AWS Solutions Architect Test 2

You would like to use Snowball to move on-premises backups into a long term archival tier on AWS. Which solution provides the MOST cost savings?

-Create a Snowball job and target an S3 bucket. Create a lifecycle policy to immediately move data to Glacier Deep Archive

Which of the following IAM policies provides read-only access to the S3 bucket mybucket and its content?

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:ListBucket" ], "Resource":"arn:aws:s3:::mybucket" }, { "Effect":"Allow", "Action":[ "s3:GetObject" ], "Resource":"arn:aws:s3:::mybucket/*" } ] } (s3:ListBucket is applied to buckets, so the ARN is in the form "Resource":"arn:aws:s3:::mybucket", without a trailing / s3:GetObject is applied to objects within the bucket, so the ARN is in the form "Resource":"arn:aws:s3:::mybucket/*", with a trailing /* to indicate all objects within the bucket mybucket)

A financial services firm uses a high-frequency trading system and wants to write the log files into Amazon S3. The system will also read these log files in parallel on a near real-time basis. The engineering team is apprehensive of any data discrepancies that might arise when the trading system overwrites an existing log file and then tries to read that specific log file. Which of the following options BEST describes the given scenario?

-A process replaces an existing object and immediately tries to read it. Amazon S3 always returns the latest version of the object

A media publishing company is looking at moving their on-premises infrastructure to AWS Cloud. Their flagship application uses a massive PostgreSQL database and the engineering team would like to retain control over managing the patches, version upgrades for the database, and consistent performance with high IOPS. The team wants to install the database on an EC2 instance with the optimal storage type on the attached EBS volume. As a solutions architect, which of the following configurations would you suggest to the engineering team?

-Amazon EC2 with EBS volume of Provisioned IOPS SSD (io1) type (Provision IOPS type supports critical business applications that require sustained IOPS performance, or more than 16,000 IOPS or 250 MiB/s of throughput per volume. Examples are large database workloads, such as: MongoDB Cassandra Microsoft SQL Server MySQL PostgreSQL Oracle)

A financial services company has to retain the activity logs for each of their customers to meet regulatory and compliance guidelines. Depending on the business line, the company wants to retain the logs for 5-10 years in highly available and durable storage on AWS. The overall data size is expected to be in PetaBytes. In case of an audit, the data would need to be accessible within a timeframe of up to 48 hours. Which AWS storage option is the MOST cost-effective for the given compliance requirements?

-Amazon S3 Glacier Deep Archive (S3 Glacier Deep Archive is up to 75% less expensive than S3 Glacier and provides retrieval within 12 hours using the Standard retrieval speed. You may also reduce retrieval costs by selecting Bulk retrieval, which will return data within 48 hours.)

A cybersecurity company uses a fleet of EC2 instances to run a proprietary application. The infrastructure maintenance group at the company wants to be notified via an email whenever the CPU utilization for any of the EC2 instances breaches a certain threshold. Which of the following services would you use for building a solution with the LEAST amount of development effort? (Select two)

-Amazon SNS (how the email happens) -Amazon CloudWatch (how to know when CPU breaches threshold)

A social photo-sharing web application is hosted on EC2 instances behind an Elastic Load Balancer. The app gives the users the ability to upload their photos and also shows a leaderboard on the homepage of the app. The uploaded photos are stored in S3 and the leaderboard data is maintained in DynamoDB. The EC2 instances need to access both S3 and DynamoDB for these features. As a solutions architect, which of the following solutions would you recommend as the MOST secure option?

-Attach the appropriate IAM role to the EC2 instance profile so that the instance can access S3 and DynamoDB (Instead, you should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use a role, you don't have to distribute long-term credentials (such as a username and password or access keys) to an EC2 instance)

The engineering team at an IT company is deploying an Online Transactional Processing (OLTP) application, which will have unpredictable spikes of usage, that they do not know in advance. Which database would you recommend using?

