AWS SA-001 Questions
A Solutions Architect is considering possible options for improving the security of the data on an Amazon EBS volume attached to an Amazon EC2 instance. Which solution will improve the security of the data? A. Use AWS KMS to encrypt the EBS volume B. Create an IAM policy that restricts read and write access to the volume C. Migrate the sensitive data to an instance store volume D. Use Amazon single sign-on to control login access to the EC2 instance
A
A Solutions Architect is designing a critical business application with a relational database that runs on an EC2 instance. It requires a single EBS volume that can support up to 16,000 IOPS. Which Amazon EBS volume type can meet the performance requirements of this application? A. EBS Provisioned IOPS SSD B. EBS Throughput Optimized HDD C. EBS General Purpose SSD D. EBS Cold HDD
A
A Solutions Architect needs to use AWS to implement pilot light disaster recovery for a three-tier web application hosted in an on-premises datacenter. Which solution allows rapid provisioning of a working, fully-scaled production environment? A. Continuously replicate the production database server to Amazon RDS. Use AWS CloudFormation to deploy the application and any additional servers if necessary. B. Continuously replicate the production database server to Amazon RDS. Create one application load balancer and register on-premises servers. Configure ELB Application Load Balancer to automatically deploy Amazon EC2 instances for application and additional servers if the on-premises application is down. C. Use a scheduled Lambda function to replicate the production database to AWS. Use Amazon Route 53 health checks to deploy the application automatically to Amazon S3 if production is unhealthy. D. Use a scheduled Lambda function to replicate the production database to AWS. Register on-premises servers to an Auto Scaling group and deploy the application and additional servers if production is unavailable.
A
A business team requires a structured storage solution to store all of a company's historical sales data. Currently there are 4 TB of data, which will grow to hundreds of terabytes within a few years. The team must be able to regularly run queries against the data using current business intelligence tools. Fast performance is required despite the dataset growth. Which solution should the company use? A. Amazon Redshift B. Amazon Aurora C. Amazon DynamoDB D. Amazon S3
A
A client is building a payment processing service that sends orders to a fulfilment service. Both these services have varying levels of throughput. What can the client use to decouple requests between these components to better handle burst traffic during peak holiday season? A. Use Amazon SQS to send messages between the two services B. Set up the services in separate AWS regions C. Use Amazon Redshift for sending orders to the fulfilment service D. Set up an internal Elastic Load Balancer for synchronous calls between the two services.
A
A company plans to use Amazon GuardDuty to detect unexpected and potentially malicious activity. The company wants to use Amazon CloudWatch to ensure that when findings occur, remediation takes place automatically. Which CloudWatch feature should be used to trigger an AWS Lambda function to perform the remediation? A. Events B. Dashboards C. Metrics D. Alarms
A
A company processes mobile chat messages. Throughput can increase dramatically, and the Amazon EC2 infrastructure cannot handle the fluctuating demand. Messages are received in an Amazon Kinesis Data Stream, and the processor instances are deployed in an Auto Scaling group. A CloudWatch alarm, which uses Amazon SNS to trigger a Lambda function, automatically scales the Kinesis Data Stream. The processor instances' application code and configuration are stored in an S3 bucket. A. How can a Solutions Architect improve the launch time of new instances in the Auto Scaling group? B. Reduce the values of the Default Cooldown and Health Check Grace Period settings for the Auto Scaling group. C. Change the scale-out rules for the Auto Scaling group to launch instances at a lower threshold on the Kinesis CloudWatch alarm. D. Modify the Lambda function to change the number of Auto Scaling group members when it updates the Kinesis Shard count. E. Update the launch configuration to use a custom Amazon Machine Image (AMI) with all the software pre-installed. Use user data scripts to pull the configuration at launch from Amazon S3.
A
A company wants to create an application that will transmit protected health information (PHI) to thousands of service consumers in different AWS accounts. The application servers will sit in private VPC subnets. The routing for the application must be fault tolerant. What should be done to meet these requirements? A. Create a VPC endpoint service and grant permissions to specific service consumers to create a connection. B. Create a virtual private gateway connection between each pair of service provider VPCs and service consumer VPCs. C. Create an internal Application Load Balancer in the service provider VPC and put application servers behind it. D. Create a proxy server in the service provider VPC to route requests from service consumers to the application servers.
A
A retail company has sensors placed in its physical retail stores. The sensors send messages over HTTP when customers interact with in-store product displays. A Solutions Architect needs to implement a system for processing those sensor messages; the results must be available for the Data Analysis team. Which architecture should be used to meet these requirements? A. Implement an Amazon API Gateway to serve as the HTTP endpoint. Have the API Gateway trigger an AWS Lambda function to process the messages, and save the results to an Amazon DynamoDB table. B. Create an Amazon EC2 instance to serve as the HTTP endpoint and to process the messages. Save the results to Amazon S3 for the Data Analysis team to download. C. Use Amazon Route 53 to direct incoming sensor messages to a Lambda function to process the message and save the results to an Amazon DynamoDB table. D. Use AWS Direct Connect to connect sensors to DynamoDB so that data can be written directly to a DynamoDB table where it can be accessed by the Data Analysis team.
A
A website experiences unpredictable traffic. During peak traffic times, the database is unable to keep up with the write request. Which AWS service will help decouple the web application from the database? A. Amazon SQS B. Amazon EFS C. Amazon S3 D. AWS Lambda
A
An application consists of microservices. The microservices need to communicate asynchronously and the solution must ensure that each message is consumed only once. Which service should be used? A. Amazon SQS B. Amazon Kinesis C. Amazon SNS D. AWS STS
A
An application is running on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. Four instances are required to handle a predictable traffic load. The Solutions Architect wants to ensure that the operation is fault-tolerant up to the loss of one Availability Zone. Which is the MOST cost-efficient way to meet these requirements? A. Deploy two instances in each of three Availability Zones. B. Deploy two instances in each of two Availability Zones. C. Deploy four instances in each of two Availability Zones. D. Deploy one instance in each of three Availability Zones.
