AWS Solutions Architect Associate

A company currently hosts a Redshift cluster in AWS. For security reasons, it should ensure that all traffic from and to the Redshift cluster does not go through the Internet. Which features can be used to fulfill this requirement in an efficient manner? A. Enable Amazon Redshift Enhanced VPC Routing B. Create a NAT Gateway to route the traffic C. Create a NAT Instance to route the traffic D. Create a VPN connection to ensure traffic does not flow through the internet

A

A company has a lot of data hosted on their on-premises infrastructure. Running out of storage space, the company wants a quick win solution using AWS. Which of the following would allow easy extension of their data infrastructure to AWS? A. The company could start using Gateway Cached Volumes B. The company could start using Gateway Stored Volumes C. The company could start using the DEEP_ARCHIVE storage class D. The company could start using Amazon Glacier

A

A large medical institute is using a legacy database for saving all its patient details. Due to compatibility issues with the latest software they are planning to migrate this database to AWS cloud infrastructure. This large size database will be using a NoSQL database Amazon DynamoDB in AWS. As an AWS Consultant you need to ensure that all tables of the current legacy database are migrated without a glitch to Amazon DynamoDB. Which of the following is the most cost-effective way of transferring legacy databases to Amazon DynamoDB? A. Use AWS DMS with AWS Schema Conversion Tool to save data to Amazon S3 bucket and then upload all data to Amazon DynamoDB B. Use AWS DMS with engine conversion tool to save data to Amazon S3 bucket and then upload all data to Amazon DynamoDB C. Use AWS DMS with engine conversion tool to save data to Amazon EC2 and then upload all data to Amazon DynamoDB D. Use AWS DMA with AWS Schema Conversion Tool to save data to Amazon EC2 instance and then upload all data to Amazon DynamoDB

A

A security audit discovers that one of your RDS MySQL instances is not encrypted. The instance has a Read Replica in the same AWS region which is also not encrypted. You need to fix this issue as soon as possible. What is the proper way to add encryption to the instance and its replica? A. Copy a DB snapshot and encrypt the snapshot. Restore a new DB instance from the encrypted snapshot and add a Read Replica B. Encrypt the DB instance. Launch a new Read Replica and the replica is encrypted automatically C. Create a DB snapshot and encrypt the snapshot. Launch a new instance and its Read Replica from the snapshot. D. Promote the Read Replica to be a standalone instance and encrypt it. Add a new Read Replica to the standalone instance

A

An EC2 instance hosts a Java-based application that accesses a DynamoDB table. This EC2 instance is currently serving production users. What would be a secure way for the EC2 instance to access the DynamoDB table? A. Use IAM roles with permissions to interact with DynamoDB and assign it to the EC2 instance B. Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 instance C. Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 instance D. Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 instance

A

The security policy of an organization requires an application to encrypt data before writing to the disk. Which solution should the organization use to meet this requirement? A. AWS KMS (Key Management Service) API B. AWS Certificate Manager C. API Gateway with STS D. IAM Access Key

A

Third-party sign-in (Federation) has been implemented in your web application to allow users who need access to AWS resources. Users have been successfully logging in using Google, Facebook, and other third-party credentials. Suddenly, their access to some AWS resources has been restricted. What is the most likely cause of the restricted use of AWS resources? A. IAM policies for resources were changed, thereby restricting access to AWS resources B. Federation protocols are used to authorize services and need to be updated C. AWS changed the services allowed to be accessed via federated login D. The identity providers no longer allow access to AWS services

A

What is the data processing engine behind Amazon Elastic MapReduce? A. Apache Hadoop B. Apache Hive C. Apache Pig D. Apache HBase

A

Which of the following use cases is well suited for Amazon RedShift? A. A 500TB data warehouse used for market analytics B. A NoSQL, unstructured database workload C. A high traffic, e-commerce web application D. An in-memory cache

A

You are working as an AWS consultant for an E-commerce organization. The organization is planning to migrate to a managed database service using Amazon RDS. To avoid any business loss due to any deletion in the database, the management team is looking for a backup process which will restore Database at any specific time during the last month. Which action should be performed as a part of Amazon RDS Automated backup process? A. AWS performs storage volume snapshot of database instance during the backup window once a day, captures transaction logs every 5 minutes, and store in S3 buckets B. AWS performs a full snapshot of the database every 12 hours during the backup window, captures transactions logs throughout the data, and store in S3 buckets C. AWS performs full daily snapshot during the backup window. Given this doesn't provide point in time restoration it does not meet the requirements D. AWS performs storage volume snapshot of the database instance every 12 hours during the backup window, captures transaction logs throughout the day, store in S3 buckets

A

You have an S3 bucket that receives photos uploaded by customers. When an object is uploaded, an event notification is sent to an SQS queue with the object details. You also have an ECS cluster that gets messages from the queue to do the batch processing. The queue size may change greatly depending on the number of incoming messages and backend processing speed. Which metric would you use to scale up/down the ECS cluster capacity? A. The number of messages in the SQS queue B. Memory usage of the ECS cluster C. Number of objects in the S3 bucket D. Number of containers in the ECS cluster

A

You have an application that will run on an Amazon EC2 instance. The application will make requests to Amazon S3 and Amazon DynamoDB. Using best practices, what type of AWS IAM identity should you create for your application to access the identified services? A. IAM role B. IAM user C. IAM group D. IAM directory

A

Amazon CloudWatch offers which types of monitoring plans? (Choose 2) A. Basic B. Detailed C. Diagnostic D. Precognitive E. Retroactive

A,B

You have an application hosted on AWS consisting of EC2 instances launched via an Auto Scaling group. You notice that the EC2 instances are not scaling on demand. Which checks should be done to ensure that the scaling occurs as expected? (Select 2) A. Ensure that the right metrics are being used to trigger the scale-out B. Check your scaling policies to see whether more than one policy is triggered by an event C. Ensure that AutoScaling Health checks are being used D. Ensure that you are using Load Balancers