-Aurora Serverless (on-demand, auto-scaling configuration for Amazon Aurora (MySQL-compatible and PostgreSQL-compatible editions), where the database will automatically start up, shut down, and scale capacity up or down based on your application's needs)

An e-commerce website hosted on an EC2 instance consumes messages from an SQS queue which has records for pending orders. The SQS queue has a visibility timeout of 30 minutes. The EC2 instance sends out an email once an order has been processed. The development team observes that 12 emails have been sent but only 4 orders have been placed. As a solutions architect, which of the following options would you choose to describe this issue?

-Because of a configuration issue, the consumer application is not deleting the messages in the SQS queue after it has processed them (It is the consumer application's responsibility to process the message from the queue and delete them once the processing is done. Otherwise, the message will be processed repeatedly by consumer applications. The SQS queue will not delete any messages unless the default retention period of 4 days is over.)

A Hollywood studio is planning a series of promotional events leading up to the launch of the trailer of its next sci-fi thriller. The executives at the studio want to create a static website with lots of animations in line with the theme of the movie. The studio has hired you as a solutions architect to build a scalable serverless solution. Which of the following represents the MOST cost-optimal and high-performance solution?

-Build the website as a static website hosted on Amazon S3. Create a CloudFront distribution with Amazon S3 as the origin. Use Amazon Route 53 to create an alias record that points to your CloudFront distribution

The DevOps team at a leading social media company uses AWS OpsWorks, which is a fully managed configuration management service. OpsWorks eliminates the need to operate your configuration management systems or worry about maintaining its infrastructure. Can you identify the configuration management tools for which OpsWorks provides managed instances? (Select two)

-Chef -Puppet (OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed and managed across your Amazon EC2 instances or on-premises compute environments.)

Your e-commerce application is using an RDS PostgreSQL database and an analytics workload also runs on the same database. When the analytics workload is run, your e-commerce application slows down which further affects your sales. Which of the following is the MOST cost-optimal solution to fix this issue?

-Create a Read Replica in the same AZ as the Master database and point the analytics workload there (Creating a Read Replica is the answer. As we want to minimize the costs, we need to launch the Read Replica in the same AZ, because we have to pay for inter-AZ data transfer, whereas the transfer of data within a single AZ is free.) Amazon RDS Read Replicas provide enhanced performance and durability for RDS database (DB) instances. They make it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads)

You have multiple AWS accounts within a single AWS Region managed by AWS Organizations and you would like to ensure all EC2 instances in all these accounts can communicate privately. Which of the following solutions provides the capability at the CHEAPEST cost?

-Create a VPC in an account and share one or more of its subnets with the other accounts using Resource Access Manager (AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with RAM. The correct solution is to share the subnet(s) within a VPC using RAM. This will allow all EC2 instances to be deployed in the same VPC (although from different accounts) and easily communicate with one another.) -Transit gateway would have worked but is not the CHEAPEST option

An Industrial Appliances company has just moved a significant percentage of its existing workloads to the AWS Cloud, and all departments now use some AWS solutions. Although these changes have helped the company to become more flexible, but the DevOps team still needs to ramp up on IT security. Currently, the team wants to enable a highly available architecture for a bastion host solution. As a solutions architect, which of the following options would you recommend as the solution?

-Create a public Network Load Balancer that links to EC2 instances that are bastion hosts managed by an ASG (You need to remember that Bastion Hosts are using the SSH protocol, which is a TCP based protocol on port 22. They must be publicly accessible. Here, the correct answer is to use a Network Load Balancer, which supports TCP traffic, and will automatically allow you to connect to the EC2 instance in the backend.)

You would like to deploy an application behind an Application Load Balancer, that will have some Auto Scaling capability and efficiently leverage a mix of Spot Instances and On-Demand instances to meet demand. What do you recommend to manage the instances?

-Create an ASG with a launch template (Launch Templates do support a mix of On-Demand and Spot instances, and thanks to the ASG, we get auto-scaling capabilities)

To improve the performance and security of the application, the engineering team at a company has created a CloudFront distribution with an Application Load Balancer as the custom origin. The team has also set up a Web Application Firewall (WAF) with CloudFront distribution. The security team at the company has noticed a surge in malicious attacks from a specific IP address to steal sensitive data stored on the EC2 instances. As a solutions architect, which of the following actions would you recommend to stop the attacks?