A
An application tier currently hosts two web services on the same set of instances, listening on different ports. Which AWS service should a Solutions Architect use to route traffic to the service based on the incoming request path? A. AWS Application Load Balancer B. Amazon CloudFront C. Amazon Classic Load Balancer D. Amazon Route 53
A
An interactive, dynamic website runs on Amazon EC2 instances in a single subnet behind an ELB Classic Load Balancer. Which design changes will make the site more highly available? A. Move some Amazon EC2 instances to a subnet in a different way. B. Move the website to Amazon S3. C. Change the ELB to an Application Load Balancer. D. Move some Amazon EC2 instances to a subnet in the same Availability Zone.
A
An organization is planning a migration from on-premises workloads to AWS, and needs a design that will provide greater operational transparency. Which service should be built into the architecture to automate the capture and publishing of custom metrics that will provide this required transparency? A. Amazon CloudWatch B. AWS CloudTrail C. AWS Developer Tools D. AWS X-Ray
A
Before approving the use of AWS for a new application, the infosec team has asked if it will be possible for specific IP addresses to be blocked from accessing the application, in the event that a threat is detected from a particular block of IP addresses on the internet. What could be used to meet this requirement? A. Network access control lists B. Security groups C. Virtual Private Gateways D. Internet Gateways
A
Two Auto Scaling applications, Application A and Application B, currently run within a shared set of subnets. A Solutions Architect wants to make sure that Application A can make requests to Application B, but Application B should be denied from making requests to Application A. Which is the SIMPLEST solution to achieve this policy? A. Using security groups that reference the security groups of the other application B. Using security groups that reference the application server's IP addresses C. Using Network Access Control Lists to allow/deny traffic based on application IP addresses D. Migrating the applications to separate subnets from each other
A
A Solutions Architect has an application running on an Amazon EC2 instance in a VPC. A client running in another VPC in the same region must be able to communicate with this application. Security policies require that this application should not be accessible from the internet. Which architectures will meet these requirements? (Select TWO) A. Configure a VPC peering connection between the application VPC and the client VPC. B. Configure an Elastic Load Balancing (ELB) Network Load Balancer as a VPC endpoint in the application VPC, connect to it from the clients' VPC. C. Configure AWS Direct Connect and private virtual interface between the application VPC and the client VPC. D. Configure a NAT gateway in the VPC in the application VPC. E. Configure an egress-only internet gateway in the application VPC.
A,B
A company is launching a dynamic website, and the Operations team expects up to 10 times the traffic on the launch date. This website is hosted on Amazon EC2 instances and traffic is distributed by Amazon Route 53. A Solutions Architect must ensure that there is enough backend capacity to meet user demands. The Operations team wants to scale down as quickly as possible after the launch. What is the MOST cost-effective and fault-tolerant solution that will meet the company's customer demands? (Choose two.) A. Set up an Application Load Balancer to distribute traffic to multiple EC2 instances B. Set up an Auto Scaling group across multiple Availability Zones for the website, and create scale-out and scale-in policies C. Create an Amazon CloudWatch alarm to send an email through Amazon SNS when EC2 instances experience higher loads D. Create an AWS Lambda function to monitor website load time, run it every 5 minutes, and use the AWS SDK to create a new instance if website load time is longer than 2 seconds E. Use Amazon CloudFront to cache the website content during launch and set a TTL for cache content to expire after the launch date
A,B
A company must collect temperature data from thousands of remote weather devices. The company must also store this data in a data warehouse to run aggregations and visualizations. Which services will meet these requirements? (Choose two.) A. Amazon Kinesis Data Firehose B. Amazon SQS C. Amazon Redshift D. Amazon SNS E. Amazon DynamoDB
A,C
A company expects its user base to increase five times over one year. Its application is hosted in one region and uses an Amazon RDS MySQL database, an ELB Application Load Balancer, and Amazon ECS to host the website and its microservices. Which design changes should a Solutions Architect recommend to support the expected growth? (Choose two.) A. Move static files from ECS to Amazon S3 B. Use an Amazon Route 53 geolocation routing policy C. Scale the environment based on real-time AWS CloudTrail logs D. Create a dedicated Elastic Load Balancer for each microservice E. Create RDS read replicas and change the application to use these replicas
A,E
A Solutions Architect is defining a shared Amazon S3 bucket where corporate applications will save objects. How can the Architect ensure that when an application uploads an object to the Amazon S3 bucket, the object is encrypted? A. Set a CORS configuration. B. Set a bucket policy to encrypt all Amazon S3 objects. C. Enable default encryption on the bucket. D. Set permission for users.
B
A Solution Architect is designing a three-tier web application. The Architect wants to restrict access to the database tier to accept traffic from the application servers only. However, these application servers are in an Auto Scaling group and may vary in quantity. How should the Architect configure the database servers to meet the requirements? A. Configure the database security group to allow database traffic from the application server IP addresses. B. Configure the database security group to allow database traffic from the application server security group. C. Configure the database subnet network ACL to deny all inbound non-database traffic from the application-tier subnet. D. Configure the database subnet network ACL to allow inbound database traffic from the application-tier subnet.
B
A Solutions Architect is architecting a workload that requires a performant object-based storage system that must be shared with multiple Amazon EC2 instances. Which AWS service meets this requirement? A. Amazon EFS B. Amazon S3 C. Amazon EBS D. Amazon ElastiCache
B
A Solutions Architect is designing a web application for document sharing. The users will upload documents that are then made available to other users. There will be tens of thousands of these documents. What is the MOST cost-effective storage solution? A. Amazon EFS B. Amazon S3 C. Amazon Glacier D. Amazon EBS
B
A Solutions Architect is designing an API that will use Amazon API Gateway, which is backed by AWS Lambda. The Lambda function is not running inside a VPC and will query Amazon DynamoDB to get the results. The user will include the ItemId request parameter in the URL query string as the key to retrieve the data. The Solutions Architect analysed the traffic pattern and has noticed that customers are sending repeated queries to get the same information. The Solutions Architect wants to implement caching to reduce the load on the database and improve query latency. What should the Solutions Architect do to implement a caching solution? A. In API Gateway, add an additional Cache-Control: only-if-cached header before sending the request to Lambda. B. In API Gateway, enable caching based on the item id query parameter. C. In Lambda, use /tmp as the cache directory to store previously retrieved requests. D. In Amazon ElastiCache, store previously retrieved requests and query the cluster before querying the database.