A,B

Your company currently has a set of EC2 instances hosted in AWS. The states of these instances need to be monitored and each state needs to be changed when a metric breaches a threshold value. Which step could be helpful to fulfill this requirement? (Choose 2) A. Use CloudWatch logs to store the state change of the instances B. Create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance C. Use SQS to trigger a record to be added to a DynamoDB table D. Use AWS Lambda to store a change record in a DynamoDB table

A,B

What administrative tasks are handled by AWS for Amazon Relational Database Service (RDS) databases? (Choose 3) A. Regular backups of the database B. Deploying virtual infrastructure C. Deploying the schema (for example, tables and stored procedures) D. Patching the operating system and database software E. Setting up non-admin database accounts and privileges

A,B,D

Which of the following are true about the AWS shared responsibility model? (Choose 3) A. AWS is responsible for all infrastructure components (AWS Cloud Services) that support customer deployments B. The customer is responsible for the components from the guest operating system upward (including updates, security patches, and antivirus software) C. The customer may rely on AWS to manage the security of their workloads deployed on AWS D. While AWS manages security of the cloud, security in the cloud is the responsibility of the customer E. The customer must audit the AWS data centers personally to confirm the compliance of AWS systems and services

A,B,D

A media firm has a global presence for its sports programming and broadcasting network which uses AWS infrastructure. They have multiple AWS accounts created based upon verticals and to manage these accounts they have created AWS Organizations. Recently this firm was acquired by another media firm which is also using AWS infrastructure for media streaming services. Both these firms need to merge AWS Organizations to have new policies created and enforced in all the member AWS accounts of the merged entities. As an AWS consultant, which of the following steps will you suggest to the client to move the master account of the original media firm to the AWS Organization used by the merged entity? (Choose 3) A. Remove all member accounts from the organization B. Make another member account as a master account C. Delete old organization D. Invite an old master account to join a new organization as a member account E. Invite an old master account to join a new organization as a master account

A,C,D

A retailer exports data daily from its transactional databases into an S3 bucket in the Sydney region. The retailer's Data Warehousing team wants to import this data into an existing Amazon Redshift cluster in their VPC at Sydney. Corporate security policy mandates that data can only be transported within a VPC. Which steps would satisfy the security policy? (Choose 2) A. Enable Amazon Redshift Enhanced VPC Routing B. Create a Cluster Security Group to allow the Amazon Redshift cluster to access Amazon S3 C. Create a NAT Gateway in a public subnet to allow the Amazon Redshift cluster to access Amazon S3 D. Create and configure an Amazon S3 VPC endpoint

A,D

For which of the following scenarios should a Solutions Architect consider using Elastic Beanstalk? A. A web application using Amazon RDS B. An Enterprise Data Warehouse C. A long-running worker process D. Capacity provisioning and load balancing of website E. A management task run once on nightly basis

A,D

If you launch five Amazon EC2 instances in an Amazon VPC without specifying a security group, the instances will be launched into a default security group that provides which of the following? (Choose 3) A. The five Amazon EC2 instances can communicate with each other B. The five Amazon EC2 instances can't communicate with each other C. All inbound traffic will be allowed to the 5 Amazon EC2 instances D. No inbound traffic will be allowed to the 5 Amazon EC2 instances E. All outbound traffic will be allowed from the 5 Amazon EC2 instances F. No outbound traffic will be allowed from the 5 Amazon EC2 instances

A,D,E

A Singapore based large Architect firm is using Amazon S3 bucket to save all architecture drawings. This firm works globally and multiple accounts are created within the Singapore region as well in other regions to access AWS resources. Users in all these accounts access the Amazon S3 bucket for architectural drawings. AWS Organization is created for accounts in the Singapore region. Central IT teams are managing access to S3 buckets using Service Control Policies with AWS Organization. While applying SCP to an AWS Organization which of the following needs to be considered to avoid blocking of legitimate user access? A. SCP will block access to Amazon S3 bucket to all accounts within the Singapore region including root users of each account within AWS Organization as well as access to users outside this region who have access to S3 bucket B. SCP will block access to Amazon S3 bucket to all accounts within the Singapore region including root users of each account within AWS Organization and not to users outside this region who have access to S3 bucket C. SCP will block access to Amazon S3 bucket to all accounts within the Singapore region excluding root users of each account within AWS Organization as well as access to users outside this region who have access to S3 bucket D. SCP will block access to Amazon S3 bucket to all accounts within the Singapore region excluding root users of each account within AWS Organization and not to users outside this region who have access to S3 bucket

B

A Solutions Architect is designing a highly scalable system to track records. These records must remain available for immediate download for up to three months and then must be deleted. What is the most appropriate decision for this use case? A. Store the files in Amazon EBS and create a Lifecycle Policy to remove files after 3 months B. Store the files in Amazon S3 and create a Lifecycle Policy to remove files after 3 months C. Store the files in Amazon Glacier and create a Lifecycle Policy to remove files after 3 months D. Store the files in Amazon EFS and create a Lifecycle Policy to remove files after 3 months

B

A company has a set of Hyper-V machines and VMware virtual machines. They are now planning to migrate these resources to the AWS Cloud. What should they use to move these resources to the AWS cloud? A. DB Migration utility B. AWS Server Migration Service C. Use AWS Migration Tools D. Use AWS Config Tools

B

A company has a set of web servers. It is required to ensure that all the logs from these web servers can be analyzed in real-time for any sort of threat detection. What could be the right choice in this regard? A. Upload all the logs to the SQS Service and then use EC2 instances to scan the logs B. Upload the logs to Amazon Kinesis and then analyze the logs accordingly C. Upload the logs to CloudTrail and then analyze accordingly D. Upload the logs to Glacier and then analyze the logs accordingly

