The best solution is to upload files from the mobile software directly to Amazon S3, use S3 event notifications to create a message in an Amazon Simple Queue Service (Amazon SQS) standard queue, and invoke an AWS Lambda function to perform image processing when a message is available in the queue. This solution will ensure that image processing can scale to handle the load, as Amazon S3 can store any amount of data and handle concurrent uploads, Amazon SQS can buffer the messages and deliver them reliably, and AWS Lambda can run code without provisioning or managing servers and scale automatically based on the demand. This solution will also notify the user when processing is complete by sending a push notification to the mobile app using Amazon Simple Notification Service (Amazon SNS), which is a web service that enables applications to send and receive notifications from the cloud. This solution is more cost-effective than using Amazon MQ, which is a managed message broker service for Apache ActiveMQ that requires a dedicated broker instance, or S3 Batch Operations, which is a feature that allows users to perform bulk actions on S3 objects, such as copying or tagging, but does not support custom code execution. This solution is also more suitable than using Amazon Simple Email Service (Amazon SES), which is a web service that enables applications to send and receive email messages, but does not support push notifications for mobile devices. References: Amazon S3 Documentation, Amazon SQS Documentation, AWS Lambda Documentation, Amazon SNS Documentation

Store Secret in AWS Secrets Manager:

Create a random string in AWS Secrets Manager to be used as a custom HTTP header value.

Set Up Automatic Rotation:

Implement a Lambda function to handle automatic rotation of the secret in AWS Secrets Manager, ensuring the header value remains secure.

Configure CloudFront Custom Header:

In the CloudFront distribution settings, configure an origin custom header with the name and value from AWS Secrets Manager. This header will be included in requests forwarded to the ALB.

Create AWS WAF Web ACL:

Create a Web ACL in AWS WAF with a string match rule to allow requests that include the custom header with the correct value.

Associate the Web ACL with the ALB to filter incoming traffic based on the custom header.

By using this method, you can ensure that only requests coming through CloudFront (which injects the custom header) can reach the ALB, enhancing the origin security

 AWS Trusted Advisor is a service that provides real-time guidance to help users provision their resources following AWS best practices1. One of the Trusted Advisor checks is “Low Utilization Amazon EC2 Instances”, which identifies EC2 instances that appear to be underutilized based on CPU, network I/O, and disk I/O metrics1. This check can help users optimize the cost and size of their EC2 instances by recommending smaller or more appropriate instance types.

AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of AWS resources and generates optimization recommendations to reduce the costand improve the performance of workloads2. Compute Optimizer supports four types of AWS resources: EC2 instances, EBS volumes, ECS services on AWSFargate, and Lambdafunctions2. For EC2 instances, Compute Optimizer evaluates the vCPUs, memory, storage, and other specifications, as well as the CPU utilization, network in and out, disk read and write, and other utilization metrics of currently running instances3. It then recommends optimal instance types based on price-performance trade-offs.

Option A is incorrect because purchasing AWS Business Support or AWS Enterprise Support for the account will not directly help with cost-optimization and sizing of EC2 instances. However, these support plans do provide access to more Trusted Advisor checks than the basic support plan1.

Option C is incorrect because installing the Amazon CloudWatch agent and configuring memory metric collection on the EC2 instances will not provide any optimization recommendations by itself. However, memory metrics can be used by Compute Optimizer to enhance its recommendations if enabled3.

Option E is incorrect because creating an EC2 Instance Savings Plan for the AWS Regions, instance families, and operating systems of interest will not help with cost-optimization and sizing of EC2 instances. Savings Plans are a flexible pricing model that offer lower prices on Amazon EC2 usage in exchange for a commitment to a consistent amount of usage for a 1- or 3-year term4. Savings Plans do not affect the configuration or utilization of EC2 instances.

A is correct because:

CloudFormation templatesenable repeatable infrastructure deployment.

Route 53 latency-based routingensures users hit the closest Region.

DynamoDB global tablesallow multi-Region, active-active replication of application data.

Manual console work (B) is not scalable.

C lacks EC2/ALB replication.

D adds unnecessary services like Beanstalk and doesn’t scale cleanly.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

B is correct because the requirement is to allocate shared EC2 infrastructure costs (ECS on EC2, shared cluster) down to the business groups with the least operational effort. With shared compute, the EC2 line-item charges are not naturally per “task,” so you need a cost allocation feature that can split shared costs using workload metadata. Split cost allocation data combined with the AWS Cost and Usage Report (CUR) and resource tags provides the standard AWS mechanism to distribute (“split”) shared resource costs across consumers for chargeback/showback reporting. This avoids operationally heavy changes (like redesigning clusters) and supports automated reporting.

Why the other options are incorrect:

A: Tagging the Auto Scaling group can only attribute costs at the ASG level, not split costs between multiple business groups sharing the same cluster capacity. It does not solve per-business-group allocation when capacity is shared.

C: Separate clusters per group would work but is higher operational overhead (more clusters to manage, scaling policies, capacity planning, governance), which violates the “least operational overhead” requirement.

D: Cost Categories are useful for mapping and organizing costs, but by themselves they do not solve the underlying need to split shared EC2 costs among multiple consumers unless you already have an accurate split basis. Option B directly targets split allocation of shared costs with tagging and CUR.

The goal is to ensure the application operates across multiple Availability Zones. That means removing single points of failure in compute, database, and network egress for private subnets.