B
A Solutions Architect needs to design a centralized logging solution for a group of web applications running on Amazon EC2 instances. The solution requires minimal development effort due to budget constraints. Which of the following should the Architect recommend? A. Create a crontab job script in each instance to push the logs regularly to Amazon S3. B. Install and configure Amazon CloudWatch Logs agent in the Amazon EC2 instances. C. Enable Amazon CloudWatch Events in the AWS Management Console. D. Enable AWS CloudTrail to map all API calls invoked by the applications.
B
A call center application consists of a three-tier application using Auto Scaling groups to automatically scale resources as needed. Users report that every morning at 9:00 AM the system becomes very slow for about 15 minutes. A Solutions Architect determines that a large percentage of the call center staff starts work at 9:00 AM, so Auto Scaling does not have enough time to scale out to meet demand. How can the Architect fix the problem? A. Change the Auto Scaling group's scale out event to scale based on network utilization. B. Create an Auto Scaling scheduled action to scale out the necessary resources at 8:30 AM every morning. C. Use Reserved Instances to ensure the system has reserved the right amount of capacity for the scale-up events. D. Permanently keep a steady state of instances that is needed at 9:00 AM to guarantee available resources, but leverage Spot Instances.
B
A company is creating a web application that will run on an Amazon EC2 instance. The application on the instance needs access to an Amazon DynamoDB table for storage. What should be done to meet these requirements? A. Create another AWS account root user with permissions to the DynamoDB table. B. Create an IAM role and assign the role to the EC2 instance with permissions to the DynamoDB table. C. Create an identity provider and assign the identity provider to the EC2 instance with permissions to the DynamoDB table. D. Create identity federation with permissions to the DynamoDB table.
B
A company is launching a new application and expects it to be very popular. The company requires a database layer that can scale along with the application. The schema will change frequently and the application cannot afford any downtime for database changes. Which AWS service allows the company to achieve these requirements? A. Amazon RDS MySQL B. Amazon DynamoDB C. Amazon Aurora D. Amazon Redshift
B
A company wants to improve latency by hosting images within a public Amazon S3 bucket fronted by an Amazon CloudFront distribution. The company wants to restrict access to the S3 bucket to include the CloudFront distribution only, while also allowing CloudFront to continue proper functionality. What should be done after making the bucket private to restrict access with the LEAST operational overhead? A. Create a CloudFront origin access identity and create a security group that allows access from CloudFront. B. Create a CloudFront origin access identity and update the bucket policy to grant access to it. C. Create a bucket policy restricting all access to the bucket to include CloudFront IPs only. D. Enable the CloudFront option to restrict viewer access and update the bucket policy to allow the distribution.
B
A customer owns a simple API for their website that receives about 1,000 requests each day and has an average response time of 50 ms. It is currently hosted on one c4.large instance. Which changes to the architecture will provide high availability at the LOWEST cost? A. Create an Auto Scaling group with a minimum of one instance and a maximum of two instances, then use an Application Load Balancer to balance the traffic. B. Recreate the API using Amazon API Gateway and use AWS Lambda as the service backend. C. Create an Auto Scaling group with a maximum of two instances, then use an Application Load Balancer to balance the traffic. D. Recreate the API using Amazon API Gateway and integrate the new API with the existing backend service.
B
A large media site has multiple applications in Amazon ECS. A Solutions Architect needs to use content metadata and route traffic to specific services. What is the MOST efficient method to perform this task? A. Use an AWS Classic Load Balancer with a host-based routing option to route traffic to the correct service. B. Use the AWS CLI to update Amazon Route 53 hosted zone to route traffic as services get updated. C. Use an AWS Application Load Balancer with host-based routing option to route traffic to the correct service. D. Use Amazon CloudFront to manage and route traffic to the correct service.
B
A legacy build management application stores artifacts in an NFS shared filesystem accessed by 400 servers. The company is migrating its infrastructure to AWS. Which storage service should be used for build management? A. Amazon S3 B. Amazon EFS C. Amazon EBS D. Amazon EC2 Instance Storage
B
An application saves the logs to an S3 bucket. A user wants to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this? A. Adding a bucket policy on the S3 bucket. B. Configuring lifecycle configuration rules on the S3 bucket. C. Creating an IAM policy for the S3 bucket. D. Enabling CORS on the S3 bucket.
B
An application stack includes an Elastic Load Balancer in a public subnet, a fleet of Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS MySQL cluster. Users connect to the application from the Internet. The application servers and database must be secure. How should a Solutions Architect perform this task? A. Create a private subnet for the Amazon EC2 instances and a public subnet for the Amazon RDS cluster. B. Create a private subnet for the Amazon EC2 instances and a private subnet for the Amazon RDS cluster. C. Create a public subnet for the Amazon EC2 instances and a private subnet for the Amazon RDS cluster. D. Create a public subnet for the Amazon EC2 instances and a public subnet for the Amazon RDS cluster.
B
An application uses an Amazon SQS queue as a transport mechanism to deliver data to a group of EC2 instances for processing. The application owner wants to add a mechanism to archive the incoming data without modifying application code on the EC2 instances. How can this application be re-architected to archive the data without modifying the processing instances? A. Trigger a Lambda function by using Amazon CloudWatch Events to retrieve messages from the SQS queue and archive to Amazon S3. B. Use an Amazon SNS topic to fan out the data to the SQS queue in addition to a Lambda function that records the data to an S3 bucket. C. Set up an Amazon Kinesis Data Stream so that multiple instances can receive data. Add a separate EC2 instance that is configured to archive all data it receives. D. Write the data to an S3 bucket, and use an SQS queue for S3 event notifications to tell the instances where to retrieve the data.
B
An online company wants to conduct real-time sentiment analysis about its products from its social media channels using SQL. Which of the following solutions has the LOWEST cost and operational burden? A. Set up a streaming data ingestion application on Amazon EC2 and connect it to a Hadoop cluster for data processing. Send the output to Amazon S3 and use Amazon Athena to analyze the data. B. Configure the input stream using Amazon Kinesis Data Streams. Use Amazon Kinesis Data Analytics to write SQL queries against the stream. C. Configure the input stream using Amazon Kinesis Data Streams. Use Amazon Kinesis Data Firehose to send data to an Amazon Redshift cluster, and then query directly against Amazon Redshift. D. Set up streaming data ingestion application on Amazon EC2 and send the output to Amazon S3 using Kinesis Data Firehose. Use Athena to analyze the data.