B

A company has an application that stores images and thumbnails on S3. The thumbnail needs to be available for download immediately. Additionally, both the images and thumbnails are not accessed frequently. What would be the cost-efficient storage option that meets the above-mentioned requirements? A. Amazon Glacier with Expedited Retrievals B. Amazon S3 Standard Infrequent Access C. Amazon EFS D. Amazon S3 Standard

B

A company has an entire infrastructure hosted on AWS. It needs to create code templates that can be used to provision the same set of resources in another region in case of a disaster in the primary region. Which AWS service can be helpful in this regard? A. AWS Beanstalk B. AWS CloudFormation C. AWS CodeBuild D. AWS CodeDeploy

B

A company is planning on testing a large set of IoT enabled devices. These devices will be streaming data every second. A proper service needs to be chosen in AWS which could be used to collect and analyze these streams in real-time. Which AWS service would be the most appropriate for this purpose? A. Use AWS EMR to store and process the streams B. Use AWS Kinesis to process and analyze the data C. Use AWS SQS to store the data D. Use SNS to store the data

B

A company is planning to build an application using the services available on AWS. This application will be stateless in nature, and the service must have the ability to scale according to the demand. Which compute service should be used in this scenario? A. AWS DynamoDB B. AWS Lambda C. AWS S3 D. AWS SQS

B

A company needs to use the AWS RDS service to host a MySQL database. This database is going to be used for production purposes and is expected to experience a high number of read/write activities. Which EBS Volume type would be ideal for this database? A. General Purpose SSD B. Provisioned IOPS SSD C. Throughput Optimized HDD D. Cold HDD

B

A company wants to have a fully managed data store in AWS. It should be a compatible MySQL database, which is an application requirement. Which AWS database engine could be used for this purpose? A. AWS RDS B. AWS Aurora C. AWS DynamoDB D. AWS RedShift

B

A company with a set of Admin jobs (.NET core) currently set up in the C# programming language is moving its infrastructure to AWS. What would be an efficient means of hosting the Admin related jobs in AWS? A. Use AWS DynamoDB to store the jobs and then run them on demand B. Use AWS Lambda functions with C# for the admin jobs C. Use AWS S3 to store the job and then run them on demand D. Use AWS Config functions with C# for the Admin jobs

B

A consulting firm repeatedly builds large architectures for their customers using AWS resources from several AWS services including IAM, Amazon EC2, Amazon RDS, DynamoDB, and Amazon VPC. The consultants have architecture diagrams for each of their architectures and are frustrated that they can't use them to automatically create their resources. Which service should provide immediate benefits to the organization? A. AWS Beanstalk B. AWS CloudFormation C. AWS CodeBuild D. AWS CodeDeploy

B

A financial firm is planning to build a highly resilient application with primary database servers at on-premise data centers and DB snapshots in an Amazon S3 bucket. The IT team is looking for a cost-effective, secure way to perform the initial transfer of large customer financial databases from on-premise servers to the Amazon S3 bucket with no impact on client usage of these applications. Also, after this data transfer, the on-premise application will fetch data from the database in Amazon S3 in case the primary database fails. So, your solution should ensure the Amazon S3 database is fully synced with the on-premise database. Which of the following can be used to meet this requirement? A. Amazon S3 Transfer Acceleration for transferring data between the on-premise and Amazon S3 bucket while using AWS DataSync for accessing these S3 bucket data from the on-premise application B. Use AWS DataSync for transferring data between the on-premise and Amazon S3 bucket while using AWS Storage Gateway for accessing these S3 bucket data from the on-premise application C. Use AWS Snowball Edge for transferring data between the on-premise and Amazon S3 bucket while using AWS Storage Gateway for accessing these S3 bucket data from the on-premise application D. Use AWS Transfer for transferring data between the on-premise and Amazon S3 bucket while using AWS DataSync for accessing these S3 bucket data from the on-premise application

B

A website runs on EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple AZ's and deliver several static files that are stored on a shared Amazon EFS file system. The company needs to avoid serving the files from EC2 instances every time a user requests these digital assets. What should the company do to improve the user experience of the website? A. Move the digital assets to Amazon Glacier B. Cache static content using CloudFront C. Resize the images so that they are smaller D. Use reserved EC2 instances

B

An AWS Solutions Architect who is designing a solution to store and archive corporate documents has determined Amazon Glacier as the right choice. An important requirement is that the data must be delivered within 10 minutes of a retrieval request. Which feature in Amazon Glacier could help to meet this requirement? A. Vault Lock B. Expedited retrieval C. Bulk retrieval D. Standard retrieval

B

An organization hosts a multi-language website on AWS, which is served using CloudFront. Language is specified in the HTTP request as shown below: - http://d11111f8.cloudfront.net/main.html?language=de - http://d11111f8.cloudfront.net/main.html?language=en - http://d11111f8.cloudfront.net/main.html?language=es How should AWS CloudFront be configured to deliver cached data in the correct language? A. Forward cookies to the origin B. Based on query string parameters C. Cache objects at the origin D. Serve dynamic content

B

As a Solutions Architect for a multinational organization having more than 150,000 employees, management has decided to implement a real time analysis for their employees' time spent in offices across the globe. You are tasked to design an architecture that will receive the inputs from 10,000+ sensors with swipe machine sending in and out data across the globe, each sending 20KB data every 5 seconds in JSON format. The application will process and analyze the data and upload the results to dashboards in real-time. Other application requirements will include the ability to apply real-time analytics on the captured data, processing of captured data will be parallel and durable, the application must be scalable as per the requirement as the load varies and new sensors are added or removed at various facilities. The analytic processing results are stored in a persistent data storage for data mining. What combination of AWS services would be used for the above scenario? A. Use EMR to copy the data coming from Swipe machines into DynamoDB and make it available for analytics B. Use Amazon Kinesis Streams to ingest the Swipe data coming from sensors, Custom Kinesis Streams Applications to analyze the data and then move analytics outcomes to RedShift using AWS EMR C. Use SQS to receive the data coming from sensors, Kinesis Firehose to analyze the data from SQS, then save the results

