorrect because SNS is a messaging service and does not cache or accelerate database queries. Option C is incorrect because DynamoDB Accelerator (DAX) works only with DynamoDB tables, not Amazon RDS. Option D is designed for streaming data ingestion and analytics, not for optimizing synchronous database access.

Therefore, B is the correct solution because it addresses the root cause of the performance problem by caching repeated database reads, following AWS best practices for high-performing application architectures.

To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the “owner” tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage. This approach is both scalable and operationally efficient.

The optimal solution for scalable and resilient hybrid networking is to use AWS Direct Connect with a Direct Connect gateway for secure, low-latency access to AWS, and an AWS Transit Gateway to manage connectivity among hundreds of VPCs.

By associating the Transit Gateway with the Direct Connect gateway, you enable transitive routing between on-premises and all VPCs, while minimizing network complexity and maintaining high performance.

VPC peering does not scale well, and VPNs don’t offer the same performance or consistency.

For high availability, Amazon ElastiCache for Redis supports Multi-AZ with automatic failover, which provides primary and replica nodes in different Availability Zones. If the primary node fails, Redis automatically promotes a replica to primary.

From AWS Documentation:

“When you enable Multi-AZ with automatic failover, Amazon ElastiCache automatically detects failures and promotes a read replica to primary with minimal downtime.”

(Source: Amazon ElastiCache for Redis User Guide)

Why B is correct:

Multi-AZ provides automatic failover and data replication.

Ensures continuous availability and protects against node or AZ failures.

Fully managed with no manual intervention needed.

Why others are incorrect:

A: Manual promotion is not automatic.

C & D: Restoring from backup is slow and meant for disaster recovery, not failover.