B
As part of securing an API layer built on Amazon API Gateway, a Solutions Architect has to authorize users who are currently authenticated by an existing identity provider. The users must be denied access for a period of one hour after three unsuccessful attempts. How can the Solutions Architect meet these requirements? A. Use AWS IAM authorization and add least-privileged permissions to each respective IAM role. B. Use an API Gateway custom authorizer to invoke an AWS Lambda function to validate each user's identity. C. Use Amazon Cognito user pools to provide built-in user management. D. Use Amazon Cognito user pools to integrate with external identity providers.
B
Company salespeople upload their sales figures daily. A Solutions Architect needs a durable storage solution for these documents that also protects against users accidentally deleting important documents. Which action will protect against unintended user actions? A. Store data in an EBS volume and create snapshots once a week. B. Store data in an S3 bucket and enable versioning. C. Store data in two S3 buckets in different AWS regions. D. Store data on EC2 instance storage.
B
A Solutions Architect is designing a solution that retains traffic information between network interfaces. This traffic information will be monitored for anomalies by an InfoSec team using Amazon CloudWatch. What approach should the Architect take? A. Save all inbound requests to Amazon DynamoDB. B. Maintain traffic history on each Amazon EC2 instance. C. Enable Amazon VPC Flow Logs. D. Save all inbound requests to Amazon S3.
C
A Solutions Architect is about to deploy an API on multiple EC2 instances in an Auto Scaling group behind an ELB. The support team has the following operational requirements: 1. They get an alert when the requests per second go over 50,000. 2. They get an alert when latency goes over 5 seconds. 3. They can validate how many times a day users call the API requesting highly-sensitive data. Which combination of steps does the Architect need to take to satisfy these operational requirements? (Select two.) A. Ensure that CloudTrail is enabled. B. Create a custom CloudWatch metric to monitor the API for data access. C. Configure CloudWatch alarms for any metrics the support team requires. D. Ensure that detailed monitoring for the EC2 instances is enabled. E. Create an application to export and save CloudWatch metrics for longer term trending analysis.
B,D
A company is developing a highly available web application using stateless web servers. Which services are suitable for storing session state data? (Select TWO.) A. CloudWatch B. DynamoDB C. Elastic Load Balancing D. ElastiCache E. Storage Gateway
B,D
A startup company is building an application to track the high scores for a popular video game. Their Solution Architect is tasked with designing a solution to allow real-time processing of scores from millions of players worldwide. Which AWS service should the Architect use to provide reliable data ingestion from the video game into the datastore? A. AWS Data Pipeline B. Amazon Kinesis Firehose C. Amazon DynamoDB Streams D. Amazon Elasticsearch Service
B
A company requires scalable shared storage to be accessed from hundreds of Linux-based Amazon EC2 instances in a single region. Which option provides the greatest levels of availability and performance? A. Mount an Amazon S3 bucket as a volume by using third-party tools like s3fs. B. Implement a file gateway in the same region, and present it to the EC2 instances. C. Use Amazon EFS and mount it from different Availability Zones. D. Design an LVM-based NFS server, and add more Provisioned IOPS volumes to it when more space is needed.
C
A company wants to organize the contents of multiple websites in managed file storage. The company must be able to scale the storage based on demand without needing to provision storage. Multiple servers should be able to access this storage concurrently. Which service should the solutions architect recommend? A. Amazon S3 B. Amazon EBS C. Amazon EFS D. AWS Storage Gateway - volume gateway
C
A Solution Architect works for an insurance company that has a large number of patient health records. Each record will be used once when assessing a patient and will need to be securely stored for seven years to meet regulations. In rare cases the Solution Architect may need to retrieve a patient record in five hours. Which type of AWS storage would deliver the most cost-effective solution? A. Amazon S3 Reduced Redundancy Storage B. Amazon S3 C. Amazon Glacier D. Amazon S3 Infrequent Access
C
A Solutions Architect is designing a new social media application. The application must provide a secure method for uploading profile photos. Each user should be able to upload a profile photo into a shared storage location for one week after their profile is created. Which approach will meet all of these requirements? A. Use Amazon Kinesis with AWS CloudTrail for auditing the specific times when profile photos are uploaded. B. Use Amazon EBS volumes with IAM policies restricting user access to specific time periods. C. Use Amazon S3 with the default private access policy and generate pre-signed URLs each time a new site profile is created. D. Use Amazon CloudFront with AWS CloudTrail for auditing the specific times when profile photos are uploaded.
C
A Solutions Architect is designing a ride-sharing application. The application needs consistent and single-digit millisecond latency. In addition, the application must integrate with a highly scalable and fully managed database service to track GPS coordinates and user data for all rides. Which database service should the Solutions Architect use to meet these performance requirements? A. Amazon RDS B. Amazon Redshift C. Amazon DynamoDB D. Amazon Aurora
C
A Solutions Architect is designing an application that requires having six Amazon EC2 instances running at all times. The application will be deployed in the sa-east-1 region, which has three Availability Zones: sa-east-1a, sa-east-1b, and sa-east-1c. Which action will provide 100 percent fault tolerance and the LOWEST cost in the event that one Availability Zone in the region becomes unavailable? A. Deploy six Amazon EC2 instances in sa-east-1a, six Amazon EC2 instances in sa-east-1b, and six Amazon EC2 instances in sa-east-1c B. Deploy six Amazon EC2 instances in sa-east-1a, four Amazon EC2 instances in sa-east-1b, and two Amazon EC2 instances in sa-east-1c C. Deploy three Amazon EC2 instances in sa-east-1a, three Amazon EC2 instances in sa-east-1b, and three Amazon EC2 instances in sa-east-1c D. Deploy two Amazon EC2 instances in sa-east-1a, two Amazon EC2 instances in sa-east-1b, and two Amazon EC2 instances in sa-east-1c
C
A Solutions Architect is designing an online shopping application running in a VPC on EC2 instances behind an ELB Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application tier must read and write data to a customer managed database cluster. There should be no access to the database from the Internet, but the cluster must be able to obtain software patches from the Internet. Which VPC design meets these requirements? A. Public subnets for both the application tier and the database cluster B. Public subnets for the application tier, and private subnets for the database cluster C. Public subnets for the application tier and NAT Gateway, and private subnets for the database cluster D. Public subnets for the application tier, and private subnets for the database cluster and NAT Gateway
C
A Solutions Architect is designing network architecture for an application that has compliance requirements. The application will be hosted on Amazon EC2 instances in a private subnet and will be using Amazon S3 for storing data. The compliance requirements mandate that the data cannot traverse the public Internet. What is the MOST secure way to satisfy this requirement? A. Use a NAT Instance. B. Use a NAT Gateway. C. Use a VPC endpoint. D. Use a Virtual Private Gateway.