B

Elastic Load Balancing allows you to distribute traffic across which of the following? A. Only within a single AZ B. Multiple AZ's within a region C. Multiple AZ's within and between regions D. Multiple AZ's within and between regions and on-premises virtualized instances running OpenStack

B

How is data stored in Amazon S3 for high durability? A. Data is automatically replicated to other regions B. Data is automatically replicated to different AZ's within a region C. Data is replicated only if versioning is enabled on the bucket D. Data is automatically backed up on tape and restored if needed

B

It is expected that only certain specified customers can upload images to the S3 bucket for a certain period of time. What would you suggest as an architect to fulfill this requirement? A. Create a secondary S3 bucket. Then, use an AWS Lambda to sync the contents to the primary bucket B. Use pre-signed URLs for uploading the images C. Use ECS Containers to upload the images D. Upload the images to SQS and then push them to the S3 bucket

B

What is the primary use case of Amazon Kinesis Firehose? A. Ingest huge streams of data and allow custom processing of data in flight B. Ingest huge streams of data and store it to Amazon S3, Amazon RedShift, or Amazon Elasticsearch Service C. Generate a huge stream of data from an Amazon S3 bucket D. Generate a huge stream of data from Amazon DynamoDB

B

What type of AWS Elastic Beanstalk environment tier provisions resources to support a web application that handles background processing tasks? A. Web Server environment tier B. Worker environment tier C. Database environment tier D. Batch environment tier

B

Which of the following is true if you stop an Amazon EC2 instance with an Elastic IP address in an Amazon VPC? A. The instance is disassociated from its Elastic IP address and must be re-attached when the instance is restarted B. The instance remains associated with its Elastic IP address C. The Elastic IP address is released from your account D. The instance is disassociated from the Elastic IP address temporarily while you restart the instance

B

Which process in an Amazon Simple Workflow Service workflow implements a task? A. Decider B. Activity Worker C. Workflow starter D. Business Rule

B

You are working as an AWS Architect for a start-up company. They have a two-tier production website. Database servers are spread across multiple Availability Zones and are stateful. You have configured Auto Scaling group for these database servers with a minimum of 2 instances and maximum of 6 instances. During post-peak hours, you observe some data loss. Which feature needs to be configured additionally to avoid future data loss (and copy data before instance termination)? A. Modify the cool down period to complete custom actions before the instance terminates B. Add lifecycle hooks to Auto Scaling group C. Customize Termination policy to complete data copy before termination D. Suspend Terminate process that will avoid data loss

B

You are working for a start-up company that develops mobile gaming applications using AWS resources. For creating AWS resources, the project team is using CloudFormation templates. The Project Team is concerned about the changes made in EC2 instance properties by the Operations Team, apart from parameters specified in CloudFormation Templates. To observe changes in AWS EC2 instances, you advise using CloudFormation Drift Detection. After Drift detection, when you check drift status for all AWS EC2 instances, drift for certain property values having default values for resource properties is not displayed. What would you do to include these resource properties to be captured in CloudFormation Drift Detection? A. Run CloudFormation Drift Detection on individual stack resources instead of entire CloudFormation stack B. Explicitly set the property value, which can be the same as the default value C. Manually check these resources as this is not supported in CloudFormation Drift Detection D. Assign Read permission to CloudFormation Drift Detection to determine drift

B

You currently have your EC2 instances running in multiple availability zones. You have a NAT gateway defined for your private instances and you want to make this highly available. How could this be accomplished? A. Create another NAT Gateway and place it behind an ELB B. Create a NAT Gateway in another Availability Zone C. Create a NAT Gateway in another region D. Use Auto Scaling groups to scale the NAT gateway

B

You have a local data center on premise which stores archived files. The total amount of the files is about 70TB. The data needs to be transferred to Amazon S3. After the data transfer is finished, the local data center will not be used. Which solution is the most appropriate? A. AWS Direct Connect B. AWS Snowball C. Amazon S3 Transfer Acceleration D. AWS Global Accelerator

B

You have an EC2 instance in the AWS us-east-1 region. The application in the instance needs to access a DynamoDB table that is located in the AWS us-east-2 region. The connection must be private without leaving the Amazon network and instance should not use any public IP for communication. How would you configure this? A. Configure an inter-region VPC endpoint for the DynamoDB service B. Configure inter-region VPC peering and create a VPC endpoint for DynamoDB in us-east-2 C. Create an inter-region VPC peering connection between us-east-1 and us-east-2 D. There is no way to set up the private inter-region connections

B

You need to deploy a machine learning application in AWS EC2. The performance of inter-instance communication is very critical for the application and you want to attach a network device to the instance so that the performance can be greatly improved. Which option is the most appropriate to improve the performance? A. Enable enhanced networking feature in the EC2 instance B. Configure Elastic Fabric Adapter (EFA) in the instance C. Attach high speed Elastic Network Interface (ENI) in the instance D. Create Elastic File System (EFS) and mount the file system in the instance

B

Your company has 17 TB of financial trading records that need to be stored for 7 years by law. Experience has shown that any record more than a year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost-efficient manner? A. Store the data on Amazon EBS volume attached to t2.large instances B. Store the data on Amazon S3 with lifecycle policies that change the storage class to Amazon Glacier after 1 year, and delete the object after 7 years C. Store the data in Amazon DynamoDB, and delete data older than 7 years D. Store the data in an Amazon Glacier Vault Lock