-Create an IP match condition in the WAF to block the malicious IP address (If you want to allow or block web requests based on the IP addresses that the requests originate from, create one or more IP match conditions. An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. So, this option is correct.)

A social photo-sharing company is storing user profile pictures in an S3 bucket and an image analysis application is deployed on four EC2 instances. A solutions architect would like to trigger an image analysis procedure only on one of the four EC2 instances for each photo uploaded. What do you recommend?

-Create an S3 Event Notification that sends a message to an SQS queue. Make the EC2 instances read from the SQS queue

You are looking to build an index of your files in S3, using Amazon RDS PostgreSQL. To build this index, it is necessary to read the first 250 bytes of each object in S3, which contains some metadata about the content of the file itself. There are over 100,000 files in your S3 bucket, amounting to 50TB of data. How can you build this index efficiently?

-Create an application that will traverse the S3 bucket, issue a Byte Range Fetch for the first 250 bytes, and store that information in RDS

You are deploying a critical monolith application that must be deployed on a single web server, as it hasn't been created to work in distributed mode. Still, you want to make sure your setup can automatically recover from the failure of an AZ. Which of the following solutions is the MOST cost-efficient? (Select three)

-Create an auto-scaling group that spans across 2 AZ, which min=1, max=1, desired=1 (So we have an ASG with desired=1, across two AZ, so that if an instance goes down, it is automatically recreated in another AZ) -Create an Elastic IP and use the EC2 user-data script to attach it (Now, between the ALB and the Elastic IP. If we use an ALB, things will still work, but we will have to pay for the provisioned ALB which sends traffic to only one EC2 instance. Instead, to minimize costs, we must use an Elastic IP) -Assign an EC2 Instance Role to perform the necessary API calls (For that Elastic IP to be attached to our EC2 instance, we must use an EC2 user data script, and our EC2 instance must have the correct IAM permissions to perform the API call, so we need an EC2 instance role.)

An application is currently hosted on four EC2 instances (behind Application Load Balancer) deployed in a single Availability Zone (AZ). To maintain an acceptable level of end-user experience, the application needs at least 4 instances to be always available. As a solutions architect, which of the following would you recommend so that the application achieves high availability with MINIMUM cost?

-Deploy the instances in three Availability Zones. Launch two instances in each Availability Zone (The correct option is to deploy the instances in three Availability Zones and launch two instances in each Availability Zone. Even if one of the AZs goes out of service, still we shall have 4 instances available and the application can maintain an acceptable level of end-user experience. Therefore, we can achieve high availability with just 6 instances in this case.)

An IT company is working on a client project to build a Supply Chain Management application. The web-tier of the application runs on an EC2 instance and the database tier is on Amazon RDS MySQL. For beta testing, all the resources are currently deployed in a single Availability Zone. The development team wants to improve application availability before the go-live. Given that all end users of the web application would be located in the US, which of the following would be the MOST resource-efficient solution?

-Deploy the web-tier EC2 instances in two Availability Zones, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in Multi-AZ configuration (As Elastic Load Balancing does not work across regions!!!.)

You are building an application that will be deployed on 10 EC2 instances using Amazon Linux 2 AMI. The application needs access to a shared network file system that is POSIX compliant. What do you recommend?

-EFS (POSIX compliant)

You would like to mount a network file system on Linux instances, where files will be stored and accessed frequently at first, and then infrequently. What solution is the MOST cost-effective?

-EFS IA (Amazon EFS Infrequent Access (EFS IA) is a storage class that provides price/performance that is cost-optimized for files, not accessed every day, with storage prices up to 92% lower compared to Amazon EFS Standard. CANT MOUNT A NFS ON S3)

Researchers at a pharma company are working on developing a vaccine for the COVID-19 pandemic. They have identified multiple candidates as potential vaccines and they need to analyze healthcare data of individuals in the US to identify the first batch of recipients for the initial trials. For faster processing, the data processing application needs to parse through this healthcare data in an in-memory database that is highly available as well as HIPAA compliant. As a solutions architect, which of the following AWS services would you recommend for this task?