C
A Solutions Architect is developing software on AWS that requires access to multiple AWS services, including an Amazon EC2 instance. This is a security sensitive application, and AWS credentials such as Access Key ID and Secret Access Key need to be protected and cannot be exposed anywhere in the system. What security measure would satisfy these requirements? A. Store the AWS Access Key ID/Secret Access Key combination in software comments. B. Assign an IAM user to the Amazon EC2 instance. C. Assign an IAM role to the Amazon EC2 instance. D. Enable multi-factor authentication for the AWS root account.
C
A Solutions Architect is migrating a company's MySQL database to an Amazon RDS MySQL database. The company requires the database to be resilient with minimum downtime when failures occur. How can these requirements be met? A. Enable a read replica in another Availability Zone B. Enable multiple Availability Zones in a different AWS Region C. Enable multiple Availability Zones in the same AWS Region D. Enable Amazon RDS instance snapshots in one Availability Zone
C
A Solutions Architect must select the storage type for a big data application that requires very high sequential I/O. The data must persist if the instance is stopped. Which of the following storage types will provide the best fit at the LOWEST cost for the application? A. An Amazon EC2 instance store local SSD volume. B. An Amazon EBS provisioned IOPS SSD volume. C. An Amazon EBS throughput optimized HDD volume. D. An Amazon EBS general purpose SSD volume.
C
A Solutions Architect was tasked with reviewing several templates that build VPCs and ensuring that they meet specific security requirements. After reviewing the templates, the Architect realizes that all of the templates are missing important security best practices. What should the Architect do to implement security best practices in an efficient manner? A. Use VPC peering to enforce network consistency B. Restrict users from deploying an AWS CloudFormation template C. Provide the teams a nested AWS CloudFormation template that builds the VPC correctly D. Create AWS Identity and Access Management (IAM) policies that enforce the corporate VPC architecture standards
C
A client has set up an Auto Scaling group associated with a load balancer. The client has noticed that instances launched by the Auto Scaling group are reported unhealthy as the result of an Elastic Load Balancing (ELB) health check, but these unhealthy instances are not being terminated. What can a Solutions Architect do to ensure that the instances marked unhealthy will be terminated and replaced? A. Increase the value for the health check interval set on the ELB load balancer. B. Change the thresholds set on the Auto Scaling group health check. C. Change the health check type to ELB for the Auto Scaling group. D. Change the health check set on the ELB load balancer to use TCP rather than HTTP checks.
C
A company has an application that accesses a MySQL database installed on a single EC2 instance. The instance recently experienced a fault and brought down the entire application for several hours. The company wants to address the issue but is concerned about spending too much time modifying application code or managing the legacy application. What should the Solutions Architect recommend to remove this single point of failure with the FEWEST changes to the application code and the LEAST amount of administrative effort? A. Implement a caching layer by using Amazon ElastiCache to store query results of frequently accessed information. B. Deploy a second EC2 instance with MySQL installed, and configure replication between this instance and the existing MySQL instance. C. Migrate the database to an RDS MySQL Multi-AZ DB instance, and point the application servers to the new RDS instance. D. Create a DynamoDB table to use as a cache layer, and update the application to query data from Amazon DynamoDB before querying MySQL.
C
A company has two different types of reporting needs on their 200-GB data warehouse: (1) Data scientists run a small number of concurrent ad hoc SQL queries that can take several minutes each to run. (2) Display screens throughout the company run many fast SQL queries to populate dashboards. Which design would meet these requirements with the LEAST cost? A. Replicate relevant data between Amazon Redshift and Amazon DynamoDB. Data scientists use Redshift. Dashboards use DynamoDB. B. Configure auto-replication between Amazon Redshift and Amazon RDS. Data scientists use Redshift. Dashboards use RDS. C. Use Amazon Redshift for both requirements, with separate query queues configured in workload management. D. Use Amazon Redshift for Data Scientists. Run automated dashboard queries against Redshift and store the results in Amazon ElastiCache. Dashboards query ElastiCache.
C
A company is launching a marketing campaign on their website tomorrow and expects a significant increase in traffic. The website is designed as a multi-tiered web architecture, and the increase in traffic could potentially overwhelm the current design. What should a Solutions Architect do to minimize the effects from a potential failure in one or more of the tiers? A. Migrate the database to Amazon RDS. B. Set up DNS failover to a static website. C. Use Auto Scaling to keep up with the demand. D. Use both a SQL and a NoSQL database in the design.
C
A company plans to use AWS for all new batch processing workloads. The company's developers use Docker containers for the new batch processing. The system design must accommodate critical and non-critical batch processing workloads 24/7. How should a Solutions Architect design this architecture in a cost-efficient manner? A. Purchase Reserved Instances to run all containers. Use Auto Scaling groups to schedule jobs. B. Host a container management service on Spot Instances. Use Reserved Instances to run Docker containers. C. Use Amazon ECS orchestration and Auto Scaling groups: one with Reserved Instances, one with Spot Instances. D. Use Amazon ECS to manage container orchestration. Purchase Reserved Instances to run all batch workloads at the same time.
C
A company with an existing AWS VPC is experiencing an increasing number of malicious attacks from a particular IP address range. The company wants to block all access from these IP addresses while the abuse patterns are being investigated. How can access from the specified IPs be denied quickly and temporarily? A. Use an AWS Marketplace solution to block access from the specified IP range B. Leverage NAT gateway on each instance to block access from the specified IP range C. Use Network ACLs to block access from the specified IP range D. Create a rule in the security groups to block access from the specified IP range
C
A company's new web application running on Amazon EC2 across multiple Availability Zones (AZs) will be heavily accessed during regular business hours. After business hours, usage will be minimal. What fleet-scaling approach should be used to size the EC2 fleet to handle the traffic demands? A. Manual scaling across all AZs B. Provisioning for peak traffic C. Scheduled scaling D. Programmatic termination of all instances in one AZ during off-peak hours
C
A data-processing application runs on an i3.large EC2 instance with a single 100 GB EBS gp2 volume. The application stores temporary data in a small database (less than 30 GB) located on the EBS root volume. The application is struggling to process the data fast enough, and a Solutions Architect has determined that the I/O speed of the temporary database is the bottleneck. What is the MOST cost-efficient way to improve the database response times? A. Enable EBS optimization on the instance and keep the temporary files on the existing volume. B. Put the temporary database on a new 50-GB EBS gp2 volume. C. Move the temporary database onto instance storage. D. Put the temporary database on a new 50-GB EBS io1 volume with a 3-K IOPS provision.
