
2. X-Cutioner's Song
100 questions • 1 year ago
  • critical flaw

    Question list

  • 1

    An advertising company hosts static content in an Amazon S3 bucket that is served by Amazon CloudFront. The static content is generated programmatically from a Development account, and the S3 bucket and CloudFront are in a Production account. The build pipeline uploads the files to Amazon S3 using an IAM role in the Development account. The S3 bucket has a bucket policy that only allows CloudFront to read objects using an origin access identity (OAI). During testing, all attempts to upload objects to the S3 bucket are denied. How can a Solutions Architect resolve this issue and allow the objects to be uploaded to Amazon S3?

    Create a new cross-account IAM role in the Production account with write access to the S3 bucket. Modify the build pipeline to assume this role to upload the files to the Production Account.

  • 2

    A new application will ingest millions of records per minute from user devices all over the world. Each record is less than 4 KB in size and must be stored durably and accessed with low latency. The data must be stored for 90 days after which it can be deleted. It has been estimated that storage requirements for a year will be 15-20TB. Which storage strategy is the MOST cost-effective and meets the design requirements?

    Store each incoming record in an Amazon DynamoDB table. Configure the DynamoDB Time to Live (TTL) feature to delete records older than 90 days.

  • 3

    A company is in the process of migrating applications to AWS using multiple accounts in AWS Organizations. The management account is at the root of the Organizations hierarchy. Business units each have different accounts and requirements for the services they need to use. The security team needs to implement controls across all accounts to prohibit many AWS services. In some cases a business unit may have a valid exception to these controls, and this must be achievable. Which solution will meet these requirements with minimal operational overhead?

    Use an SCP in Organizations to implement a deny list of AWS services. Apply this SCP at each OU level. Leave the default AWS managed SCP at the root level. For any specific exceptions for an OU, remove the standard deny list SCP and add a new deny list SCP for that OU.

  • 4

    A company is planning to migrate on-premises resources to AWS. The resources include over 150 virtual machines (VMs) that use around 50 TB of storage. Most VMs can be taken offline outside of business hours; however, a few are mission critical and downtime must be minimized. The company's internet bandwidth is fully utilized and cannot currently be increased. A Solutions Architect must design a migration strategy that can be completed within the next 3 months. Which method would fulfill these requirements?

    Set up a 1 Gbps AWS Direct Connect connection. Then, provision a private virtual interface, and use AWS Application Migration Service (MGN) to migrate the VMs into Amazon EC2.

  • 5

    A Solutions Architect is working on refactoring a monolithic application into a modern application design that will be deployed in the AWS Cloud. A CI/CD pipeline should be used that supports the modern design and allows for multiple releases every hour. The pipeline should also ensure that changes can be quickly rolled back if required. Which design will meet these requirements?

    Use AWS Elastic Beanstalk and create a secondary environment configured as a deployment target for the CI/CD pipeline. To deploy, swap the staging and production environment URLs.

  • 6

    A company recently migrated a high-traffic eCommerce website to the AWS Cloud. The website is experiencing strong growth. Developers use a private GitHub repository to manage code, and the DevOps team uses Jenkins for builds and unit testing. The Developers need to receive notifications when a build fails and ensure there is no downtime during deployments. It is also required that any changes to production are seamless for users and can be easily rolled back if a significant issue occurs. A Solutions Architect is finalizing the design for the environment and will use AWS CodePipeline to manage the build and deployment process. What other steps should be taken to meet the requirements?

    Use GitHub webhooks to trigger the CodePipeline pipeline. Use the Jenkins plugin for AWS CodeBuild to conduct unit testing. Send alerts to an Amazon SNS topic for any bad builds. Deploy in a blue/green deployment using AWS CodeDeploy.

  • 7

    A Solutions Architect must enable AWS CloudHSM M of N access control—also named a quorum authentication mechanism—to allow security officers to make administrative changes to a hardware security module (HSM). The new security policy states that at least two of the four security officers must authorize any administrative changes to CloudHSM. This is the first time this configuration has been set up. Which steps must be taken to enable quorum authentication? (Select TWO.)

    Using the cloudhsm_mgmt_util command line tool, enable encrypted communication, login as a CO, and set the Quorum minimum value to two using the setMValue command., Using the cloudhsm_mgmt_util command line tool, enable encrypted communication, login as a CO, and register a key for signing with the registerMofnPubKey command.

  • 8

    A company runs a two-tier application that uses EBS-backed Amazon EC2 instances in an Auto Scaling group and an Amazon Aurora PostgreSQL database. The company intends to use a pilot light approach for disaster recovery in a different AWS Region. The company has an RTO of 6 hours and an RPO of 24 hours. Which solution would achieve the requirements with MINIMAL cost?

    Use AWS Lambda to create daily EBS snapshots and copy them to the disaster recovery Region. Implement an Aurora Replica in the DR Region. Use Amazon Route 53 with an active-passive failover configuration. Use Amazon EC2 in an Auto Scaling group with the capacity set to 0 in the disaster recovery Region.

  • 9

    A company wants to host a web application on AWS. The application will be used by users around the world. A Solutions Architect has been given the following design requirements: · Allow the retrieval of data from multiple data sources. · Minimize the cost of API calls. · Reduce latency for user access. · Provide user authentication and authorization and implement role-based access control. · Implement a fully serverless solution. How can the Solutions Architect meet these requirements?

    Use Amazon CloudFront with Amazon S3 to host the web application. Use AWS AppSync to build the application APIs. Use Amazon Cognito groups for RBAC. Authorize data access by leveraging Cognito groups in AWS AppSync resolvers.

  • 10

    A company is running a two-tier web-based application in an on-premises data center. The application layer consists of a single server running a stateless application. The application connects to a PostgreSQL database running on a separate server. A Solutions Architect is planning a migration to AWS. The company requires that the application and database layer must be highly available across three availability zones. Which solution will meet the company’s requirements?

    Create an Auto Scaling group of Amazon EC2 instances across three availability zones behind an Application Load Balancer. Create an Amazon Aurora PostgreSQL database in one AZ and add Aurora Replicas in two more AZs.

  • 11

    An e-commerce company has developed a newer version of a shopping application with many new features. Before rolling it out to the public, they want to test the new version using small incremental deployments. The application is deployed using AWS CloudFormation and uses multiple AWS Lambda functions. Which solution will meet these requirements?

    Enable versioning for the AWS Lambda function and associate an alias for every new version. Use the AWS CLI ‘update-alias’ command with the ‘routing-config’ parameter to distribute the load.

  • 12

    An S3 endpoint has been created in an Amazon VPC. A staff member assumed an IAM role and attempted to download an object from a bucket using the endpoint. The staff member received the error message “403: Access Denied”. The bucket is encrypted using an AWS KMS key. A Solutions Architect has verified that the staff member assumed the correct IAM role and the role does allow the object to be downloaded. The bucket policy and NACL are also valid. Which additional step should the Solutions Architect take to troubleshoot this issue?

    Verify that the IAM role has permission to decrypt the referenced KMS key.

  • 13

    A Solutions Architect has deployed a REST API using an Amazon API Gateway Regional endpoint. The API will be consumed by a growing number of US-based companies. Each company will use the API twice each day to get the latest data. Following the deployment of the API the operations team noticed thousands of requests coming from hundreds of IP addresses around the world. The traffic is believed to be originating from a botnet. The Solutions Architect must secure the API while minimizing cost. Which approach should the company take to secure its API?

    Create an AWS WAF web ACL with a rule to allow access from the IP addresses used by the companies. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.

  • 14

    A company requires an application in which employees can log expense claims for processing. The expense claims are typically submitted each week on a Friday. The application must store data in a format that will allow the finance team to be able to run end of month reports. The solution should be highly available and must scale seamlessly based on demand. Which combination of solution options meets these requirements with the LEAST operational overhead? (Select TWO.)

    Store the expense claim data in Amazon S3. Use Amazon Athena and Amazon QuickSight to generate the reports using Amazon S3 as the data source., Deploy the application front end to an Amazon S3 bucket served by Amazon CloudFront. Deploy the application backend using Amazon API Gateway with an AWS Lambda proxy integration.

  • 15

    An online retailer is updating its catalogue of products. The retailer has a dynamic website which uses EC2 instances for web and application servers. The web tier is behind an Application Load Balancer and the application tier stores data in an Amazon Aurora MySQL database. There is additionally a lot of static content and most website traffic is read-only. The company is expecting a large spike in traffic to the website when the new catalogue is launched and optimal performance is a high priority. Which combination of steps should a Solutions Architect take to reduce system response times for a global audience? (Select TWO.)

    Configure an Aurora global database for storage-based cross-Region replication. Use Amazon S3 with cross-Region replication for static content and resources and create Amazon CloudFront distributions., Use Amazon Route 53 with a latency-based routing policy. Create Auto Scaling groups for the web and application tiers and deploy them in multiple global Regions.

  • 16

    A healthcare organization is looking to establish a robust disaster recovery (DR) strategy for its patient record management system, currently hosted in their local data center. The system primarily handles two types of data: patient records (text-based) and diagnostic images (large files). Both sets of data are stored on SMB file shares in the data center. The organization requires a backup solution on AWS, ensuring that in case of a disaster, the data can be accessed via SMB from AWS or the data center. The backup data is infrequently accessed but must be retrievable within a short time frame. Which AWS solution would be most appropriate for these needs?

    Deploy an Amazon S3 File Gateway, configuring it to store both patient records and diagnostic images in Amazon S3 Standard-Infrequent Access (S3 Standard-IA), accessible via SMB.

  • 17

    A company is creating a multi-account structure using AWS Organizations. The accounts will include the Management account, Production account, and Development account. The company requires auditing for all API actions across accounts. A Solutions Architect is advising the company on how to configure the accounts. Which of the following recommendations should the Solutions Architect make? (Select TWO.)

    Enable AWS CloudTrail and keep all CloudTrail trails and logs in the management account., Create user accounts in the Production and Development accounts.

  • 18

    A multinational corporation with offices in different regions has several AWS accounts, each managed by local IT teams. The corporation's central IT department, based in its headquarters, needs to gain oversight and implement standardized security policies across all these regional AWS accounts. A solutions architect is tasked with enabling the central IT department to efficiently manage security policies and monitor compliance across all regional AWS accounts. After setting up AWS Organizations and inviting all regional accounts to join, what should be the next step to meet these requirements?

    In each regional account, establish the SecurityAudit IAM role and grant permission to the central account to assume this role.

  • 19

    An application currently runs on Amazon EC2 instances in a single Availability Zone. A Solutions Architect has been asked to re-architect the solution to make it highly available and secure. The security team has requested that all inbound requests are filtered for common vulnerability attacks and all rejected requests must be sent to a third-party auditing application. Which solution meets the high availability and security requirements?

    Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Create an Amazon Kinesis Data Firehose with a destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the WebACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.

  • 20

    A company is setting up a new big data analytics cluster on AWS, which will operate on numerous Linux Amazon EC2 instances distributed across several Availability Zones. The cluster requires a shared file storage system that all nodes can read from and write to. This storage must not only be highly available and resilient but also POSIX-compliant and capable of handling substantial throughput levels. What storage solution should be adopted to fulfill these criteria?

    Establish a new Amazon Elastic File System (Amazon EFS) using the Max I/O performance mode and mount this EFS file system on each EC2 instance in the cluster.

  • 21

    A company is closing an on-premises data center and needs to move some business applications to AWS. There are over 100 applications that run on virtual machines in the data center. The applications are simple PHP, Java, Ruby, and Node.js web applications. The applications are no longer being developed and are not heavily utilized. A Solutions Architect must determine the best approach to migrate these applications to AWS with the LOWEST operational overhead. Which method best fits these requirements?

    Deploy each application to a single-instance AWS Elastic Beanstalk environment without a load balancer.

  • 22

    A company captures financial transactions in Amazon DynamoDB tables. The security team is concerned about identifying fraudulent behavior and has requested that all changes to items stored in DynamoDB tables must be logged within 30 minutes. How can a Solutions Architect meet this requirement?

    Use Amazon DynamoDB Streams to capture and send updates to AWS Lambda. Create a Lambda function to output records to Amazon Kinesis Data Streams. Analyze any anomalies with Amazon Kinesis Data Analytics. Send SNS notifications when anomalous behaviors are detected.

  • 23

    In a corporation using AWS Organizations, there's a requirement to supervise Amazon EC2 resource utilization across different accounts. The goal is to create a mechanism that sends daily notifications to the company's IT architecture team when the EC2 resource usage exceeds the average of the previous 45 days by more than 15%. What strategy should be employed to meet this objective?

    Set up a monitoring system in the organization's central account using AWS Budgets. Focus on tracking the hours of EC2 instance operation, setting a monitoring interval to daily. Define a budget limit that is 15% above the 45-day average usage of EC2, as determined by AWS Cost Explorer, and configure alerts for the architecture team when this limit is reached.

  • 24

    A finance company needs to implement a solution to share a common network across multiple AWS accounts which are a part of an AWS organization. The company's operations team uses a dedicated operations account with a VPC, and this must be used for network management. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets. Which combination of actions should be taken to meet these requirements? (Select TWO.)

    Enable resource sharing from the AWS Organizations management account., Create a resource share in AWS Resource Access Manager in the operations account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.

  • 25

    A company plans to migrate physical servers and VMs from an on-premises data center to the AWS Cloud using AWS Migration Hub. The VMs run on a combination of VMware and Hyper-V hypervisors. A Solutions Architect must determine the best services for data collection and discovery. The company has also requested the ability to generate reports from the collected data. Which solution meets these requirements?

    Use the AWS Application Discovery Service agent for data collection on physical servers and Hyper-V. Use the AWS Agentless Discovery Connector for data collection on VMware. Store the collected data in Amazon S3. Query the data with Amazon Athena. Generate reports by using Amazon QuickSight.

  • 26

    A mobile app has become extremely popular with global usage increasing to millions of users. The app allows users to capture and upload funny images of animals and add captions. The current application runs on Amazon EC2 instances with Amazon EFS storage behind an Application Load Balancer. The data access patterns are unpredictable and during peak periods the application has experienced performance issues. Which changes should a Solutions Architect make to the application architecture to control costs and improve performance?

    Use an Amazon S3 bucket for static images and use the Intelligent Tiering storage class. Use an Amazon CloudFront distribution in front of the S3 bucket and AWS Lambda for processing the images.

  • 27

    A Solutions Architect has been tasked with migrating an application to AWS. The application includes a desktop client application and a web application. The web application has an uptime SLA of 99.5%. The Solutions Architect must re-architect the application to meet or exceed this SLA. The application contains a MySQL database running on a single virtual machine. The web application uses multiple virtual machines with a load balancer. Remote users complain about slow load times while using this latency-sensitive application. The Solutions Architect must minimize changes to the application whilst improving the user experience, minimizing costs, and ensuring the availability requirements are met. Which solution best meets these requirements?

    Migrate the database to an Amazon RDS Aurora MySQL configuration. Host the web application on an Auto Scaling configuration of Amazon EC2 instances behind an Application Load Balancer. Use Amazon AppStream 2.0 to improve the user experience.

  • 28

    A media publishing company has created an online bookstore which gives users access to books and other reference material. These materials can be downloaded by users and new materials can also be uploaded on the portal. According to company requirements, all data must be encrypted in transit and at rest. A solutions architect is building the solution by using Amazon S3 and Amazon CloudFront. Which combination of steps will meet the encryption requirements? (Select THREE.)

    Create a bucket policy that denies any unencrypted operations in the S3 bucket that the web application uses., Turn on the S3 server-side encryption for the S3 bucket in use., Configure redirection of HTTP requests to HTTPS requests in CloudFront.

  • 29

    A company has created a fitness tracking mobile app that uses a serverless REST API. The app consists of an Amazon API Gateway API with a Regional endpoint, AWS Lambda functions, and an Amazon Aurora MySQL database cluster. The company recently secured a deal with a sports company to promote the new app, which resulted in a significant increase in the number of requests received. Unfortunately, the increase in traffic resulted in sporadic database memory errors and performance degradation. The traffic included significant numbers of HTTP requests querying the same data in short bursts during weekends and holidays. The company needs to improve its ability to support the additional usage while minimizing the increase in costs associated with the solution. Which strategy meets these requirements?

    Convert the API Gateway Regional endpoint to an edge-optimized endpoint. Enable caching in the production stage.

  • 30

    A company runs an eCommerce web application on a pair of Amazon EC2 instances behind an Application Load Balancer. The application stores data in an Amazon DynamoDB table. Traffic has been increasing with some major sales events and read and write traffic has slowed down considerably over the busiest periods. Which option provides a scalable application architecture to handle peak traffic loads with the LEAST development effort?

    Use Auto Scaling groups for the web application and use DynamoDB auto scaling.

  • 31

    A rapidly growing online retail company is experiencing performance issues during high-traffic events like sales and holidays. The company's current architecture includes a web application running on several Amazon EC2 instances, managed by an Elastic Load Balancer. The application relies on Amazon RDS for data storage. During peak times, the website experiences slow response times and occasional downtime. Which solution would effectively scale the application architecture to handle high-traffic periods with minimal development effort?

    Use Auto Scaling groups for the EC2 instances and enable RDS auto scaling to dynamically adjust the database capacity based on demand.

  • 32

    A company leases data center space in a co-location facility and needs to move out before the end of the financial year in 90 days. The company currently runs 150 virtual machines and a NAS device that holds over 50 TB of data. Access patterns for the data are infrequent but when access is required it must be immediate. The VM configurations are highly customized. The company has a 1 Gbps internet connection which is mostly idle and almost completely unused outside of business hours. Which combination of steps should a Solutions Architect take to migrate the VMs to AWS with minimal downtime and operational impact? (Select TWO.)

    Migrate the NAS data to AWS using AWS Storage Gateway., Migrate the virtual machines with AWS Application Migration Service.

  • 33

    A company needs to host a highly available and secure image processing application in AWS. Their VPC architecture consists of a public and a private subnet within an Amazon VPC spanning two Availability Zones. The application is hosted on Amazon EC2 instances in the private subnet. The application needs to communicate with the internet via two NAT gateways and uses an Application Load Balancer in the public subnet. Images are stored in an Amazon S3 bucket that receives around 1 TB of new objects per day on average. A solutions architect must reduce the associated cost of the solution and reduce manual effort while maintaining security. How can this be accomplished?

    Set up an S3 gateway VPC endpoint in the VPC. Attach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.

  • 34

    A company is running an application on an on-premises VMware cluster that must be migrated to an Amazon EC2 instance. While migrating, they wish to preserve the software and configuration settings. What is the best strategy to meet these requirements?

    Use the VMware vSphere client to export the application as an image in Open Virtualization Format (OVF) format. Create an Amazon S3 bucket to store the image in the destination AWS Region. Create and apply an IAM role for VM Import. Use the AWS CLI to run the EC2 import command.

  • 35

    A company runs a single application in an AWS account. The application uses an Auto Scaling Group of Amazon EC2 instances with a combination of Reserved Instances (RIs) and On-Demand instances. To maintain cost-effectiveness the RIs should cover 70% of the workload. The solution should include the ability to alert the DevOps team if coverage drops below the 70% threshold. Which set of steps should a Solutions Architect take to create the report and alert the DevOps team?

    Use AWS Budgets to create a budget for RI coverage and set the threshold to 70%. Configure an alert that notifies the DevOps team.

  • 36

    A company runs a web application in an on-premises data center in Paris. The application includes stateless web servers behind a load balancer, shared files in a NAS device, and a MySQL database server. The company plans to migrate the solution to AWS and has the following requirements: · Provide optimum performance for customers. · Implement elastic scalability for the web tier. · Optimize the database server performance for read-heavy workloads. · Reduce latency for users across Europe and the US. · Design the new architecture with a 99.9% availability SLA. Which solution should a Solutions Architect propose to meet these requirements while optimizing operational efficiency?

    Use an Application Load Balancer (ALB) in front of an Auto Scaling group of Amazon EC2 instances in one AWS Region and three Availability Zones. Configure an Amazon ElastiCache cluster in front of a Multi-AZ Amazon Aurora MySQL DB cluster. Move the shared files to Amazon EFS. Configure Amazon CloudFront with the ALB as the origin and select a price class that includes the US and Europe.

  • 37

    A company runs several IT services in an on-premises data center that is connected to AWS using an AWS Direct Connect (DX) connection. The service data is sensitive and the company uses an IPSec VPN over the DX connection to encrypt data. Security requirements mandate that the data cannot traverse the internet. The company wants to offer the IT services to other companies who use AWS. Which solution will meet these requirements?

    Create a VPC Endpoint Service that accepts TCP traffic and host it behind a Network Load Balancer. Enable access to the IT services over the DX connection.

  • 38

    An Amazon RDS database was created with encryption enabled using an AWS managed CMK. The database has been reclassified and no longer requires encryption. How can a Solutions Architect remove encryption from the database with the LEAST operational overhead?

    Export the data from the DB instance and import the data into an unencrypted DB instance.

  • 39

    A company is running several development projects. Developers are assigned to a single project but move between projects frequently. Each project team requires access to different AWS resources. Currently, there are projects for serverless, analytics, and database development. The resources used within each project can change over time. Developers require full control over the project they are assigned to and no access to the other projects. When developers are assigned to a different project or new AWS resources are added, the company wants to minimize policy maintenance. What type of control policy should a Solutions Architect recommend?

    Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to an IAM group. Change the group membership when developers change projects. Update the policy document when the set of resources changes.

  • 40

    A company uses AWS CodePipeline to manage an application that runs on Amazon EC2 instances in an Auto Scaling group. All AWS resources are defined in CloudFormation templates. Application code is stored in an Amazon S3 bucket and installed at launch time using lifecycle hooks with EventBridge and AWS Lambda. Recent changes in the CloudFormation templates have resulted in issues that have caused outages, and management requires a solution to ensure this situation is not repeated. What should a Solutions Architect do to reduce the likelihood that future changes in the templates will cause downtime?

    Use AWS CodeBuild for automated testing. Use CloudFormation change sets to evaluate changes ahead of deployment. Use AWS CodeDeploy to leverage blue/green deployment patterns.

  • 41

    A car rental company operates a serverless REST API, which includes an Amazon API Gateway with a Regional endpoint, AWS Lambda functions, and an Amazon Aurora MySQL Serverless DB cluster. This API, initially serving a mobile app, has been extended to partner mobile apps, leading to a substantial increase in requests and occasional database memory errors. Analysis shows that clients frequently make repeated HTTP GET requests for the same queries in short intervals, especially during business hours and around holidays. To enhance the system's capacity to handle this increased load without significantly raising costs, what approach should the company adopt?

    Integrate an Amazon ElastiCache for Redis layer to cache database query results. Update the Lambda functions to retrieve data from this cache when available.

  • 42

    An application runs on a fleet of Amazon ECS instances and stores data in an Amazon S3 bucket. Until recently the application had been working well, and then it started to fail to upload objects to the S3 bucket. Server access logging has been enabled and 403 errors have been identified since the time of the fault. The ECS cluster has been set up according to best practices, and no changes have been made to the S3 bucket policy or the IAM roles used to access the bucket. What is the most LIKELY cause of the failure?

    The ECS task IAM role was modified.

  • 43

    A company has a line of business (LOB) application that is used for storing sales data for an eCommerce platform. The data is unstructured and stored in an Oracle database running on a single Amazon EC2 instance. The application front end consists of six EC2 instances in three Availability Zones (AZs). Each week the application receives bursts of traffic and application performance suffers. A Solutions Architect must design a solution to address scalability and reliability. The solution should also eliminate licensing costs. Which set of steps should the Solutions Architect take?

    Create an Auto Scaling group for the front end with a combination of Reserved instances and Spot Instances to reduce costs. Convert the tables in the Oracle database into Amazon DynamoDB tables.

  • 44

    An application publishes data continuously to Amazon DynamoDB using an AWS Lambda function. The DynamoDB table has an auto scaling policy enabled with the target utilization set to 70%. There are short predictable periods in which a large volume of data is received and this can exceed the typical load by up to 300%. The AWS Lambda function writes ProvisionedThroughputExceededException messages to Amazon CloudWatch Logs during these times, and some records are redirected to the dead letter queue. What change should the company make to resolve this issue?

    Use Application Auto Scaling to scale out write capacity on the DynamoDB table based on a schedule.

  • 45

    A company runs a Java application on Amazon EC2 instances. The DevOps team uses a combination of Amazon CloudFormation and AWS OpsWorks to update the infrastructure and application stacks respectively. During recent updates the DevOps team reported service disruption issues that affected the Java application running on the Amazon EC2 instances. Which solution will increase the reliability of application updates?

    Implement a blue/green deployment strategy.

  • 46

    A company has an application that generates data exports which are saved as CSV files in an Amazon S3 bucket. The data is generally confidential and only accessed by IAM users. An individual CSV file must be shared with an external organization. A Solutions Architect used an IAM user account to attempt to perform a PUT Object call to enable a public ACL on the object and it failed with “insufficient permissions”. What is the most likely cause of this issue?

    The bucket has the BlockPublicAcls setting set to TRUE.

  • 47

    A company has a security policy that requires that all internal application connectivity must use private IP addresses. A Solutions Architect has created interface endpoints in private subnets to connect to AWS public services. The Solutions Architect tested the configuration and the connectivity failed. Which configuration change should the Solutions Architect make to resolve the issue?

    Configure the security group on the interface endpoint to allow connectivity to the AWS services.

  • 48

    A financial services company is developing a secure web application on AWS. This application will handle sensitive customer data and needs to be accessible only within the company's corporate network. The application is hosted on Amazon EC2 instances within a VPC. The company wants to ensure that this web application is not accessible from the public internet for enhanced security. An AWS solutions architect must ensure that the web application is only accessible from the company's corporate network and not from the public internet. Which action should be taken?

    Create a VPN connection between the company’s corporate network and the VPC. Configure security groups for the EC2 instances to only allow traffic from the VPN connection.

  • 49

    A company has several Amazon RDS databases each with over 50 TB of data. Management has requested the ability to generate a weekly business report from the databases. The system should support ad-hoc SQL queries. What is the MOST cost-effective solution for the Business Intelligence platform?

    Configure an AWS Glue crawler to crawl the databases and create tables in the AWS Glue Data Catalog. Create an AWS Glue ETL job that loads data from the RDS databases to Amazon S3. Use Amazon Athena to run the queries.

  • 50

    A Solutions Architect wants to make sure that only IAM users with appropriate permissions can access a new Amazon API Gateway endpoint. How can the Solutions Architect design the API Gateway access control to meet this requirement?

    Set the authorization to AWS_IAM for the API Gateway method. Create a permissions policy that grants execute-api:Invoke permission on the REST API resource and attach it to a group containing the IAM user accounts.

  • 51

    A company uses an AWS account with resources deployed in multiple Regions globally. Operations teams deploy and manage resources within each Region. Some Region-specific service quotas have been reached causing an inability for the local operations teams to deploy resources. A centralized cloud team is responsible for monitoring and updating service quotas. The cloud team needs to create an automated and operationally efficient solution to proactively monitor service quotas. Monitoring should occur every 15 minutes and send alerts when a team exceeds 80% utilization. Which solution will meet these requirements?

    Create an Amazon EventBridge rule that triggers an AWS Lambda function to use AWS Trusted Advisor to retrieve the most current utilization and service limit data. If the current utilization is above 80%, publish a message to an Amazon SNS topic to alert the cloud team.

  • 52

    A media company runs an application that uses a static website configured in an Amazon S3 bucket and an Amazon CloudFront distribution. The website calls an Amazon API Gateway REST API, and an AWS Lambda function backs each API method. The company wants to generate a CSV report every 2 weeks that records the following for each Lambda function: recommended configured memory, recommended cost, and the price difference between current configurations and the recommendations. Which solution will meet these requirements with the LEAST development time?

    Use AWS Compute Optimizer. Call the “ExportLambdaFunctionRecommendations” operation for the Lambda functions. Export the .csv file to an S3 bucket. Create an Amazon EventBridge rule to schedule the Lambda function to run every 2 weeks.

  • 53

    A secure web application runs in an Amazon VPC that has a public subnet and a private subnet. An Application Load Balancer is deployed into the public subnet. Each subnet has a separate Network ACL. The public subnet CIDR range is 10.1.0.0/24 and the private subnet CIDR range is 10.1.1.0/24. The web application is deployed on Amazon EC2 instances in the private subnet. Which combination of rules should be defined on the private subnet’s Network ACL to allow access from internet-based clients? (Select TWO.)

    An inbound rule for port 443 from source 10.1.0.0/24., An outbound rule for ports 1024 through 65535 to destination 10.1.0.0/24.

  • 54

    A start-up company has created a new serverless application which includes an AWS Lambda function which sits behind an Amazon API Gateway and an Amazon CloudFront CDN. The development team is currently using AWS CLI scripts to update the versions of Lambda functions. In case an error is detected, a different CLI script is used to roll back the version to the previous stable one. A solutions architect needs to optimize this process and reduce the time taken to switch versions and detect the error in Lambda functions. How can this be accomplished?

    Use AWS SAM and built-in AWS CodeDeploy to deploy the new Lambda version, gradually shift traffic to the new version, and use pre-traffic and post-traffic test functions to verify code. Roll back if an Amazon CloudWatch alarm is triggered.

  • 55

    A fleet of EC2 instances generates a large quantity of data and stores the data on an Amazon EFS file system. The EC2 instances also back up the data by uploading to an Amazon S3 bucket in another Region on a daily basis. Some S3 uploads have been failing and the storage costs have significantly increased. The operations team has removed the failed uploads. How can a Solutions Architect configure the backup jobs to efficiently back up data to S3 while reducing storage costs?

    Use multipart upload for the backup jobs. Create a lifecycle policy for the incomplete multipart uploads on the S3 bucket to prevent new failed uploads from accumulating.

  • 56

    A serverless application uses an AWS Lambda function behind an Amazon API Gateway REST API. During busy periods thousands of simultaneous invocations are required and requests fail multiple times before succeeding. The operations team has checked for AWS Lambda errors and did not find any. A Solutions Architect must investigate the root cause of the issue. What is the most likely cause of this problem?

    The throttle limit on the REST API is configured too low. During busy periods some requests are being throttled and are not reaching the Lambda function.

  • 57

    An eCommerce website consists of a two-tier architecture. Amazon EC2 instances in an Auto Scaling group are used for the web server layer behind an Application Load Balancer (ALB). The web servers run a PHP application on Apache Tomcat. The database layer runs on an Aurora MySQL database instance. Recently, a large sales event caused some errors to occur for customers when placing orders on the website. The operations team collected logs from the web servers and reviewed Aurora DB cluster performance metrics. Several web servers were terminated by the ASG before the logs could be collected and the Aurora metrics were not sufficient for query performance analysis. Which combination of steps should a Solutions Architect take to improve application performance visibility during peak traffic events? (Select THREE.)

    Implement the AWS X-Ray SDK to trace incoming HTTP requests on the EC2 instances and implement tracing of SQL queries with the X-Ray SDK for PHP., Install and configure an Amazon CloudWatch Logs agent on the EC2 instances to send the Apache logs to CloudWatch Logs., Configure the Aurora MySQL DB cluster to generate slow query logs by setting parameters in the parameter group.

  • 58

    A company's serverless application, comprising several AWS Lambda functions and Amazon DynamoDB tables, is undergoing an upgrade to include interaction with an Amazon Neptune DB cluster. This cluster is distributed across two subnets within a VPC. Identify two solutions that would enable the Lambda functions to access both the Neptune DB cluster and the DynamoDB tables (Select TWO.)

    Configure two private subnets in the Neptune VPC and route internet traffic via a NAT gateway. Deploy the Lambda functions in these private subnets., Create two new subnets in the Neptune VPC, specifically for hosting the Lambda functions. Implement a VPC endpoint for DynamoDB to facilitate direct access from these subnets.

  • 59

    A development team created a service that uses an AWS Lambda function to store information in an Amazon RDS Database. The database credentials are stored in clear text in the Lambda function code. A Solutions Architect is advising the development team on how to better secure the service. Which of the following should the Solutions Architect recommend? (Select TWO.)

    Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation., Create encrypted database credentials in AWS Secrets Manager for the Amazon RDS database.

  • 60

    A start-up company has been using bastion hosts to connect to EC2 instances which are based on the latest Amazon Linux 2 AMI. They use these bastion hosts to SSH into EC2 instances to view logs and other troubleshooting activities. So far, they have configured a VPC with private and public subnets, and a NAT gateway. Also, they have a Site-to-Site VPN for connectivity with the on-premises environment and EC2 security groups with direct SSH access from the on-premises environment. To increase security control and comply with auditing requirements around access to instances, which strategy should a solutions architect use?

    Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.

  • 61

    An application runs across a fleet of Amazon EC2 instances in an Auto Scaling group. Application logs are collected from the EC2 instances using a cron job that is scheduled to run every 30 minutes. The cron job saves the log files to an Amazon S3 bucket. Failures and scaling events have caused some logs to be lost as the instances have been lost before the cron job collected the log files. Which of the following options is the MOST reliable way of collecting and preserving the log files?

    Use the Amazon CloudWatch Logs agent to stream log messages directly to CloudWatch Logs. Configure the batch_count parameter to 1.

  • 62

    A company runs a high performance computing (HPC) application in an on-premises data center. The solution consists of a 10-node cluster running Linux with high-speed inter-node connectivity. The company is planning to migrate the application to the AWS Cloud. A Solutions Architect needs to design the solution architecture on AWS to ensure optimum performance for the HPC cluster. Which combination of steps will meet these requirements? (Select TWO.)

    Deploy Amazon EC2 instances in a placement group., Use Amazon EC2 instances that support Elastic Fabric Adapter (EFA).

  • 63

    An online shopping portal is running in eu-west-1 region. One of the application components uses AWS Lambda functions and stores inventory data in an Amazon Aurora database. Deployment of the Lambda functions is performed using a deployment package. The company has configured automated backups for Aurora. The company wants to move the application to another AWS account within the same AWS organization. The application processes critical data and downtime must be minimized or avoided if possible. Which solution will meet the requirements for moving this application from the source account to the target account?

    Download the Lambda function package from the source account. Use the deployment package and create new Lambda functions in the target account. Share the Aurora DB cluster with the target account by using AWS Resource Access Manager (AWS RAM). Grant the target account permission to clone the Aurora DB cluster.

  • 64

    A web application is being deployed on Amazon EC2 instances and requires that users authenticate before they can access content. The solution needs to be configured so that it is highly available. Once authenticated, users should remain connected even if an underlying instance fails. Which solution will meet these requirements?

    Create an Auto Scaling group for the EC2 instances and use an Application Load Balancer to direct incoming requests. Use Amazon DynamoDB to save the authenticated connection details.

  • 65

    A company needs to deploy an application into an AWS Region across multiple Availability Zones and has several requirements for the deployment. The application requires access to 100 GB of static data before the application starts and must be able to scale up and down quickly. Startup time must be minimized as much as possible. The Operations team must be able to install critical OS patches within 48 hours of release. The solution should also be cost-effective. Which deployment strategy meets these requirements?

    Use Amazon EC2 Auto Scaling with an AMI that includes the latest OS patches. Mount an Amazon EFS file system with the static data to the EC2 instances at launch time.

  • 66

    A company stores highly confidential information in an Amazon S3 bucket. The security team has evaluated the security of the configuration and has come up with some new requirements that must be met. The security team now requires the ability to identify the IP addresses that make requests to the bucket to be able to identify malicious actors. They additionally require that any changes to the bucket policy are automatically remediated and alerts of these changes are sent to their team members. Which strategies should a Solutions Architect use to meet these requirements?

    Identify the IP addresses in Amazon S3 requests with Amazon S3 access logs and Amazon Athena. Use AWS Config with Auto Remediation to remediate any changes to S3 bucket policies. Configure alerting with AWS Config and Amazon SNS.

  • 67

    An application runs on Amazon EC2 instances in a private subnet within an Amazon VPC. The application stores files in a specific Amazon S3 bucket. The files should not traverse the internet and only the application instances should be granted access to save files to the S3 bucket. A gateway endpoint has been created for Amazon S3 and connected to the Amazon VPC. What additional steps should a Solutions Architect take to meet the stated requirements?

    Attach an endpoint policy to the gateway endpoint that restricts access to the specific S3 bucket. Assign an IAM role to the EC2 instances and attach a policy to the S3 bucket that grants access only to this role.

  • 68

    A security team has discovered that developers have been storing IAM secret access keys in AWS CodeCommit repositories. The security team requires that measures are put in place to automatically find and remediate all instances of this vulnerability on an ongoing basis. Which solution meets these requirements?

    Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If any credentials are found, disable them and notify the user.

  • 69

    A manufacturing company collects data from IoT devices in JSON format. The data is collected, transformed, and stored in a data warehouse for analysis using an analytics tool that uses ODBC. The performance of the current solution suffers under high loads due to insufficient compute capacity and incoming data is often lost. The application will be migrated to AWS. The solution must support the current analytics tool, resolve the compute constraints, and be cost-effective. Which solution meets these requirements?

    Re-architect the application. Load the data into Amazon S3. Use AWS Glue to transform the data. Store the table schema in an AWS Glue Data Catalog. Use Amazon Athena to query the data.

  • 70

    A healthcare organization is planning to transition its on-premises data processing workloads to AWS. Before migration, the organization needs a thorough assessment of its current server infrastructure to determine appropriate sizing for Amazon EC2 instances. Key data to be collected includes CPU and memory usage, network I/O, and a list of active services on each server. Additionally, the organization wants to analyze network traffic patterns to understand dependencies between servers. What is the most cost-effective method to gather this comprehensive data for migration planning?

    Implement AWS Application Discovery Service with the installation of its data collection agent on each server in the organization's data center to gather detailed server usage and network data.

  • 71

    A corporation is seeking to develop a disaster recovery (DR) plan for its web application, which is currently operational in a single AWS Region. This application utilizes a microservices architecture with services running on AWS Fargate within Amazon Elastic Container Service (ECS). The data layer is handled by an Amazon RDS for MySQL database, and DNS management is conducted through Amazon Route 53. An Amazon CloudWatch alarm is configured to trigger an Amazon EventBridge rule in the event of an application failure. The task is to design a DR strategy that enables quick restoration of the application in a different AWS Region following a failure. Which approach would best meet these requirements?

    Set up a standby ECS cluster and service on Fargate in a different Region. Create a cross-Region RDS read replica in this new Region. Design an AWS Lambda function to promote the read replica to a primary database and reconfigure Route 53 to reroute traffic to the standby ECS cluster. Adjust the EventBridge rule to include this Lambda function as a target.

  • 72

    An on-premises analytics database running on Oracle will be migrated to the cloud. The database runs on a single virtual machine (VM) and multiple client VMs running a Java-based web application that is used to perform SQL queries on the database. All virtual machines will be migrated to the cloud. The database uses 2 TB of storage and each client VM has a different configuration and saves stored procedures and query results in the local file system. There is a 10 Gbit AWS Direct Connect (DX) connection established and the application can be migrated over a scheduled 48-hour change window. Which strategy will reduce the operational overhead on the database and have the LEAST impact on the operations staff after the migration?

    Use AWS DMS to migrate the database to Amazon RDS. Replicate the client VMs into AWS using AWS SMS. Create Route 53 A records for each client VM.

  • 73

    A company is planning to migrate a containerized application to Amazon ECS. The company wishes to reduce instance costs as much as possible whilst reducing the probability of service interruptions. How should a Solutions Architect configure the solution?

    Use Amazon ECS Spot instances and configure Spot Instance Draining.

  • 74

    A Solutions Architect is designing a publicly accessible web application that runs from an Amazon S3 website endpoint. The S3 website is the origin for an Amazon CloudFront distribution. After deploying the solution the operations team ran some tests and received an “Error 403: Access Denied” message when attempting to connect. What should the Solutions Architect check to determine the root cause of the issue? (Select TWO.)

    Check if the S3 bucket is encrypted using AWS KMS., Check if the S3 block public access option is enabled on the S3 bucket.

  • 75

    A financial company stores personally identifiable information (PII) in an Amazon S3 bucket which currently does not have versioning enabled. The current configuration has server-side encryption with S3 managed encryption keys (SSE-S3) enabled to encrypt the objects. According to a new requirement, all current and future objects in the S3 bucket must be encrypted by keys that the company's security team manages. Which solution will meet these requirements?

    Change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS) in the S3 bucket. Set an S3 bucket policy to deny unencrypted PutObject requests. Use the AWS CLI to re-upload all objects in the S3 bucket.

  • 76

    An eCommerce company runs an application that records product registration information. The application uses an Amazon S3 bucket for storing files and an Amazon DynamoDB table to store customer record data. The application software runs in us-west-1 and eu-central-1. The S3 bucket and DynamoDB table are in us-west-1. A Solutions Architect has been asked to implement protection from data corruption and the loss of connectivity to either Region. Which solution meets these requirements?

    Create a DynamoDB global table to replicate data between us-west-1 and eu-central-1. Enable continuous backup on the DynamoDB table in us-west-1. Set up S3 cross-region replication from us-west-1 to eu-central-1.

  • 77

    A company is migrating an application into AWS. The application code has already been installed and tested on Amazon EC2. The database layer consists of a 25 TB MySQL database in the on-premises data center. There is a 50 Mbps internet connection and an IPSec VPN connection to the Amazon VPC. The company plans to go live on AWS within 2 weeks. Which combination of actions will meet the migration schedule with the LEAST downtime? (Select THREE.)

    When the RDS Aurora MySQL database is fully synchronized, change the DNS entry to point to the Aurora DB instance and stop replication., Launch an RDS Aurora MySQL DB instance and load the database data from the Snowball export. Configure replication from the on-premises database to the RDS Aurora instance using the VPN., Export the data from the database using database-native tools and import the data to AWS using AWS Snowball.

  • 78

    A rapidly growing company has registered 10 new domain names for multiple applications soon to be productionized. The company uses the domains for online marketing. The company needs a solution that will redirect online visitors to a specific URL and route combination for each domain. The URL and route combinations are defined in a JSON document. All DNS records are managed by Amazon Route 53. They also need to accept HTTP and HTTPS requests. Which combination of steps should a solutions architect take to meet these requirements with the LEAST amount of operational effort? (Select THREE.)

    Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names., Create an Amazon CloudFront distribution and deploy a Lambda@Edge function., Create an Application Load Balancer that includes HTTP and HTTPS listeners.

  • 79

    A new employee is joining a security team. The employee initially requires access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. All security team members are added to the security team IAM group that provides additional permissions to manage all other AWS services. The team lead wants to limit the permissions the new employee has access to until the employee takes on additional responsibilities, and then be able to easily add permissions as required, eventually providing the same access as all other security team employees. How can the team lead limit the permissions assigned to the new user account whilst minimizing complexity?

    Create an IAM account for the new employee and add the account to the security team IAM group. Set a permissions boundary that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add the additional services to the permissions boundary IAM policy.

  • 80

    A Solutions Architect must design a solution for providing private connectivity from a company’s WAN network to multiple AWS Regions. The company has offices around the world and has its main data center in New York. The company has mandated that traffic must not traverse the public internet at any time. The solution must also be highly available. How can the Solutions Architect meet these requirements?

    Create two AWS Direct Connect connections from the New York data center to an AWS Region. Configure the company WAN to send traffic over the DX connection. Use Direct Connect Gateway to access data in other AWS Regions.

  • 81

    A company has recently established 15 Amazon VPCs within the us-east-1 AWS Region. The company has also established an AWS Direct Connect to the Region from their on-premises data center. The company requires full transitive peering between the VPCs and the on-premises data center. Which combination of actions is required to implement these requirements with the LEAST complexity? (Select TWO.)

    Create an AWS Direct Connect (DX) gateway and attach the DX gateway to a transit gateway. Enable route propagation with BGP., Create an AWS transit gateway and add attachments for all of the VPCs. Configure the route tables in the VPCs to send traffic to the transit gateway.

  • 82

    An eCommerce company runs a workload on AWS that includes a web and application tier running on Amazon EC2 and a database tier running on Amazon RDS MySQL. The business requires a cost-efficient disaster recovery solution for the application with an RTO of 5 minutes and an RPO of 1 hour. The solution should ensure the primary and DR sites have a minimum distance of 150 miles between them. Which of the following options could a Solutions Architect recommend to meet the company’s disaster recovery requirements?

    Deploy a scaled-down version of the production environment in a separate AWS Region ensuring the minimum distance requirements are met. The DR environment should include one instance for the web tier and one instance for the application tier. Create another database instance and configure source-replica replication for MySQL. Configure Auto Scaling for the web and app tiers so they can scale based on load. Use Amazon Route 53 to switch traffic to the DR Region.

  • 83

    An application is being tested for deployment in a Development account. The application consists of an Amazon API Gateway, Amazon EC2 instances behind an Elastic Load Balancer and an Amazon DynamoDB table. The Developers wish to grant a testing team access to deploy the application several times for performing a variety of acceptance tests but don’t want to grant broad permissions to each user. The Developers currently deploy the application using an AWS CloudFormation template and a role that has permission to the APIs for the included services. How can a Solutions Architect meet the requirements for granting restricted access to the testing team so they can run their tests?

    Create an AWS Service Catalog product from the environment template and add a launch constraint to the product with the existing role. Give users in the testing team permission to use AWS Service Catalog APIs only. Train users to launch the template from the AWS Service Catalog console.

  • 84

    A company which recently moved to AWS is trying to build a hybrid DNS solution. An AWS Direct Connect (DX) connection between the on-premises corporate network and an AWS Transit Gateway is established. This solution will use an Amazon Route 53 private hosted zone for the domain internal.company.local for the resources stored within Amazon VPCs. The company has the following DNS resolution requirements: on-premises systems should be able to resolve and connect to internal.company.local, and all VPCs should be able to resolve internal.company.local. Which architecture should the company use to meet these requirements with the HIGHEST performance?

    Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for internal.company.local that point to the inbound resolver.

  • 85

    A healthcare company has developed a series of microservices for processing patient data, hosted on AWS. These microservices are accessed through REST APIs managed by Amazon API Gateway. To comply with healthcare regulations, the company needs to ensure that these APIs are only accessible from their internal application, which runs on an Amazon EC2 instance within their AWS VPC. The application must securely access these APIs without exposing them to the public internet. Which step should a solutions architect take to ensure that the REST APIs are securely accessible by the internal application, while complying with the healthcare regulations?

    Create an interface VPC endpoint for API Gateway in the VPC. Enable private DNS naming for the VPC endpoint and configure an API resource policy that allows access from the VPC endpoint. Use the API endpoint's DNS names to access the API from the EC2 instance.

  • 86

    A company has launched a web application on Amazon EC2 instances. The instances have been launched in a private subnet. An Application Load Balancer (ALB) is configured in front of the instances. The instances are assigned to a security group named WebAppSG and the ALB is assigned to a security group named ALB-SG. The security team requires that the security group rules are locked down according to best practice. What rules should be configured in the security groups? (Select TWO.)

    An inbound rule in ALB-SG allowing port 80 from source 0.0.0.0/0., An inbound rule in WebAppSG allowing port 80 from source ALB-SG.

  • 87

    A legacy application consists of a series of batch scripts that coordinate multiple application components. Each application component processes data within a few seconds before passing it on to the next component. The application has become complex and difficult to update. A Solutions Architect plans to migrate the application to the AWS Cloud. The application should be refactored into serverless microservices and be fully coordinated using cloud-native services. Which approach meets these requirements most cost-effectively?

    Refactor the application onto AWS Lambda functions. Use AWS Step Functions to orchestrate the application.

  • 88

    A company is creating an account structure on AWS. There will be separate accounts for the production and testing environments. The Solutions Architect wishes to implement centralized control of security identities and permissions to access the environments. Which solution is most appropriate for these requirements?

    Create a separate AWS account for identities where IAM user accounts can be created. Create roles with appropriate permissions in the production and testing accounts. Add the identity account to the trust policies for the roles.

  • 89

    A company is creating a secure data analytics solution. Data will be uploaded into an Amazon S3 bucket. The data will then be analyzed by applications running on an Amazon EMR cluster that is launched into a VPC in a private subnet. The environment must be fully isolated from the internet at all times. Data must be encrypted at rest using keys that are controlled and provided by the company. Which combination of actions should a Solutions Architect take to meet these requirements? (Select TWO.)

    Configure the S3 bucket policy to permit access using an aws:sourceVpce condition to match the S3 endpoint ID., Configure the EMR cluster to use an AWS CloudHSM appliance for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3.

  • 90

    A company uses AWS CodeCommit for source control and AWS CodePipeline for continuous integration. The pipeline has a build stage which uses an Amazon S3 bucket for artifacts. The company requires a new development pipeline for testing new features. The new pipeline should be isolated from the production pipeline and incorporate continuous testing for unit tests. How can a Solutions Architect meet these requirements?

    Create a separate pipeline in CodePipeline and trigger execution using CodeCommit branches. Use AWS CodeBuild for running unit tests and stage the artifacts in an S3 bucket in a separate testing account.

  • 91

    An eCommerce application offers a membership program. Members of the program need to be able to download all files in a secured Amazon S3 bucket. The access should be restricted to members of the program and not available to anyone else. An Amazon CloudFront distribution has been created to deliver the content to users around the world. What is the most efficient method a Solutions Architect should use to securely enable access to the files in the S3 bucket?

    Configure the application to send Set-Cookie headers to the viewer and control access to the files using signed cookies.

  • 92

    A finance organization runs a data processing application in an on-premises data center. The application processes input files that are uploaded by users through a web portal. A web server stores the uploaded files on a shared NFS storage appliance and messages the processing server over a message queue. The input files can take up to 1 hour to process and the number of files awaiting processing can be high during business hours and drops outside of business hours. Which of the following is the MOST cost-effective migration recommendation?

    Create an Amazon SQS queue. Configure the existing web server to publish to the new queue. Use Amazon EC2 instances in an EC2 Auto Scaling group to pull requests from the queue and process the files. Scale the EC2 instances based on the SQS queue length. Store the processed files in an Amazon S3 bucket.

  • 93

    A business is transitioning its website from an on-premises setup to AWS, aiming to adopt a containerized microservice architecture for enhanced availability and cost efficiency. In line with the company's stringent security policies, which emphasize minimal privilege for network permissions and privileges, a solutions architect has already deployed the application on an Amazon ECS cluster. To align with these security requirements post-deployment, what two actions should be taken? (Select TWO.)

    Set up the tasks using the awsvpc network mode for enhanced network isolation and control., Attach security groups to the individual tasks and utilize IAM roles specifically designed for tasks to access other AWS resources.

  • 94

    A company is in the planning stages for an application projected to hold around 15 TB of data. They require a Recovery Point Objective (RPO) of less than 5 minutes and a Recovery Time Objective (RTO) of less than 15 minutes. The team is seeking a database solution that not only meets these recovery objectives but also allows for cost-effective failover to a backup AWS Region. Which database solution aligns best with these requirements while minimizing costs?

    Configure an Amazon RDS instance with a cross-Region read replica in an alternative Region. Should the primary Region fail, promote the read replica to become the new primary database.

  • 95

    A company hosts a business-critical monolithic application on an Amazon EC2 instance launched from an Amazon Linux 2 AMI. The company requires that the data on the attached EBS volumes must be backed up to a specific Amazon S3 bucket managed by the company. The security team has mandated against owning any SSH keys for instances, so the operations team is unable to SSH into the instance. Which solution will meet these requirements with the least impact on the critical application?

    Take a snapshot of the EBS volume by using Amazon Data Lifecycle Manager (Amazon DLM). Use the EBS direct APIs to copy the data from the snapshot to Amazon S3.

  • 96

    A company needs to close a data center and must migrate data to AWS urgently. The data center has a 1 Gbps internet connection and a 500 Mbps AWS Direct Connect link. The company must transfer 25 TB of data from the data center to an Amazon S3 bucket. What is the FASTEST method of transferring the data?

    Upload the data to the S3 bucket using S3 Transfer Acceleration.

  • 97

    A company runs an application on Amazon EC2 instances in an Amazon VPC and must access an external security analytics service that runs on an HTTPS REST API. The provider of the external API service can only grant access to a single source public IP address per customer. Which configuration can be used to enable access to the API service using a single IP address without making modifications to the company’s application?

    Launch the Amazon EC2 instances in a private subnet with an outbound route to a NAT gateway in a public subnet. Associate an Elastic IP address to the NAT gateway that can be whitelisted on the external API service.

  • 98

    A Solutions Architect is designing a highly available infrastructure for a popular mobile application that offers games and videos for mobile phone users. The application runs on Amazon EC2 instances behind an Application Load Balancer. The database layer consists of an Amazon RDS MySQL Multi-AZ instance. The entire application stack is deployed across us-east-2 and us-west-1. Amazon Route 53 is configured to route traffic to the two deployments using a latency-based routing policy. A testing team blocked access to the Amazon RDS DB instance in us-east-2 to verify that users who are typically directed to that deployment would be directed to us-west-1. This did not occur and users close to us-east-2 were directed there and the application failed. Which changes to the infrastructure should a Solutions Architect make to resolve this issue? (Select TWO.)

    Set the value of Evaluate Target Health to Yes on the latency alias resources for both us-east-2 and us-west-1., Write a custom health check that verifies successful access to the database endpoints in each Region. Add the health check within the latency-based routing policy in Amazon Route 53.

  • 99

    A company has created a management account and added several member accounts in an AWS Organization. The security team wishes to restrict access to a specific set of AWS services in the existing member accounts. How can this requirement be implemented MOST efficiently?

    Add the member accounts to a single organizational unit (OU). Create a service control policy (SCP) that denies access to the specific set of services and attach it to the OU.

  • 100

    A company has connected their on-premises data center to AWS using a single AWS Direct Connect (DX) connection using a private virtual interface. The company is hosting the front end for a business-critical application in an Amazon VPC. The back end is hosted on-premises and the company requires consistent, reliable, and redundant connectivity between the front end and back end of the application. Which design would provide the MOST resilient connectivity between AWS and the on-premises data center?

    Install a second DX connection from a different network carrier and attach it to the same virtual private gateway as the first DX connection.

    問題一覧

  • 1

    An advertising company hosts static content in an Amazon S3 bucket that is served by Amazon CloudFront. The static content is generated programmatically from a Development account, and the S3 bucket and CloudFront are in a Production account. The build pipeline uploads the files to Amazon S3 using an IAM role in the Development Account. The S3 bucket has a bucket policy that only allows CloudFront to read objects using an origin access identity (OAI). During testing all attempts to upload objects using the to the S3 bucket are denied.. How can a Solutions Architect resolve this issue and allow the objects to be uploaded to Amazon S3?

    Create a new cross-account IAM role in the Production account with write access to the S3 bucket. Modify the build pipeline to assume this role to upload the files to the Production Account.

  • 2

    A new application will ingest millions of records per minute from user devices all over the world. Each record is less than 4 KB in size and must be stored durably and accessed with low latency. The data must be stored for 90 days after which it can be deleted. It has been estimated that storage requirements for a year will be 15-20TB. Which storage strategy is the MOST cost-effective and meets the design requirements?

    Store each incoming record in an Amazon DynamoDB table. Configure the DynamoDB Time to Live (TTL) feature to delete records older than 90 days.

  • 3

    A company is in the process of migrating applications to AWS using multiple accounts in AWS Organizations . The management account is at the root of the Organizations hierarchy. Business units each have different accounts and requirements for the services they need to use. The security team needs to implement controls across all accounts to prohibit many AWS services. In some cases a business unit may have a valid exception to these controls and this must be achievable. Which solution will meet these requirements with minimal optional overhead?

    Use an SCP in Organizations to implement a deny list of AWS services. Apply this SCP at each OU level. Leave the default AWS managed SCP at the root level. For any specific exceptions for an OU, remove the standard deny list SCP and add a new deny list SCP for that OU

  • 4

    A company is planning to migrate on-premises resources to AWS. The resources include over 150 virtual machines (VMs) that use around 50 TB of storage. Most VMs can be taken offline outside of business hours, however, a few are mission critical and downtime must be minimized. The company’s internet bandwidth is fully utilized and cannot currently be increased. A Solutions Architect must design a migration strategy that can be completed within the next 3 months. Which method would fulfill these requirements?

    Set up a 1 Gbps AWS Direct Connect connection. Then, provision a private virtual interface, and use AWS Application Migration Service (MGN) to migrate the VMs into Amazon EC2.

  • 5

    A Solutions Architect is working on refactoring a monolithic application into a modern application design that will be deployed in the AWS Cloud. A CI/CD pipeline should be used that supports the modern design and allows for multiple releases every hour. The pipeline should also ensure that changes can be quickly rolled back if required.
Which design will meet these requirements?

    Use AWS Elastic Beanstalk and create a secondary environment configured as a deployment target for the CI/CD pipeline. To deploy, swap the staging and production environment URLs.

  • 6

    A company recently migrated a high-traffic eCommerce website to the AWS Cloud. The website is experiencing strong growth. Developers use a private GitHub repository to manage code and the DevOps team use Jenkins for builds and unit testing. The Developers need to receive notifications when a build does not work and ensure there is no downtime during deployments. It is also required that any changes to production are seamless for users and can be easily rolled back if a significant issue occurs. A Solutions Architect is finalizing the design for the environment and will use AWS CodePipeline to manage the build and deployment process. What other steps should be taken to meet the requirements?

    Use GitHub webhooks to trigger the CodePipeline pipeline. Use the Jenkins plugin for AWS CodeBuild to conduct unit testing. Send alerts to an Amazon SNS topic for any bad builds. Deploy in a blue/green deployment using AWS CodeDeploy.

  • 7

    A Solutions Architect must enable an AWS CloudHSM M of N access control—also named a quorum authentication mechanism—to allow security officers to make administrative changes to a hardware security module (HSM). The new security policy states that at least two of the four security officers must authorize any administrative changes to CloudHSM. This is the first time this configuration has been setup. Which steps must be taken to enable quorum authentication (Select TWO.)

    Using the cloudhsm_mgmt_util command line tool, enable encrypted communication, login as a CO, and set the Quorum minimum value to two using the setMValue command., Using the cloudhsm_mgmt_util command line tool, enable encrypted communication, login as a CO, and register a key for signing with the registerMofnPubKey command.

  • 8

    A company runs a two-tier application that uses EBS-backed Amazon EC2 instances in an Auto Scaling group and an Amazon Aurora PostgreSQL database. The company intends to use a pilot light approach for disaster recovery in a different AWS Region. The company has an RTO of 6 hours and an RPO of 24 hours. Which solution would achieve the requirements with MINIMAL cost?

    Use AWS Lambda to create daily EBS snapshots and copy them to the disaster recovery Region. Implement an Aurora Replica in the DR Region. Use Amazon Route 53 with an active-passive failover configuration. Use Amazon EC2 in an Auto Scaling group with the capacity set to 0 in the disaster recovery Region.

  • 9

    A company wants to host a web application on AWS. The application will be used by users around the world. A Solutions Architect has been given the following design requirements: · Allow the retrieval of data from multiple data sources. · Minimize the cost of API calls. · Reduce latency for user access. · Provide user authentication and authorization and implement role-based access control. · Implement a fully serverless solution. How can the Solutions Architect meet these requirements?

    Use Amazon CloudFront with Amazon S3 to host the web application. Use AWS AppSync to build the application APIs. Use Amazon Cognito groups for RBAC. Authorize data access by leveraging Cognito groups in AWS AppSync resolvers.

  • 10

    A company is running a two-tier web-based application in an on-premises data center. The application layer consists of a single server running a stateless application. The application connects to a PostgreSQL database running on a separate server. A Solutions Architect is planning a migration to AWS. The company requires that the application and database layer must be highly available across three availability zones. Which solution will meet the company’s requirements?

    Create an Auto Scaling group of Amazon EC2 instances across three availability zones behind an Application Load Balancer. Create an Amazon Aurora PostgreSQL database in one AZ and add Aurora Replicas in two more AZs.

  • 11

    An e-commerce company has developed a newer version of a shopping application with many new features. But before rolling it out to the public, they want to test the new version incrementally using small incremental deployments. The application is deployed using AWS CloudFormation and uses multiple AWS Lambda functions. Which solution will meet these requirements?

    Enable versioning for the AWS Lambda function and associate an alias for every new version. Use the AWS CLI ‘update-alias’ command with the ‘routing-config’ parameter to distribute the load.

  • 12

    An S3 endpoint has been created in an Amazon VPC. A staff member assumed an IAM role and attempted to download an object from a bucket using the endpoint. The staff member received the error message “403: Access Denied”. The bucket is encrypted using an AWS KMS key. A Solutions Architect has verified that the staff member assumed the correct IAM role and the role does allow the object to be downloaded. The bucket policy and NACL are also valid. Which additional step should the Solutions Architect take to troubleshoot this issue?

    Verify that the IAM role has permission to decrypt the referenced KMS key.

  • 13

    A Solutions Architect has deployed a REST API using an Amazon API Gateway Regional endpoint. The API will be consumed by a growing number of US-based companies. Each company will use the API twice each day to get the latest data. Following the deployment of the API the operations team noticed thousands of requests coming from hundreds of IP addresses around the world. The traffic is believed to be originating from a botnet. The Solutions Architect must secure the API while minimizing cost. Which approach should the company take to secure its API?

    Create an AWS WAF web ACL with a rule to allow access from the IP addresses used by the companies. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.

  • 14

    A company requires an application in which employees can log expense claims for processing. The expense claims are typically submitted each week on a Friday. The application must store data in a format that will allow the finance team to be able to run end of month reports. The solution should be highly available and must scale seamlessly based on demand. Which combination of solution options meets these requirements with the LEAST operational overhead? (Select TWO.)

    Store the expense claim data in Amazon S3. Use Amazon Athena and Amazon QuickSight to generate the reports using Amazon S3 as the data source., Deploy the application front end to an Amazon S3 bucket served by Amazon CloudFront. Deploy the application backend using Amazon API Gateway with an AWS Lambda proxy integration.

  • 15

    An online retailer is updating its catalogue of products. The retailer has a dynamic website which uses EC2 instances for web and application servers. The web tier is behind an Application Load Balancer and the application tier stores data in an Amazon Aurora MySQL database. There is additionally a lot of static content and most website traffic is read-only. The company is expecting a large spike in traffic to the website when the new catalogue is launched and optimal performance is a high priority. Which combination of steps should a Solutions Architect take to reduce system response times for a global audience? (Select TWO.)

    Configure an Aurora global database for storage-based cross-Region replication. Use Amazon S3 with cross-Region replication for static content and resources and create Amazon CloudFront distributions., Use Amazon Route 53 with a latency-based routing policy. Create Auto Scaling groups for the web and application tiers and deploy them in multiple global Regions.

  • 16

    A healthcare organization is looking to establish a robust disaster recovery (DR) strategy for its patient record management system, currently hosted in their local data center. The system primarily handles two types of data: patient records (text-based) and diagnostic images (large files). Both sets of data are stored on SMB file shares in the data center. The organization requires a backup solution on AWS, ensuring that in case of a disaster, the data can be accessed via SMB from AWS or the data center. The backup data is infrequently accessed but must be retrievable within a short time frame. Which AWS solution would be most appropriate for these needs?

    Deploy an Amazon S3 File Gateway, configuring it to store both patient records and diagnostic images in Amazon S3 Standard-Infrequent Access (S3 Standard-IA), accessible via SMB.

  • 17

    A company is creating a multi-account structure using AWS Organizations. The accounts will include the Management account, Production account, and Development account. The company requires auditing for all API actions across accounts. A Solutions Architect is advising the company on how to configure the accounts. Which of the following recommendations should the Solutions Architect make? (Select TWO.)

    Enable AWS CloudTrail and keep all CloudTrail trails and logs in the management account., Create user accounts in the Production and Development accounts.

  • 18

    A multinational corporation with offices in different regions has several AWS accounts, each managed by local IT teams. The corporation's central IT department, based in their headquarters, needs to gain oversight, and implement standardized security policies across all these regional AWS accounts. A solutions architect is tasked with enabling the central IT department to efficiently manage security policies and monitor compliance across all regional AWS accounts. After setting up AWS Organizations and inviting all regional accounts to join, what should be the next step to meet these requirements?

    In each regional account, establish the SecurityAudit IAM role and grant permission to the central account to assume this role.

  • 19

    An application currently runs on Amazon EC2 instances in a single Availability Zone. A Solutions Architect has been asked to re-architect the solution to make it highly available and secure. The security team has requested that all inbound requests are filtered for common vulnerability attacks and all rejected requests must be sent to a third-party auditing application. Which solution meets the high availability and security requirements?

    Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Create an Amazon Kinesis Data Firehose with a destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the WebACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.

  • 20

    A company is setting up a new big data analytics cluster on AWS, which will operate on numerous Linux Amazon EC2 instances distributed across several Availability Zones. The cluster requires a shared file storage system that all nodes can read from and write to. This storage must not only be highly available and resilient but also POSIX-compliant and capable of handling substantial throughput levels. What storage solution should be adopted to fulfill these criteria?

    Establish a new Amazon Elastic File System (Amazon EFS) using the Max I/O performance mode and mount this EFS file system on each EC2 instance in the cluster.

  • 21

    A company is closing an on-premises data center and needs to move some business applications to AWS. There are over 100 applications that run on virtual machines in the data center. The applications are simple PHP, Java, Ruby, and Node.js web applications. The applications are not developed and are not heavily utilized. A Solutions Architect must determine the best approach to migrate these applications to AWS with the LOWEST operational overhead. Which method best fits these requirements?

    Deploy each application to a single-instance AWS Elastic Beanstalk environment without a load balancer.

  • 22

    A company captures financial transactions in Amazon DynamoDB tables. The security team is concerned about identifying fraudulent behavior and has requested that all changes to items stored in DynamoDB tables must be logged within 30 minutes. How can a Solutions Architect meet this requirement?

    Use Amazon DynamoDB Streams to capture and send updates to AWS Lambda. Create a Lambda function to output records to Amazon Kinesis Data Streams. Analyze any anomalies with Amazon Kinesis Data Analytics. Send SNS notifications when anomalous behaviors are detected.

  • 23

    In a corporation using AWS Organizations, there's a requirement to supervise Amazon EC2 resource utilization across different accounts. The goal is to create a mechanism that sends daily notifications to the company's IT architecture team when the EC2 resource usage exceeds the average of the previous 45 days by more than 15%. What strategy should be employed to meet this objective?

    Set up a monitoring system in the organization's central account using AWS Budgets. Focus on tracking the hours of EC2 instance operation, setting a monitoring interval to daily. Define a budget limit that is 15% above the 45-day average usage of EC2, as determined by AWS Cost Explorer, and configure alerts for the architecture team when this limit is reached.

  • 24

    A finance company needs to implement a solution to share a common network across multiple AWS accounts which are a part of an AWS organization. The company's operations team uses a dedicated operations account with a VPC, and this must be used for network management. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets. Which combination of actions should be taken to meet these requirements? (Select TWO.)

    Enable resource sharing from the AWS Organizations management account., Create a resource share in AWS Resource Access Manager in the operations account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.

  • 25

    A company plans to migrate physical servers and VMs from an on-premises data center to the AWS Cloud using AWS Migration Hub. The VMs run on a combination of VMware and Hyper-V hypervisors. A Solutions Architect must determine the best services for data collection and discovery. The company has also requested the ability to generate reports from the collected data. Which solution meets these requirements?

    Use the AWS Application Discovery Service agent for data collection on physical servers and Hyper-V. Use the AWS Agentless Discovery Connector for data collection on VMware. Store the collected data in Amazon S3. Query the data with Amazon Athena. Generate reports by using Amazon QuickSight.

  • 26

    A mobile app has become extremely popular with global usage increasing to millions of users. The app allows users to capture and upload funny images of animals and add captions. The current application runs on Amazon EC2 instances with Amazon EFS storage behind an Application Load Balancer. The data access patterns are unpredictable and during peak periods the application has experienced performance issues. Which changes should a Solutions Architect make to the application architecture to control costs and improve performance?

    Use an Amazon S3 bucket for static images and use the Intelligent Tiering storage class. Use an Amazon CloudFront distribution in front of the S3 bucket and AWS Lambda for processing the images.

  • 27

    A Solutions Architect has been tasked with migrating an application to AWS. The application includes a desktop client application and web application. The web application has an uptime SLA of 99.5%. The Solutions Architect must re-architect the application to meet or exceed this SLA. The application contains a MySQL database running on a single virtual machine. The web application uses multiple virtual machines with a load balancer. Remote users complain about slow load times while using this latency-sensitive application. The Solutions Architect must minimize changes to the application whilst improving the user experience, minimizing costs, and ensuring the availability requirements are met. Which solution best meets these requirements?

    Migrate the database to an Amazon RDS Aurora MySQL configuration. Host the web application on an Auto Scaling configuration of Amazon EC2 instances behind an Application Load Balancer. Use Amazon AppStream 2.0 to improve the user experience.

  • 28

    A media publishing company has created an online bookstore which gives users access to books and other reference material. These materials can be downloaded by users and new materials can also be uploaded on the portal. According to company requirements, all data must be encrypted in transit and at rest. A solutions architect is building the solution by using Amazon S3 and Amazon CloudFront. Which combination of steps will meet the encryption requirements? (Select THREE.)

    Create a bucket policy that denies any unencrypted operations in the S3 bucket that the web application uses., Turn on the S3 server-side encryption for the S3 bucket in use., Configure redirection of HTTP requests to HTTPS requests in CloudFront.

  • 29

    A company has created a fitness tracking mobile app that uses a serverless REST API. The app consists of an Amazon API Gateway API with a Regional endpoint, AWS Lambda functions and an Amazon Aurora MySQL database cluster. The company recently secured a deal with a sports company to promote the new app which resulted in a significant increase in the number of requests received. Unfortunately, the increase in traffic resulted in sporadic database memory errors and performance degradation. The traffic included significant numbers of HTTP requests querying the same data in short bursts of traffic during weekends and holidays. The company needs to improve its ability to support the additional usage while minimizing the increase in costs associated with the solution. Which strategy meets these requirements?

    Convert the API Gateway Regional endpoint to an edge-optimized endpoint. Enable caching in the production stage.

  • 30

    A company runs an eCommerce web application on a pair of Amazon EC2 instances behind an Application Load Balancer. The application stores data in an Amazon DynamoDB table. Traffic has been increasing with some major sales events and read and write traffic has slowed down considerably over the busiest periods. Which option provides a scalable application architecture to handle peak traffic loads with the LEAST development effort?

    Use Auto Scaling groups for the web application and use DynamoDB auto scaling.

  • 31

    A rapidly growing online retail company is experiencing performance issues during high-traffic events like sales and holidays. The company's current architecture includes a web application running on several Amazon EC2 instances, managed by an Elastic Load Balancer. The application relies on Amazon RDS for data storage. During peak times, the website experiences slow response times and occasional downtime. Which solution would effectively scale the application architecture to handle high-traffic periods with minimal development effort?

    Use Auto Scaling groups for the EC2 instances and enable RDS auto scaling to dynamically adjust the database capacity based on demand.

  • 32

    A company leases data center space in a co-location facility and needs to move out before the end of the financial year in 90 days. The company currently runs 150 virtual machines and a NAS device that holds over 50 TB of data. Access patterns for the data are infrequent but when access is required it must be immediate. The VM configurations are highly customized. The company has a 1 Gbps internet connection which is mostly idle and almost completely unused outside of business hours. Which combination of steps should a Solutions Architect take to migrate the VMs to AWS with minimal downtime and operational impact? (Select TWO.)

    Migrate the NAS data to AWS using AWS Storage Gateway., Migrate the virtual machines with AWS Application Migration Service.

  • 33

    A company needs to host a highly available and secure image processing application in AWS. Their VPC architecture consists of a public and a private subnet within an Amazon VPC traversing two Availability Zones. The application is hosted on Amazon EC2 instances in the private subnet. The application needs to communicate with the internet via two NAT gateways and uses an Application Load Balancer in the public subnet. Images are stored in an Amazon S3 bucket which averages around 1 TB of new objects per day. A solutions architect must reduce the associated cost of the solution and reduce manual effort while maintaining security. How can this be accomplished?

    Set up an S3 gateway VPC endpoint in the VPC. Attach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.

  • 34

    A company is running an application on an on-premises VMware cluster that must be migrated to an Amazon EC2 instance. While migrating, they wish to preserve the software and configuration settings. What is the best strategy to meet these requirements?

    Use the VMware vSphere client to export the application as an image in Open Virtualization Format (OVF) format. Create an Amazon S3 bucket to store the image in the destination AWS Region. Create and apply an IAM role for VM Import. Use the AWS CLI to run the EC2 import command.

  • 35

    A company runs a single application in an AWS account. The application uses an Auto Scaling Group of Amazon EC2 instances with a combination of Reserved Instances (RIs) and On-Demand instances. To maintain cost-effectiveness the RIs should cover 70% of the workload. The solution should include the ability to alert the DevOps team if coverage drops below the 70% threshold. Which set of steps should a Solutions Architect take to create the report and alert the DevOps team?

    Use AWS Budgets to create a budget for RI coverage and set the threshold to 70%. Configure an alert that notifies the DevOps team.

  • 36

    A company runs a web application in an on-premises data center in Paris. The application includes stateless web servers behind a load balancer, shared files in a NAS device, and a MySQL database server. The company plans to migrate the solution to AWS and has the following requirements: · Provide optimum performance for customers. · Implement elastic scalability for the web tier. · Optimize the database server performance for read-heavy workloads. · Reduce latency for users across Europe and the US. · Design the new architecture with a 99.9% availability SLA. Which solution should a Solutions Architect propose to meet these requirements while optimizing operational efficiency?

    Use an Application Load Balancer (ALB) in front of an Auto Scaling group of Amazon EC2 instances in one AWS Region and three Availability Zones. Configure an Amazon ElastiCache cluster in front of a Multi-AZ Amazon Aurora MySQL DB cluster. Move the shared files to Amazon EFS. Configure Amazon CloudFront with the ALB as the origin and select a price class that includes the US and Europe.

  • 37

    A company runs several IT services in an on-premises data center that is connected to AWS using an AWS Direct Connect (DX) connection. The service data is sensitive and the company uses an IPSec VPN over the DX connection to encrypt data. Security requirements mandate that the data cannot traverse the internet. The company wants to offer the IT services to other companies who use AWS. Which solution will meet these requirements?

    Create a VPC Endpoint Service that accepts TCP traffic and host it behind a Network Load Balancer. Enable access to the IT services over the DX connection.

  • 38

    An Amazon RDS database was created with encryption enabled using an AWS managed CMK. The database has been reclassified and no longer requires encryption. How can a Solutions Architect unencrypt the database with the LEAST operational overhead?

    Export the data from the DB instance and import the data into an unencrypted DB instance.

  • 39

    A company is running several development projects. Developers are assigned to a single project but move between projects frequently. Each project team requires access to different AWS resources. Currently, there are projects for serverless, analytics, and database development. The resources used within each project can change over time. Developers require full control over the project they are assigned to and no access to the other projects. When developers are assigned to a different project or new AWS resources are added, the company wants to minimize policy maintenance. What type of control policy should a Solutions Architect recommend?

    Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to an IAM group. Change the group membership when developers change projects. Update the policy document when the set of resources changes.

  • 40

    A company uses AWS CodePipeline to manage an application that runs on Amazon EC2 instances in an Auto Scaling group. All AWS resources are defined in CloudFormation templates. Application code is stored in an Amazon S3 bucket and installed at launch time using lifecycle hooks with EventBridge and AWS Lambda. Recent changes in the CloudFormation templates have resulted in issues that have caused outages, and management requires a solution to ensure this situation is not repeated. What should a Solutions Architect do to reduce the likelihood that future changes in the templates will cause downtime?

    Use AWS CodeBuild for automated testing. Use CloudFormation change sets to evaluate changes ahead of deployment. Use AWS CodeDeploy to leverage blue/green deployment patterns.

  • 41

    A car rental company operates a serverless REST API, which includes an Amazon API Gateway with a Regional endpoint, AWS Lambda functions, and an Amazon Aurora MySQL Serverless DB cluster. This API, initially serving a mobile app, has been extended to partner mobile apps, leading to a substantial increase in requests and occasional database memory errors. Analysis shows that clients frequently make repeated HTTP GET requests for the same queries in short intervals, especially during business hours and around holidays. To enhance the system's capacity to handle this increased load without significantly raising costs, what approach should the company adopt?

    Integrate an Amazon ElastiCache for Redis layer to cache database query results. Update the Lambda functions to retrieve data from this cache when available.

  • 42

    An application runs on a fleet of Amazon ECS instances and stores data in an Amazon S3 bucket. Until recently the application had been working well and then started to fail to upload objects to the S3 bucket. Server access logging has been enabled and 403 errors have been identified since the time of the fault. The ECS cluster has been set up according to best practices and no changes have been made to the S3 bucket policy or IAM roles used to access the bucket. What is the most LIKELY cause of the failure?

    The ECS task IAM role was modified.

  • 43

    A company has a line of business (LOB) application that is used for storing sales data for an eCommerce platform. The data is unstructured and stored in an Oracle database running on a single Amazon EC2 instance. The application front end consists of six EC2 instances in three Availability Zones (AZs). Each week the application receives bursts of traffic and application performance suffers. A Solutions Architect must design a solution to address scalability and reliability. The solutions should also eliminate licensing costs. Which set of steps should the Solutions Architect take?

    Create an Auto Scaling group for the front end with a combination of Reserved instances and Spot Instances to reduce costs. Convert the tables in the Oracle database into Amazon DynamoDB tables.

  • 44

    An application publishes data continuously to Amazon DynamoDB using an AWS Lambda function. The DynamoDB table has an auto scaling policy enabled with the target utilization set to 70%. There are short predictable periods in which a large volume of data is received and this can exceed the typical load by up to 300%. The AWS Lambda function writes ProvisionedThroughputExceededException messages to Amazon CloudWatch Logs during these times, and some records are redirected to the dead letter queue. What change should the company make to resolve this issue?

    Use Application Auto Scaling to scale out write capacity on the DynamoDB table based on a schedule.

  • 45

    A company runs a Java application on Amazon EC2 instances. The DevOps team uses a combination of Amazon CloudFormation and AWS OpsWorks to update the infrastructure and application stacks respectively. During recent updates the DevOps team reported service disruption issues that affected the Java application running on the Amazon EC2 instances. Which solution will increase the reliability of application updates?

    Implement a blue/green deployment strategy.

  • 46

    A company has an application that generates data exports which are saved as CSV files in an Amazon S3 bucket. The data is generally confidential and only accessed by IAM users. An individual CSV file must be shared with an external organization. A Solutions Architect used an IAM user account to attempt to perform a PUT Object call to enable a public ACL on the object and it failed with “insufficient permissions”. What is the most likely cause of this issue?

    The bucket has the BlockPublicAcls setting set to TRUE.

  • 47

    A company has a security policy that requires that all internal application connectivity must use private IP addresses. A Solutions Architect has created interface endpoints in private subnets to connect to AWS public services. The Solutions Architect tested the configuration and the connectivity failed. Which configuration change should the Solutions Architect make to resolve the issue?

    Configure the security group on the interface endpoint to allow connectivity to the AWS services.

  • 48

    A financial services company is developing a secure web application on AWS. This application will handle sensitive customer data and needs to be accessible only within the company's corporate network. The application is hosted on Amazon EC2 instances within a VPC. The company wants to ensure that this web application is not accessible from the public internet for enhanced security. An AWS solutions architect must ensure that the web application is only accessible from the company's corporate network and not from the public internet. Which action should be taken?

    Create a VPN connection between the company’s corporate network and the VPC. Configure security groups for the EC2 instances to only allow traffic from the VPN connection.

  • 49

    A company has several Amazon RDS databases each with over 50 TB of data. Management have requested the ability to generate a weekly business report from the databases. The system should support ad-hoc SQL queries. What is the MOST cost-effective solution for the Business Intelligence platform?

    Configure an AWS Glue crawler to crawl the databases and create tables in the AWS Glue Data Catalog. Create an AWS Glue ETL job that loads data from the RDS databases to Amazon S3. Use Amazon Athena to run the queries.

  • 50

    A Solutions Architect wants to make sure that only IAM users with appropriate permissions can access a new Amazon API Gateway endpoint. How can the Solutions Architect design the API Gateway access control to meet this requirement?

    Set the authorization to AWS_IAM for the API Gateway method. Create a permissions policy that grants execute-api:Invoke permission on the REST API resource and attach it to a group containing the IAM user accounts.

  • 51

    A company uses an AWS account with resources deployed in multiple Regions globally. Operations teams deploy and manage resources within each Region. Some Region-specific service quotas have been reached causing an inability for the local operations teams to deploy resources. A centralized cloud team is responsible for monitoring and updating service quotas. The cloud team needs to create an automated and operationally efficient solution to proactively monitor service quotas. Monitoring should occur every 15 minutes and send alerts when a team exceeds 80% utilization. Which solution will meet these requirements?

    Create an Amazon EventBridge rule that triggers an AWS Lambda function to use AWS Trusted Advisor to retrieve the most current utilization and service limit data. If the current utilization is above 80%, publish a message to an Amazon SNS topic to alert the cloud team.

  • 52

    A media company runs an application that uses a static website configured in an Amazon S3 bucket and an Amazon CloudFront distribution. The website calls an Amazon API Gateway REST API, and an AWS Lambda function backs each API method. The company wants to generate a CSV report every 2 weeks that records the following for each Lambda function: · Recommended configured memory. · Recommended cost. · Price difference between current configurations and the recommendations. Which solution will meet these requirements with the LEAST development time?

    Use AWS Compute Optimizer. Call the “ExportLambdaFunctionRecommendations” operation for the Lambda functions. Export the .csv file to an S3 bucket. Create an Amazon EventBridge rule to schedule the Lambda function to run every 2 weeks.

  • 53

    A secure web application runs in an Amazon VPC that has a public subnet and a private subnet. An Application Load Balancer is deployed into the public subnet. Each subnet has a separate Network ACL. The public subnet CIDR range is 10.1.0.0/24 and the private subnet CIDR range is 10.1.1.0/24. The web application is deployed on Amazon EC2 instances in the private subnet. Which combination of rules should be defined on the private subnet’s Network ACL to allow access from internet-based clients? (Select TWO.)

    An inbound rule for port 443 from source 10.1.0.0/24., An outbound rule for ports 1024 through 65535 to destination 10.1.0.0/24.

  • 54

    A start-up company has created a new serverless application which includes an AWS Lambda function which sits behind an Amazon API Gateway and an Amazon CloudFront CDN. The development team is currently using AWS CLI scripts to update the versions of Lambda functions. In case an error is detected, a different CLI script is used to roll back the version to the previous stable one. A solutions architect needs to optimize this process and reduce the time taken to switch versions and detect the error in Lambda functions. How can this be accomplished?

    Use AWS SAM and built-in AWS CodeDeploy to deploy the new Lambda version, gradually shift traffic to the new version, and use pre-traffic and post-traffic test functions to verify code. Roll back if an Amazon CloudWatch alarm is triggered.

  • 55

    A fleet of EC2 instances generates a large quantity of data and stores the data on an Amazon EFS file system. The EC2 instances also back up the data by uploading it to an Amazon S3 bucket in another Region on a daily basis. Some S3 uploads have been failing and the storage costs have significantly increased. The operations team has removed the failed uploads. How can a Solutions Architect configure the backup jobs to efficiently back up data to S3 while reducing storage costs?

    Use multipart upload for the backup jobs. Create a lifecycle policy for the incomplete multipart uploads on the S3 bucket to prevent new failed uploads from accumulating.

  • 56

    A serverless application uses an AWS Lambda function behind an Amazon API Gateway REST API. During busy periods thousands of simultaneous invocations are required and requests fail multiple times before succeeding. The operations team has checked for AWS Lambda errors and did not find any. A Solutions Architect must investigate the root cause of the issue. What is the most likely cause of this problem?

    The throttle limit on the REST API is configured too low. During busy periods some requests are being throttled and are not reaching the Lambda function.

  • 57

    An eCommerce website consists of a two-tier architecture. Amazon EC2 instances in an Auto Scaling group are used for the web server layer behind an Application Load Balancer (ALB). The web servers run a PHP application on Apache Tomcat. The database layer runs on an Aurora MySQL database instance. Recently, a large sales event caused some errors to occur for customers when placing orders on the website. The operations team collected logs from the web servers and reviewed Aurora DB cluster performance metrics. Several web servers were terminated by the ASG before the logs could be collected and the Aurora metrics were not sufficient for query performance analysis. Which combination of steps should a Solutions Architect take to improve application performance visibility during peak traffic events? (Select THREE.)

    Implement the AWS X-Ray SDK to trace incoming HTTP requests on the EC2 instances and implement tracing of SQL queries with the X-Ray SDK for PHP., Install and configure an Amazon CloudWatch Logs agent on the EC2 instances to send the Apache logs to CloudWatch Logs., Configure the Aurora MySQL DB cluster to generate slow query logs by setting parameters in the parameter group.

  • 58

    A company's serverless application, comprising several AWS Lambda functions and Amazon DynamoDB tables, is undergoing an upgrade to include interaction with an Amazon Neptune DB cluster. This cluster is distributed across two subnets within a VPC. Identify two solutions that would enable the Lambda functions to access both the Neptune DB cluster and the DynamoDB tables (Select TWO.)

    Configure two private subnets in the Neptune VPC and route internet traffic via a NAT gateway. Deploy the Lambda functions in these private subnets., Create two new subnets in the Neptune VPC, specifically for hosting the Lambda functions. Implement a VPC endpoint for DynamoDB to facilitate direct access from these subnets.

  • 59

    A development team created a service that uses an AWS Lambda function to store information in an Amazon RDS Database. The database credentials are stored in clear text in the Lambda function code. A Solutions Architect is advising the development team on how to better secure the service. Which of the following should the Solutions Architect recommend? (Select TWO.)

    Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation., Create encrypted database credentials in AWS Secrets Manager for the Amazon RDS database.

  • 60

    A start-up company has been using bastion hosts to connect to EC2 instances which are based on the latest Amazon Linux 2 AMI. They use these bastion hosts to SSH into EC2 instances to view logs and perform other troubleshooting activities. So far, they have configured a VPC with private and public subnets, and a NAT gateway. Also, they have a Site-to-Site VPN for connectivity with the on-premises environment and EC2 security groups with direct SSH access from the on-premises environment. To increase security control and comply with auditing requirements around access to instances, which strategy should a solutions architect use?

    Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.

  • 61

    An application runs across a fleet of Amazon EC2 instances in an Auto Scaling group. Application logs are collected from the EC2 instances using a cron job that is scheduled to run every 30 minutes. The cron job saves the log files to an Amazon S3 bucket. Failures and scaling events have caused some logs to be lost as the instances have been lost before the cron job collected the log files. Which of the following options is the MOST reliable way of collecting and preserving the log files?

    Use the Amazon CloudWatch Logs agent to stream log messages directly to CloudWatch Logs. Configure the batch_count parameter to 1.

  • 62

    A company runs a high performance computing (HPC) application in an on-premises data center. The solution consists of a 10-node cluster running Linux with high-speed inter-node connectivity. The company is planning to migrate the application to the AWS Cloud. A Solutions Architect needs to design the solution architecture on AWS to ensure optimum performance for the HPC cluster. Which combination of steps will meet these requirements? (Select TWO.)

    Deploy Amazon EC2 instances in a placement group., Use Amazon EC2 instances that support Elastic Fabric Adapter (EFA).

  • 63

    An online shopping portal is running in eu-west-1 region. One of the application components uses AWS Lambda functions and stores inventory data in an Amazon Aurora database. Deployment of the Lambda functions is performed using a deployment package. The company has configured automated backups for Aurora. The company wants to move the application to another AWS account within the same AWS organization. The application processes critical data and downtime must be minimized or avoided if possible. Which solution will meet the requirements for moving this application from the source account to the target account?

    Download the Lambda function package from the source account. Use the deployment package and create new Lambda functions in the target account. Share the Aurora DB cluster with the target account by using AWS Resource Access Manager (AWS RAM). Grant the target account permission to clone the Aurora DB cluster.

  • 64

    A web application is being deployed on Amazon EC2 instances and requires that users authenticate before they can access content. The solution needs to be configured so that it is highly available. Once authenticated, users should remain connected even if an underlying instance fails. Which solution will meet these requirements?

    Create an Auto Scaling group for the EC2 instances and use an Application Load Balancer to direct incoming requests. Use Amazon DynamoDB to save the authenticated connection details.

  • 65

    A company needs to deploy an application into an AWS Region across multiple Availability Zones and has several requirements for the deployment. The application requires access to 100 GB of static data before the application starts and must be able to scale up and down quickly. Startup time must be minimized as much as possible. The Operations team must be able to install critical OS patches within 48 hours of release. The solution should also be cost-effective. Which deployment strategy meets these requirements?

    Use Amazon EC2 Auto Scaling with an AMI that includes the latest OS patches. Mount an Amazon EFS file system with the static data to the EC2 instances at launch time.

  • 66

    A company stores highly confidential information in an Amazon S3 bucket. The security team have evaluated the security of the configuration and have come up with some new requirements that must be met. The security team now requires the ability to identify the IP addresses that make requests to the bucket to be able to identify malicious actors. They additionally require that any changes to the bucket policy are automatically remediated and alerts of these changes are sent to their team members. Which strategies should a Solutions Architect use to meet these requirements?

    Identify the IP addresses in Amazon S3 requests with Amazon S3 access logs and Amazon Athena. Use AWS Config with Auto Remediation to remediate any changes to S3 bucket policies. Configure alerting with AWS Config and Amazon SNS.

  • 67

    An application runs on Amazon EC2 instances in a private subnet within an Amazon VPC. The application stores files in a specific Amazon S3 bucket. The files should not traverse the internet and only the application instances should be granted access to save files to the S3 bucket. A gateway endpoint has been created for Amazon S3 and connected to the Amazon VPC. What additional steps should a Solutions Architect take to meet the stated requirements?

    Attach an endpoint policy to the gateway endpoint that restricts access to the specific S3 bucket. Assign an IAM role to the EC2 instances and attach a policy to the S3 bucket that grants access only to this role.

  • 68

    A security team has discovered that developers have been storing IAM secret access keys in AWS CodeCommit repositories. The security team requires that measures are put in place to automatically find and remediate all instances of this vulnerability on an ongoing basis. Which solution meets these requirements?

    Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If any credentials are found, disable them and notify the user.

  • 69

    A manufacturing company collects data from IoT devices in JSON format. The data is collected, transformed, and stored in a data warehouse for analysis using an analytics tool that uses ODBC. The performance of the current solution suffers under high loads due to insufficient compute capacity and incoming data is often lost. The application will be migrated to AWS. The solution must support the current analytics tool, resolve the compute constraints, and be cost-effective. Which solution meets these requirements?

    Re-architect the application. Load the data into Amazon S3. Use AWS Glue to transform the data. Store the table schema in an AWS Glue Data Catalog. Use Amazon Athena to query the data.

  • 70

    A healthcare organization is planning to transition its on-premises data processing workloads to AWS. Before migration, the organization needs a thorough assessment of its current server infrastructure to determine appropriate sizing for Amazon EC2 instances. Key data to be collected includes CPU and memory usage, network I/O, and a list of active services on each server. Additionally, the organization wants to analyze network traffic patterns to understand dependencies between servers. What is the most cost-effective method to gather this comprehensive data for migration planning?

    Implement AWS Application Discovery Service with the installation of its data collection agent on each server in the organization's data center to gather detailed server usage and network data.

  • 71

    A corporation is seeking to develop a disaster recovery (DR) plan for its web application, which is currently operational in a single AWS Region. This application utilizes a microservices architecture with services running on AWS Fargate within Amazon Elastic Container Service (ECS). The data layer is handled by an Amazon RDS for MySQL database, and DNS management is conducted through Amazon Route 53. An Amazon CloudWatch alarm is configured to trigger an Amazon EventBridge rule in the event of an application failure. The task is to design a DR strategy that enables quick restoration of the application in a different AWS Region following a failure. Which approach would best meet these requirements?

    Set up a standby ECS cluster and service on Fargate in a different Region. Create a cross-Region RDS read replica in this new Region. Design an AWS Lambda function to promote the read replica to a primary database and reconfigure Route 53 to reroute traffic to the standby ECS cluster. Adjust the EventBridge rule to include this Lambda function as a target.

  • 72

    An on-premises analytics database running on Oracle will be migrated to the cloud. The database runs on a single virtual machine (VM), and multiple client VMs run a Java-based web application that is used to perform SQL queries against the database. All virtual machines will be migrated to the cloud. The database uses 2 TB of storage, and each client VM has a different configuration and saves stored procedures and query results in its local file system. A 10 Gbps AWS Direct Connect (DX) connection is established, and the application can be migrated during a scheduled 48-hour change window. Which strategy will reduce the operational overhead on the database and have the LEAST impact on the operations staff after the migration?

    Use AWS DMS to migrate the database to Amazon RDS. Replicate the client VMs into AWS using AWS SMS. Create Route 53 A records for each client VM.

  • 73

    A company is planning to migrate a containerized application to Amazon ECS. The company wishes to reduce instance costs as much as possible whilst reducing the probability of service interruptions. How should a Solutions Architect configure the solution?

    Use Amazon ECS Spot instances and configure Spot Instance Draining.

  • 74

    A Solutions Architect is designing a publicly accessible web application that runs from an Amazon S3 website endpoint. The S3 website is the origin for an Amazon CloudFront distribution. After deploying the solution the operations team ran some tests and received an “Error 403: Access Denied” message when attempting to connect. What should the Solutions Architect check to determine the root cause of the issue? (Select TWO.)

    Check if the S3 bucket is encrypted using AWS KMS., Check if the S3 block public access option is enabled on the S3 bucket.

  • 75

    A financial company stores personally identifiable information (PII) in an Amazon S3 bucket which currently does not have versioning enabled. The current configuration has server-side encryption with S3 managed encryption keys (SSE-S3) enabled to encrypt the objects. According to a new requirement, all current and future objects in the S3 bucket must be encrypted by keys that the company's security team manages. Which solution will meet these requirements?

    Change the default encryption on the S3 bucket to server-side encryption with AWS KMS keys (SSE-KMS) using a customer managed key. Set an S3 bucket policy that denies PutObject requests that do not specify SSE-KMS. Use the AWS CLI to re-upload all existing objects in the S3 bucket so they are re-encrypted under the new key (default encryption applies only to objects written after the change).

  • 76

    An eCommerce company runs an application that records product registration information. The application uses an Amazon S3 bucket for storing files and an Amazon DynamoDB table to store customer record data. The application software runs in us-west-1 and eu-central-1. The S3 bucket and DynamoDB table are in us-west-1. A Solutions Architect has been asked to implement protection from data corruption and the loss of connectivity to either Region. Which solution meets these requirements?

    Create a DynamoDB global table to replicate data between us-west-1 and eu-central-1. Enable continuous backup on the DynamoDB table in us-west-1. Set up S3 cross-region replication from us-west-1 to eu-central-1.

  • 77

    A company is migrating an application into AWS. The application code has already been installed and tested on Amazon EC2. The database layer consists of a 25 TB MySQL database in the on-premises data center. There is a 50 Mbps internet connection and an IPSec VPN connection to the Amazon VPC. The company plans to go live on AWS within 2 weeks. Which combination of actions will meet the migration schedule with the LEAST downtime? (Select THREE.)

    When the RDS Aurora MySQL database is fully synchronized, change the DNS entry to point to the Aurora DB instance and stop replication., Launch an RDS Aurora MySQL DB instance and load the database data from the Snowball export. Configure replication from the on-premises database to the RDS Aurora instance using the VPN., Export the data from the database using database-native tools and import the data to AWS using AWS Snowball.

  • 78

    A rapidly growing company has registered 10 new domain names for multiple applications soon to be productionized. The company uses the domains for online marketing. The company needs a solution that will redirect online visitors to a specific URL and route combination for each domain. The URL and route combinations are defined in a JSON document. All DNS records are managed by Amazon Route 53. They also need to accept HTTP and HTTPS requests. Which combination of steps should a solutions architect take to meet these requirements with the LEAST amount of operational effort? (Select THREE.)

    Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names., Create an Amazon CloudFront distribution and deploy a Lambda@Edge function., Create an Application Load Balancer that includes HTTP and HTTPS listeners.
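    The Lambda@Edge part of the answer above, as an added example that is not part of the original question set: a viewer-request handler that reads the Host header, looks the domain up in the JSON document, and returns a 301 to the configured URL and route. The domain names and the map are constructed placeholders, and the destination is taken only from the map, never from the request, so the function cannot be turned into an open redirect. CloudFront terminates both HTTP and HTTPS in front of it using the ACM certificate (which must live in us-east-1 for CloudFront).

```python
import json

# Constructed stand-in for the JSON document that maps each registered domain to the
# URL and route it should redirect to (placeholder domains). Lambda@Edge functions have
# no environment variables, so in practice the document ships inside the deployment package.
REDIRECT_MAP = json.loads("""
{
  "shoes-promo.example": {"url": "https://www.example.com", "route": "/campaigns/shoes"},
  "hats-promo.example":  {"url": "https://www.example.com", "route": "/campaigns/hats"}
}
""")


def build_redirect(host, querystring=""):
    """Return a 301 response for a known host, or None if the host is not in the map."""
    target = REDIRECT_MAP.get(host.lower().split(":")[0])
    if target is None:
        return None
    location = target["url"].rstrip("/") + target["route"]
    if querystring:
        location += "?" + querystring        # keep campaign parameters such as utm_*
    return {
        "status": "301",
        "statusDescription": "Moved Permanently",
        "headers": {
            "location": [{"key": "Location", "value": location}],
            "cache-control": [{"key": "Cache-Control", "value": "max-age=3600"}],
        },
    }


def handler(event, context):
    """Viewer-request trigger: CloudFront lowercases header names in the event."""
    request = event["Records"][0]["cf"]["request"]
    host_header = request.get("headers", {}).get("host", [])
    host = host_header[0]["value"] if host_header else ""
    response = build_redirect(host, request.get("querystring", ""))
    # Unknown host: return the request unchanged so CloudFront forwards it to the origin.
    return response if response is not None else request
```

    Adding a domain later is a change to the JSON document and a redeploy of the function; no listener, target group or DNS logic changes.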

  • 79

    A new employee is joining a security team. The employee initially requires access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. All security team members are added to the security team IAM group that provides additional permissions to manage all other AWS services. The team lead wants to limit the permissions the new employee has access to until the employee takes on additional responsibilities, and then be able to easily add permissions as required, eventually providing the same access as all other security team employees. How can the team lead limit the permissions assigned to the new user account whilst minimizing complexity?

    Create an IAM user for the new employee and add the user to the security team IAM group. Set a permissions boundary on the user that allows only the management of Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch; the group's broader permissions remain attached but are capped by the boundary. When the employee takes on new management responsibilities, add the additional services to the permissions boundary IAM policy.
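    How the boundary in the answer above interacts with the group's permissions, as an added example that is not part of the original question set. The group policy and the boundary are constructed placeholders, and the evaluator models only action matching (no resources or conditions): the point it makes is that a permissions boundary never grants anything on its own; the effective permission is the intersection of what the identity policies allow and what the boundary allows, so widening the boundary is the only change needed later.

```python
from fnmatch import fnmatchcase

# Constructed stand-in for the security team group's policy: manage every service.
SECURITY_TEAM_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def boundary_for(services):
    """Permissions boundary that caps the user at the given service namespaces."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [f"{svc}:*" for svc in services],
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """Decision of one policy for an action (resources and conditions are not modelled):
    an explicit Deny wins, otherwise any matching Allow grants. IAM action names are
    case-insensitive, so both sides are lower-cased before wildcard matching."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_allow(identity_policies, boundary, action):
    """An action is effectively allowed only when both an identity policy (here the group
    policy) and the boundary allow it; the boundary by itself grants nothing."""
    granted = any(policy_allows(p, action) for p in identity_policies)
    return granted and policy_allows(boundary, action)


if __name__ == "__main__":
    day_one = boundary_for(["dynamodb", "rds", "cloudwatch"])
    for action in ("dynamodb:PutItem", "rds:ModifyDBInstance", "ec2:TerminateInstances"):
        print(action, effective_allow([SECURITY_TEAM_GROUP_POLICY], day_one, action))
    # Later: extend the boundary policy; nothing else about the user changes.
    wider = boundary_for(["dynamodb", "rds", "cloudwatch", "ec2"])
    print("ec2:TerminateInstances", effective_allow([SECURITY_TEAM_GROUP_POLICY], wider, "ec2:TerminateInstances"))
```

    Two caveats a reviewer would check: the boundary must also be protected from being edited or detached by the user it applies to (iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary), and a resource-based policy that names the user's ARN directly is not capped by the boundary.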

  • 80

    A Solutions Architect must design a solution for providing private connectivity from a company’s WAN network to multiple AWS Regions. The company has offices around the world and has its main data center in New York. The company has mandated that traffic must not traverse the public internet at any time. The solution must also be highly available. How can the Solutions Architect meet these requirements?

    Create two AWS Direct Connect connections from the New York data center to an AWS Region. Configure the company WAN to send traffic over the DX connection. Use Direct Connect Gateway to access data in other AWS Regions.

  • 81

    A company has recently established 15 Amazon VPCs within the us-east-1 AWS Region. The company has also established an AWS Direct Connect connection to the Region from their on-premises data center. The company requires full transitive peering between the VPCs and the on-premises data center. Which combination of actions is required to implement these requirements with the LEAST complexity? (Select TWO.)

    Create an AWS Direct Connect (DX) gateway and attach the DX gateway to a transit gateway. Enable route propagation with BGP., Create an AWS transit gateway and add attachments for all of the VPCs. Configure the route tables in the VPCs to send traffic to the transit gateway.

  • 82

    An eCommerce company runs a workload on AWS that includes a web and application tier running on Amazon EC2 and a database tier running on Amazon RDS MySQL. The business requires a cost-efficient disaster recovery solution for the application with an RTO of 5 minutes and an RPO of 1 hour. The solution should ensure the primary and DR sites have a minimum distance of 150 miles between them. Which of the following options could a Solutions Architect recommend to meet the company’s disaster recovery requirements?

    Deploy a scaled-down version of the production environment in a separate AWS Region, ensuring the minimum distance requirement is met. The DR environment should include one instance for the web tier and one instance for the application tier. Create another database instance and configure source-replica replication for MySQL. Configure Auto Scaling for the web and app tiers so they can scale based on load. Use Amazon Route 53 to switch traffic to the DR Region.

  • 83

    An application is being tested for deployment in a Development account. The application consists of an Amazon API Gateway, Amazon EC2 instances behind an Elastic Load Balancer and an Amazon DynamoDB table. The Developers wish to grant a testing team access to deploy the application several times for performing a variety of acceptance tests but don’t want to grant broad permissions to each user. The Developers currently deploy the application using an AWS CloudFormation template and a role that has permission to the APIs for the included services. How can a Solutions Architect meet the requirements for granting restricted access to the testing team so they can run their tests?

    Create an AWS Service Catalog product from the environment template and add a launch constraint to the product with the existing role. Give users in the testing team permission to use AWS Service Catalog APIs only. Train users to launch the template from the AWS Service Catalog console.

  • 84

    A company which recently moved to AWS is trying to build a hybrid DNS solution. An AWS Direct Connect (DX) connection between the on-premises corporate network and an AWS Transit Gateway is established. This solution will use an Amazon Route 53 private hosted zone for the domain internal.company.local for the resources stored within Amazon VPCs. The company has the following DNS resolution requirements: · On-premises systems should be able to resolve and connect to internal.company.local. · All VPCs should be able to resolve internal.company.local. Which architecture should the company use to meet these requirements with the HIGHEST performance?

    Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for internal.company.local that point to the inbound resolver.

  • 85

    A healthcare company has developed a series of microservices for processing patient data, hosted on AWS. These microservices are accessed through REST APIs managed by Amazon API Gateway. To comply with healthcare regulations, the company needs to ensure that these APIs are only accessible from their internal application, which runs on an Amazon EC2 instance within their AWS VPC. The application must securely access these APIs without exposing them to the public internet. Which step should a solutions architect take to ensure that the REST APIs are securely accessible by the internal application, while complying with the healthcare regulations?

    Create an interface VPC endpoint for API Gateway in the VPC. Enable private DNS naming for the VPC endpoint and configure an API resource policy that allows access from the VPC endpoint. Use the API endpoint's DNS names to access the API from the EC2 instance.

  • 86

    A company has launched a web application on Amazon EC2 instances. The instances have been launched in a private subnet. An Application Load Balancer (ALB) is configured in front of the instances. The instances are assigned to a security group named WebAppSG and the ALB is assigned to a security group named ALB-SG. The security team requires that the security group rules are locked down according to best practice. What rules should be configured in the security groups? (Select TWO.)

    An inbound rule in ALB-SG allowing port 80 from source 0.0.0.0/0., An inbound rule in WebAppSG allowing port 80 from source ALB-SG.
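    A check for the rule set above, as an added example that is not part of the original question set: an audit over security group data in the shape boto3's describe_security_groups returns, flagging any inbound rule on WebAppSG that is not "the application port, sourced from ALB-SG", beside the hardened rule set. The group IDs and the sample rules are constructed placeholders.

```python
ALB_SG_ID, WEB_SG_ID = "sg-0alb00000000000000", "sg-0web00000000000000"   # placeholders

# Constructed in the shape boto3 describe_security_groups returns: the weak starting point,
# where the web tier is reachable from the internet directly and over SSH from the VPC.
SAMPLE_GROUPS = [
    {"GroupId": ALB_SG_ID, "GroupName": "ALB-SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": WEB_SG_ID, "GroupName": "WebAppSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ]},
]


def _port_range(rule):
    if rule.get("IpProtocol") == "-1":
        return "all"
    return f"{rule.get('FromPort')}-{rule.get('ToPort')}"


def audit_web_tier(groups, web_sg_id, alb_sg_id, app_port=80):
    """Every inbound rule on the web tier SG must be exactly 'app_port from alb_sg_id';
    anything else (a CIDR source, another group, a wider port range) is a finding."""
    findings = []
    for group in groups:
        if group["GroupId"] != web_sg_id:
            continue
        for rule in group["IpPermissions"]:
            ports = _port_range(rule)
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                findings.append(f"{web_sg_id}: {ports} open to CIDR {cidr}; source should be {alb_sg_id}")
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] != alb_sg_id:
                    findings.append(f"{web_sg_id}: {ports} allowed from group {pair['GroupId']}, not the ALB")
                elif rule.get("FromPort") != app_port or rule.get("ToPort") != app_port:
                    findings.append(f"{web_sg_id}: ALB allowed on {ports}, only {app_port} is needed")
    return findings


def hardened_web_rules(alb_sg_id, app_port=80):
    """The only inbound rule WebAppSG needs: the app port, sourced from ALB-SG."""
    return [{"IpProtocol": "tcp", "FromPort": app_port, "ToPort": app_port,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": alb_sg_id}]}]


if __name__ == "__main__":
    for finding in audit_web_tier(SAMPLE_GROUPS, WEB_SG_ID, ALB_SG_ID):
        print("FINDING", finding)
```

    Referencing ALB-SG as the source means the rule keeps working as the load balancer's nodes change IP addresses, which a CIDR rule cannot do; administrative access to the instances in the private subnet should go through Systems Manager Session Manager rather than an SSH rule.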

  • 87

    A legacy application consists of a series of batch scripts that coordinate multiple application components. Each application component processes data within a few seconds before passing it on to the next component. The application has become complex and difficult to update. A Solutions Architect plans to migrate the application to the AWS Cloud. The application should be refactored into serverless microservices and be fully coordinated using cloud-native services. Which approach meets these requirements most cost-effectively?

    Refactor the application onto AWS Lambda functions. Use AWS Step Functions to orchestrate the application.

  • 88

    A company is creating an account structure on AWS. There will be separate accounts for the production and testing environments. The Solutions Architect wishes to implement centralized control of security identities and permissions to access the environments. Which solution is most appropriate for these requirements?

    Create a separate AWS account for identities where IAM user accounts can be created. Create roles with appropriate permissions in the production and testing accounts. Add the identity account to the trust policies for the roles.

  • 89

    A company is creating a secure data analytics solution. Data will be uploaded into an Amazon S3 bucket. The data will then be analyzed by applications running on an Amazon EMR cluster that is launched into a VPC in a private subnet. The environment must be fully isolated from the internet at all times. Data must be encrypted at rest using keys that are controlled and provided by the company. Which combination of actions should a Solutions Architect take to meet these requirements? (Select TWO.)

    Configure the S3 bucket policy to permit access using an aws:sourceVpce condition to match the S3 endpoint ID., Configure the EMR cluster to use an AWS CloudHSM appliance for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3.
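    The resource-policy conditions behind three of the answers above, as an added example that is not part of the original question set: question 75's bucket policy that forces SSE-KMS with the security team's key on every PutObject, and the aws:SourceVpce condition that restricts question 86's private API and question 89's EMR data bucket to a VPC endpoint. The evaluator is a constructed minimal model (actions, resources and three condition operators; no Principal), and the bucket name, key ARN and endpoint ID are placeholders. One modelling assumption is stated in the code: a negated operator such as StringNotEquals also matches when the key is absent from the request, which is what makes the standard "deny unless aws:SourceVpce equals ..." pattern lock out traffic that does not arrive through the endpoint.

```python
from fnmatch import fnmatchcase

# Placeholders, not values from the question set.
PII_BUCKET = "pii-example-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
VPCE_ID = "vpce-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context ({condition key: value}).
    Condition keys are case-insensitive. Assumed rule, consistent with the common
    aws:SourceVpce deny pattern: a negated operator (StringNotEquals) also matches when
    the key is absent from the request, so requests that bypass the endpoint are denied."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected
            elif operator == "Null":
                ok = (actual is None) == (str(expected[0]).lower() == "true")
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Decision of one resource policy: 'Deny', 'Allow', or None when no statement matches
    (Principal is not modelled; identity policies are evaluated separately by IAM)."""
    decision = None
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit deny always wins
        decision = "Allow"
    return decision


def sse_kms_only_policy(bucket, key_arn):
    """Question 75: default encryption alone does not stop a caller from asking for SSE-S3
    (AES256); these denies force SSE-KMS with the security team's key on every upload."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyOtherKeys", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
    ]}


def vpce_only_policy(resource_arns, vpce_id, action="*"):
    """Questions 86 and 89: allow only traffic that arrives through the given VPC endpoint
    (execute-api:Invoke on a private API, s3:* on the EMR data bucket) and deny the rest."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowFromEndpoint", "Effect": "Allow", "Principal": "*",
         "Action": action, "Resource": resource_arns,
         "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}}},
        {"Sid": "DenyOutsideEndpoint", "Effect": "Deny", "Principal": "*",
         "Action": action, "Resource": resource_arns,
         "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
    ]}


if __name__ == "__main__":
    pii = sse_kms_only_policy(PII_BUCKET, KMS_KEY_ARN)
    obj = f"arn:aws:s3:::{PII_BUCKET}/customers/1.csv"
    print("SSE-S3 upload:", evaluate(pii, "s3:PutObject", obj, {"s3:x-amz-server-side-encryption": "AES256"}))
    print("no header:    ", evaluate(pii, "s3:PutObject", obj, {}))
    api = vpce_only_policy(["arn:aws:execute-api:us-east-1:111122223333:a1b2c3/*"], VPCE_ID, "execute-api:Invoke")
    print("from internet:", evaluate(api, "execute-api:Invoke",
                                     "arn:aws:execute-api:us-east-1:111122223333:a1b2c3/prod/GET/patients", {}))
```

    Two consequences worth testing before rollout: the PII policy denies every client that does not send the SSE-KMS headers, including the CLI re-upload itself unless --sse aws:kms and --sse-kms-key-id are passed, and the endpoint-only deny on an S3 bucket also locks out the console and any administrator working from outside the VPC, so an explicit exception for a break-glass role is usually added.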

  • 90

    A company uses AWS CodeCommit for source control and AWS CodePipeline for continuous integration. The pipeline has a build stage which uses an Amazon S3 bucket for artifacts. The company requires a new development pipeline for testing new features. The new pipeline should be isolated from the production pipeline and incorporate continuous testing for unit tests. How can a Solutions Architect meet these requirements?

    Create a separate pipeline in CodePipeline and trigger execution using CodeCommit branches. Use AWS CodeBuild for running unit tests and stage the artifacts in an S3 bucket in a separate testing account.

  • 91

    An eCommerce application offers a membership program. Members of the program need to be able to download all files in a secured Amazon S3 bucket. The access should be restricted to members of the program and not available to anyone else. An Amazon CloudFront distribution has been created to deliver the content to users around the world. What is the most efficient method a Solutions Architect should use to securely enable access to the files in the S3 bucket?

    Configure the application to send Set-Cookie headers to the viewer and control access to the files using signed cookies.
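    The signed-cookie mechanism in the answer above, as an added example that is not part of the original question set: the custom policy CloudFront expects, the CloudFront-specific base64 alphabet (cookie values may not contain +, = or /), the three cookies, and the Set-Cookie headers the application sends once it has verified that the viewer is a member. The distribution domain and key pair ID are placeholders; signing is RSA with SHA-1, which CloudFront requires for signed URLs and cookies, and is done here with the cryptography package on a key pair whose public half is assumed to be registered as a CloudFront public key in a key group.

```python
import base64
import json
import time

# Placeholders, not values from the question set.
DISTRIBUTION_DOMAIN = "d111111abcdef8.cloudfront.net"
KEY_PAIR_ID = "K1EXAMPLEKEYID"


def cf_b64(data):
    """CloudFront's variant of base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cf_b64_decode(text):
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def custom_policy(resource, expires_epoch, source_ip=None):
    """Custom policy statement, serialised without whitespace as CloudFront expects."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}
    if source_ip:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": condition}]},
                      separators=(",", ":"))


def signed_cookies(policy_json, key_pair_id, sign):
    """The three cookies CloudFront checks; `sign` returns the RSA-SHA1 signature bytes."""
    return {
        "CloudFront-Policy": cf_b64(policy_json.encode()),
        "CloudFront-Signature": cf_b64(sign(policy_json.encode())),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }


def rsa_sha1_signer(private_key_pem):
    """Signer for the private half of the key pair registered as a CloudFront public key.
    CloudFront requires RSA with SHA-1 here; the `cryptography` package does the signing."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


def set_cookie_headers(cookies, cookie_domain, path="/"):
    """Set-Cookie values the application returns after it has verified membership."""
    return [f"{name}={value}; Domain={cookie_domain}; Path={path}; Secure; HttpOnly"
            for name, value in cookies.items()]


if __name__ == "__main__":
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    pem = rsa.generate_private_key(public_exponent=65537, key_size=2048).private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    policy = custom_policy(f"https://{DISTRIBUTION_DOMAIN}/members/*", time.time() + 3600)
    for header in set_cookie_headers(signed_cookies(policy, KEY_PAIR_ID, rsa_sha1_signer(pem)), "example.com"):
        print("Set-Cookie:", header)
```

    The cookie Domain has to cover the hostname the distribution is served on (an alternate domain name under the application's domain), the expiry keeps a leaked cookie short-lived, and the S3 bucket stays reachable only through CloudFront so the signed cookie is the sole way to the files.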

  • 92

    A finance organization runs a data processing application in an on-premises data center. The application processes input files that users upload through a web portal. A web server stores the uploaded files on a shared NFS storage appliance and notifies the processing server over a message queue. The input files can take up to 1 hour to process, and the number of files awaiting processing is high during business hours and drops outside of business hours. Which of the following is the MOST cost-effective migration recommendation?

    Create an Amazon SQS queue. Configure the existing web server to publish to the new queue. Use Amazon EC2 instances in an EC2 Auto Scaling group to pull requests from the queue and process the files. Scale the EC2 instances based on the SQS queue length. Store the processed files in an Amazon S3 bucket.

  • 93

    A business is transitioning its website from an on-premises setup to AWS, aiming to adopt a containerized microservice architecture for enhanced availability and cost efficiency. In line with the company's stringent security policies, which emphasize minimal privilege for network permissions and privileges, a solutions architect has already deployed the application on an Amazon ECS cluster. To align with these security requirements post-deployment, what two actions should be taken? (Select TWO.)

    Set up the tasks using the awsvpc network mode for enhanced network isolation and control., Attach security groups to the individual tasks and utilize IAM roles specifically designed for tasks to access other AWS resources.

  • 94

    A company is in the planning stages for an application projected to hold around 15 TB of data. They require a Recovery Point Objective (RPO) of less than 5 minutes and a Recovery Time Objective (RTO) of less than 15 minutes. The team is seeking a database solution that not only meets these recovery objectives but also allows for cost-effective failover to a backup AWS Region. Which database solution aligns best with these requirements while minimizing costs?

    Configure an Amazon RDS instance with a cross-Region read replica in an alternative Region. Should the primary Region fail, promote the read replica to become the new primary database.

  • 95

    A company hosts a business-critical monolithic application on an Amazon EC2 instance launched from an Amazon Linux 2 AMI. The company requires that the data on the attached EBS volumes be backed up to a specific Amazon S3 bucket managed by the company. The security team has prohibited holding SSH keys for instances, so the operations team cannot SSH into the instance. Which solution will meet these requirements with the least impact on the critical application?

    Take a snapshot of the EBS volume by using Amazon Data Lifecycle Manager (Amazon DLM). Use the EBS direct APIs to copy the data from the snapshot to Amazon S3.
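    The second step of the answer above, as an added example that is not part of the original question set: a copy of a snapshot's blocks to S3 through the EBS direct APIs (ListSnapshotBlocks and GetSnapshotBlock), verifying the SHA-256 checksum the service returns for every block before the block is written. The calls use the boto3 ebs and s3 client signatures, but the run at the bottom uses constructed fake clients so the code works offline; the snapshot ID and bucket name are placeholders.

```python
import base64
import hashlib
import io

# Placeholders, not identifiers from the question set.
SNAPSHOT_ID = "snap-0123456789abcdef0"
BACKUP_BUCKET = "company-ebs-backups-example"


def copy_snapshot_to_s3(ebs, s3, snapshot_id, bucket, prefix):
    """Read every written block of the snapshot with the EBS direct APIs, verify the
    SHA-256 that the service returns per block, and store each block as its own object.
    Block indexes that are not listed were never written and are all zeros."""
    copied = 0
    params = {"SnapshotId": snapshot_id}
    while True:
        page = ebs.list_snapshot_blocks(**params)
        for block in page["Blocks"]:
            resp = ebs.get_snapshot_block(SnapshotId=snapshot_id,
                                          BlockIndex=block["BlockIndex"],
                                          BlockToken=block["BlockToken"])
            data = resp["BlockData"].read()
            if resp.get("ChecksumAlgorithm") != "SHA256":
                raise ValueError("unexpected checksum algorithm")
            expected = resp["Checksum"]                  # base64 of the SHA-256 digest
            actual = base64.b64encode(hashlib.sha256(data).digest()).decode()
            if actual != expected or len(data) != resp["DataLength"]:
                raise ValueError(f"block {block['BlockIndex']} failed integrity check")
            s3.put_object(Bucket=bucket, Key=f"{prefix}/{block['BlockIndex']:08d}",
                          Body=data, ServerSideEncryption="aws:kms")
            copied += 1
        if not page.get("NextToken"):
            return copied
        params["NextToken"] = page["NextToken"]


class FakeEbs:
    """Constructed stand-in for boto3.client('ebs'): a sparse snapshot with three written
    blocks, returned over two pages; optionally one block's checksum is corrupted."""
    def __init__(self, blocks, corrupt_index=None):
        self.blocks, self.corrupt_index = blocks, corrupt_index

    def list_snapshot_blocks(self, SnapshotId, NextToken=None):
        indexes = sorted(self.blocks)
        chosen = indexes[:2] if NextToken is None else indexes[2:]
        page = {"Blocks": [{"BlockIndex": i, "BlockToken": f"token-{i}"} for i in chosen],
                "BlockSize": 524288}
        if NextToken is None:
            page["NextToken"] = "page-2"
        return page

    def get_snapshot_block(self, SnapshotId, BlockIndex, BlockToken):
        data = self.blocks[BlockIndex]
        checksum = base64.b64encode(hashlib.sha256(data).digest()).decode()
        if BlockIndex == self.corrupt_index:
            checksum = base64.b64encode(b"\x00" * 32).decode()    # simulated tampering
        return {"BlockData": io.BytesIO(data), "Checksum": checksum,
                "ChecksumAlgorithm": "SHA256", "DataLength": len(data)}


class FakeS3:
    """Constructed stand-in for boto3.client('s3') that records put_object calls."""
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, **kwargs):
        self.objects[(Bucket, Key)] = Body


SAMPLE_BLOCKS = {0: b"boot" * 4, 7: b"data" * 4, 9: b"logs" * 4}   # constructed


if __name__ == "__main__":
    # Real wiring would be: ebs = boto3.client("ebs"); s3 = boto3.client("s3")
    s3 = FakeS3()
    print(copy_snapshot_to_s3(FakeEbs(SAMPLE_BLOCKS), s3, SNAPSHOT_ID, BACKUP_BUCKET, SNAPSHOT_ID), "blocks copied")
```

    The role running this needs only ebs:ListSnapshotBlocks and ebs:GetSnapshotBlock on the snapshot plus s3:PutObject on the bucket, and nothing on the instance itself, which is what keeps the application untouched; a snapshot taken by DLM is crash-consistent, so a restore test of the copied blocks belongs in the backup procedure.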

  • 96

    A company needs to close a data center and must migrate data to AWS urgently. The data center has a 1 Gbps internet connection and a 500 Mbps AWS Direct Connect link. The company must transfer 25 TB of data from the data center to an Amazon S3 bucket. What is the FASTEST method of transferring the data?

    Upload the data to the S3 bucket using S3 Transfer Acceleration.

  • 97

    A company runs an application on Amazon EC2 instances in an Amazon VPC and must access an external security analytics service that runs on an HTTPS REST API. The provider of the external API service can only grant access to a single source public IP address per customer. Which configuration can be used to enable access to the API service using a single IP address without making modifications to the company’s application?

    Launch the Amazon EC2 instances in a private subnet with an outbound route to a NAT gateway in a public subnet. Associate an Elastic IP address with the NAT gateway; that address is the single source IP the external API provider can add to its allow list.

  • 98

    A Solutions Architect is designing a highly available infrastructure for a popular mobile application that offers games and videos for mobile phone users. The application runs on Amazon EC2 instances behind an Application Load Balancer. The database layer consists of an Amazon RDS MySQL Multi-AZ instance. The entire application stack is deployed across us-east-2 and us-west-1. Amazon Route 53 is configured to route traffic to the two deployments using a latency-based routing policy. A testing team blocked access to the Amazon RDS DB instance in us-east-2 to verify that users who are typically directed to that deployment would be directed to us-west-1. This did not occur: users close to us-east-2 were still directed there and the application failed. Which changes to the infrastructure should a Solutions Architect make to resolve this issue? (Select TWO.)

    Set the value of Evaluate Target Health to Yes on the latency alias resources for both us-east-2 and us-west-1., Write a custom health check that verifies successful access to the database endpoints in each Region. Add the health check within the latency-based routing policy in Amazon Route 53.

  • 99

    A company has created a management account and added several member accounts in an AWS Organization. The security team wishes to restrict access to a specific set of AWS services in the existing member accounts. How can this requirement be implemented MOST efficiently?

    Add the member accounts to a single organizational unit (OU). Create a service control policy (SCP) that denies access to the specific set of services and attach it to the OU.

  • 100

    A company has connected their on-premises data center to AWS using a single AWS Direct Connect (DX) connection using a private virtual interface. The company is hosting the front end for a business-critical application in an Amazon VPC. The back end is hosted on-premises and the company requires consistent, reliable, and redundant connectivity between the front end and back end of the application. Which design would provide the MOST resilient connectivity between AWS and the on-premises data center?

    Install a second DX connection from a different network carrier and attach it to the same virtual private gateway as the first DX connection.