-ElastiCache for Redis (HIPAA compliant)

Your company has an on-premises Distributed File System Replication (DFSR) service to keep files synchronized on multiple Windows servers, and would like to migrate to AWS cloud. What do you recommend as a replacement for the DFSR?

-FSx for Windows (FSx for Windows is a perfect distributed file system, with replication capability, and can be mounted on Windows.)

You have a team of developers in your company, and you would like to ensure they can quickly experiment with AWS Managed Policies by attaching them to their accounts, but you would like to prevent them from doing an escalation of privileges, by granting themselves the AdministratorAccess managed policy. How should you proceed?

-For each developer, define an IAM permission boundary that will restrict the managed policies they can attach to themselves (Here we have to use an IAM permission boundary. They can only be applied to roles or users, not IAM groups.)

A silicon valley based startup has a two-tier architecture using EC2 instances for its flagship application. The web servers (listening on port 443), which have been assigned security group A, are in public subnets across two Availability Zones and the MSSQL based database instances (listening on port 1433), which have been assigned security group B, are in two private subnets across two Availability Zones. The DevOps team wants to review the security configurations of the application architecture. As a solutions architect, which of the following options would you select as the MOST secure configuration? (Select two)

-For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 1433 -For security group B: Add an inbound rule that allows traffic only from security group A on port 1433

What is true about RDS Read Replicas encryption?

-If the master database is encrypted, the read replicas are encrypted (On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots)

A tax computation software runs on Amazon EC2 instances behind a Classic Load Balancer. The instances are managed by an Auto Scaling Group. The tax computation software has an optimization module, which can take up to 10 minutes to find the optimal answer. How do you ensure that when the Auto Scaling Group initiates a scale-in event, the users do not see their current requests interrupted?

-Increase the deregistration delay to more than 10 minutes (Elastic Load Balancing stops sending requests to targets that are deregistering. By default, Elastic Load Balancing waits 300 seconds before completing the deregistration process, which can help in-flight requests to the target to complete. We need to update this value to more than 10 minutes to allow our tax software to complete in-flight requests.)

The DevOps team at a startup has provisioned a new EC2 instance A by choosing all default options in the AWS management console. The team can ping instance A from other instances in the VPC. The other instances were also created using the default options. The next day, the team launches another instance B by creating a new security group and attaching it to instance B. All other configuration options for instance B are chosen as default. However, the team is not able to ping instance B from other instances in the VPC. Could you help the team identify the root cause of the issue?

-Instance A is in the default security group. The default rules for the default security group allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. Instance B is in a new security group. The default rules for a security group that you create allow no inbound traffic

What does this IAM policy do? { "Version": "2012-10-17", "Statement": [ { "Sid": "Mystery Policy", "Action": [ "ec2:RunInstances" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "eu-west-1" } } } ] }

-It allows running EC2 instances only in the eu-west-1 region, and the API call can be made from anywhere in the world (aws:RequestedRegion represents the target of the API call. So in this example, we can only launch EC2 instances in eu-west-1, and we can do this API call from anywhere.

What does this IAM policy do? { "Version": "2012-10-17", "Statement": [ { "Sid": "Mystery Policy", "Action": [ "ec2:RunInstances" ], "Effect": "Allow", "Resource": "*", "Condition": { "IpAddress": { "aws:SourceIp": "34.50.31.0/24" } } } ] }

-It allows starting EC2 instances only when the IP where the call originates is within the 34.50.31.0/24 CIDR block

An IT company is working on client engagement to build a real-time data analytics tool for the Internet of Things (IoT) data. The IoT data is funneled into Kinesis Data Streams which further acts as the source of a delivery stream for Kinesis Firehose. The engineering team has now configured a Kinesis Agent to send IoT data from another set of devices to the same Firehose delivery stream. They noticed that data is not reaching Firehose as expected. As a solutions architect, which of the following options would you attribute as the MOST plausible root cause behind this issue?

-Kinesis Agent cannot write to a Kinesis Firehose for which the delivery stream source is already set as Kinesis Data (When a Kinesis data stream is configured as the source of a Firehose delivery stream, Firehose's PutRecord and PutRecordBatch operations are disabled and Kinesis Agent cannot write to Firehose delivery stream directly. Data needs to be added to the Kinesis data stream through the Kinesis Data Streams PutRecord and PutRecords operations instead.)

