Amazon FSx for Windows File Server is a fully managed native Windows file system that supports SMB, Windows authentication, and Windows ACLs. The Multi-AZ deployment option automatically replicates data synchronously across Availability Zones and provides automatic failover with minimal downtime.

This architecture ensures continuous availability during AZ failures or maintenance events without manual intervention. Users experience consistent access and permissions through SMB, fully meeting the stated requirements.

Storage Gateway introduces on-premises dependencies. DFS Replication increases complexity and recovery time. Therefore, FSx for Windows Multi-AZ is the correct solution.

AWS CloudOps governance best practices emphasize centralized account management and preventive guardrails. AWS Control Tower integrates directly with AWS Organizations and provides “Region deny controls” and “Service Control Policies (SCPs)” that apply automatically to all existing and newly created member accounts. SCPs are organization-wide guardrails that define the maximum permissions for accounts. They can explicitly deny actions such as launching EC2 instances in a specific Region, or block root user access.

To prevent CloudTrail log deletion, SCPs can also include denies on cloudtrail:DeleteTrail and s3:DeleteObject actions targeting the CloudTrail log S3 bucket. These SCPs ensure that no user, including administrators, can violate the compliance requirements.

AWS documentation under the Security and Compliance domain for CloudOps states:

“Use AWS Control Tower to establish a secure, compliant, multi-account environment with preventive guardrails through service control policies and detective controls through AWS Config.”

This approach meets all stated needs: centralized enforcement, automatic propagation to new accounts, region-based restrictions, and immutable audit logs. Options A, B, and D either detect violations reactively or lack complete enforcement and automation across future accounts.

SSH access to a Linux EC2 instance requires inbound TCP port 22 to be allowed by the instance’s security group from the administrator’s source IP address. A timeout usually indicates that network traffic is being blocked before the SSH service can respond. Since the instance is in a public subnet and has a public IP address, the most likely missing control is an inbound security group rule. Security groups are stateful, so return traffic is automatically allowed after inbound SSH is permitted. Adding a route for the engineer’s IP address is not needed because public subnets use a default route to the internet gateway. An outbound-only NACL or security group rule does not allow inbound SSH initiation. Therefore, the correct remediation is to allow inbound SSH from the engineer’s public IP.

===============

Per the AWS Cloud Operations, Networking, and Security documentation, the best practice for serving private S3 content securely to end users is to use Amazon CloudFront with Origin Access Control (OAC).

OAC enables CloudFront to access S3 buckets privately, even when Block Public Access settings are enabled at the account level. This allows content to be delivered globally and securely without making the S3 bucket public. The bucket policy explicitly allows access only from the CloudFront distribution, ensuring that users can retrieve PDF files only via CloudFront URLs.

This configuration offers:

Automatic scalability through CloudFront caching,

Improved security via private access control,

Minimal administration effort with fully managed services.

Other options require manual handling or make the bucket public, violating AWS security best practices.

Therefore, Option B—using CloudFront with Origin Access Control and a restrictive bucket policy—provides the most secure, efficient, and low-maintenance CloudOps solution.

CloudFormation drift detection compares the actual configuration of stack resources with the expected configuration defined in the CloudFormation template. This directly satisfies the requirement to find resources that do not match the expected configuration. Scheduling drift detection with Amazon EventBridge automates the audit and avoids manual CLI checks or repository reviews. Repository reviews only validate desired template code, not the real deployed state. EventBridge notifications about resource creation do not prove that resources remain compliant after deployment. AWS CLI scripts could work, but they would require custom logic and ongoing maintenance. For CloudOps, the best approach is to use the native drift detection capability and automate it on a schedule, then capture the drift results for operational review and remediation planning.

===============

The AWS Cloud Operations and Security documentation specifies that for Amazon CloudFront, automatic certificate renewal is only supported for certificates issued by AWS Certificate Manager (ACM). When a certificate is managed by ACM and validated through DNS validation, ACM automatically renews the certificate before expiration without requiring manual intervention.

Option A ensures that the certificate is issued and managed by ACM, enabling full integration with CloudFront. Option E (DNS validation) is essential for automation; AWS performs revalidation automatically as long as the DNS validation record remains in place.

By contrast, email validation (Option D) requires manual user confirmation upon renewal, which prevents automatic renewals. Certificates issued by third-party certificate authorities (Option B) are manually managed and must be reimported into ACM after renewal. CloudFront does not have a direct feature (Option C) to renew certificates; it relies on ACM’s lifecycle management.

Thus, combining ACM-issued certificates (A) with DNS validation (E) ensures continuous, automated renewal with no downtime or human action required.

Standard Amazon Linux AMIs typically already include the Systems Manager Agent. If instances do not appear as managed nodes in Systems Manager, the most common missing requirement is the instance profile permissions that allow the SSM Agent to communicate with Systems Manager service endpoints. The AWS managed policy AmazonSSMManagedInstanceCore grants the required permissions for core Systems Manager functionality. Option A is unnecessary because the standard Amazon Linux AMI already includes SSM Agent in most supported versions. Option B is irrelevant; ACM certificates are not required for SSM Agent registration. Option C is also wrong because the ssm-user account is created and managed by Session Manager when needed; manually creating it does not register the instance. Therefore, attach an IAM instance profile with AmazonSSMManagedInstanceCore.

===============

AWS Backup is the managed service for backing up and restoring Amazon EFS file systems. It supports backup vaults and restore workflows without requiring a second live EFS file system. This is more cost-effective than maintaining a duplicate EFS file system in another Region. AWS documentation explains that AWS Backup performs incremental backups of EFS file systems, reducing duplicate backup storage and improving cost efficiency. For file-level recovery, a partial restore job can restore selected files or directories rather than restoring the entire file system. Amazon DLM is primarily used for EBS snapshots, not EFS file-level backup management. S3 Glacier retrieval is not the best fit for rapid individual file recovery because retrieval latency and restore workflow are unsuitable for quick operational recovery. Therefore, AWS Backup with partial restore is the right answer.

===============

The explicit Deny statement uses NotAction, which means it denies all actions except ec2:* and s3:GetObject. Explicit deny overrides any allow. Therefore, even though rds:Describe* is allowed in the first statement, it is denied by the Deny statement because RDS actions are not excluded from the deny. s3:PutObject is also denied because only s3:GetObject is excluded. EC2 actions are excluded from the deny, but they still need an applicable Allow. The second statement allows ec2:* only when the EC2 Region condition equals us-east-1. Therefore, ec2:DescribeInstances in us-east-1 is allowed, while ec2:AttachNetworkInterface in eu-west-1 is not allowed. Option C is the only permitted action.

===============

AMI IDs are Region-specific. An AMI ID that exists in us-east-1 does not automatically exist in us-west-2, and even copied AMIs receive different AMI IDs in the destination Region. The correct CloudFormation pattern is to define Region-specific AMI IDs in the Mappings section and use Fn::FindInMap with AWS::Region to select the correct AMI for the deployment Region. Option A is wrong because you cannot assign the same AMI ID in another Region. Option B is invalid because AMI IDs are not globally qualified by adding a Region code. Option C can help users select an AMI manually, but it does not ensure the template automatically works in every Region. Therefore, mappings are the correct infrastructure-as-code solution.

===============