AWS Solutions Arch-QuestionsGotWrong


Your development team has recently finished developing a web application that will soon be put into production. Before they transfer it into the environment, they need to do a final test run. Only the employees can access the app - either on the corporate network or via the Internet. Your manager also instructed you to ensure that the EC2 instance hosting the application server will not be exposed to the Internet. As a Solutions Architect, which of the following will you implement to fulfill the requirement? (Test 3)

1. Configure SSL VPN on the public subnet of your VPC.
2. Install an SSL VPN client software on all employee workstations.
3. Create a private subnet in your VPC and place your application servers in it.

You are setting up a VPN for a customer to connect his remote network to his Amazon VPC environment. There are many ways to accomplish this. You have also been given a list of the things that the customer has specified the network needs to be able to do:
- Predictable network performance
- Support for BGP peering and routing policies
- A secure IPsec VPN connection, but not over the Internet
Which of the following VPN options would best satisfy the customer's requirements? Choose the correct answer from the options below (Test 6)

AWS Direct Connect and IPsec Hardware VPN connection over private lines

A leading aerospace engineering company is experiencing high growth and demand on their highly-available and fault-tolerant cloud services platform that is hosted in AWS. The technical lead of your team has asked you to virtually extend two existing on-premises data centers into AWS cloud to support an online flight-tracking service which is used by a lot of airline companies. The online service heavily depends on existing, on-premises resources located in multiple data centers and static content that is served from an S3 bucket. To meet the requirement, you launched a dual-tunnel VPN connection between your CGW and VGW. In this scenario, which component of your cloud architecture represents a potential single point of failure, which you should consider changing to make the solution more highly available? (Test 4)

Create another Customer Gateway in a different data center and set up another dual-tunnel VPN connection. (The Virtual Private Gateway already terminates each VPN connection on two redundant AWS endpoints; the single Customer Gateway in one data center is the single point of failure.)

Your supervisor gave you a brief of a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud but at the client's data center, due to security risks. Which of the following solutions would best assure that the client's requirements are met? Choose the correct answer from the options below (Test 6)

Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.

You are a Solutions Architect for a global financial company which has a lot of data centers around the globe. Due to the ever-growing data that your company is storing, you were instructed to set up a durable, cost-effective solution to archive your data from your existing tape-based backup infrastructure to AWS Cloud. How could you implement this solution in AWS? (Test 4)

Set up a Tape Gateway which will back up your data in Amazon S3 and archive in Amazon Glacier using your existing tape-based processes.

A new online banking portal has been recently deployed to an Auto Scaling group of EC2 instances on your VPC. However, after several days, you found out that there is an unusually high amount of inbound HTTP traffic coming from a set of 15 specific IP addresses from a certain country where your company has absolutely no customers. The EC2 instances are so flooded with incoming requests that the system administrators cannot even establish an SSH connection to them. What should a Solutions Architect do to fix this security vulnerability in the MOST cost-effective way? (Test 2)

Set up deny rules on the inbound network ACL associated with the web application tier subnet to block the group of attacking IP addresses. (Number the deny rules lower than the allow rules: network ACL rules are evaluated in ascending order and the first match wins.)

You want to set up a public website on AWS. The things that you require are as follows:
- You want the database and the application server running on AWS VPC.
- You want the database to be able to connect to the Internet, specifically for any patch upgrades.
- You do not want to receive any incoming requests from the Internet to the database.
Which of the following solutions would be the best to satisfy all the above requirements for your planned public website on AWS? Choose the correct answer from the options below (Test 6)

Set up the public website on a public subnet and set up the database in a private subnet which connects to the Internet via a NAT instance (or a NAT gateway, the managed equivalent). The NAT only forwards connections initiated from the private subnet, so nothing on the Internet can open a connection to the database.

You are given a task with moving a legacy application from a virtual machine running inside your datacenter to an Amazon VPC. Unfortunately, this app requires access to a number of on-premises services, and no one who configured the app still works for your company. Even worse, there is no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured? Choose 3 options from the below: (Test 7)

A. An AWS Direct Connect link between the VPC and the network housing the internal services.
D. An IP address space that does not conflict with the one on-premises.
F. A VM Import of the current virtual machine.

An employee keeps terminating EC2 instances in the production environment. You have determined that the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure that the employee does not terminate the production instances? Choose the 2 correct answers from the options below (Test 6)

A. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag.
B. Tag the instance with a production-identifying tag and modify the employees group to allow only start, stop, and reboot API calls and not the terminate instance call.

You are working as a Solutions Architect for a company that recently adopted a hybrid cloud architecture. Your manager instructed you to create a new VPC, set up the required security configurations, and migrate their web applications. Which of the following services can be used to deploy their applications to the cloud and also launch the required AWS resources automatically? (Choose 3) (Test 4)

AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk

You formed a new startup company where you develop health-related mobile apps on both iOS and Android devices. Your co-founder developed a sleep tracking app which collects the user's biometric data then stores it in a DynamoDB table, which is configured with on-demand provisioned throughput capacity. Every day at 9 in the morning, a scheduled task scans the DynamoDB table to extract and aggregate last night's data for each user and stores the results in an S3 bucket. When the new data is available, the users are then notified via Amazon SNS mobile push notifications. Due to budget constraints, you want to optimize the current architecture of the backend system to lower costs and increase your bottom line. Which of the following can you do to further lower the cost in AWS? (Choose 2) (Test 5)

a. Purchase reserved capacity for DynamoDB provisioned throughput.
b. Set up a scheduled job to drop the previous day's DynamoDB table containing the biometric data after it has been successfully stored in the S3 bucket. Create another DynamoDB table for the new day and repeat the deletion and creation process every day.

You are instructed to perform a Total Cost of Ownership (TCO) analysis and prepare a cost-optimized migration plan for the systems hosted in your on-premises network to AWS. It is required that you collect configuration, usage, and behavior data from your on-premises servers to help you better understand your workloads before doing the migration. Which of the following is the most suitable solution that you should implement to meet this requirement? (Test 3)

(Answer) Use the AWS Application Discovery Service to gather data about your on-premises data center and perform the TCO analysis. (Explanation) AWS Application Discovery Service helps enterprise customers plan migration projects by gathering information about their on-premises data centers. The collected data is retained in encrypted form in an AWS Application Discovery Service data store. You can export this data as a CSV file and use it to estimate the Total Cost of Ownership (TCO) of running on AWS and to plan your migration to AWS.

A global data analytics firm has various data centers from different countries all over the world. The staff are regularly uploading analytics, financial, and regulatory files of each of their respective data centers to a web portal deployed in AWS, which uses an S3 bucket named global-analytics-reports-bucket to durably store the data. The staff download various reports from a CloudFront distribution which uses the global-analytics-reports-bucket S3 bucket as the origin. You noticed that the staff are using both the CloudFront link and the direct Amazon S3 URLs to download the reports. The IT Security team of the company sees this as a security risk and they recommended that you implement a way to prevent anyone from bypassing CloudFront and using the direct Amazon S3 URLs. What would you do to meet the above requirement? (Test 5)

1. Create a special CloudFront user called an origin access identity (OAI) and associate it with your CloudFront distribution.
2. Give the origin access identity permission to read the objects in your bucket.
3. Remove anyone else's permission to use Amazon S3 URLs to read the objects.
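
The audit below is an added example, not code from the page or from AWS: it builds the bucket policy that step 2 calls for (read access for the OAI only) and then scans a bucket policy for the statements step 3 is meant to remove, namely Allow statements that hand object reads to an anonymous or wildcard principal, since any such statement keeps the direct S3 URLs working no matter how the distribution is configured. The bucket name comes from the card; the OAI id, Sids and the legacy policy are constructed for the demo.

```python
"""Audit an S3 bucket policy for grants that let readers bypass CloudFront
(an added illustration, not code from the page or from AWS).

Step 3 of the card is the one people miss: after the OAI gets read access,
every statement that still hands s3:GetObject to an anonymous or wildcard
principal keeps the direct https://bucket.s3.amazonaws.com/key URLs working.
The bucket name is the card's; the OAI id and policies are constructed.
"""
import json

BUCKET = "global-analytics-reports-bucket"
OAI_ID = "E1EXAMPLE2OAI3"          # constructed CloudFront origin access identity id


def oai_only_policy(bucket=BUCKET, oai_id=OAI_ID):
    """Bucket policy that grants object reads only to the distribution's OAI."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous / anyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _grants_read(actions):
    """True if the action list covers s3:GetObject directly or via a wildcard."""
    for action in _as_list(actions):
        if action in ("*", "s3:*", "s3:GetObject") or action.lower() in ("s3:get*", "s3:getobject*"):
            return True
    return False


def direct_access_statements(policy):
    """Return the Sids (or statement indexes) of Allow statements that let
    anyone read objects directly, i.e. without going through the OAI."""
    offenders = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        if "Condition" in stmt:
            continue  # conditioned grants (e.g. aws:SourceVpce) need a manual review, not an automatic fail
        offenders.append(stmt.get("Sid", f"statement[{index}]"))
    return offenders


def legacy_public_read_policy(bucket=BUCKET):
    """The kind of 'PublicReadGetObject' statement that commonly survives an OAI rollout (constructed)."""
    policy = oai_only_policy(bucket)
    policy["Statement"].append({
        "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"})
    return policy


if __name__ == "__main__":
    print(json.dumps(oai_only_policy(), indent=2))
    print("offenders in clean policy :", direct_access_statements(oai_only_policy()))
    print("offenders in legacy policy:", direct_access_statements(legacy_public_read_policy()))
```

Two checks the policy scan cannot do for you: object ACLs can grant public-read independently of the bucket policy (turn on S3 Block Public Access to neutralise them), and an OAI only works against the S3 REST endpoint, not against a bucket configured as a static website endpoint origin. CloudFront's newer origin access control (OAC) replaces OAI with the same "remove everyone else's read" requirement.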

You are working as the technical lead of the DevOps team in a cryptocurrency startup company which uses multiple AWS accounts that are all connected using AWS Organizations. Due to the financial nature of the business, you were instructed by your CTO to prepare for the IT audit activities to meet the compliance requirements. Which of the following provides the most durable and secure logging solution that you can use to track changes made to all of your AWS resources globally? (Test 4)

1. Launch a new CloudTrail trail using the AWS console with one new S3 bucket to store the logs and with the "Apply trail to all regions" checkbox enabled.
2. Enable MFA Delete and log encryption on the S3 bucket.
(Also enable CloudTrail log file integrity validation so that tampering with delivered log files is detectable, and with AWS Organizations create the trail as an organization trail from the management account so that every member account is covered.)

You are working as a Solutions Architect for a leading food chain that has recently adopted a hybrid cloud infrastructure which extends its data centers into AWS Cloud. You are told to allow on-premises users, who are already signed-in using their corporate accounts, to manage AWS resources without creating separate IAM users for each of them. This is to avoid having two separate login accounts and memorizing multiple credentials. Which of the following is the best way to handle user authentication in this hybrid architecture? (Test 2)

Authenticate using your on-premises SAML 2.0-compliant identity provider (IdP), retrieve temporary credentials using STS, and grant federated access to the AWS console via the AWS single sign-on (SSO) endpoint using a browser. [This is correct because it has federation, SAML 2.0 and single sign-on (SSO).]

A company has many employees who need to run internal applications that access the company's AWS resources. These employees already have user credentials in the company's current identity authentication system, which does not support SAML 2.0. The company does not want to create a separate IAM user for each company employee. How should the SSO setup be designed? Choose the 2 correct answers from the options below (Test 6)

B. Create a custom identity broker application which authenticates the employees using the existing system, uses the GetFederationToken API call and passes a permission policy to gain temporary access credentials from STS.
C. Create a custom identity broker application which authenticates employees using the existing system and uses the AssumeRole API call to gain temporary, role-based access to AWS.

A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an IPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Service (S3) keyspace specific to that user. Which two approaches can satisfy these objectives? Choose 2 options from the below (Test 7)

B. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service (STS) to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket.
C. Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service (STS) to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
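
Both this card and the earlier one about the employee who keeps terminating production instances come down to how IAM combines statements: an explicit Deny beats every Allow, nothing matching means an implicit Deny, and condition keys decide which statements match at all. The evaluator below is an added example, not AWS's evaluation engine nor code from the page; it implements just those rules (StringEquals and StringLike only) and runs them against two constructed policy sets: the group policy plus tag-scoped Deny from the terminate card, and the per-user session policy an identity broker would pass to STS (GetFederationToken or AssumeRole both accept one) to confine an LDAP user to the keyspace <user>/ in an assumed bucket named corp-user-data. Policy text, ARNs, the tag name Environment and the bucket name are all assumptions.

```python
"""Minimal IAM-style policy evaluator (an added illustration, not AWS's own
evaluation engine).  It models the three rules the two cards above rely on:

  1. an explicit Deny always wins over any Allow,
  2. with no matching Allow the result is an implicit Deny,
  3. Condition keys (ec2:ResourceTag/..., s3:prefix) narrow which statements match.

The policy documents, ARNs, tag names and the identity-broker helper below
are constructed for the demo.
"""
from fnmatch import fnmatchcase

# Card "employee keeps terminating production instances": the group policy
# still allows terminate everywhere, so only the explicit Deny on the tag stops it.
EMPLOYEE_GROUP_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances",
                   "ec2:RebootInstances", "ec2:TerminateInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
    }]
}
PROTECT_PRODUCTION_POLICY = {
    "Statement": [{
        "Effect": "Deny",
        "Action": "ec2:TerminateInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}},
    }]
}


def per_user_s3_policy(user, bucket="corp-user-data"):
    """Session policy an identity broker would hand to STS for one LDAP user
    (assumed bucket name).  It confines the user to the <user>/ keyspace."""
    return {"Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{user}/*", user]}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{user}/*"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """StringEquals / StringLike only; a key absent from the request never matches."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = _as_list(wanted)
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringLike" and not any(fnmatchcase(actual, w) for w in wanted):
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # IAM's "*" spans "/" and ":" just like fnmatch's, so ARN wildcards behave as expected.
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"       # rule 1: deny wins immediately
            decision = "Allow"
    return decision                          # rule 2: nothing allowed it


if __name__ == "__main__":
    prod = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    emp = [EMPLOYEE_GROUP_POLICY, PROTECT_PRODUCTION_POLICY]
    print("terminate prod :", evaluate(emp, "ec2:TerminateInstances", prod,
                                      {"ec2:ResourceTag/Environment": "Production"}))
    print("stop prod      :", evaluate(emp, "ec2:StopInstances", prod,
                                      {"ec2:ResourceTag/Environment": "Production"}))
    alice = [per_user_s3_policy("alice")]
    print("alice->alice/  :", evaluate(alice, "s3:GetObject", "arn:aws:s3:::corp-user-data/alice/q1.csv"))
    print("alice->bob/    :", evaluate(alice, "s3:GetObject", "arn:aws:s3:::corp-user-data/bob/q1.csv"))
```

Two things the runs make visible. The tag-based Deny protects only instances that actually carry the tag, so an untagged production instance is still terminable under the group policy; pair the Deny with an enforced tagging standard. And for the S3 keyspace, scoping ListBucket needs the s3:prefix condition on the bucket ARN while GetObject/PutObject are scoped on the object ARN; a request with no prefix at all is implicitly denied, which is the intended behaviour.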

The national election will be held in 6 months time and your startup won the bid to build an e-voting system. There would be millions of voters, which is why the system must be able to handle large incoming requests and also have a web page to show the real-time poll. What would be the best and most cost-effective method of architecting this system? (Test 5)

Build a JavaScript application using Angular or React for the UI of the voting system and host it in S3 static website hosting. Use CloudFront as the CDN and Route 53 for routing. Build an API using Lambda and API Gateway which communicates directly with DynamoDB to post and get the voting data.

A company is building an AWS Cloud Environment for a financial regulatory firm. Part of the requirements is being able to monitor all changes in an environment and all traffic sent to and from the environment. What suggestions would you make to ensure all the requirements for monitoring the financial architecture are satisfied? Choose the 2 correct answers from the options below (Test 6)

C. Configure an IPS/IDS to listen and block all suspected bad traffic coming into and out of the VPC. Configure CloudTrail with CloudWatch Logs to monitor all changes within an environment.
D. Configure an IPS/IDS system, such as Palo Alto Networks, that monitors, filters, and alerts of all potential hazard traffic leaving the VPC.

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your servers on-premises will be communicating with your VPC instances. You will be establishing IPsec tunnels over the Internet. You will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPsec tunnel as outlined above? Choose 4 answers from the below: (Test 7) and (Test 4)

C. Data encryption across the Internet
D. Protection of data in transit over the Internet
E. Peer identity authentication between VPN gateway and customer gateway
F. Data integrity protection across the Internet

You are excited that your company has just purchased a Direct Connect link from AWS as everything you now do on AWS should be much faster and more reliable. Your company is based in Sydney, Australia so obviously, the Direct Connect Link to AWS will go into the Asia Pacific (Sydney) region. Your first job after the new link purchase is to create a multi-region design across the Asia Pacific(Sydney) region and the US West (N. California) region. You soon discover that all the infrastructure you deploy in the Asia Pacific(Sydney) region is extremely fast and reliable, however, the infrastructure you deploy in the US West(N. California) region is much slower and unreliable. Which of the following would be the best option to make the US West(N. California) region a more reliable connection? Choose the correct answer from the options below(Test 7)

Create a public virtual interface to the US West region's public endpoints and use VPN over the public virtual interface to protect the data. (Explanation) To connect to AWS public endpoints, such as Amazon Elastic Compute Cloud (Amazon EC2) or Amazon Simple Storage Service (Amazon S3), with dedicated network performance, use a public virtual interface. To connect to private services, such as an Amazon Virtual Private Cloud (Amazon VPC), with dedicated network performance, use a private virtual interface. Since the scenario does not mention VPC only, you need to create a public virtual interface, which allows you to connect to all AWS public IP spaces globally.

You are working as a Senior Solutions Architect in a multinational healthcare company where you need to launch a new medtech information website. You chose to use Amazon CloudFormation to deploy a three-tier web application that consists of a web tier and application tier that will utilize Amazon DynamoDB for storage. In this scenario, which of the following options will allow the application instance access to the DynamoDB tables without exposing API credentials? (Test 2)

Create an IAM Role and assign the required permissions to read and write from the DynamoDB table. Have the instance profile property of the application instance reference the role. (This is the simplest answer; do not pick the more complex one.)

A company is running a batch analysis every hour on their main transactional DB running on an RDS MySQL instance to populate their central Data Warehouse running on Redshift. During the execution of the batch their transactional applications are very slow. When the batch completes they need to update the top management dashboard with the new data. The dashboard is produced by another system running on-premises that is currently started when a manually-sent email notifies that an update is required. The on-premises system cannot be modified because it is managed by another team. How would you optimize this scenario to solve the performance issues and automate the process as much as possible? (Test 7)

Create an RDS Read Replica for the batch analysis and use SNS to notify the on-premises system to update the dashboard.

You are working as a Cloud Engineer at a leading insurance company in South East Asia. Your team has recently deployed a new portal that enables your users to log in and manage their accounts, view their insurance plans and pay their monthly premiums. After a few weeks, you noticed a lot of incoming traffic from a country in which the insurance company does not operate. Later on, you see that the same set of IP addresses from the unsupported country is sending massive amounts of requests to your portal, which has caused some minor performance issues. Which of the following is the best solution to implement to block the series of attacks coming from a set of determined IP ranges? (Test 5)

Create an inbound network ACL with explicit deny rules to block the attacking IP addresses.
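
This card and the banking-portal card above have the same answer, and the same trap: a network ACL is stateless and is evaluated lowest rule number first, first match wins, with the trailing "*" rule denying whatever remains, so a Deny for the attacking ranges only has effect when its number is lower than the broad Allow on ports 80/443. The simulator below is an added example, not AWS code; it evaluates an inbound ACL the way the VPC does and shows the same denies working at rule 100 and silently ignored at rule 300. The ACL contents, the corporate admin range and the attacker ranges (RFC 5737 documentation prefixes standing in for the hostile addresses) are constructed.

```python
"""Network ACL rule-order check (an added illustration, not AWS code).

A VPC network ACL is stateless and is evaluated lowest rule number first;
the first rule that matches decides, and the trailing "*" rule denies the
rest.  So the Deny entries for the attacking ranges only bite if they are
numbered below the broad Allow that lets customers reach port 80/443.
The ACL contents and the attacker ranges are constructed for the demo
(RFC 5737 documentation prefixes stand in for the hostile addresses).
"""
import ipaddress

ATTACKER_CIDRS = ["203.0.113.0/28", "198.51.100.16/28"]   # constructed
CORP_CIDR = "192.0.2.0/24"                                 # constructed admin network


# rule tuple: (number, action, protocol, (port_from, port_to), source_cidr)
def web_tier_inbound_acl(deny_rule_base=100):
    """Inbound ACL for the web subnet with the attacker denies numbered from deny_rule_base."""
    acl = [(deny_rule_base + i, "deny", "tcp", (0, 65535), cidr)
           for i, cidr in enumerate(ATTACKER_CIDRS)]
    acl += [
        (200, "allow", "tcp", (80, 80), "0.0.0.0/0"),
        (210, "allow", "tcp", (443, 443), "0.0.0.0/0"),
        (220, "allow", "tcp", (22, 22), CORP_CIDR),
        # stateless: replies to connections the instances open (patching) come back on ephemeral ports
        (230, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),
    ]
    return acl


def misordered_inbound_acl():
    """Same rules, but the denies were appended after the allows (numbers 300+)."""
    return web_tier_inbound_acl(deny_rule_base=300)


def lookup(acl, protocol, port, source_ip):
    """Decide one inbound packet: first match by ascending rule number, else the '*' deny."""
    src = ipaddress.ip_address(source_ip)
    for number, action, rule_proto, (lo, hi), cidr in sorted(acl, key=lambda r: r[0]):
        if rule_proto not in (protocol, "all"):
            continue
        if not lo <= port <= hi:
            continue
        if src in ipaddress.ip_network(cidr):
            return number, action
    return "*", "deny"


if __name__ == "__main__":
    good, bad = web_tier_inbound_acl(), misordered_inbound_acl()
    for label, acl in (("deny first", good), ("deny last ", bad)):
        print(label, "attacker -> :80  ", lookup(acl, "tcp", 80, "203.0.113.5"))
        print(label, "customer -> :443 ", lookup(acl, "tcp", 443, "198.51.100.200"))
        print(label, "internet -> :22  ", lookup(acl, "tcp", 22, "198.51.100.200"))
```

Two practical limits: a network ACL has a default quota of 20 rules per direction (raisable to 40), so the 15 addresses in the banking card fit as /32 entries but contiguous attackers should be aggregated into a CIDR, and because the ACL is stateless the outbound side still needs its own allow on ephemeral ports for the web responses to leave the subnet.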

An online home loan system is deployed across multiple Availability Zones in the ap-southeast-2 region. As part of their Disaster Recovery Plan, the RTO must be less than 2 hours and the RPO must be 10 minutes. At 12:00 PM, there was a production incident in their database and the operations team found out that they cannot recover the transactions made from 10:30 AM onwards or 1.5 hours ago. How can you change the current architecture to achieve the required RTO and RPO in case a similar system failure occurred again? (Test 5)

Create database backups every hour and store them in an S3 bucket with Cross-Region Replication enabled. Store the transaction logs in the same S3 bucket every 5 minutes.

A web-startup runs its very successful social news application on Amazon EC2 with an Elastic Load Balancer, an Auto Scaling group of Java/Tomcat application servers, and DynamoDB as a data store. The main web application runs best on m2.xlarge instances since it is highly memory-bound. Each new deployment requires the semi-automated creation and testing of a new AMI for the application servers, which takes quite a while and is therefore only done once per week. Recently, a new chat feature has been implemented in Node.js and waits to be integrated into the architecture. First tests show that the new component is CPU-bound. Because the company has some experience with Chef, they decided to streamline the deployment process and use AWS OpsWorks as an application lifecycle tool to simplify management of the application and reduce the deployment cycles. What configuration in AWS OpsWorks is necessary to integrate the new chat module in the most cost-efficient and flexible way? (Test 7)

Create one AWS OpsWorks stack, create two AWS OpsWorks layers, and create one custom recipe.

A company needs to configure a NAT instance for its internal AWS applications to be able to download patches and package software. Currently, they are running a NAT instance that is using the floating IP scripting configuration to create fault tolerance for the NAT. The NAT instance needs to be built with fault tolerance in mind. What is the best way to configure the NAT instance with fault tolerance? Choose the correct answer from the options below: (Test 6)

Create two NAT instances in two separate public subnets; create a route from the private subnet to each NAT instance for fault tolerance. (The part that distinguishes this from the other answers is "two separate public subnets".)

Your team has a Tomcat-based Java application you need to deploy into development, test and production environments. After some research, you opt to use Elastic Beanstalk due to its tight integration with your developer tools and RDS due to its ease of management. Your QA team lead points out that you need to roll a sanitized set of production data into your environment on a nightly basis. Similarly, other software teams in your organization want access to that same restored data via their EC2 instances in your VPC. Which of the following would be the optimal setup for persistence and security that meets the above requirements? (Test 7)

Create your RDS instance separately and pass its DNS name to your app's DB connection string as an environment variable. Create a security group for client machines and add it as a valid source for DB traffic to the security group of the RDS instance itself.

As a best practice in your company, all of the cloud-related deployments should not be done manually but through the use of CloudFormation. All of the CloudFormation templates should be treated as code and hence, all of them are committed in a private Git repository. A senior DevOps engineer has recently left your team and your manager asked you to take over his tasks and applications. One of the tasks that the outgoing DevOps engineer was handling is a distributed system in AWS, in which the architecture is declared in a template. The distributed system needs to be migrated to another VPC and you tried to read the template to understand the AWS resources that the template will generate. While analyzing the CloudFormation template, you stumbled upon the code below. What does this code snippet do in CloudFormation? (Test 2)

    "SNSTopic" : {
      "Type" : "AWS::SNS::Topic",
      "Properties" : {
        "Subscription" : [{
          "Protocol" : "sqs",
          "Endpoint" : { "Fn::GetAtt" : [ "TutorialsDojoQueue", "Arn" ] }
        }]
      }
    }

Creates an SNS topic and then adds an SQS subscription whose endpoint is the ARN attribute (Fn::GetAtt ... Arn) of the SQS queue resource created under the logical name TutorialsDojoQueue. Note that the subscription alone does not let SNS deliver into the queue; a separate AWS::SQS::QueuePolicy must grant sqs:SendMessage to the sns.amazonaws.com service principal for that topic.
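
When you inherit a template like this one, the practical question is which resources depend on which, and CloudFormation derives most of that from Ref and Fn::GetAtt rather than from DependsOn. The resolver below is an added example (not the page's code and not AWS's own engine): it embeds the card's SNSTopic snippet in a small template together with the queue it points at and the AWS::SQS::QueuePolicy that SNS needs before it can deliver, then walks every Ref and Fn::GetAtt to compute the dependency graph and the creation order. The logical name TutorialsDojoQueuePolicy and the policy contents are assumptions; SNSTopic and TutorialsDojoQueue are from the card.

```python
"""Resolve the implicit dependencies a CloudFormation template declares through
Ref and Fn::GetAtt (an added illustration, not the page's or AWS's code).

The template below embeds the card's SNSTopic snippet, adds the queue it
points at, and adds the AWS::SQS::QueuePolicy that SNS needs before it can
actually deliver to the queue (a subscription alone grants no sqs:SendMessage).
Logical names other than SNSTopic and TutorialsDojoQueue are assumed.
"""
import json

TEMPLATE_JSON = r'''
{
  "Resources": {
    "TutorialsDojoQueue": { "Type": "AWS::SQS::Queue" },
    "SNSTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Protocol": "sqs",
            "Endpoint": { "Fn::GetAtt": [ "TutorialsDojoQueue", "Arn" ] } }
        ]
      }
    },
    "TutorialsDojoQueuePolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [ { "Ref": "TutorialsDojoQueue" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [ {
            "Effect": "Allow",
            "Principal": { "Service": "sns.amazonaws.com" },
            "Action": "sqs:SendMessage",
            "Resource": { "Fn::GetAtt": [ "TutorialsDojoQueue", "Arn" ] },
            "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "SNSTopic" } } }
          } ]
        }
      }
    }
  }
}
'''


def load_template(text=TEMPLATE_JSON):
    return json.loads(text)


def references(node):
    """Yield every logical id referenced via Ref or Fn::GetAtt below node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]          # ["Logical", "Attr"] or "Logical.Attr"
            yield target[0] if isinstance(target, list) else target.split(".", 1)[0]
        for child in node.values():
            yield from references(child)
    elif isinstance(node, list):
        for child in node:
            yield from references(child)


def dependencies(template):
    """Map each resource to the set of other resources it must wait for."""
    resources = template["Resources"]
    deps = {}
    for logical_id, body in resources.items():
        found = set(references(body.get("Properties", {})))
        depends_on = body.get("DependsOn", [])
        found.update([depends_on] if isinstance(depends_on, str) else depends_on)
        # a Ref to a Parameter or pseudo parameter (AWS::Region ...) is not a resource dependency
        deps[logical_id] = {r for r in found if r in resources and r != logical_id}
    return deps


def creation_order(template):
    """Topological order CloudFormation would respect (Kahn's algorithm, ties by name)."""
    remaining = {k: set(v) for k, v in dependencies(template).items()}
    order = []
    while remaining:
        ready = sorted(k for k, v in remaining.items() if not v)
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        for k in ready:
            order.append(k)
            del remaining[k]
        for v in remaining.values():
            v.difference_update(ready)
    return order


if __name__ == "__main__":
    template = load_template()
    for name, needs in dependencies(template).items():
        print(f"{name:26} -> {sorted(needs)}")
    print("creation order:", creation_order(template))
```

The aws:SourceArn condition on the queue policy is what stops any other SNS topic in any account from writing into the queue; Ref on an AWS::SNS::Topic returns the topic ARN, which is why it can be used directly there.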

You are working as a Solutions Architect for a major insurance company. They are planning to migrate a MySQL database from their on-premises data center to their AWS Cloud. This is used by a legacy batch application which has steady-state workloads in the morning but has its peak load at night for the end-of-day processing. You are instructed to set up the EC2 and EBS volumes which can handle a maximum of 450 GB of data and can also be used as the system boot volume for your EC2 instance. Which of the following is the most cost-effective storage type to use in this scenario? (Test 5)

General Purpose SSD (gp2) volumes offer cost-effective storage that is ideal for a broad range of workloads.
(Wrong Answer) Provisioned IOPS (io1) is incorrect because Amazon EBS Provisioned IOPS SSD is not the most cost-effective EBS type and is primarily used for critical business applications that require sustained IOPS performance.
(Wrong Answer) Throughput Optimized HDD (st1) is incorrect because Amazon EBS Throughput Optimized HDD is primarily used for frequently accessed, throughput-intensive workloads. Although it is a low-cost HDD volume, it cannot be used as a system boot volume.
(Wrong Answer) Cold HDD (sc1) is incorrect because although Amazon EBS Cold HDD provides a lower-cost HDD volume compared to General Purpose SSD, it cannot be used as a system boot volume.

A small telecommunications company has recently adopted a hybrid cloud architecture with AWS. They are storing static files of their on-premises web application on a 5 TB gateway-stored volume in AWS Storage Gateway, which is attached to the application server via an iSCSI interface. As part of their disaster recovery plan, they should be able to run the web application on AWS in case their on-premises network encounters any technical issues. Which of the following options is the MOST suitable solution that you should implement? (Test 4)

Generate an EBS snapshot of the static content from the AWS Storage Gateway service. Afterwards, restore it to an EBS volume that you can then attach to the EC2 instance where the application server is hosted.

S.I.G.A Hackers United, a new international hacktivist group, has announced that they will launch wide-scale cyber attacks such as SQL Injection, cross-site scripting (XSS) and DDoS attacks against multiple government websites which are hosted in AWS. You are hired as an IT consultant to reinforce the security of these government websites. Which of the following approaches provides a cost-effective and scalable mitigation from cyber attacks? (Test 3)

Implement an AWS WAF (Web Application Firewall)

An online shopping website, which provides cheap bargains and discounts on various products, has recently moved from their previous hosting provider to AWS. Their architecture uses an Application Load Balancer (ALB) in front of an Auto Scaling group of Spot and On-Demand EC2 instances. You need to set up a CloudFront web distribution which uses a custom domain name and where the origin is set to point to the ALB. Which of the following is the correct implementation of an end-to-end HTTPS connection from the origin to the CloudFront viewers? (Test 5)

Import a certificate signed by a trusted third-party certificate authority into ACM and attach it to your ALB. In CloudFront, set the Viewer Protocol Policy to HTTPS Only and use an SSL/TLS certificate from a third-party certificate authority that was imported into either ACM (in the us-east-1 region, which is where CloudFront reads its certificates from) or the IAM certificate store. For the connection to be encrypted end to end, also set the Origin Protocol Policy to HTTPS Only so the CloudFront-to-ALB leg uses TLS, and make sure the certificate on the ALB covers the origin domain name CloudFront connects to.

A top university has launched its serverless online portal using Lambda and API Gateway in AWS that enables its students to enroll, manage their class schedule, and see their grades online. After a few weeks, the portal abruptly stopped working and lost all of its data. The university hired an external cyber security consultant and based on the investigation, the outage was due to an SQL injection vulnerability on the portal's login page in which the attacker simply injected the malicious SQL code. You also need to track historical changes to the rules and metrics associated with your firewall. Which of the following is the most suitable and cost-effective solution to avoid another SQL Injection attack against their infrastructure in AWS? (Test 2)

Use AWS WAF in front of the API Gateway with a rule set that blocks SQL injection patterns, and use AWS Config to record and track the historical changes to the WAF rules and metrics.

A media company has a suite of internet-facing web applications hosted in the US West (N. California) region in AWS. The architecture is composed of several On-Demand Amazon EC2 instances behind an Application Load Balancer, which is configured to use public SSL/TLS certificates. The Application Load Balancer also enables incoming HTTPS traffic through the fully qualified domain names (FQDNs) of the applications for SSL termination. A Solutions Architect has been instructed to upgrade the corporate web applications to a multi-region architecture that uses various AWS Regions such as ap-southeast-2, ca-central-1, eu-west-3, and so forth. Which of the following approaches should the Architect implement to ensure that all HTTPS services will continue to work without interruption? (Test 2)

In each new AWS Region, request SSL/TLS certificates for each FQDN using AWS Certificate Manager. Associate the new certificates with the corresponding Application Load Balancer of the same AWS Region. [This answer focuses on AWS Certificate Manager, which sets it apart from a similar response; ACM certificates are regional, so the certificate an ALB uses must be issued or imported in that ALB's Region.]

A clothing company is using a proprietary e-commerce platform as their online shopping website. The e-commerce platform is hosted on a fleet of On-Demand EC2 instances which are launched in a public subnet. Aside from acting as web servers, these EC2 instances also fetch updates and critical security patches from the Internet. The Solutions Architect was tasked to ensure that the instances can only initiate outbound requests to specific URLs provided by the proprietary e-commerce platform while accepting all inbound requests from the online shoppers. Which of the following is the BEST solution that the Architect should implement in this scenario? (Test 3)

In your VPC, remove the default routes and then launch a new web proxy server that only allows outbound access to the URLs provided by the proprietary e-commerce platform.
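
The proxy in that answer is only as good as its allowlist matching. The code below is an added example, not the page's code and not any particular proxy product: it shows the decision a forward proxy should make, matching on the parsed scheme and host rather than on substrings of the raw URL, and shows how a substring check is bypassed by look-alike hosts, by the allowed name appearing in the query string, and by userinfo smuggling (https://allowed.example@attacker.test/). It also maps the two request shapes a proxy actually sees, GET http://host/path and CONNECT host:443, onto that check. The vendor host names are placeholders.

```python
"""Outbound allowlist decision a forward proxy would make for the card's
e-commerce fleet (an added illustration, not the page's code).  The vendor
URLs are placeholders.

The point is how to match: on the parsed scheme and host name, never on a
substring of the raw URL, because a substring test is defeated by look-alike
hosts, by the allowed name appearing in the path/query, and by userinfo
tricks such as https://allowed.example@attacker.test/.
"""
from urllib.parse import urlsplit

# Exact (scheme, host) pairs the platform vendor supplied (constructed).
ALLOWED_ORIGINS = {
    ("https", "updates.shopplatform.example"),
    ("https", "patches.shopplatform.example"),
}
# Parent domains whose subdomains are all acceptable over HTTPS (constructed).
ALLOWED_PARENT_DOMAINS = {"cdn.shopplatform.example"}


def is_allowed(url):
    """Return True only for URLs whose scheme and host are on the allowlist."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or parts.username is not None or parts.password is not None:
        return False                       # no host, or userinfo smuggling
    if (parts.scheme, host) in ALLOWED_ORIGINS:
        return True
    if parts.scheme != "https":
        return False
    # suffix match must include the leading dot, or evilcdn.shopplatform.example slips through
    return any(host == parent or host.endswith("." + parent)
               for parent in ALLOWED_PARENT_DOMAINS)


def naive_is_allowed(url):
    """The substring check that looks equivalent but is not (kept for contrast)."""
    return any(host in url for _, host in ALLOWED_ORIGINS)


def proxy_decision(method, target):
    """Map the two request shapes a forward proxy sees onto the allowlist.

    Plain HTTP arrives as 'GET http://host/path'; TLS arrives as 'CONNECT host:443',
    where only the host name is visible, so HTTPS is judged on host alone.
    """
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return is_allowed(f"https://{host}/") if port == "443" else False
    return is_allowed(target)


if __name__ == "__main__":
    for url in ["https://updates.shopplatform.example/patch.tgz",
                "https://updates.shopplatform.example.attacker.test/patch.tgz",
                "https://attacker.test/?next=updates.shopplatform.example",
                "https://updates.shopplatform.example@attacker.test/"]:
        print(f"strict={is_allowed(url)!s:5} naive={naive_is_allowed(url)!s:5} {url}")
```

Because the instances keep serving inbound traffic, the proxy must be the only outbound path (no default route from their subnet, as the answer says, and the proxy's own security group restricted to the fleet), otherwise a compromised instance simply ignores its proxy settings.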

You recently deployed a new version of a travel booking application which is composed of multiple components. All of the components of the web application are hosted on a single On-Demand EC2 instance. The company wants to implement two separate SSL certificates for the separate modules to enhance security and modularity of the application. In this scenario, how can you implement this requirement using only a single EC2 instance? (Test 3)

Launch a new On-Demand EC2 instance with multiple network interfaces and multiple EIPs. (Each elastic network interface gets its own address, so each module can present its own certificate on port 443 of its own IP.)

An AWS Certified Solutions Architect is using CloudFormation to deploy a three tier web application that consists of a web tier and application tier, which will utilize DynamoDB for storage when creating the CloudFormation template. Which of the following would allow the application instance access to the DynamoDB tables without exposing the API credentials? (Test 4)

Create an IAM Role that has the required permissions to read and write from the DynamoDB table, wrap it in an instance profile, and reference that profile in the IamInstanceProfile property of the application instance resource in the template.

A technology company asked you to develop an educational mobile app for students, with an exam feature that also allows them to submit their answers. You used React Native so the app can be deployed on both iOS and Android devices. You used Lambda and API Gateway for the backend services and DynamoDB as the database service. After a month, you released the app, which has been downloaded over 3 million times. However, there are a lot of users who complain about the slow processing of the app, especially when they are submitting their answers in the multiple-choice exams. The diagrams and images on the exam also take a lot of time to load, which is not a good user experience. Which of the following options provides the most cost-effective and scalable architecture for your app? (Test 5)

Launch an SQS queue and develop a custom service which integrates with SQS to buffer the incoming requests. Use a web distribution in CloudFront and Amazon S3 to host the diagrams, images, and other static assets of the mobile app.

You, a Solutions Architect for a BPO company, are working on a multitiered, Java-based content management system (CMS) hosted in an on-premises data centre. The CMS has a JBoss Application Server in the application tier. The database tier consists of an Oracle database which is regularly backed up to S3 using the Oracle RMAN backup utility. The application's static files and content are kept on a 512 GB Storage Gateway volume which is attached to the application server via an iSCSI interface. Which AWS-based disaster recovery strategy will give you the best RTO? (Test 2)

Provision EC2 servers for both your JBoss application and Oracle database, and then restore the database backups from an S3 bucket. Also provision an EBS volume containing static content obtained from Storage Gateway, and attach the volume to the JBoss EC2 server.

You are working as a consultant for a company designing a new hybrid architecture to manage part of their application infrastructure in the cloud and on-premises. As part of the infrastructure, they need to consistently transfer high amounts of data. They require low-latency, highly consistent traffic to AWS. The company is looking to keep costs as low as possible and is willing to accept slow traffic in the event of a primary failure. Given these requirements, how would you design a hybrid architecture? Choose the correct answer from the options below (Test 6)

Provision a Direct Connect connection to an AWS region using a Direct Connect partner. Provision a VPN connection as a backup in the event of Direct Connect connection failure.

You are working for a digital advertising startup that runs an ad-supported global photo sharing website. You are using Amazon S3 to serve photos to the website visitors, who come from all over the world. Several weeks later, you found out that other sites have been linking to the photos on your site, which is causing financial loss to the startup. Some users also reported that the photos are taking too much time to load. In this scenario, what is an effective method to mitigate this security flaw and to improve the performance of the photo sharing website? (Test 4)

Remove public read access from the S3 bucket. Use CloudFront as the global content delivery network (CDN) service for the photos and use Signed URLs with expiry dates.

You are working for a hospital chain in London which uses an online central hub for doctors and nurses. The application handles millions of requests per day to fetch various medical data of their patients. The system is composed of a web tier, an application tier and a database tier that receives large and unpredictable traffic demands. Your responsibility as a Solutions Architect is to ensure that its architecture is scalable enough to handle web traffic fluctuations automatically. Which of the following AWS architectures should you use to meet the above requirements? (Test 3)

Run your web and application tiers in stateless instances in an Auto Scaling group, using ElastiCache Memcached for tier synchronization and CloudWatch for monitoring. Run your database tier using RDS with read replicas.

DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you should include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or a bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below (Test 6)

The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic Load Balancers.

A multinational bank has recently set up AWS Organizations to manage their multiple AWS accounts from their various business units. The Senior Solutions Architect attached the SCP below to an Organizational Unit (OU) to define the services that its member accounts can use: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["EC2:*","S3:*"],"Resource":"*"}]} In one of the member accounts under that OU, an IAM user tried to create a new S3 bucket but was unsuccessful. Which of the following is the root cause of this issue? (Test 5)

The IAM user in the member account does not have IAM policies which explicitly grant EC2 or S3 service actions.

While implementing cost-cutting measures in your organization, you have been told that you need to migrate some of your existing resources to another region. The first task you have been given is to copy all of your Amazon Machine Images from Asia Pacific (Sydney) to US West (Oregon). One of the things that you are unsure of is how the PEM keys on your Amazon Machine Images need to be migrated. Which of the following best describes how your PEM keys are affected when AMIs are migrated between regions? Choose the correct answer from the options below (Test 7)

The PEM keys will not be copied to the new region, but the authorization keys will still be in the operating system of the AMI. You need to ensure that when the new AMI is launched, it is launched with the same PEM key name. (explanation) The authorization key is included in the AMI and is hence copied across regions; however, the PEM keys are not copied and hence need to be imported explicitly.

The biggest fast-food chain in Asia is planning to implement a location-based alert on their existing mobile app. If the user is in proximity of one of their restaurants, an alert will be shown on the mobile phone. The notification needs to happen in less than a minute while the user is still in the vicinity. Currently, the mobile app has 10 million users in the Philippines, China, Korea and other Asian countries. Which one of the following AWS architectures is the most suitable option for this scenario? (Test 5)

The mobile app will send device location to an SQS endpoint. Set up an API that utilizes an Application Load Balancer and an Auto Scaling group of EC2 instances, which will retrieve the relevant offers from DynamoDB. Use AWS Mobile Push to send offers to the mobile app.

A large real-estate brokerage is exploring the option of adding a cost-effective location-based alert to their existing mobile application. The application backend infrastructure currently runs on AWS. Users who opt into this service will receive alerts on their mobile device regarding real-estate offers in proximity to their location. For the alerts to be relevant, delivery time needs to be in the low minute count. The existing mobile app has 5 million users across the US. Which one of the following architectural suggestions would you make to the customer? (Test 7)

The mobile application will send device location using SQS. EC2 instances will retrieve the relevant offers from DynamoDB. AWS Mobile Push will be used to send offers to the mobile application.

You are a Solutions Architect for a software development company and you have been instructed to manage your AWS cloud infrastructure as code to automate the build and deploy process. The company would like to have the ability to easily deploy exact copies of different versions of your cloud infrastructure, stage changes into different environments, revert back to previous versions, and identify the specific versions running in the VPC. Plus, all new public-facing applications should also have a global content delivery network (CDN) service. Which of the following can meet this requirement? (Test 3)

Use AWS CloudFormation to manage the cloud architecture and CloudFront as the CDN.

Your company is using Microsoft Active Directory to manage all employee accounts and devices. The IT department instructed you to implement a single sign-on feature to allow the employees to use their existing Windows account password to connect to and use the various AWS resources. Which of the following is the most suitable way to extend your Active Directory domain to AWS? (Test 3)

Use AWS Directory Service to integrate your AWS resources with the existing Active Directory using a trust relationship. Enable single sign-on using Managed Microsoft AD.

The users of a popular photo-sharing website are complaining about the frequent downtime of the site, as well as the hefty price for using their service. The company is using a MySQL RDS instance to record user details and other data analytics. A standard S3 storage class bucket is used to store the photos and user metadata, which are frequently accessed only in the first month. The website is also capable of immediately retrieving the images no matter how long they were stored. The RDS instance is always affected and sometimes goes down when there is a problem in the Availability Zone. You were hired by the company to analyze the current architecture and to solve the user complaints about the website. In addition, you should also implement a system that automatically discovers, classifies, and protects personally identifiable information (PII) data in the S3 bucket. Which of the following offers the BEST solution for this scenario? (Test 2)

Use Amazon Macie to automatically discover, classify, and protect personally identifiable information (PII) data in the Amazon S3 bucket. Use a lifecycle policy in S3 to move the old photos to Infrequent Access storage class after a month. Re-configure the existing database to use RDS Multi-AZ Deployments.

A privately funded aerospace manufacturer and sub-orbital spaceflight services company hosts its rapidly evolving applications in AWS. For their deployment process, they are using CloudFormation templates which are regularly updated to map the latest AMI IDs. It takes a lot of time to execute this on a regular basis, which is why you were instructed to automate this process. In this scenario, which of the following options is the most suitable solution that can satisfy the requirement? (Test 5)

Use CloudFormation with Systems Manager Parameter Store to retrieve the latest AMI IDs for your template. Whenever you decide to update the EC2 instances, call the update-stack API in CloudFormation in your CloudFormation template.

Your department creates regular analytics reports from your company's log files. All log data is collected in Amazon S3 and processed by daily Amazon Elastic MapReduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse. Your CFO requests you to optimize the cost structure for this system. Which of the following alternatives will lower costs without compromising the average performance of the system or data integrity for the raw data? (Test 7)

Use Reduced Redundancy Storage (RRS) for PDF and CSV files in S3. Use a combination of Spot instances and Reserved Instances for Amazon EMR jobs. Use Reserved instances for Amazon Redshift.

A leading mobile game company is planning to host their GraphQL API in AWS which will be heavily used for their massively multiplayer online role-playing games (MMORPGs) for 3 years or more. You are assigned to prepare the architecture of the entire system and to ensure consistent connection and faster loading times for their players across the globe. Which of the following is the most cost-effective solution that you can implement in this scenario? (Test 3)

Use Reserved EC2 Instances to host the GraphQL API and CloudFront for web distribution of the static assets.

A newspaper organization has an on-premises application which allows the public to search its back catalog and retrieve individual newspaper pages via a website written in Java. They have scanned the old newspapers into JPEGs with a total size of 17 TB and used Optical Character Recognition (OCR) to populate a commercial search product. The hosting platform and software are now end of life, and the organization wants to migrate its archive to AWS and produce a cost-efficient architecture that is still designed for availability and durability. Which of the below options is the most appropriate? (Test 7)

Use S3 with reduced redundancy to store and serve the scanned files. Use CloudSearch for query processing, and use Elastic Beanstalk to host the website across multiple availability zones.

A company has two batch processing applications that consume financial data about the day's stock transactions. Each transaction needs to be stored durably, with a guarantee that a record is delivered to each application so that the audit and billing batch processing applications can process the data. However, the two applications run separately and several hours apart and need access to the same transaction information. After reviewing the transaction information for the day, the information no longer needs to be stored. What is the best way to architect this application? Choose the correct answer from the options below (Test 6)

Use SQS for storing the transaction messages. When the billing batch process consumes each message, have the application create an identical message and place it in a different SQS queue for the audit application to use several hours later.

The leading media company in the country is building a voting system for their popular singing competition show on national TV. The viewers who watch the performances can visit their dynamic website to vote for their favorite singer. After the show has finished, it is expected that the site will receive millions of visitors who would like to cast their votes. Web visitors should log in using their social media accounts and then submit their votes. The webpage will display the winner after the show, as well as the vote total for each singer. You are hired to build the voting site and to ensure that it can handle the rapid influx of incoming traffic in the most cost-effective way possible. Which of the following architectures should you use to meet the requirement? (Test 5)

Use a CloudFront web distribution and an Application Load Balancer in front of an Auto Scaling group of EC2 instances. Use Amazon Cognito for user authentication. The web servers will process the user's vote and pass the result to an SQS queue. Set up an IAM Role to grant the EC2 instances permissions to write to the SQS queue. A group of EC2 instances will then retrieve and process the items from the queue. Finally, store the results in a DynamoDB table.

A legacy application is hosted on an EC2 instance and has its license tied to the MAC address. From your experience with AWS, you know that every time an instance is restarted, it will almost certainly lose its MAC address. What will be a possible solution to this? Choose an answer from the options below (Test 6)

Use a VPC with an elastic network interface that has a fixed MAC Address

To serve web traffic for a popular product, your chief financial officer and IT director have purchased 10 large heavy utilization Reserved Instances (RIs) evenly spread across two Availability Zones. Route 53 is used to deliver the traffic to an Elastic Load Balancer (ELB). After several months, the product grows even more popular and you need additional capacity. As a result, your company purchases two c4.2xlarge medium utilization RIs. You register the two c4.2xlarge instances with your ELB and quickly find that the large instances are at 100% of capacity while the c4.2xlarge instances have significant unused capacity. Which option is the most cost-effective and uses EC2 capacity most effectively? (Test 7)

Use a separate ELB for each instance type and distribute load to the ELBs with Route 53 weighted round robin.

A company has a suite of IBM products in their on-premises data center, such as IBM WebSphere, IBM MQ, and IBM DB2 servers. You are instructed to migrate all of their systems to AWS in the most cost-effective way and improve the availability of your cloud infrastructure. Which of the following is the MOST suitable solution that you have to implement to meet the requirement? (Test 5)

Use the AWS Database Migration Service (DMS) and the AWS Schema Conversion Tool (SCT) to convert, migrate, and re-architect the IBM Db2 database to Amazon Aurora. Set up an Auto Scaling group of EC2 instances with an ELB in front to migrate and re-host your IBM WebSphere. Migrate and re-platform IBM MQ to Amazon MQ in a phased approach.

You are working as a Solutions Architect for a telecommunications company. As per instruction, you are to design a data leak prevention solution for your VPC environment. You want your EC2 instances that are launched in a public subnet to be able to access product updates and patches from the Internet. The packages are accessible from the third party via their URLs. You want to explicitly deny any other outbound connections from your VPC instances to hosts on the Internet. Which of the following options would you consider? (Test 2)

You can use a forward web proxy server in your VPC and manage outbound access using URL-based rules. Default routes are also removed.

You are setting up a website for a small company. This website serves images and is very resource intensive. You have decided to serve the images using CloudFront. There is a requirement, though, that the content should be served using a custom domain and should work with HTTPS. What can you do to ensure this requirement is fulfilled? (Test 6)

You must provision and configure your own SSL certificate in IAM and associate it to your CloudFront distribution.

You are working as a Solutions Architect for a computer hardware manufacturer which has a supply chain application written in NodeJS. The application is deployed on a Reserved EC2 instance which has been allocated an IAM Role that provides access to data files stored in an S3 bucket. In this architecture, which of the following IAM policies control access to your data files in S3? (Choose 2) (Test 5)

a. An IAM access policy that allows the EC2 role to access S3 objects. b. An IAM trust policy that allows the EC2 instance to assume an EC2 instance role.

You are a Software Engineer for a leading call center company in Seattle. Their corporate web portal is deployed to AWS and is linked to their corporate data center via a link aggregation group (LAG) which terminates at the same AWS Direct Connect endpoint and is connected on a private virtual interface (VIF) in your VPC. The portal must authenticate against their on-premises LDAP server. Each Amazon S3 bucket can only be accessed by a logged-in user if it belongs to that user. How will you implement this architecture in AWS? (Choose 2) (Test 3)

a. Authenticate against LDAP using an identity broker you created, and have it call IAM Security Token Service (STS) to retrieve IAM federated user credentials. The application then gets the IAM federated user credentials from the identity broker to access the appropriate S3 bucket. b. The application first authenticates against LDAP to retrieve the name of an IAM role associated with the user. It then assumes that role via a call to IAM Security Token Service (STS). Afterwards, the application can use the temporary credentials from the role to access the appropriate S3 bucket.

You are working at the IT department of a top law firm in the country. It was decided that Amazon S3 will be used for storage after an extensive Total Cost of Ownership (TCO) analysis comparing S3 versus acquiring more on-premises storage hardware. The attorneys, paralegals, clerks and other employees of the law firm will be using Amazon S3 to store their legal documents and other media files. For a better user experience, you are planning to implement a single sign-on system in which the user can just use his or her existing Active Directory login to access the S3 storage, to avoid having to remember yet another password. Which of the following should you do to implement this feature and to also provide a mechanism that restricts access for each user to a designated user folder in a bucket? (Choose 2) (Test 5)

a. Configure an IAM Policy that restricts access only to the user-specific folders in the Amazon S3 Bucket. b. Set up a federation proxy or a custom identity provider and use AWS Security Token Service to generate temporary tokens. Use an IAM Role to enable access to AWS services.

Many software developers and DevOps engineers in your company are frustrated because they have to memorize two passwords: one for their AWS account and another one for their corporate account. The solution is to implement a Single Sign-On feature where the employees will only have to sign in once on your corporate Windows Active Directory and then they can log into the AWS console easily. In this scenario, which of the following options will you choose to set up the single sign-on (SSO) feature? (Choose 4) (Test 5)

a. Configure your identity store (Windows Active Directory) to work with a SAML-based identity provider (IdP) such as Windows Active Directory Federation Services. b. Create an IAM role that identifies your identity provider as a principal (trusted entity) for purposes of federation. c. Use AWS Security Token Service to generate temporary tokens. d. Set up an AWS SSO endpoint.

An automotive company that sells electric vehicles around the world will be releasing its latest car model, which has a semi-autonomous driving technology also known as "autopilot" capability. Due to the popularity of their new product, they are planning to use CloudFront for static asset caching to speed up the delivery of the new model's images and other static content to viewers across the globe. The static content should be delivered over HTTPS using their own domain name, which provides visitors of their website the required security over an SSL connection plus lower latency and higher reliability. How can you implement this setup in AWS using CloudFront? (Choose 2) (Test 5)

a. Create a CloudFront distribution with a custom SSL certificate that is stored in AWS Certificate Manager (ACM). b. Create a CloudFront distribution with a custom SSL certificate that is stored in IAM.

A blockchain application was deployed in AWS a year ago using OpsWorks. There have been a lot of security patches lately for the underlying Linux servers of the blockchain application, which means that the OpsWorks stack instances should be updated. In this scenario, which of the following are the best practices when updating an AWS stack? (Select TWO) (Test 5)

a. Create and start new instances to replace your current online instances. Then delete the current instances. The new instances will have the latest set of security patches installed during setup. b. Run the Update Dependencies stack command for Linux-based instances.

A major telecommunications company has contracted you to design and build an online shopping portal in which they can sell their new smart home devices. It is expected that there will be a lot of buyers on the online shopping portal due to the popularity of smart home devices, so the manager wants to ensure that the architecture that you will design can also mitigate distributed denial-of-service (DDoS) attacks. Which of the following options are mitigation techniques in AWS? (Choose 3) (Test 5)

a. Distribute static content using Amazon CloudFront. b. Configure an alert in Amazon CloudWatch to look for high NetworkIn and CPUUtilization metrics. c. Launch multiple EC2 instances with Auto Scaling to multiple Availability Zones. Place these behind an Elastic Load Balancer to distribute incoming traffic to your application across these EC2 instances.

A leading commercial bank has recently hired you as a replacement for their outgoing Solutions Architect. The bank has a hybrid network architecture and is extensively using AWS for their day-to-day operations. The outgoing Solutions Architect told you that the S3 bucket that they are using to store sensitive bank records has versioning enabled and does not have any encryption. He handed over the task of implementing Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C) for the S3 bucket to ensure data security both at rest and in transit. Which of the following will you do to properly complete this task? (Choose 2) (Test 3)

a. For presigned URLs, specify the algorithm using the x-amz-server-side-encryption-customer-algorithm request header. b. For Amazon S3 REST API calls, use the following HTTP request headers: x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key, x-amz-server-side-encryption-customer-key-MD5.

You are the developer of a live flight tracker that gets updated every 10 minutes with the latest flight information on every airplane. The tracking website has a global audience and uses an Auto Scaling group behind an Elastic Load Balancer and an Amazon RDS database. A simple web interface is hosted as static content in your Amazon S3 bucket. The Auto Scaling group is set to trigger a scale-up event at 90% CPU utilization. The average load time of your web pages is around 7 seconds, but you want to bring it down to less than 3 seconds. In this scenario, which combination of options will make the page load time faster in the MOST cost-effective way? (Choose 2) (Test 3)

a. Have CloudFront enable caching of reusable content from your website. b. Add a caching layer using Amazon ElastiCache to be used for storing sessions and frequent DB queries.

The Java-based aerospace data analytics application of a major airline has been re-engineered to use the latest technologies such as NodeJS, GraphQL, WebSockets, and ReactJS. Before deploying the new version to the production environment, your manager asked if Blue/Green deployment is indeed the most suitable strategy to use. Which of the following are the common case patterns where applying this methodology is not recommended? (Choose 2) (Test 3)

a. In case your application needs to be "deployment aware", in which you have to use feature flags to control the behavior of the application during the blue/green deployment. b. If you are using a commercial off-the-shelf (COTS) application which comes with a predefined update/upgrade process that isn't blue/green deployment friendly.

A call center company has recently adopted a hybrid architecture in which they needed more predictable network performance and reduced bandwidth costs to connect their data center and their AWS Cloud. They decided to have two AWS Direct Connect connections to have a highly available and much more stable network performance. After a recent IT financial audit, it was decided to review the current implementation and replace it with a more cost-effective option. Which of the following connectivity setups is the most suitable solution for this scenario? (Test 4)

A combination of AWS Direct Connect and an AWS managed VPN connection

You are running a startup company in which you are building a mobile app and a custom GraphQL API that lets people post photos and videos of road potholes, faulty street lights, bridge damage and other issues in the public infrastructure with 100-character summaries. The data gathered by the system will be used by the department of public works, which will allow fast resolution. You decided to develop the app using the JavaScript-based React Native mobile framework so that it would run on various mobile and tablet devices. The app will also be connecting to a custom GraphQL API that you have built, which will be responsible for storing the photos and videos in an S3 bucket and will also need access to the DynamoDB database to store the summaries. You have recently deployed the mobile app prototype, but you found out that there is an availability issue with the custom GraphQL API. To proceed with the project, your team decided to remove the API and instead remodel the mobile app so that it will directly connect to both DynamoDB and S3 as well as handle user authentication. Which option provides the most cost-effective and scalable architecture for this project? (Test 3)

1. Set up a web identity federation using the AssumeRoleWithWebIdentity API of STS and register with social identity providers like Amazon, Google, Facebook or any other OpenID Connect (OIDC)-compatible IdP. 2. Create an IAM role for that provider and set up permissions for the IAM role to allow access to S3 and DynamoDB. 3. The mobile app will use the AWS temporary security credentials to store the photos and videos to an S3 bucket and persist the summaries to the DynamoDB database.

A leading aerospace engineering company has over 1 TB of aeronautical data stored on the corporate file server of their on-premises network. This data is used by a lot of their in-house analytical and engineering applications. The aeronautical data consists of technical files which can have a file size of a few megabytes to multiple gigabytes. The data scientists typically modify an average of 10 percent of these files every day. Recently, the management decided to adopt a hybrid cloud architecture to better serve their clients around the globe. You are tasked to migrate their applications to AWS over the weekend to minimize any business impact and system downtime. The on-premises data center has a 50-Mbps Internet connection which can be used to transfer all of the 1 TB of data to AWS, but based on your calculations, it will take at least 48 hours to complete this task. Which of the following options will allow you to move all of the aeronautical data to AWS to meet the above requirement? (Test 5)

1. Synchronize the on-premises data to an S3 bucket one week before the migration schedule using the AWS CLI's S3 sync command. 2. Perform a final synchronization task on Friday after the end of business hours. 3. Set up your application hosted in a large EC2 instance in your VPC to use the S3 bucket.

For performance-testing activities, a Big Data Analytics application is using an Elastic MapReduce cluster which will only be run once. The cluster is designed to ingest 20 TB of data with a total of 30 EC2 instances and is expected to run for about 48 hours. What is the most cost-effective architecture to use for this scenario? (Test 3)

For both the master and core nodes, use On-Demand EC2 instances. For the task nodes, use Spot EC2 instances.

You have multiple AWS accounts with multiple IAM Users which launch different types of EC2 instances and EBS volumes every day. As a result, your account quickly hit the service limit and you can no longer create any new instances. As you are cleaning up the environment, you notice that the majority of the instances and volumes are untagged. Therefore, it is difficult to pinpoint the owner of these resources and verify if they are safe to terminate. Because of this, your company has issued a new protocol which requires adding a predefined set of tags before anyone can launch their EC2 instances. Which of the following options is the simplest way to implement this new requirement? (Test 4)

Configure AWS Organizations to group different accounts into separate Organizational Units (OU) depending on the business function. Create a Service Control Policy that restricts launching any AWS resources without a tag by including the Condition element in the policy which uses the ForAllValues qualifier and the aws:TagKeys condition. This policy will require its principals to tag resources during creation. Apply the SCP to the OU which will automatically cascade the policy to individual member accounts.

If one needs to establish a low-latency dedicated connection to a public S3 endpoint over Direct Connect, what steps need to be taken to configure a direct connection to the public S3 endpoint? Choose the correct answer from the options below (Test 7)

Configure a public virtual interface to connect to a public S3 endpoint resource.

An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances. The customer's security policy requires that every outbound connection from these instances to any other service within the customer's Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific instance ID. In addition, the X.509 certificates must be signed by the customer's key management service in order to be trusted for authentication. Which of the following configurations will support these requirements? (Test 7)

Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the key management service generate a signed certificate and send it directly to the newly launched instance. (explanation) CORRECT because (a) once the instance is launched in the Auto Scaling group, it notifies the key management service to generate a signed certificate, (b) the key management service is trusted, and (c) once the certificate is generated, it is sent directly to the newly created instance; hence, the workflow is logical.

A company is managing a customer's application which currently uses a three-tier configuration. The first tier manages the web instances and is configured in a public subnet. The second layer is the application layer. As part of the application code, the application instances upload large amounts of data to Amazon S3. Currently, the private subnets that the application instances are running in have a route to a single t2.micro NAT instance. During peak loads the application becomes slow, and customer uploads from the application to S3 are either not completing or taking a long time. Which steps might you take to solve the issue using the most cost-efficient method? Choose the correct answer from the options below (Test 6)

Create a VPC S3 endpoint

You're migrating an existing application to the AWS cloud. The application will be primarily using EC2 instances. This application needs to be built with the highest availability architecture available. The application currently relies on hardcoded hostnames for intercommunication between the three tiers. You've migrated the application and configured the multi-tiers using the internal Elastic Load Balancer for serving the traffic. The load balancer hostname is demo-app.us-east-1.elb.amazonaws.com. The current hard-coded hostname in your application used to communicate between your multi-tier application is demolayer.example.com. What is the best method for architecting this setup to have as much high availability as possible? Choose the correct answer from the options below (Test 6)

Create a private resource record set using Route 53 with a hostname of demolayer.example.com and an alias record to demo-app.us-east-1.elb.amazonaws.com

Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high-resolution MP4 format. Your workforce is distributed globally, often on the move, and uses company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise and, if it is required, you may need to pay for a consultant. How would you implement the most cost-efficient architecture without compromising high availability and quality of video delivery? (Test 7)

Use Elastic Transcoder to transcode the original high-resolution MP4 videos to HLS. Use S3 to host the videos, with Lifecycle Management to archive the original files to Glacier after a few days. Use CloudFront to serve the HLS-transcoded videos from S3.

You are a Solutions Architect for a Software Development company based in New Jersey. Your manager instructed you to design the network architecture of their new enterprise resource planning (ERP) system in AWS. The new system should allow access to business managers and analysts over the Internet, whether they are in their hotel rooms, cafes or elsewhere. However, the ERP system should not be publicly accessible by anyone over the Internet but only to authorized personnel. Which network design meets the above requirements while minimizing deployment and operational costs? (Test 4)

Establish an SSL VPN solution in a public subnet of your VPC. Install and configure SSL VPN client software on all the workstations/laptops of the users who need access to the ERP system. Create a private subnet in your VPC and place your application servers in it.

You are migrating a legacy client-server application to AWS. The application responds to a specific DNS domain (e.g. http://www.example.com) and has a 2-tier architecture, with multiple application servers and a database server. Remote clients use TCP to connect to the application servers. The application servers need to know the IP address of the clients in order to function properly and are currently taking that information from the TCP socket. A decision is made to use a Multi-AZ RDS MySQL instance for the database. During the migration you can change the application code, but you have to file a change request. How would you implement the architecture on AWS in order to maximize scalability and high availability? (Test 7)

File a change request to implement Proxy Protocol Support. In the application use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two application servers in different AZs.

You are working as a Solutions Architect for a multinational software provider in Philadelphia and you are tasked to host both your development and test environments in AWS. Your CTO decided to use separate AWS accounts for hosting each environment. You enabled Consolidated Billing to link each account's bill to a master AWS account. To make sure you keep within the budget, you are to provide a way for administrators in the master account to have access to stop, delete and/or terminate resources in both the development and test environment accounts. Which of the following is the best option to implement for this scenario? (Test 2)

First, create IAM users in the master account. Then in the Dev and Test accounts, generate cross-account roles that have full admin permissions while granting access for the master account.

A Solutions Architect is managing a multi-tier web application which uses Compute Optimized instances for server-side processing and Storage Optimized EC2 instances to store various media files. To ensure data durability, there is a scheduled job that replicates their files to each EC2 instance. The current architecture worked for a few months but started to fail as the number of files grew, which is why management decided to redesign the system. Which of the following options should the Architect implement in order to launch a new architecture with improved data durability and cost-efficiency? (Test 5)

Migrate all media files to an Amazon S3 bucket and use this as the origin for the new CloudFront web distribution. Set up an Elastic Load Balancer with an Auto Scaling group of EC2 instances to host the web servers. Use a combination of Cost Explorer and AWS Trusted Advisor checks to monitor the operating costs and identify potential savings.

Your customer wants to consolidate their log streams (access logs, application logs, security logs, etc.) into one single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics. From time to time, the customer needs to validate the heuristics, which requires going back to data samples extracted from the last 12 hours. What is the best approach to meet your customer's requirements? (Test 7)

Send all the log events to Amazon Kinesis. Develop a client process to apply heuristics on the logs

A software development company has a hybrid cloud architecture in which its on-premises data center is connected to AWS Cloud. The company already has an IPsec VPN connection from their on-premises network to their VPC, but they noticed that the connection is unstable and usually can't support data transfer rates above 4 Gbps. They are looking to have a dedicated network connection to supplement their current network architecture. Which of the following would fulfill the company's requirement? (Test 2)

Set up a Direct Connect connection between the on-premises data center and their VPC.

You are working as a Solutions Architect for a major telecommunications company. They are planning to set up a disaster recovery solution for their Amazon Redshift cluster, which is being used by their online data analytics application. Database encryption is enabled on their clusters using AWS KMS, and it is required that the recovery site be at least 500 miles from their primary cloud location. Which of the following is the most suitable solution to meet these requirements and to make their architecture highly available? (Test 4)

Set up a snapshot copy grant for a master key in the destination region and enable cross-region snapshots in your Redshift cluster to copy snapshots of the cluster to another region.

You are working for a multinational investment bank which has multiple cloud architectures across the globe. They have a VPC in the US East region for their East Coast office and another VPC in US West for their West Coast office. There is a requirement to establish a low-latency, high-bandwidth connection between their on-premises data center in Texas and both of their VPCs in AWS. As the Solutions Architect, how will you implement this in a cost-effective manner? (Test 5)

Set up an AWS Direct Connect Gateway with two virtual private gateways. Launch and connect the required Private Virtual Interfaces to the Direct Connect Gateway.

A leading telecommunications company has many on-premises data centers scattered across the United States and they want to implement a hybrid network architecture to integrate their VPCs located in AWS US East (N. Virginia) and US West (Oregon). In this scenario, how can you allow VPC resources like EC2 instances, RDS databases, and Lambda functions running in different AWS regions to communicate with each other using private IP addresses?

Set up an Inter-Region VPC Peering.

Your firm has uploaded a large amount of aerial image data to S3. In the past, in your on-premises environment, you used a dedicated group of servers to process this data and used RabbitMQ, an open source messaging system, to get job information to the servers. Once processed, the data would go to tape and be shipped offsite. Your manager told you to stay with the current design and leverage AWS archival storage and messaging services to minimize cost. Which of the following options is correct? (Test 7)

Set up auto-scaled workers, triggered by queue depth, that use Spot instances to process messages in SQS. Once the data is processed, change the storage class of the S3 objects to Glacier.

A high-performance computing (HPC) application has been launched in the company's Amazon VPC. The application is composed of hundreds of private EC2 instances running in a cluster placement group, which allows the instances to communicate with each other at network speeds of up to 10 Gbps. There is also a custom cluster controller EC2 instance that closely controls and monitors the system performance of each instance. The cluster controller has the same instance type and AMI as the other instances. It is configured with a public IP address and runs outside the placement group. The Solutions Architect has been tasked to improve the network performance between the controller instance and the EC2 instances in the placement group. Which option provides the MOST suitable solution that the Architect must implement to satisfy the requirement while maintaining low-latency network performance? (Test 5)

Stop the custom cluster controller instance and move it to the existing placement group.

The website of a new travel and tours agency, which is deployed in AWS, only supports HTTP. To improve their SEO ranking and to provide more security for their customers, they decided to enable SSL on their website. They would also like to ensure a separation of roles between the Development team and the Security team in handling the sensitive SSL certificate. The Development team can log in to the EC2 instances but should not have access to the SSL certificate, over which only the Security team has exclusive control. Currently, they are using an Application Load Balancer which distributes incoming traffic to an Auto Scaling group of On-Demand EC2 instances. In this scenario, which configuration option should you implement to satisfy the requirement? (Test 5)

Store the SSL certificate in IAM and authorize access only to the Security team using an IAM policy. Configure the Application Load Balancer to use the SSL certificate instead of the EC2 instances.

A multinational medical research company is migrating their on-premises online repository application to AWS. The application hosts high-resolution endoscopic, cryo-electron microscopy and other anatomical images which are scanned and uploaded by the medical team. The online repository provides various ways to view these images, including the ability to zoom in and zoom out on their front-end web application written in ReactJS. The developers implemented the system by splitting each high-resolution image into small individual tiles at multiple zoom levels, which are used for various viewing options such as thumbnail, full image, and pinch-to-zoom view. The document can be zoomed to a maximum of 8000 x 6000 pixels in dimension, which is split into multiple 20px by 20px image tiles. A group of On-Demand EC2 instances processes these tiles in batches, which are then stored in an S3 bucket. The front-end application fetches the tiles from the S3 bucket and displays them to viewers as they zoom in and pan around each image. 50 MB is the average size of the tiles for all zoom levels. The original high-resolution images are archived in Amazon Glacier to save costs. The medical research company expects to process and host over a million scanned documents every year. Which of the following should you implement to make the current architecture more cost-effective and scalable? (Choose 3) (Test 5)

a. Launch a CloudFront web distribution and use the S3 bucket which hosts the tiles as the origin. b. At the maximum zoom level, increase the width and height of the individual tiles from 20px by 20px to a much larger 40px by 40px dimension. c. Use S3 One-Availability Zone Storage class to store the tiles for each zoom level.

A leading blockchain company is getting ready to make a major announcement of their latest product next month on their public website, which is hosted in AWS. It is running on an Auto Scaling group of Spot EC2 instances deployed across multiple Availability Zones with a MySQL database instance. The website performs a high number of read operations to load the articles for their clients around the globe and a relatively low number of write operations to store the comments and inquiries of customers about their products. Before the major announcement, you did performance testing and found out that the database could not handle a surge of incoming requests. In this scenario, which of the following are the cost-effective and suitable options to solve the database performance issue? (Choose 2) (Test 5)

a. Launch a Read Replica in each Availability Zone. b. Use Provisioned IOPS storage to improve the read performance of your database.

You are working for a large software company which has an on-premises LDAP server and a web application hosted in their VPC. As the Solutions Architect, you are the one who established an IPsec VPN connection between the VPC and the on-premises location. In this scenario, which of the following options can allow the employees to access the web application and other AWS resources using their corporate account? (Choose 2) (Test 3)

a. Launch an identity broker that authenticates against the LDAP server and then calls STS to get IAM federated user credentials. Configure the web application to call the identity broker that you created to get IAM federated user credentials with access to the appropriate AWS service. b. Configure the web application to authenticate against the on-premises LDAP server and retrieve the name of an IAM role associated with the user. The application then calls STS to assume that IAM role. The application can use the temporary credentials to access any AWS resource.

Amazon Virtual Private Cloud provides features such as Security groups, Network access control lists (ACLs) and Flow logs that you can use to monitor and secure your virtual private cloud (VPC). There is a newly launched VPC in your AWS account and your technical manager instructed you to fortify the security of your cloud infrastructure, in which you have to use both Security groups and Network access control lists (ACLs). Which options are correct regarding the differences between these two security features? (Choose 3) (Test 5)

a. Security groups operate at the EC2 instance level while Network ACLs operate at the subnet level. b. Security groups are stateful because return traffic is automatically allowed regardless of any rules while Network ACLs are stateless as return traffic must be explicitly allowed by rules. c. Security Groups support allow rules only while Network ACLs support both allow rules and deny rules.

A technology company has a large enterprise resource planning (ERP) system with 70 TB of data hosted in their data center, which they want to migrate to AWS. The migration activities should not exceed 7 days to avoid any downtime as the on-premises data storage being used by the ERP system is almost full. Since the data to be migrated is 79 TB, the company is choosing between Snowball and Snowball Edge as their preferred service to transfer their data. The service should also provide a durable local storage to ensure data durability. Which of the following are the use cases where Snowball Edge is more suitable than the standard Snowball service? (Choose 4) (Test 5)

a. Use with AWS Greengrass (IoT). b. Local compute instances. c. Transfer files through NFS with a GUI. d. Local compute with AWS Lambda.

An enterprise application has a Lambda function connected to your VPC, which has a CIDR block of 172.31.0.0/28. The function processes large amounts of financial transactions every hour and then stores the results in a PostgreSQL database hosted on a Reserved EC2 instance. You noticed that there is an increase in invocation errors with EC2 error types such as EC2ThrottledException at certain times of the day. Which of the following are the possible causes of this issue? (Select TWO) (Test 4)

a. Your VPC does not have sufficient subnet IPs. b. Your VPC does not have sufficient subnet ENIs.