A financial services company is looking to transition its IT infrastructure from on-premises to AWS Cloud. They are moving towards a single log processing model for all their log files (consisting of system logs, application logs, database logs, etc) that can be processed in a serverless fashion and then durably stored for downstream analytics. They want to use an AWS managed service that automatically scales to match the throughput of the log data and requires no ongoing administration. As a solutions architect, which of the following AWS services would you recommend solving this problem?

-Kinesis Data Firehose (the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools. THROUGHPUT)

A weather forecast agency collects key weather metrics across multiple cities in the US and sends this data in the form of key-value pairs to AWS Cloud at a one-minute frequency. As a solutions architect, which of the following AWS services would you use to build a solution for processing and reliably storing this data with high availability? (Select two)

-Lambda -DynamoDB (AWS Lambda can be combined with DynamoDB to process and capture the key-value data from the IoT sources described in the use-case.)

A big-data consulting firm is working on a client engagement where the ETL workloads are currently handled via a Hadoop cluster deployed in the on-premises data center. The client wants to migrate their ETL workloads to AWS Cloud. The AWS Cloud solution needs to be highly available with about 50 EC2 instances per Availability Zone. As a solutions architect, which of the following EC2 placement groups would you recommend handling the distributed ETL workload?

-Partition placement group (up to 100 instances per group per AZ)

An IT company wants to optimize the costs incurred on its fleet of 100 EC2 instances for the next year. Based on historical analyses, the engineering team observed that 70 of these instances handle the compute services of its flagship application and need to be always available. The other 30 instances are used to handle batch jobs that can afford a delay in processing. As a solutions architect, which of the following would you recommend as the MOST cost-optimal solution?

-Purchase 70 reserved instances and 30 spot instances

An application runs big data workloads on EC2 instances. The application needs at least 20 instances to maintain a minimum acceptable performance threshold and the application needs 300 instances to handle spikes in the workload. Based on historical workloads processed by the application, it needs 80 instances 80% of the time. As a solutions architect, which of the following would you recommend as the MOST cost-optimal solution so that it can meet the workload demand in a steady state?

-Purchase 80 reserved instances. Provision additional on-demand and spot instances per the workload demand (Use Auto Scaling Group with launch template to provision the mix of on-demand and spot instances)

You would like to migrate an AWS account from an AWS Organization A to an AWS Organization B. What are the steps do to it?

-Remove the member account from the old organization. Send an invite to the new organization. Accept the invite to the new organization from the member account

A popular real estate website in the United States provides the latest market information to tens of millions of buyers and sellers every day. A primary feature of the website is the home-valuation tool that provides buyers and sellers with the estimated market value for a specific home. The inputs to the home-valuation tool are updated via a flexible nightly process which runs for 1 hour using Python and is currently running on-premises. It needs to be migrated to AWS. Which of the following options do you recommend as the MOST cost-effective solution?

-Run on a Spot Instance with Spot Block (A Spot Instance is an unused EC2 instance that is available for less than the On-Demand price. Spot Instances with a defined duration (also known as Spot blocks) are designed not to be interrupted and will run continuously for the duration you select. This makes them ideal for jobs that take a finite time to complete, such as batch processing, encoding and rendering, modeling and analysis, and continuous integration. -Running our load on a Spot Instance with Spot Block sounds like the perfect use case, as we can block the spot instance for 1 hour, run the script there, and then the instance will be terminated.) Why Lambda is wrong: Lambda would be the perfect fit if our script could run in less than 15 minutes, as this is the maximum timeout for Lambda.

Your company has a monthly big data workload, running for about 2 hours, which can be efficiently distributed across various servers of various sizes, with a variable number of CPU, and that can withstand server failures. Which is the MOST cost-optimal solution for this workload?

-Run the workload on a Spot Fleet (The Spot Fleet selects the Spot Instance pools that meet your needs and launches Spot Instances to meet the target capacity for the fleet. SELECTING IN ADVANCE )

You would like to store a database password in a secure place, and enable automatic rotation of that password every 90 days. What do you recommend?

