sap
061-090

64

A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU.

Which solution will meet this requirement?

A. Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the production OU.

B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU.

C. Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the production OU.

D. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU.

👉

B: The strongly recommended guardrails that ship with Control Tower already include a detective control for RDS instances whose storage is not encrypted (disallow-rds-storage-unencrypted), so it only has to be enabled and applied to the production OU.

REF: https://docs.aws.amazon.com/zh_cn/controltower/latest/userguide/strongly-recommended-controls.html#disallow-rds-storage-unencrypted

66

👉

Very good blog: https://aws.amazon.com/cn/blogs/mt/control-developer-account-costs-with-aws-cloudformation-and-aws-budgets/

Used to cap the spending of accounts under the organization: once the budget threshold is reached, the resources are shut down.

70

A company has an environment that has a single AWS account. A solutions architect is reviewing the environment to recommend what the company could improve specifically in terms of access to the AWS Management Console. The company’s IT support workers currently access the console for administrative tasks, authenticating with named IAM users that have been mapped to their job role.

The IT support workers no longer want to maintain both their Active Directory and IAM user accounts. They want to be able to access the console by using their existing Active Directory credentials. The solutions architect is using AWS IAM Identity Center (AWS Single Sign-On) to implement this functionality.

Which solution will meet these requirements MOST cost-effectively?

A. Create an organization in AWS Organizations. Turn on the IAM Identity Center feature in Organizations. Create and configure a directory in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company’s on-premises Active Directory. Configure IAM Identity Center and set the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map them to the existing groups within the AWS Managed Microsoft AD directory.

B. Create an organization in AWS Organizations. Turn on the IAM Identity Center feature in Organizations. Create and configure an AD Connector to connect to the company’s on-premises Active Directory. Configure IAM Identity Center and select the AD Connector as the identity source. Create permission sets and map them to the existing groups within the company’s Active Directory.

C. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure a directory in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company’s on-premises Active Directory. Configure IAM Identity Center and select the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map them to the existing groups within the AWS Managed Microsoft AD directory.

D. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure an AD Connector to connect to the company’s on-premises Active Directory. Configure IAM Identity Center and set the AD Connector as the identity source. Create permission sets and map them to the existing groups within the company’s Active Directory.

👉

D: An organization has only two modes, all features or consolidated billing only. IAM Identity Center requires all features, which rules out A and B; an AD Connector to the existing on-premises directory is cheaper than running an AWS Managed Microsoft AD with a trust, which chooses D over C.

https://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/orgs_manage_org_support-all-features.html

78

A company recently completed the migration from an on-premises data center to the AWS Cloud by using a replatforming strategy. One of the migrated servers is running a legacy Simple Mail Transfer Protocol (SMTP) service that a critical application relies upon. The application sends outbound email messages to the company’s customers. The legacy SMTP server does not support TLS encryption and uses TCP port 25. The application can use SMTP only.

The company decides to use Amazon Simple Email Service (Amazon SES) and to decommission the legacy SMTP server. The company has created and validated the SES domain. The company has lifted the SES limits.

What should the company do to modify the application to send email messages from Amazon SES?

A. Configure the application to connect to Amazon SES by using TLS Wrapper. Create an IAM role that has ses:SendEmail and ses:SendRawEmail permissions. Attach the IAM role to an Amazon EC2 instance.

B. Configure the application to connect to Amazon SES by using STARTTLS. Obtain Amazon SES SMTP credentials. Use the credentials to authenticate with Amazon SES.

C. Configure the application to use the SES API to send email messages. Create an IAM role that has ses:SendEmail and ses:SendRawEmail permissions. Use the IAM role as a service role for Amazon SES.

D. Configure the application to use AWS SDKs to send email messages. Create an IAM user for Amazon SES. Generate API access keys. Use the access keys to authenticate with Amazon SES.

👉

B: The application speaks only SMTP, on TCP port 25. Amazon SES accepts STARTTLS on port 25 (as well as 587 and 2587), whereas TLS Wrapper requires port 465 or 2465, so the application must be configured for STARTTLS and authenticate with SES SMTP credentials. https://docs.aws.amazon.com/zh_cn/ses/latest/dg/smtp-connect.html

80

88

A company wants to change its internal cloud billing strategy for each of its business units. Currently, the cloud governance team shares reports for overall cloud spending with the head of each business unit. The company uses AWS Organizations to manage the separate AWS accounts for each business unit. The existing tagging standard in Organizations includes the application, environment, and owner. The cloud governance team wants a centralized solution so each business unit receives monthly reports on its cloud spending. The solution should also send notifications for any cloud spending that exceeds a set threshold.

Which solution is the MOST cost-effective way to meet these requirements?

A. Configure AWS Budgets in each account and configure budget alerts that are grouped by application, environment, and owner. Add each business unit to an Amazon SNS topic for each alert. Use Cost Explorer in each account to create monthly reports for each business unit.

B. Configure AWS Budgets in the organization's management account and configure budget alerts that are grouped by application, environment, and owner. Add each business unit to an Amazon SNS topic for each alert. Use Cost Explorer in the organization's management account to create monthly reports for each business unit.

C. Configure AWS Budgets in each account and configure budget alerts that are grouped by application, environment, and owner. Add each business unit to an Amazon SNS topic for each alert. Use the AWS Billing and Cost Management dashboard in each account to create monthly reports for each business unit.

D. Enable AWS Cost and Usage Reports in the organization's management account and configure reports grouped by application, environment, and owner. Create an AWS Lambda function that processes AWS Cost and Usage Reports, sends budget alerts, and sends monthly reports to each business unit's email list.

👉

B: Configure the budgets centrally in the management account, then set up an SNS alert for each business unit.

This is shown in the blog post https://aws.amazon.com/cn/blogs/mt/manage-cost-overruns-part-1/.