C
A gaming application is heavily dependent on caching and uses Amazon ElastiCache for Redis. The application performance was recently degraded due to failure of the cache node. What should a Solutions Architect recommend to minimize performance degradation in the future? A. Migrate from ElastiCache to Amazon RDS B. Configure automatic backup to save cache data C. Configure ElastiCache Multi-AZ with automatic failover D. Use Auto Scaling to provision cache nodes based on CPU usage
C
A large enterprise has highly sensitive customer data which is stored in several Amazon S3 buckets. Which of the following features should be enabled to detect unauthorized access to the buckets? A. Amazon VPC flow logs B. Amazon CloudWatch logs C. Amazon S3 server access logs D. AWS CloudTrail
C
A web application allows customers to upload orders to an S3 bucket. The resulting Amazon S3 events trigger a Lambda function that inserts a message to an SQS queue. A single EC2 instance reads messages from the queue, processes them, and stores them in a DynamoDB table partitioned by unique order ID. Next month traffic is expected to increase by a factor of 10 and a Solutions Architect is reviewing the architecture for possible scaling problems. Which component is MOST likely to need re-architecting to be able to scale to accommodate the new traffic? A. Lambda function B. SQS queue C. EC2 instance D. DynamoDB table
C
A web application has an increase in traffic during certain times of the day, and a Solutions Architect notices that CPU usage reaches 100%, which results in poor application performance. How should the Solutions Architect ensure that adequate compute resources are provisioned at all times? A. Launch Spot Instances when CPU exceeds a given threshold B. Use Elastic Load Balancing to balance the load during high-traffic periods C. Use Amazon EC2 Auto Scaling to launch instances when CPU exceeds a given threshold D. Purchase Reserved Instances to ensure capacity
C
An AWS Lambda function requires access to an Amazon RDS for SQL Server instance. It is against company policy to store passwords in Lambda functions. How can a Solutions Architect enable the Lambda function to retrieve the database password without violating company policy? A. Add an IAM policy for IAM database access to the Lambda execution role. B. Store a one-way hash of the password in the Lambda function. C. Have the Lambda function use the AWS Systems Manager Parameter Store. D. Connect to the Amazon RDS for SQL Server instance by using a role assigned to the Lambda function.
C
An application calls a service run by a vendor. The vendor charges based on the number of calls. The finance department needs to know the number of calls that are made to the service to validate the billing statements. How can a Solutions Architect design a system to durably store the number of calls without requiring changes to the application? A. Call the service through an internet gateway. B. Decouple the application from the service with an Amazon SQS queue. C. Publish a custom Amazon CloudWatch metric that counts calls to the service. D. Call the service through a VPC peering connection.
C
An application requires a highly available relational database with an initial storage capacity of 8 TB. The database will grow by 8 GB every day. To support expected traffic, at least eight read replicas will be required to handle database reads. Which option will meet these requirements? A. DynamoDB B. Amazon S3 C. Amazon Aurora D. Amazon Redshift
C
An organization must process a stream of large-volume hashtag data in real time and needs to run custom SQL queries on the data to get insights on certain tags. The organization needs this solution to be elastic and does not want to manage clusters. Which of the following AWS services meets these requirements? A. Amazon Elasticsearch Service B. Amazon Athena C. Amazon Redshift D. Amazon Kinesis Data Analytics
D
An online retailer is designing a public-facing web application with database servers that are not publicly accessible. Which design is a secure way to ensure that the database servers have access to the internet to download security patches? A. The web servers should be in a public subnet. The database servers should be in the private subnet with a route to a NAT gateway in the public subnet. B. The web servers should be in the private subnet with a route to the NAT gateway in the public subnet. The database servers should be in the public subnet. C. Deploy the Lambda function in private subnets and route outbound traffic through a NAT gateway. Provide the NAT gateway's Elastic IP address to the external service provider. D. Provide the external party the allocated AWS IP address range for Lambda functions, and send change notifications by using a subscription to the AmazonIpSpaceChanged SNS topic.
C
An organization is building an Amazon Redshift cluster in their shared services VPC. The cluster will host sensitive data. How can the organization control which networks can access the cluster? A. Run the cluster in a different VPC and connect through VPC peering. B. Create a database user inside the Amazon Redshift cluster only for users on the network. C. Define a cluster security group for the cluster that allows access from the allowed networks. D. Only allow access to networks that connect with the shared services network via VPN.
C
As part of a migration strategy, a Solutions Architect needs to analyze workloads that can be optimized for performance and cost. The Solutions Architect has identified a stateless application that serves static content as a potential candidate to move to the cloud. The Solutions Architect has the flexibility to choose an identity solution between Facebook, Twitter, and Amazon. Which AWS solution offers flexibility and ease of use, and the LEAST operational overhead for this migration? A. Use AWS Identity and Access Management (IAM) for managing identities, and migrate the application to run on Amazon S3, Amazon API Gateway, and AWS Lambda. B. Use a third-party solution for managing identities, and migrate the application to run on Amazon S3, EC2 Spot Instances, and Amazon EC2. C. Use Amazon Cognito for managing identities, and migrate the application to run on Amazon S3, Amazon API Gateway, and AWS Lambda. D. Use Amazon Cognito for managing identities, and migrate the application to run on Amazon S3, EC2 Spot Instances, and Amazon EC2.
C
Employees from several companies use an application once a year during a specific 30-day period. The periods are different for each company. Traffic to the application spikes during these 30-day periods. How can the application be designed to handle these traffic spikes? A. Use an Amazon Route 53 latency routing policy to route traffic to an Amazon EC2 instance with the least lag time. B. Use Amazon S3 to cache static elements of the website requests. C. Use an Auto Scaling group to scale the number of EC2 instances to match the site traffic. D. Use Amazon CloudFront to serve static assets to decrease the load on the EC2 instances.
