Executioner's Song Book 1

30問 • 1年前

問題一覧

A company uses Elastic Load Balancing to distribute traffic across multiple Amazon EC2 instances. Auto Scaling groups start and stop Amazon EC2 machines based on the number of incoming requests. The company has recently started operations in a new AWS Region and is setting up an Application Load Balancer for its fleet of EC2 instances spread across two Availability Zones, with one instance as a target in Availability Zone X and four instances as targets in Availability Zone Y. The company is doing benchmarking for server performance in the new Region for the case when cross-zone load balancing is enabled compared to the case when cross-zone load balancing is disabled. As a Solutions Architect Professional, which of the following traffic distribution outcomes would you identify as correct?

With cross-zone load balancing enabled, one instance in Availability Zone X receives 20% traffic and four instances in Availability Zone Y receive 20% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone X receives 50% traffic and four instances in Availability Zone Y receive 12.5% traffic each

A retail company is introducing multiple business units as part of its expansion plans. To implement this change, the company will be building several new business-unit-specific workloads by leveraging a variety of AWS services. The company wants to track the expenses of each business unit and limit the spending to a pre-defined threshold. In addition, the solution should allow the security team to identify and respond to threats as quickly as possible for all the workloads across the business units. Also, workload accounts may need to be pulled off into a temporary holding area due to resource audit reasons. Which of the following can be combined to build a solution for the given requirements? (Select three)

Use AWS Organizations to set up a multi-account environment. Organize the accounts into the following Organizational Units (OUs): Security, Infrastructure, Workloads, Suspended and Exceptions, Configure an AWS Budget alert to move an AWS account to Exceptions OU if the account reaches a predefined budget threshold. Use Service Control Policies (SCPs) to limit/block resource usage in the Exceptions OU. Configure a Suspended OU to hold workload accounts with retired resources. Use Service Control Policies (SCPs) to limit/block resource usage in the Suspended OU, Designate an account within the AWS Organizations organization to be the GuardDuty delegated administrator. Create an SNS topic in this account. Subscribe the security team to the topic so that the security team can receive alerts from GuardDuty via SNS

An Amazon S3 bucket is shared by three different teams (managing their own separate AWS accounts) for document uploads. Initially, the S3 bucket settings were set to default. Later, the bucket sees the following updates: After week 1, S3 Object Ownership bucket-level settings were used and all Access Control Lists (ACLs) were disabled. The three teams uploaded their documents to the shared bucket with this new setting. After week 2, S3 bucket level settings were again set back to default and the ACLs were enabled once more What is the outcome of these action(s) on the documents uploaded after week 1 and what are the key points of consideration for future S3 bucket configurations? (Select two)

You, as the bucket owner, still own any objects that were written to the bucket while the bucket owner enforced setting was applied. These objects are not owned by the object writer, even if you re-enable ACLs, If you used object ACLs for permissions management before you applied the bucket owner enforced setting and you didn't migrate these object ACL permissions to your bucket policy after you re-enable ACLs, these permissions are restored

A financial services company wants to set up an AWS WAF-based solution to manage AWS WAF rules across multiple AWS accounts that are structured under different Organization Units (OUs) in AWS Organizations. The solution should automatically update and remediate noncompliant AWS WAF rules in all accounts. The solution should also facilitate adding or removing accounts or OUs from managed AWS WAF rule sets as needed. Which of the following solutions is the most operationally efficient to address the given use case?

Create an AWS Organizations organization-wide AWS Config rule that mandates all resources in the selected OUs to be associated with the AWS WAF rules. Configure automated remediation actions by using AWS Systems Manager Automation documents to fix non-compliant resources. Set up AWS WAF rules by using an AWS CloudFormation stack set to target the same OUs where the AWS Config rule is applied

A multi-national company operates hundreds of AWS accounts and the CTO wants to rationalize the operational costs. The CTO has mandated a centralized process for purchasing new Reserved Instances (RIs) or modifying existing RIs. Whereas earlier the business units (BUs) would directly purchase or modify RIs in their own AWS accounts independently, now all BUs must be denied independent purchase and the BUs must submit requests to a dedicated central team for purchasing RIs. As an AWS Certified Solutions Architect Professional, which of the following solutions would you combine to enforce the new process most efficiently? (Select two)

Make sure that all AWS accounts are assigned organizational units (OUs) within an AWS Organizations structure operating in all features mode, Set up a Service Control Policy (SCP) that contains a deny rule to the ec2:PurchaseReservedInstancesOffering and ec2:ModifyReservedInstances actions. Attach the SCP to each organizational unit (OU) of the AWS Organizations structure

A social media company has VPC Flow Logs enabled for its NAT gateway. The security team is seeing Action = ACCEPT for inbound traffic that comes from the public IP address 198.21.200.1 destined for a private EC2 instance. The team must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 205.1. Which of the following options can address this requirement?