-Secrets Manager (AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.)

A junior DevOps engineer wants to change the default configuration for EBS volume termination. By default, the root volume of an EC2 instance for an EBS-backed AMI is deleted when the instance terminates. Which option below helps change this default behavior to ensure that the volume persists even after the instance terminates?

-Set the DeleteOnTermination attribute to false

A medium-sized business has a taxi dispatch application deployed on an EC2 instance. Because of an unknown bug, the application causes the instance to freeze regularly. Then, the instance has to be manually restarted via the AWS management console. Which of the following is the MOST cost-optimal and resource-efficient way to implement an automated solution until a permanent fix is delivered by the development team?

-Setup a CloudWatch alarm to monitor the health status of the instance. In case of an Instance Health Check failure, an EC2 Reboot CloudWatch Alarm Action can be used to reboot the instance (You can create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically reboots the instance. The reboot alarm action is recommended for Instance Health Check failures (as opposed to the recover alarm action, which is suited for System Health Check failures).)

A big data consulting firm needs to set up a data lake on Amazon S3 for a Health-Care client. The data lake is split in raw and refined zones. For compliance reasons, the source data needs to be kept for a minimum of 5 years. The source data arrives in the raw zone and is then processed via an AWS Glue based ETL job into the refined zone. The business analysts run ad-hoc queries only on the data in the refined zone using AWS Athena. The team is concerned about the cost of data storage in both the raw and refined zones as the data is increasing at a rate of 1TB daily in each zone. As a solutions architect, which of the following would you recommend as the MOST cost-optimal solution? (Select two)

-Setup a lifecycle policy to transition the raw zone data into Glacier Deep Archive after 1 day of object creation -Use Glue ETL job to write the transformed data in the refined zone using a compressed file format (You cannot transition the refined zone data into Glacier Deep Archive because it is used by the business analysts for ad-hoc querying. Therefore, the best optimization is to have the refined zone data stored in a compressed format via the Glue job. The compressed data would reduce the storage cost incurred on the data in the refined zone.)

A silicon valley based startup has a content management application with the web-tier running on EC2 instances and the database tier running on Amazon Aurora. Currently, the entire infrastructure is located in us-east-1 region. The startup has 90% of its customers in the US and Europe. The engineering team is getting reports of deteriorated application performance from customers in Europe with high application load time. As a solutions architect, which of the following would you recommend addressing these performance issues? (Select two)

-Setup another fleet of EC2 instances for the web tier in the eu-west-1 region. Enable latency routing policy in Route 53 (Use latency based routing when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the lowest latency) -Create Amazon Aurora read replicas in the eu-west-1 region (Amazon Aurora read replicas can be used to scale out reads across regions. This will improve the application performance for users in Europe)

One of the largest biotechnology companies in the world uses Amazon S3 to store and protect terabytes of critical research data for its AWS based Drug Discovery application, which allows thousands of universities to collaborate. The engineering team wants to publish an event into an SQS queue whenever a new research paper is uploaded on S3. Which of the following statements are true regarding this functionality?

-Standard SQS queue is only allowed as an Amazon S3 event notification destination, whereas FIFO SQS queue is not allowed (The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. Currently, the Standard SQS queue is only allowed as an Amazon S3 event notification destination, whereas the FIFO SQS queue is not allowed.)

Upon a security review of your AWS account, an AWS consultant has found that a few RDS databases are un-encrypted. As a Solutions Architect, what steps must be taken to encrypt the RDS databases?

-Take a snapshot of the database, copy it as an encrypted snapshot, and restore a database from the encrypted snapshot. Terminate the previous database (You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. So this is the correct option.)

The engineering team at a startup is running a Proof-of-Concept to move their business to AWS Cloud. The team wants to store business-critical data on Elastic Block Storage (EBS) volumes which provide persistent storage independent of EC2 instances. During a test run, the team found out that on terminating an Amazon EC2 instance, the attached Elastic Block Storage (EBS) volume was also lost, which was contrary to their assumptions. As a solutions architect, could you explain this issue?