B

Your recent security review revealed a large spike in attempted logins to your AWS account. With respect to sensitive data stored in encryption enabled S3, the data has not been encrypted and is susceptible to fraud if it was to be stolen. You've recommended AWS Key Management Service as a solution. Which of the following is true regarding the operation of KMS? A. Only KMS generated keys can be used to encrypt or decrypt data B. Data is encrypted at rest C. KMS allows all users and roles to use the keys by default D. Data is decrypted in transit

B

A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a default VPC private subnet created with default ACL settings. The web servers must be accessible only to customers on an SSL connection and the database must only be accessible to web servers in a public subnet. Which solution would meet these requirements without impacting other applications? (Select 2) A. Create a network ACL on the Web Server's subnets, allow HTTPS port 443 inbound and specify the source as 0.0.0.0/0 B. Create a web server security group that allows HTTPS port 443 inbound traffic from anywhere (0.0.0.0/0) and apply it to the Web Servers C. Create a DB Server security group that allows MySQL port 3306 inbound and specify the source as the Web Server security group D. Create a network ACL on the DB subnet, allow MySQL port 3306 inbound for Web Servers and deny all outbound traffic E. Create a DB server security group that allows HTTPS port 443 inbound and specify the source as a Web Server security group

B,C

An application consists of the following architecture: a. EC2 instances in a single AZ behind an ELB b. A NAT Instance which is used to ensure that instances can download updates from the internet What could be done to ensure better fault tolerance in this set up? (Choose 2) A. Add more instances in the existing Availability Zone B. Add an Auto Scaling Group to the setup C. Add more instances in another Availability Zone D. Add another ELB for more fault tolerance

B,C

You have planned to host a web application on AWS. You create an EC2 instance in a public subnet which needs to connect to an EC2 instance that will host an Oracle database. Which steps would ensure a secure setup? (Select 2) A. Place the EC2 instance with the Oracle database in the same public subnet as the Webserver for faster communication B. Place the EC2 instance in a public subnet and the Oracle database in a private subnet C. Create a database security group which allows incoming traffic only from the web server's security group D. Ensure that the database security group allows incoming traffic from 0.0.0.0/0

B,C

When a request is made to an AWS Cloud service, the request is evaluated to decide whether it should be allowed or denied. The evaluation logic follows which of the following rules? (Choose 3) A. An explicit allow overrides any denies B. By default, all requests are denied C. An explicit allow overrides the default D. An explicit deny overrides any allows E. By default, all requests are allowed

B,C,D

An Amazon EC2 instance in an Amazon VPC subnet can send and receive traffic from the Internet when which of the following conditions are met? (Choose 3) A. Network Access Control Lists and security group rules disallow all traffic except relevant Internet traffic B. Network ACLs and security group rules allow relevant Internet traffic C. Attach an Internet Gateway to the Amazon VPC and create a subnet route table to send all non-local traffic to that IGW D. Attach a Virtual Private Gateway to the Amazon VPC and create subnet routes to send all non-local traffic to that VPG E. The Amazon EC2 instance has a public IP address or Elastic IP address F. The Amazon EC2 instance does not need a public IP or Elastic IP when using Amazon VPC

B,C,E

Your company wants to host its secure web application in AWS. The internal security policies consider any connection to or from the web server as insecure and require application data protection. What approaches should you use to protect data in transit for the application? (Choose 2) A. Use BitLocker to encrypt data B. Use HTTPS with server certificate authentication C. Use an AWS IAM role D. Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for database connection E. Use XML for data transfer from client to server

B,D

You lead a team to develop a new online game application in AWS EC2. The application will have a large number of users globally. For a great user experience, this application requires very low network latency and jitter. If the network speed is not fast enough, you will lose customers. Which tool would you choose to improve the application performance? (Select 2) A. AWS VPN B. AWS Global Accelerator C. Direct Connect D. API Gateway E. CloudFront

B,E

A Solutions Architect is designing an online shopping application running in a VPC on EC2 instances behind an Elastic Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application tier must read and write data to a customer-managed database cluster. There should be no access to the database from the Internet but the cluster must be able to obtain software patches from the Internet. Which VPC design meets these requirements? A. Public subnets for both the application tier and the database cluster B. Public subnets for the application tier and private subnets for the database cluster C. Public subnets for both application tier and NAT Gateway and private subnets for the database cluster D. Private subnets for the application tier and private subnets for both the database cluster and NAT Gateway

C

A popular blogging site is planning to save all its data to EFS as a redundancy plan. This database is constantly fetched and updated by client information. You need to ensure that all files saved at EFS using AWS DataSync are validated for data integrity for each packet. Which of the following will ensure fast transfer for data between on-premises and EFS with data integrity done as per security guidelines? A. Enable verification and perform all data transfer B. Enable verification during initial file transfers and disable it post last data transfer C. Disable verification during initial file transfers and enable it post last data transfer D. Disable verification and perform all data transfer

C

A start-up firm is using AWS Organizations for managing policies across its Development and Production accounts. The development account is looking for an EC2 dedicated host that would provide visibility on the number of sockets used. The production account has subscribed to an EC2 dedicated host for its application but is currently not in use. Which of the following can be done to share the Amazon EC2 dedicated host from the Production account to the Development account? A. Remove both Development and Production accounts from organization and then share resources between them B. You can share resources within enabling sharing within an organization C. Share resources as an individual account in an organization D. Remove the destination development account from an organization and then share resources with it

C

A team is building an application that must persist and index JSON data in a highly available data store. The latency of data access must remain consistent despite very high application traffic. Which service would help the team to meet the above requirement? A. Amazon EFS B. Amazon Redshift C. DynamoDB D. AWS CloudFormation