For compute, the Auto Scaling group currently has min=1 and max=1, which guarantees only one instance is running at a time. Even if the Auto Scaling group spans multiple subnets, a single-instance configuration cannot provide multi-AZ active capacity because a failure of the Availability Zone hosting the single instance would cause downtime until a new instance is launched in a different zone. To operate across multiple Availability Zones, the solution should run multiple instances across different AZs, which implies increasing the minimum capacity above 1 and allowing the group to launch across multiple subnets/AZs.

For the database, a single-AZ RDS for MySQL instance is a single point of failure. Converting to an RDS Multi-AZ configuration provides synchronous replication to a standby in a different Availability Zone and managed failover to maintain availability when the primary AZ or instance fails.

For NAT, a single NAT gateway is an AZ-scoped managed resource. If private subnets in other AZs route to a NAT gateway in one AZ, an AZ outage can break outbound connectivity for workloads that depend on NAT. The resilient pattern is to deploy a NAT gateway in each Availability Zone and configure each private subnet’s route table to use the NAT gateway in the same AZ.

Option A addresses all three: it deploys additional NAT gateways per AZ and updates route tables accordingly, converts RDS to Multi-AZ, and adjusts Auto Scaling to launch across AZs with min and max set to 3 so there are instances running in multiple AZs simultaneously. This ensures the application remains available across AZ failures, meeting the requirement.

Option B replaces NAT with a virtual private gateway, which is used for VPN/Direct Connect connectivity, not for internet egress from private subnets. It does not satisfy the NAT functionality requirement. Although Aurora can provide high availability, the NAT replacement is not correct for the described architecture.

Option C increases operational overhead by replacing NAT gateway with NAT instances, which are self-managed and less resilient without additional design. It also changes the database engine to PostgreSQL unnecessarily and does not directly address the requirement with minimal change.

Option D improves NAT resiliency but only enables RDS automatic backups, which is a durability feature, not a high availability feature. Backups do not provide automatic failover and do not ensure the application will operate across multiple AZs. Also, keeping Auto Scaling min/max at 1 still leaves the application compute layer single-AZ at any given moment.

Therefore, option A is the correct solution.

This option uses different types of savings plans and reserved nodes to minimize the company’s overall monthly costs for running its application on EC2 instances, Lambda functions, and MemoryDB cache nodes. Savings plans are flexible pricing models that offer significant savings on AWS usage (up to 72%) in exchange for a commitment of a consistent amount of usage (measured in $/hour) for a one-year or three-year term. There are two types of savings plans: Compute Savings Plans and EC2 Instance Savings Plans. Compute Savings Plans apply to any compute usage across EC2 instances, Fargate containers, Lambda functions, SageMaker notebooks, and ECS tasks. EC2 Instance Savings Plans apply to a specific instance family within a region and provide more savings than Compute Savings Plans (up to 66% versus up to 54%). Reserved nodes are similar to savings plans but apply only to MemoryDB cache nodes. They offer up to 55% savings compared to on-demand pricing.

D is correct because this solution modernizes the application into aserverless architectureusing API Gateway and Lambda for scalable microservices.Aurora Serverless v2supports SQL workloads and auto-scales based on demand.AWS SCTallows migration of SQL Server stored procedures to Aurora-compatible formats. This setup ensures cost efficiency, scalability, and minimal manual intervention.

A rehosts but doesn’t refactor into microservices.

B uses MySQL, which might not support the SQL Server-specific stored procedures fully.

C adds unnecessary complexity and loses relational database functionality by using DAX.

AWS Audit Manager is the managed service built for continuous audit evidence collection and audit-ready reporting. It can automatically collect evidence from AWS accounts and services, map evidence to controls and frameworks, and help generate reports for auditors. AWS Config provides the technical compliance signal for resource configuration, and conformance packs package managed or custom AWS Config rules into repeatable compliance templates. An AWS Config aggregator centralizes visibility across accounts. Option D therefore combines control evaluation, centralized aggregation, framework alignment, historical evidence, and audit reporting without custom pipelines. CloudTrail plus Athena or Config snapshots plus Lambda would require custom report generation. Security Hub is useful for security posture aggregation, but the question specifically requires evidence collection and auditor-ready reports mapped to regulatory frameworks.

Option B is correct because AWS Organizations allows a company to create a new organization from a chosen payer account and define an organizational unit hierarchy. This way, the finance department can have a centralized method for payment but also maintain visibility into each group’s spending to allocate costs. The company can also invite the existing accounts to join the organization and create new accounts using Organizations, which simplifies the account management process.

Option D is correct because enabling all features of AWS Organizations and establishing appropriate service control policies (SCPs) that filter IAM permissions for sub-accounts allows the security team to have a centralized mechanism to control IAM usage in all the company’s accounts. SCPs are policies that specify the maximum permissions for an organization or organizational unit (OU), and they can be used to restrict access to certain services or actions across all accounts in an organization.

Option A is incorrect because using a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account requires more effort than using SCPs. Moreover, it does not provide a centralized mechanism to control IAM usage, as each account would have to launch the appropriate stacks to enforce the least privilege model.

Option C is incorrect because requiring each business unit to use its own AWS accounts does not provide a centralized method for payment or a centralized mechanism to control IAM usage. Tagging each AWS account appropriately and enabling Cost Explorer to administer chargebacks may help with cost allocation, but it is not as efficient as using AWS Organizations.

Option E is incorrect because consolidating all of the company’s AWS accounts into a single AWS account does not provide visibility into each group’s spending or a way to control IAM usage for different business units. Using tags for billing purposes and the IAM’s Access Advisor feature to enforce the least privilege model may help with cost optimization and security, but it is not as scalable or flexible as using AWS Organizations.

AWS Organizations

Service Control Policies

AWS CloudFormation

Cost Explorer

IAM Access Advisor

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server toannounce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.

https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html