-The EBS volume was configured as the root volume of the Amazon EC2 instance. On termination of the instance, the default behavior is to also terminate the attached root volume (By default, the root volume for an AMI backed by Amazon EBS is deleted when the instance terminates. You can change the default behavior to ensure that the volume persists after the instance terminates. Non-root EBS volumes remain available even after you terminate an instance to which the volumes were attached.)

An HTTP application is deployed on an Auto Scaling Group, is accessible from an Application Load Balancer that provides HTTPS termination, and accesses a PostgreSQL database managed by RDS. How should you configure the security groups? (Select three)

-The security group of RDS should have an inbound rule from the security group of the EC2 instances in the ASG on port 5432 -The security group of the EC2 instances should have an inbound rule from the security group of the ALB on port 80 -The security group of the ALB should have an inbound rule from anywhere on port 443

A company has many VPC in various accounts, that need to be connected in a star network with one another and connected with on-premises networks through Direct Connect. What do you recommend?

-Transit Gateway (AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway into each Amazon VPC, on-premises data center, or remote office across your network. Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes. So, this is a perfect use-case for the Transit Gateway.)

An IT company has an Access Control Management (ACM) application that uses Amazon RDS for MySQL but is running into performance issues despite using Read Replicas. The company has hired you as a solutions architect to address these performance-related challenges on an urgent basis without moving away from the underlying relational database schema. The company has branch offices across the world, and it needs the solution to work on a global scale. Which of the following will you recommend as the MOST cost-effective and high-performance solution?

-Use Amazon Aurora Global Database to enable fast local reads with low latency in each region (Amazon Aurora Global Database is designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS regions. It replicates your data with no impact on database performance, enables fast local reads with low latency in each region, and provides disaster recovery from region-wide outages)

A large news agency uses Amazon S3 for centralized storage of the static media assets such as video reports. Reporters typically upload and download video files (about 500MB each) to the same S3 bucket as part of their day to day work. As the agency has started running offices from remote branches, it has resulted in poor latency for accessing and uploading data to/from S3. The agency wants to continue with the serverless solution for its storage requirements but wants to improve the performance. As a solutions architect, which of the following solutions do you propose to address this issue? (Select two)

-Use Amazon CloudFront distribution with origin as the S3 bucket. This would speed up uploads as well as downloads for the video files -Enable Amazon S3 Transfer Acceleration for the S3 bucket. This would speed up uploads as well as downloads for the video files

A Machine Learning research group uses a proprietary computer vision application hosted on an EC2 instance. Every time the instance needs to be stopped and started again, the application takes about 3 minutes to start as some auxiliary software programs need to be executed so that the application can function. The research group would like to minimize the application boostrap time whenever the system needs to be stopped and then started at a later point in time. As a solutions architect, which of the following solutions would you recommend for this use-case?

-Use EC2 Instance Hibernate (By using EC2 hibernate, we have the capability to resume it at any point of time, with the application already launched, thus helping us cut the 3 minutes start time.)

You have an in-memory database launched on an EC2 instance and you would like to be able to stop and start the EC2 instance without losing the in-memory state of your database. What do you recommend?

-Use EC2 Instance Hibernate (When you hibernate an instance, AWS signals the operating system to perform hibernation (suspend-to-disk). Hibernation saves the contents from the instance memory (RAM) to your Amazon EBS root volume. AWS then persists the instance's Amazon EBS root volume and any attached Amazon EBS data volumes. When you start your instance: The Amazon EBS root volume is restored to its previous state The RAM contents are reloaded The processes that were previously running on the instance are resumed Previously attached data volumes are reattached and the instance retains its instance ID)

A global media company uses a fleet of EC2 instances (behind an Application Load Balancer) to power its video streaming application. To improve the performance of the application, the engineering team has also created a CloudFront distribution with the Application Load Balancer as the custom origin. The security team at the company has noticed a spike in the number and types of SQL injection and cross-site scripting attack vectors on the application. As a solutions architect, which of the following solutions would you recommend as the MOST effective in countering these malicious attacks?