C
An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern? A. Access the data through an Internet Gateway. B. Access the data through a VPN connection. C. Access the data through a NAT Gateway. D. Access the data through a VPC endpoint for Amazon S3.
D
To meet compliance standards, a company must have encrypted archival data storage. Data will be accessed infrequently, with lead times well in advance of when archived data must be recovered. The company requires that the storage be secure, durable, and provided at the lowest price per 1TB of data stored. What type of storage should be used? A. Amazon S3 B. Amazon EBS C. Amazon Glacier D. Amazon EFS
C
An application uses an Amazon RDS MySQL cluster for the database layer. Database growth requires periodic resizing of the instance. Currently, administrators check the available disk space manually once a week. How can this process be improved? A. Use the largest instance type for the database. B. Use AWS CloudTrail to monitor storage capacity. C. Use Amazon CloudWatch to monitor storage capacity. D. Use Auto Scaling to increase storage size.
D
A Solutions Architect is designing a customer order processing application that will likely have high usage spikes. What should the Architect do to ensure that customer orders are not lost before being written to an Amazon RDS database? (Choose two.) A. Use Amazon CloudFront to deliver the application front end. B. Use Elastic Load Balancing with a round-robin routing algorithm. C. Have the orders written into an Amazon SQS queue. D. Scale the number of processing nodes based on pending order volume. E. Have a standby Amazon RDS instance in a separate Availability Zone.
C,D
When designing an Amazon SQS message-processing solution, messages in the queue must be processed before the maximum retention time has elapsed. Which actions will meet this requirement? (Choose two.) A. Use AWS STS to process the messages B. Use Amazon EBS-optimized Amazon EC2 instances to process the messages C. Use Amazon EC2 instances in an Auto Scaling group with scaling triggered based on the queue length D. Increase the SQS queue attribute for the message retention period E. Convert the SQS queue to a first-in first-out (FIFO) queue
C,D
An on-premises application publishes messages to an Amazon SQS queue. What is the MOST secure way to provide security credentials to the application? A. Store the credentials in AWS Systems Manager Parameter Store B. Include an IAM user's access key and secret access key in the application code. C. Keep an IAM user's access key and secret access key encrypted in a file D. Launch the instance with an IAM role
D
A Solutions Architect is building an application that will run for eight hours, Monday through Friday. This application will also run a weekly batch process every Saturday night that consistently takes four hours to complete. Which is the MOST cost-effective compute solution? A. Spot Instances B. Standard Reserved Instances C. On-Demand Instances D. Scheduled Reserved Instances
D
A Solutions Architect is creating a serverless web application that must access mapping data in hundreds of data files, each containing approximately 30 KB of data. The storage required is expected to grow to hundreds of terabytes. Which storage solution is most cost-effective, yet still meets the requirements for this use case? A. Amazon EFS B. Amazon EBS Cold HDD (sc1) C. Amazon S3 Standard D. Amazon DynamoDB
D
A Solutions Architect is creating a multi-tiered architecture for an application that includes a public-facing web tier. Security requirements state that the Amazon EC2 instances running in the application tier must not be accessible directly from the internet. What should be done to accomplish this? A. Create a multi-VPC peering mesh with network access rules limiting communications to specific ports. Implement an internet gateway on each VPC for external connectivity. B. Place all instances in a single Amazon VPC with AWS WAF as the web front-end communication conduit. Configure a NAT gateway for external communications. C. Use VPC peering to peer with on-premises hardware. Direct enterprise traffic through the VPC peer connection to the instances hosted in the private VPC. D. Deploy the web and application instances in a private subnet. Provision an Application Load Balancer in the public subnet. Install an internet gateway and use security groups to control communications between the layers.
D
A Solutions Architect is creating an application running in an Amazon VPC that needs to access AWS Systems Manager Parameter Store. Network security rules prohibit any route table entry with a 0.0.0.0/0 destination. What infrastructure addition will allow access to the AWS service while meeting the requirements? A. VPC peering B. NAT instance C. NAT gateway D. AWS PrivateLink
D
A Solutions Architect is designing an application in AWS. The Architect must not expose the application or database tier over the Internet for security reasons. The application must be low-cost and have a scalable front end. The databases and application tier must have only one-way Internet access to download software and patch updates. Which solution helps to meet these requirements? A. Use a NAT Gateway as the front end for the application tier and to enable the private resources to have Internet access. B. Use an Amazon EC2-based proxy server as the front end for the application tier, and a NAT Gateway to allow Internet access for private resources. C. Use an ELB Classic Load Balancer as the front end for the application tier, and an Amazon EC2 proxy server to allow Internet access for private resources. D. Use an ELB Classic Load Balancer as the front end for the application tier, and a NAT Gateway to allow Internet access for private resources.
D
A Solutions Architect needs to design a solution that will enable a security team to detect, review, and perform root cause analysis of security incidents that occur in a cloud environment. The Architect must provide a centralized view of all API events for current and future AWS regions. How should the Architect accomplish this task? A. Enable AWS CloudTrail logging in each individual region. Repeat this for all future regions. B. Enable Amazon CloudWatch logs for all AWS services across all regions and aggregate them in a single Amazon S3 bucket. C. Enable AWS Trusted Advisor security checks and report all security incidents for all regions. D. Enable AWS CloudTrail by creating a new trail and apply the trail to all regions.