C

Amazon S3 is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency? A. GET after PUT of a new object B. GET or LIST after a DELETE C. GET after overwrite PUT (PUT to an existing key) D. DELETE after GET of new object

C

An application with a 150 GB relational database runs on an EC2 instance. While the application is used infrequently with small peaks in the morning and evening, which storage type would be the most cost-effective option for the above requirement? A. Amazon EBS Provisioned IOPS SSD B. Amazon EBS Throughput Optimized HDD C. Amazon EBS General Purpose SSD D. Amazon EFS

C

Which Amazon EC2 pricing model allows you to pay a set hourly price for compute, giving you full control over when the instance launches and terminates? A. Spot Instance B. Reserved Instance C. On Demand Instance D. Dedicated Instances

C

You are working as an AWS Architect for a start-up company. The company has web servers deployed in all AZs in the eu-central-1 (Frankfurt) region. These web servers have German news and local web content for people accessing these websites within Germany. These web servers have multiple records created for a single domain. The company is looking for a random selection of web servers that will increase its availability. What would be the most appropriate routing policy for this requirement? A. Latency routing policy B. Weighted routing policy C. Multivalue answer routing policy D. Geolocation routing policy

C

You configure an Amazon S3 bucket as the origin for a new CloudFront distribution. You need to restrict access so that users cannot view the files by directly using the S3 URLs. The files should be only fetched through the CloudFront URL. Which method is the most appropriate? A. Configure Signed URLs to serve private content by using CloudFront B. Configure Signed Cookies to restrict access to S3 files C. Create the origin access identity (OAI) and associate it with the distribution D. Configure the CloudFront web distribution to ask viewers to use HTTPS to request S3 objects

C

You have developed a new web application on AWS for a real estate firm. It has a web interface where real estate employees upload photos of newly constructed houses in S3 buckets. Prospective buyers log in to the website and access photos. The marketing team has initiated an intensive marketing event to promote new housing schemes which will lead to customers who frequently access these images. As this is a new application, you have no projection of traffic. You have created Auto Scaling across multiple instance types for these web servers, but you also need to optimize the cost for storage. You don't want to compromise on latency and all images should be downloaded instantaneously without any outage. Which of the following is a recommended storage solution to meet this requirement? A. Use One Zone-IA storage class to store all images B. Use Standard-IA to store all images C. Use S3 Intelligent-Tiering storage class D. Use Standard storage class, use Storage class analytics to identify and move objects using lifecycle policies

C

You have instances hosted in a private subnet in a VPC. There is a need for instances to download updates from the Internet. As an architect, what change would you suggest to the IT Operations team that would also be the most efficient and secure? A. Create a new public subnet and move the instance to that subnet B. Create a new EC2 instance to download the updates separately and then push them to the required instance C. Use a NAT Gateway to allow the instances in the private subnet to download the updates D. Create a VPC link to the internet to allow the instances in the private subnet to download the updates

C

You've implemented AWS Key Management Service to protect your data in your applications and other AWS services. Your global headquarters is in Northern Virginia (US East (N. Virginia)) where you created your keys and have provided the appropriate permissions to designated users and specific roles within your organization. While the N. American users are not having issues, German and Japanese users are unable to get KMS to function. What is the most likely cause of it? A. KMS is only offered in North America B. AWS CloudTrail has not been enabled to log events C. KMS master keys are region-specific and the applications are hitting the wrong API endpoints D. The master keys have been disabled

C

Your company has designed an app and requires it to store data in DynamoDB. The company has registered the app with identity providers so users can sign in using third parties like Google and Facebook. What must be in place such that the app can obtain temporary credentials to access DynamoDB? A. Multi-factor authentication must be used to access DynamoDB B. AWS CloudTrail needs to be enabled to audit usage C. An IAM role allowing the app to have access to DynamoDB D. The user must additionally log into the AWS console to gain database access

C

Your company manages an application that currently allows users to upload images to an S3 bucket. These images are picked up by EC2 instances for processing and then placed in another S3 bucket. You need an area where the metadata for these images can be stored. What would be an ideal data store for this? A. AWS RedShift B. AWS Glacier C. AWS DynamoDB D. AWS SQS

C

Your company needs to provide streaming access to videos to authenticated users around the world. What is a good way to accomplish this? A. Use Amazon S3 buckets in each region with website hosting enabled B. Store the videos on Amazon Elastic Block Store volumes C. Enable Amazon CloudFront with geolocation and signed URLs D. Run a fleet of Amazon EC2 instances to host the videos

C

A company has set up an application in AWS that interacts with DynamoDB. It is required that when an item is modified in a DynamoDB table, immediate entry is made to the associating application. How can this be accomplished? (Choose 2) A. Set up CloudWatch to monitor the DynamoDB table for changes. Then trigger a Lambda function to send the changes to the application. B. Set up CloudWatch Logs to monitor the DynamoDB table for changes. Then trigger AWS SQS to send the changes to the application C. Use DynamoDB streams to monitor the changes to the DynamoDB table D. Trigger a Lambda function to make an associated entry in the application as soon as the DynamoDB streams are modified.

