AWS Cloud Practitioner Practice Test (CLF-C02)

The correct service to implement in this scenario is an elasticity provider that dynamically adjusts compute capacity in response to real-time workload demands, ensuring performance and cost-efficiency. This service optimizes resources by adding them during peak demand and scaling down as traffic decreases, eliminating the risk of overprovisioning and the need for manual intervention. While increasing instance sizes and using a serverless architecture can help in managing workloads, they do not offer the same level of dynamic adaptability without predefined scaling policies.

AWS Lambda is the best fit for this scenario because it's designed to automatically run code in response to events without provisioning or managing servers, which is ideal for workloads that are unpredictable and fluctuating. This service ensures that the application can start quickly and run whenever it is triggered by an event, which is optimal for processing transactions in the scenario described. Other services like ECS and Fargate also offer serverless options but are generally more suitable for long-running tasks and instances where container management is preferred.

The Reliability pillar emphasizes the ability to recover from failures and maintain the availability of services. This involves implementing fault-tolerant systems, ensuring redundant resources, and using automated recovery procedures. The Operational Excellence pillar focuses on effective operations and monitoring, the Security pillar on protecting data and systems, and the Performance Efficiency pillar on adapting to changing requirements efficiently.

While AWS manages the infrastructure and ensures the security of the hardware, software, networking, and facilities that run AWS Cloud services, the encryption of data at rest is a customer responsibility. AWS offers the tools and services (like Amazon S3 server-side encryption), but it is up to the customer to configure and manage these features according to their security requirements. Therefore, the answer suggesting that AWS is responsible for data encryption at rest is incorrect. It is a shared control: AWS provides the capability, while the customer must configure and enable it.

For more information, see the Shared Responsibility Model in the AWS documentation which states file and data encryption is the responsibility of the customer.

The correct service is Amazon EKS (Elastic Kubernetes Service), as it allows for the deployment, management, and scaling of containerized applications using Kubernetes on AWS without the need for the user to manage the Kubernetes control plane themselves. Amazon ECS (Elastic Container Service) also provides a managed container service but is not specifically tailored for Kubernetes, which is hinted at by the mention of open-source orchestration in the question. AWS Lambda is designed for serverless workloads, not for managing containerized applications with Kubernetes, and launching EC2 instances would require manual setup and management of Kubernetes, contrary to the 'fully managed' aspect mentioned in the question.

Amazon Inspector is specifically designed to automatically assess applications, including serverless computing functions, for vulnerabilities or unintended network exposure. It provides detailed assessments that help ensure you are following security best practices. Security Hub and GuardDuty are also crucial in monitoring security posture, but they serve different specific functions compared to Amazon Inspector.

Within the shared responsibility model, while the cloud provider is in charge of securing the infrastructure that runs the services, the user retains the responsibility of securing the operating system including the application of patches and updates. Specifically, this means regular patch management and security configurations must be performed by the user, not the provider. The provider typically does not manage individual guest operating systems or applications. Physical security and infrastructure are handled by the provider, and while the user configures services such as identity and access management, the actual infrastructure and security of the service itself remains the provider’s responsibility.

When assessing costs associated with an on-premises data center, a company needs to consider both the Capital Expenditures (CapEx) which include hardware costs, physical infrastructure, and long-term software licenses, as well as the Operational Expenditures (OpEx) that encompass ongoing costs like maintenance, electricity, and cooling. These costs can be significantly reduced in a cloud environment through a pay-as-you-go model, which eliminates many of the upfront and ongoing expenses of owning and operating data center hardware. The cost of managing on-premises security appliances is not typically reduced in the cloud because security remains a shared responsibility, and application update costs are generally the same whether on-premises or in the cloud.

In the AWS shared responsibility model, the customer is responsible for security 'in' the cloud. This includes the configuration of the AWS resources they use, managing their own data, and securing application platforms. Amazon Web Services is responsible for security 'of' the cloud, which means it manages the infrastructure that runs all the services offered in the AWS Cloud. Incorrect choices might mix up these divisions of responsibility or incorrectly attribute the responsibility of the physical hardware to the customer, which is AWS's responsibility.

The correct answer is the 'Hybrid' deployment model because it involves a combination of on-premises infrastructure with cloud services, which allows for compliance with regulatory requirements while also taking advantage of the scalability and flexibility of AWS Cloud services.

The service in question is Amazon Simple Storage Service (S3), which fulfills all the specified criteria by providing default encryption for stored data, and securing each customer's data with unique keys managed by the service itself, without any additional configuration needed for data access. Amazon Elastic Block Store (EBS) and Amazon Relational Database Service (RDS) provide encryption capabilities, but they may require initial setup and configuration, and do not always use a unique key per customer unless specified. AWS Key Management Service (KMS) is a key management service and not a data storage service, and thus does not directly encrypt data at rest.

Amazon S3 Standard-Infrequent Access (S3 Standard-IA) is the best choice for data that is accessed less frequently, but requires rapid access when needed. It offers a lower storage cost compared to Amazon S3 Standard, while still providing high throughput and fast access to data when an audit occurs, which satisfies the financial institution's need for quick retrieval during unexpected audits.

To accommodate both predictable baseline usage and intermittent spikes, the best approach is to combine Reserved Instances (RIs) for the baseline capacity with On-Demand Instances to handle peak loads. RIs offer a discounted hourly rate and capacity reservation, making them suitable for the steady baseline workload, while On-Demand Instances provide the flexibility to scale up without any upfront commitment, which is ideal for handling unpredictable spikes. Savings Plans require a commitment to a specific amount of usage (measured in $/hour) over 1 or 3 years and could lead to overcommitment during non-peak times. Meanwhile, Spot Instances offer the highest discounts but can be terminated by AWS when the spot price exceeds the bid price, which risks stability during demand spikes.

In the AWS shared responsibility model, AWS is responsible for the security of the cloud, including the infrastructure that runs all the services offered in the AWS Cloud. The customer is responsible for security in the cloud, which includes managing the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS provided firewall (security groups) on each instance. Therefore, applying OS patches and securing the server against unauthorized access are responsibilities of the customer.

A streamlined cloud service designed for centralized backup management allows users to automate the backup process for various workloads in the cloud while ensuring compliance with data retention policies. Such a service enables applying uniform backup policies across different resources, simplifying management and aiding in compliance efforts. A solution which is purpose-built for handling backups across multiple storage and database solutions, offering a unified backup policy and monitoring, would be the correct choice. The other options listed, while being AWS service capabilities, do not offer the same centralized and automated backup management features.