D
A company has a legacy application using a proprietary file system and plans to migrate the application to AWS. Which storage service should the company use? A. Amazon DynamoDB B. Amazon S3 C. Amazon EBS D. Amazon EFS
D
A company has an application that generates invoices and makes the invoices available online. Invoices are stored as PDFs in an Amazon S3 bucket. Customers typically only view each invoice during the month it is issued. However, past invoices need to be immediately available. There are concerns over rising storage costs as the company gains more customers. What is the MOST cost-effective method to store the data? A. Use Amazon S3 for current invoices. Set up lifecycle rules to migrate invoices to the GLACIER storage class after 30 days. B. Store the invoices as text files. Use Amazon CloudFront to convert the invoices from text to PDF when customers download invoices. C. Store the invoices as binaries in an Amazon RDS database instance. Retrieve them from the database when customers request invoices. D. Use Amazon S3 for current invoices. Set up lifecycle rules to migrate invoices to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
D
A company is setting up a new website for online sales. The company will have a web tier and a database tier. The web tier consists of load-balanced, auto-scaled Amazon EC2 instances in multiple Availability Zones (AZs). The database tier is an Amazon RDS Multi-AZ deployment. The EC2 instances must connect securely to the database. How should the resources be launched? A. EC2 instances: public subnet; RDS database instances: public subnet; Load balancer: public subnet B. EC2 instances: public subnet; RDS database instances: private subnet; Load balancer: private subnet C. EC2 instances: private subnet; RDS database instances: public subnet; Load balancer: public subnet D. EC2 instances: private subnet; RDS database instances: private subnet; Load balancer: public subnet
D
A company is storing an access key (access key ID and secret access key) in a text file on a custom AMI. The company uses the access key to access DynamoDB tables from instances created from the AMI. The security team has mandated a more secure solution. Which solution will meet the security team's mandate? A. Put the access key in an S3 bucket, and retrieve the access key on boot from the instance. B. Pass the access key to the instances through instance user data. C. Obtain the access key from a key server launched in a private subnet. D. Create an IAM role with permissions to access the table, and launch all instances with the new role.
D
A company needs to quickly ensure that all files created in an Amazon S3 bucket in us-east-1 are also available in another bucket in ap-southeast-2. Which option represents the SIMPLEST way to implement this design? A. Add an S3 lifecycle rule to move any files from the bucket in us-east-1 to the bucket in ap-southeast-2. B. Create a Lambda function to be triggered for every new file in us-east-1 that copies the file to the bucket in ap-southeast-2. C. Use SNS to notify the bucket in ap-southeast-2 to create a file whenever the file is created in the bucket in us-east-1. D. Enable versioning and configure cross-region replication from the bucket in us-east-1 to the bucket in ap-southeast-2.
D
A customer is looking for a storage archival solution for 1,000 TB of data. The customer requires that the solution be durable and data be available within a few hours of requesting it, but not exceeding a day. The solution should be as cost-effective as possible. To meet security compliance policies, data must be encrypted at rest. The customer expects they will need to fetch the data two times in a year. Which storage solution should a Solutions Architect recommend to meet these requirements? A. Copy data to Amazon S3 buckets by using server-side encryption. Move data to Amazon S3 Reduced Redundancy Storage (RRS). B. Copy data to encrypted Amazon EBS volumes, then store data into Amazon S3. C. Copy each object into a separate Amazon Glacier vault, and let Amazon Glacier take care of encryption. D. Copy data to Amazon S3 with server-side encryption. Configure lifecycle management policies to move data to Amazon Glacier after 0 days.
D
A customer is running a critical payroll system in a production environment in one data center and a disaster recovery (DR) environment in another. The application includes load-balanced web servers and failover for the MySQL database. The customer's DR process is manual and error-prone. For this reason, management has asked IT to migrate the application to AWS and make it highly available so that IT no longer has to manually fail over the environment. How should a Solutions Architect migrate the system to AWS? A. Migrate the production and DR environments to different Availability Zones within the same region. Let AWS manage failover between the environments. B. Migrate the production and DR environments to different regions. Let AWS manage failover between the environments. C. Migrate the production environment to a single Availability Zone, and set up instance recovery for Amazon EC2. Decommission the DR environment because it is no longer needed. D. Migrate the production environment to span multiple Availability Zones, using Elastic Load Balancing and Multi-AZ Amazon RDS. Decommission the DR environment because it is no longer needed.
D
A customer needs to provide full access to the objects stored in an Amazon S3 bucket, but only for the members of the HR department. How can a Solutions Architect meet this requirement with the LEAST administrative overhead? A. Configure Amazon S3 presigned URLs for the objects stored in the bucket for members of the HR department. B. Configure a policy for the HR department IAM group to allow full access to the bucket. C. Configure server-side encryption with Amazon S3-Managed Keys (SSE-S3) for the bucket. D. Configure S3 bucket ACLs to grant the required permissions in the bucket for members of the HR department.
D
A media company asked a Solutions Architect to design a highly available storage solution to serve as a centralized document store for their Amazon EC2 instances. The storage solution needs to be POSIX-compliant, scale dynamically, and be able to serve up to 100 concurrent EC2 instances. Which solution meets these requirements? A. Create an Amazon S3 bucket and store all of the documents in this bucket. B. Create an Amazon EBS volume and allow multiple users to mount that volume to their EC2 instance(s). C. Use Amazon Glacier to store all of the documents. D. Create an Amazon Elastic File System (Amazon EFS) to store and share the documents.
D
An application currently stores objects in Amazon S3-Standard. The application accesses new objects frequently for one week. After one week, they are accessed occasionally for analysis batch jobs. A Solutions Architect has been asked to reduce storage costs for the application while allowing immediate access for batch jobs. How can costs be reduced without reducing data durability? A. Create a lifecycle policy that moves Amazon S3 data to Amazon S3 One Zone-Infrequent Access storage after 7 days. After 30 days, move the data to Amazon Glacier. B. Keep the data on Amazon S3, and create a lifecycle policy to move S3 data to Amazon Glacier after 7 days. C. Move all Amazon S3 data to S3 Standard-Infrequent Access storage, and create a lifecycle policy to move the data to Amazon Glacier after 7 days. D. Keep the data on Amazon S3, then create a lifecycle policy to move the data to S3 Standard-Infrequent Access storage after 7 days.
D
How can a user track memory usage in an EC2 instance? A. Call Amazon CloudWatch to retrieve the memory usage metric data that exists for the EC2 instance. B. Assign an IAM role to the EC2 instance with an IAM policy granting access to the desired metric. C. Use an instance type that supports memory usage reporting to a metric by default. D. Place an agent on the EC2 instance to push memory usage to an Amazon CloudWatch custom metric.
D
A company is developing a new stateless web service with low memory requirements. The service needs to scale based on demand. What is the MOST cost-effective solution? A. Deploy the application onto AWS Elastic Beanstalk B. Deploy the application onto AWS Lambda with access through Amazon API Gateway C. Deploy the application onto an Amazon EC2 Spot Fleet D. Deploy the application onto a container with an Amazon ECS EC2 launch type
B