C,D

You are planning to use Docker containers on a cluster of EC2 instances. These EC2 instances will be launched in a VPC and will require access to ECR and S3 to download Docker images and other images respectively. Additionally, the EC2 instances require secure connectivity to the ECS control plane. You have created public and private subnets to launch the EC2 instances. What would be helpful to enable secure connectivity and ensure all container orchestration traffic stays within the VPC? (Choose 2) A. Use AWS PrivateLink to connect to the Amazon S3 buckets for downloading images B. For the instances in the public subnets, use Internet Gateway to access Amazon ECS, ECR, and S3 buckets C. Use a Gateway VPC endpoint to download images from the S3 bucket D. Use AWS PrivateLink to connect to Amazon ECS for control plane connectivity and ECR for downloading Docker images E. For the instances in the private subnets, use NAT to access Amazon ECS, ECR, and S3 F. Use a Gateway VPC Endpoint to connect to Amazon ECS for control plane connectivity and ECR for downloading Docker images

C,D

While reviewing the Auto Scaling events for your application, you notice that your application is scaling up and down multiple times in the same hour. What changes would you suggest in order to optimize costs while preserving elasticity? (Choose 2) A. Modify the Auto Scaling group termination policy to terminate the older instance first B. Modify the Auto Scaling group termination policy to terminate the newest instance first C. Modify the Auto Scaling group cool down timers D. Modify the Auto Scaling group to use Scheduled Scaling actions E. Modify the CloudWatch alarm period that triggers your Auto Scaling scale down policy

C,E

A company has an application that delivers objects from S3 to users. Of late, some users spread across the globe have been complaining of slow response times. Which additional step would help in building a cost-effective solution and ensure that the users get an optimal response to objects from S3? A. Use S3 Replication to replicate the objects to regions closest to the users B. Ensure S3 Transfer Acceleration is enabled to ensure that all users get the desired response times C. Place an ELB in front of S3 to distribute the load across S3 D. Place the S3 bucket behind a CloudFront distribution

D

A company is migrating an on-premises 10 TB MySQL database to AWS. There's a business requirement that the replica lag should be kept under 100 milliseconds. In addition to this requirement, the company expects this database to quadruple in size. Which Amazon RDS engine meets the above requirements? A. MySQL B. Microsoft SQL Server C. Oracle D. Amazon Aurora

D

A global content management company is using Amazon Aurora as a database for scaling millions of documents with high throughput. The Development team has created a new version of the database which needs to be shared with TEST and PRODUCTION accounts within the company which will run their own OLAP queries. The company is using AWS Organizations to manage policies and has consolidated billing across all AWS accounts. Which of the following can be done to share DB clusters with the TEST account? A. Enable sharing for Master account of AWS Organizations and grant access to TEST account sharing DB cluster from its own account as well as DB shared by Production account B. Enable sharing for member accounts of AWS Organizations and grant access to the TEST account sharing DB cluster from its own account C. Enable sharing for Master and member account of AWS Organizations and grant access to TEST account sharing DB cluster from its own account as well as DB shared by Production account D. Enable sharing for Master account of AWS Organizations and grant access to TEST account sharing DB cluster from its own account

D

An application allows a manufacturing site to upload files. Each uploaded 3 GB file is processed to extract metadata, and this process takes a few seconds per file. The frequency at which the uploading happens is unpredictable. For instance, there may be no upload for hours, followed by several files being uploaded concurrently. Which architecture will address this workload in the most cost-efficient manner? A. Use a Kinesis Data Delivery Stream to store the file. Use Lambda for processing. B. Use an SQS queue to store the file, to be accessed by a fleet of EC2 instances. C. Store the file in an EBS volume, which can then be accessed by another EC2 instance for processing. D. Store the file in an S3 bucket. Use Amazon S3 event notification to invoke a Lambda function for file processing.

D

An application team needs to quickly provision a development environment consisting of a web and database layer. What would be the quickest and most ideal way to get this set up in place? A. Create Spot Instances and install the web and database components B. Create Reserved Instances and install the web and database components C. Use AWS Lambda to create the web components and AWS RDS for the database layer D. Use Elastic Beanstalk to quickly provision the environment

D

Under a single AWS account, you have set up an Auto Scaling group with a maximum capacity of 50 Amazon EC2 instances in us-west-2. When you scale out, however, it only increases to 20 Amazon EC2 instances. What is the likely cause? A. Auto Scaling has a hard limit of 20 Amazon EC2 instances B. If not specified, the Auto Scaling group maximum capacity defaults to 20 Amazon EC2 instances C. The Auto Scaling group desired capacity is set to 20, so Auto Scaling stopped at 20 Amazon EC2 instances D. You have exceeded the default Amazon EC2 instance limit of 20 per region

D

Under what circumstances will Amazon EC2 instance store data not be preserved? A. The associated security groups are changed B. The instance is stopped or rebooted C. The instance is rebooted or terminated D. The instance is stopped or terminated E. None of the above

D

What Amazon Relational Database Service (Amazon RDS) feature provides the high availability for your database? A. Regular maintenance windows B. Security groups C. Automated backups D. Multi-AZ deployment

D

What must you do to create a record of who accessed your Amazon S3 data and from where? A. Enable Amazon CloudWatch logs B. Enable versioning on the bucket C. Enable website hosting on the bucket D. Enable server access logs on the bucket E. Create an AWS IAM bucket policy

D

Which of the following statements about Amazon DynamoDB secondary indexes is true? A. There can be many per table, and they can be created at any time B. There can only be one per table, and it must be created when the table is created C. There can be many per table, and they can be created at any time. D. There can only be one per table, and it must be created when the table is created

D

You are an AWS Solutions Architect. Your company has a successful web application deployed in an AWS Auto Scaling group. The application attracts more and more global customers. However, the application's performance is impacted. Your manager asks you how to improve the performance and availability of the application. Which of the following AWS services would you recommend? A. AWS DataSync B. Amazon DynamoDB Accelerator C. AWS Lake Formation D. AWS Global Accelerator

D

You are deploying an application on Amazon EC2 that must call AWS APIs. Which method would you use to securely pass the credentials to the application? A. Pass API credentials to the instance using instance user data B. Store API credentials as an object in Amazon S3 C. Embed the API credentials into your application D. Assign IAM roles to the EC2 instances

