Explanation: The correct answers are A and B because Service Quotas console and AWS Trusted Advisor are AWS services or tools that can report on the quotas so that the company can improve the reliability of the application. Service Quotas console is an AWS tool that enables users to view and manage their quotas for AWS services from a central location. Users can use Service Quotas console to request quota increases, track quota usage, and set up alarms for approaching quota limits. AWS Trusted Advisor is an AWS service that provides real-time guidance to help users follow AWS best practices for security, performance, cost optimization, and fault tolerance. One of the categories of checks that AWS Trusted Advisor performs is service limits, which monitors the usage of each AWS service and alerts users when they are close to reaching the default limit. The other options are incorrect because they are not AWS services or tools that can report on the quotas so that the company can improve the reliability of the application. AWS Systems Manager is an AWS service that enables users to automate operational tasks, manage configuration and compliance, and monitor system health and performance. AWS Shield is an AWS service that protects users from distributed denial of service (DDoS) attacks. AWS Cost Explorer is an AWS tool that enables users to visualize, understand, and manage their AWS costs and usage.

Explanation: Architecture optimization is the best practice for cost governance that this example shows. Architecture optimization is the process of designing and implementing AWS solutions that are efficient, scalable, and cost-effective. By using specific AWS services to improve efficiency and reduce cost, the company is following the architecture optimization best practice. Some of the techniques for architecture optimization include using the right size and type of resources, leveraging elasticity and scalability, choosing the most suitable storage class, and using serverless and managed services2.

Explanation: The correct answers are B and D because a virtual private gateway and a customer gateway are components of an AWS Site-to-Site VPN connection. A virtual private gateway is the AWS side of the VPN connection that attaches to the customer’s VPC. A customer gateway is the customer side of the VPN connection that resides in the customer’s network. The other options are incorrect because they are not components of an AWS Site-to-Site VPN connection. AWS Storage Gateway is a service that connects onpremises software applications with cloud-based storage. NAT gateway is a service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. Internet gateway is a service that enables communication between instances in a VPC and the internet.

Explanation: The correct answer is C because AWS CloudHSM is an AWS service that enables the security engineer to meet the requirements. AWS CloudHSM is a service that provides customers with dedicated hardware security modules (HSMs) to create, control, and manage their own cryptographic keys in the AWS Cloud. AWS CloudHSM allows customers to meet strict regulatory compliance requirements for data security, such as FIPS 140-2 Level 3, PCI-DSS, and HIPAA. The other options are incorrect because they are not AWS services that enable the security engineer to meet the requirements. AWS Key Management Service (AWS KMS) is a service that provides customers with a fully managed, scalable, and integrated key management system to create and control encryption keys for AWS services and applications. AWS KMS does not provide customers with single-tenant or dedicated HSMs. AWS Certificate Manager (ACM) is a service that provides customers with a simple and secure way to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. ACM does not provide customers with HSMs or cryptographic keys. AWS Systems Manager is a service that provides customers with a unified user interface to view operational data from multiple AWS services and automate operational tasks across their AWS resources. AWS Systems Manager does not provide customers with HSMs or cryptographic keys.

Explanation: Amazon S3 is the most cost-effective service for storing offsite backups of on-premises infrastructure. Amazon S3 offers low-cost, durable, and scalable storage that can be accessed from anywhere over the internet. Amazon S3 also supports lifecycle policies, versioning, encryption, and cross-region replication to optimize the backup and recovery process. Amazon EFS, Amazon FSx, and Amazon EBS are more suitable for storing data that requires high performance, low latency, and frequent access12.

Explanation: AWS manages the encryption of the database clusters and database snapshots for Amazon Aurora, as well as the encryption keys. This is part of the AWS shared responsibility model, where AWS is responsible for the security of the cloud, and the customer is responsible for the security in the cloud. Encryption is one of the security features that AWS provides to protect the data at rest and in transit. For more information, see Amazon Aurora FAQs and AWS Shared Responsibility Model.

Explanation: The correct answers are B and E because AWS Online Tech Talks and AWS Classroom Training are options that AWS makes available for customers who want to learn about security in the cloud in an instructor-led setting. AWS Online Tech Talks are live, online presentations that cover a broad range of topics at varying technical levels. AWS Online Tech Talks are delivered by AWS experts and feature live Q&A sessions with the audience. AWS Classroom Training are in-person or virtual courses that are led by accredited AWS instructors. AWS Classroom Training offer hands-on labs, exercises, and best practices to help customers gain confidence and skills on AWS. The other options are incorrect because they are not options that AWS makes available for customers who want to learn about security in the cloud in an instructor-led setting. AWS Trusted Advisor is an AWS service that provides real-time guidance to help customers follow AWS best practices for security, performance, cost optimization, and fault tolerance. AWS Blog is an AWS resource that provides news, announcements, and insights from AWS experts and customers. AWS Forums are AWS resources that enable customers to interact with other AWS users and get feedback and support.

Explanation: AWS Pricing Calculator is a web-based planning tool that customers can use to create estimates for their AWS use cases. They can use it to model their solutions before building them, explore the AWS service price points, and review the calculations behind their estimates. Therefore, the correct answer is A. You can learn more about AWS Pricing Calculator and how it works.