-Use Web Application Firewall (WAF) with CloudFront distribution (AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.)

Your application is deployed on EC2 instances fronted by an Application Load Balancer. Recently, your infrastructure has come under attack. Attackers perform over 100 requests per second, while your normal users only make about 5 requests per second. How can you efficiently prevent attackers from overwhelming your application?

-Use a Web Application Firewall and setup a rate-based rule (AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.)

The infrastructure team at a company maintains 5 different VPCs (let's call these VPCs A, B, C, D, E) for resource isolation. Due to the changed organizational structure, the team wants to interconnect all VPCs together. To facilitate this, the team has set up VPC peering connections between VPC A and all other VPCs in a hub and spoke model with VPC A at the center. However, the team has still failed to establish connectivity between all VPCs. As a solutions architect, which of the following would you recommend as the MOST resource-efficient and scalable solution?

-Use a transit gateway to interconnect the VPCs (Instead of using VPC peering, you can use an AWS Transit Gateway that acts as a network transit hub, to interconnect your VPCs or connect your VPCs with on-premises networks.)

You are establishing a monitoring solution for desktop systems, that will be sending telemetry data into AWS every 1 minute. Data for each system must be processed in order, independently, and you would like to scale the number of consumers to be possibly equal to the number of desktop systems that are being monitored. What do you recommend?

-Use an SQS FIFO queue, and make sure the telemetry data is sent with a Group ID attribute representing the value of the Desktop ID

You have deployed a database technology that has a synchronous replication mode to survive disasters in data centers. The database is therefore deployed on two EC2 instances in two Availability Zones. The database must be publicly available so you have deployed the EC2 instances in public subnets. The replication protocol currently uses the EC2 public IP addresses. What can you do to decrease the replication cost?

-Use the EC2 instances private IP for the replication (The source of the cost is that traffic between two EC2 instances is going over the public internet, thus incurring high costs. Here, the correct answer is to use Private IP, so that the network remains private, for a minimal cost.)

A startup has just developed a video backup service hosted on a fleet of EC2 instances. The EC2 instances are behind an Application Load Balancer and the instances are using EBS volumes for storage. The service provides authenticated users the ability to upload videos that are then saved on the EBS volume attached to a given instance. On the first day of the beta launch, users start complaining that they can see only some of the videos in their uploaded videos backup. Every time the users log into the website, they claim to see a different subset of their uploaded videos. Which of the following is the MOST optimal solution to make sure that users can view all the uploaded videos? (Select two)

-Write a one time job to copy the videos from all EBS volumes to S3 and then modify the application to use Amazon S3 standard for storing the videos -Mount EFS on all EC2 instances. Write a one time job to copy the videos from all EBS volumes to EFS. Modify the application to use EFS for storing the videos

The engineering team at an e-commerce company is working on cost optimizations for EC2 instances. The team wants to manage the workload using a mix of on-demand and spot instances across multiple instance types. They would like to create an Auto Scaling group with a mix of these instances. Which of the following options would allow the engineering team to provision the instances for this use-case?

-You can only use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost (With launch templates, you can provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost)

A DevOps engineer at an organization is debugging issues related to an Amazon EC2 instance. The engineer has SSH'ed into the instance and he needs to retrieve the instance public IP from within a shell script running on the instance command line. Can you identify the correct URL path to get the instance public IP?

-http://169.254.169.254/latest/meta-data/public-ipv4

The development team at an e-commerce startup has set up multiple microservices running on EC2 instances under an Elastic Load Balancer. The team wants to route traffic to multiple back-end services based on the content of the request. Which of the following types of load balancers would allow routing based on the content of the request?

Application Load Balancer (based on the content of the request)

A junior developer is learning to build websites using HTML, CSS, and JavaScript. He has created a static website and then deployed it on Amazon S3. Now he can't seem to figure out the endpoint for his super cool website. As a solutions architect, can you help him figure out the allowed formats for the Amazon S3 website endpoints? (Select two)

http://bucket-name.s3-website.Region.amazonaws.com http://bucket-name.s3-website-Region.amazonaws.com s3-website dash (-) Region OR s3-website dot (.) Region