D

You are working as an AWS Architect for a start-up company. The company has a two-tier production website on AWS with web servers in the front end and database servers in the back end. A third-party firm has been looking after the operations of these database servers. They need to access these database servers in private subnets on the SSH port. As per the standard operating procedure provided by the Security team, all access to these servers should be over a secure layer. What will be the best solution to meet these requirements? A. Deploy bastion hosts in private subnet B. Deploy NAT instance in private subnet C. Deploy NAT instance in public subnet D. Deploy bastion hosts in public subnet

D

You are working as an AWS consultant for a start-up company. They have developed a web application for their employees to share files with external vendors securely. They created an Auto Scaling group for the web servers which requires two m4.large EC2 instances running at all times, scaling up to a maximum of 12 instances. Post-deployment of the application, a huge rise in cost was observed. Due to a limited budget, the CTO has requested your advice to optimize the usage of instances in the Auto Scaling groups. What would you suggest to reduce costs without any adverse impact on the performance? A. Create an Auto Scaling group with t2.micro On-Demand instances B. Create an Auto Scaling group with a mix of On-Demand and Spot Instances. Select the On-Demand base as zero. Above On-Demand base, select 100% of On-Demand instances and 0% of Spot Instances C. Create an Auto Scaling group with all Spot Instances D. Create an Auto Scaling group with a mix of On-Demand and Spot Instances. Select the On-Demand base as 2. Above On-Demand base, select 20% of On-Demand instances and 80% of Spot Instances.

D

You currently have the following architecture in AWS: a. A couple of EC2 instances located in us-west-2a b. The EC2 instances are launched via an Auto Scaling group c. The EC2 instances sit behind a Classic ELB Which additional step would ensure that the above architecture conforms to a well-architected framework? A. Convert the Classic ELB to an Application ELB B. Add an additional Auto Scaling Group C. Add additional EC2 instances to us-west-2a D. Add or spread existing instances across multiple Availability Zones

D

You have a web application hosted on an EC2 instance in AWS which is being accessed by users across the globe. The Operations team has been receiving support requests about extreme slowness from users in some regions. What can be done to the architecture to improve the response time for these users? A. Add more EC2 instances to support the load B. Change the instance type to a higher instance type C. Add Route 53 health checks to improve the performance D. Place the EC2 instance behind CloudFront

D

You have an RDS instance in a VPC. In the same AWS account, there is an EC2-Classic instance that does not belong to any VPC. The EC2 instance needs to communicate with the RDS instance using its private IPv4 address. Which method would you use? A. Modify the security group of the RDS instance to allow the incoming traffic from the EC2-Classic instance B. Attach a security group to the EC2 instance to allow all outgoing traffic C. Enable PrivateLink for the VPC and link the EC2-Classic instance D. Enable ClassicLink for the VPC and link the EC2 instance to the VPC

D

You have an application that has been dockerized. You plan to deploy the application in an AWS ECS cluster. As the application gets configuration files from an S3 bucket, the ECS containers should have the AmazonS3ReadOnlyAccess permission. What is the correct method to configure the IAM permission? A. Add an environment variable to the ECS cluster configuration to allow the S3 read-only access B. Add the AmazonS3ReadOnlyAccess permission to the IAM entity that creates the ECS cluster C. Modify the user data of ECS instances to assume an IAM role that has the AmazonS3ReadOnlyAccess permission D. Attach the AmazonS3ReadOnlyAccess policy to the ECS container instance IAM role. Use this role when creating the ECS cluster.

D

You have designed an application that uses AWS resources, such as S3 to operate and store users' documents. You currently use Cognito identity pools and user pools. To increase usage and ease of signing up, you decide that adding social identity federation is the best path forward. How would you differentiate the Cognito identity pool and the federated identity providers? A. They are the same and just called different things. B. First, you sign-in via Cognito then through a federated site like Google C. Federated identity providers and identity pools are used to authenticate services D. Sign-in via AWS Cognito User Pool and sign-in via AWS Cognito Identity Pool are independent of one another.

D

You own a MySQL RDS instance in AWS Region us-east-1. The instance has a Multi-AZ instance in another availability zone for high availability. As business grows, there are more and more clients coming from Europe (eu-west-2) and most of the database workload is read-only. What is the proper way to reduce the load on the source RDS instance? A. Create a snapshot of the instance and launch a new instance in eu-west-2 B. Promote the Multi-AZ instance to be a Read Replica and move the instance to eu-west-2 region C. Configure a read-only Multi-AZ instance in eu-west-2 as Read Replicas cannot span across regions D. Create a read replica in the AWS region eu-west-2

D

Your company has a set of EC2 instances hosted in AWS. It is mandatory to prepare for disasters and come up with the necessary disaster recovery procedures. What would be helpful in mitigating the effects of a disaster for the EC2 instances? A. Place an ELB in front of the EC2 instances B. Use Auto Scaling to ensure that the minimum number of instances are always running C. Use CloudFront in front of the EC2 instances D. Use AMIs to recreate the EC2 instances in another region

D

You have an application running in us-west-2 that requires 6 EC2 instances running at all times. With 3 Availability Zones in the region viz. us-west-2a, us-west-2b, and us-west-2c, which of the following deployments provides fault tolerance if an Availability Zone in us-west-2 becomes unavailable (Choose 2) A. 2 EC2 Instances in us-west-2a, 2 EC2 Instances in us-west-2b, and 2 EC2 Instances in us-west-2c B. 3 EC2 instances in us-west-2a, 3 EC2 instances in us-west-2b, and no EC2 instances in us-west-2c C. 4 EC2 instances in us-west-2a, 2 EC2 instances in us-west-2b, and 2 EC2 instances in us-west-2c D. 6 EC2 instances in us-west-2a, 6 EC2 instances in us-west-2b, and no EC2 instances in us-west-2c E. 3 EC2 instances in us-west-2a, 3 EC2 instances in us-west-2b, and 3 EC2 instances in us-west-2c

D,E