Inspect the VPC Flow Logs using the CloudWatch console and select the log group that contains the NAT gateway's ENI and the EC2 instance's ENI. Leverage a query filter with the destination address set as like 205.1 and the source address set as like 198.21.200.1. Execute the stats command to filter the sum of bytes transferred by the source address and the destination address

A mobile app based social media company is using Amazon CloudFront to deliver media-rich content to its audience across the world. The Content Delivery Network (CDN) offers a multi-tier cache by default, with regional edge caches that improve latency and lower the load on the origin servers when the object is not already cached at the edge. However, there are certain content types that bypass the regional edge cache and go directly to the origin. Which of the following content types skip the regional edge cache? (Select two)

Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin, Dynamic content, as determined at request time (cache-behavior configured to forward all headers)

A leading mobility company wants to use AWS for its connected cab application that would collect sensor data from its electric cab fleet to give drivers dynamically updated map information. The company would like to build its new sensor service by leveraging fully serverless components that are provisioned and managed automatically by AWS. The development team at the company does not want an option that requires the capacity to be manually provisioned, as it does not want to respond manually to changing volumes of sensor data. The company has hired you as an AWS Certified Solutions Architect Professional to provide consultancy for this strategic initiative. Given these constraints, which of the following solutions would you suggest as the BEST fit to develop this service?

Ingest the sensor data in an Amazon SQS standard queue, which is polled by a Lambda function in batches and the data is written into an auto-scaled DynamoDB table for downstream processing

An e-commerce company wants to rollout and test a blue-green deployment for its global application in the next couple of days. Most of the customers use mobile phones which are prone to DNS caching. The company has only two days left before the big sale will be launched. As a Solutions Architect Professional, which of the following options would you suggest to test the deployment on as many users as possible in the given time frame?

Use AWS Global Accelerator to distribute a portion of traffic to a particular deployment

A multi-national company uses Amazon S3 as its data lake to store the data that flows into its business. This data is both structured and semi-structured and is organized under different buckets in the company's AWS account in the same Region. Hundreds of applications in the company's AWS account use structured data for running data analytics, event monitoring, report generation, event creation, and many more. While the semi-structured data runs through several transformations and is sent to downstream applications for further processing. While the company's security policy restricts S3 bucket access over the internet, the internal security team has requested tighter access rules for the applications using the S3 data lake. Which combination of steps will you undertake to implement this requirement in the most efficient way? (Select three)

Create a gateway endpoint for Amazon S3 in the data lake VPC. Attach an endpoint policy to allow access to the S3 bucket only via the access points. Specify the route table that is used to access the bucket, In the AWS account that owns the S3 buckets, create an S3 access point for each bucket that the applications must use to access the data. Set up all applications in a single data lake VPC, Add a bucket policy on the buckets to deny access from applications outside the data lake VPC

A leading internet television network company uses AWS Cloud for analytics, recommendation engines and video transcoding. To monitor and optimize this network, the engineering team at the company has developed a solution for ingesting, augmenting, and analyzing the multiple terabytes of data its network generates daily in the form of virtual private cloud (VPC) flow logs. This would enable the company to identify performance-improvement opportunities such as identifying apps that are communicating across regions and collocating them. The VPC flow logs data is funneled into Kinesis Data Streams which further acts as the source of a delivery stream for Kinesis Firehose. The engineering team has now configured a Kinesis Agent to send the VPC flow logs data from another set of network devices to the same Firehose delivery stream. They noticed that data is not reaching Firehose as expected. As a Solutions Architect Professional, which of the following options would you identify as the MOST plausible root cause behind this issue?

Kinesis Agent cannot write to a Kinesis Firehose for which the delivery stream source is already set as Kinesis Data Streams

A global biomedicine company has built a Genomics Solution on AWS Cloud. The company's labs generate hundreds of terabytes of research data daily. To further accelerate the innovation process, the engineering team at the company wants to move most of the on-premises data into Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server easily, quickly, and cost-effectively. The team would like to automate and accelerate online data transfers to these AWS storage services. As a Solutions Architect Professional, which of the following solutions would you recommend as the BEST fit?

Use AWS DataSync to automate and accelerate online data transfers to the given AWS storage services

A leading club in the Major League Baseball runs a web platform that boasts over 50,000 pages and over 100 million digitized photographs. It is available in six languages and maintains up-to-date information for the season. The engineering team has built a notification system on the web platform using SNS notifications which are then handled by a Lambda function for end-user delivery. During the off-season, the notification systems need to handle about 100 requests per second. During the peak baseball season, the rate touches about 5000 requests per second and it is noticed that a significant number of the notifications are not being delivered to the end-users on the web platform. As a Solutions Architect Professional, which of the following would you suggest as the BEST fit solution to address this issue?

Amazon SNS message deliveries to AWS Lambda have crossed the account concurrency quota for Lambda, so the team needs to contact AWS support to raise the account limit

A global healthcare company wants to develop a solution called Health Information Systems (HIS) on AWS Cloud that would allow the providers, payers, and government agencies to collaborate, anticipate and navigate the changing healthcare landscape. While pursuing this endeavor, the company would like to decrease its IT operational overhead so it could focus more intently on its core business - healthcare analytics. The solution should help the company eliminate the bottleneck created by manual provisioning of development pipelines while adhering to crucial governance and control requirements. As a means to this end, the company has set up "AWS Organizations" to manage several of these scenarios and would like to use Service Control Policies (SCP) for central control over the maximum available permissions for the various accounts in their organization. This allows the organization to ensure that all accounts stay within the organization’s access control guidelines. As a Solutions Architect Professional, which of the following scenarios would you identify as correct regarding the given use-case? (Select three)

SCPs do not affect service-linked role, If a user or role has an IAM permission policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user or role can't perform that action, SCPs affect all users and roles in attached accounts, including the root user

A data analytics company needs to set up a data lake on Amazon S3 for a financial services client. The data lake is split in raw and curated zones. For compliance reasons, the source data needs to be kept for a minimum of 5 years. The source data arrives in the raw zone and is then processed via an AWS Glue based ETL job into the curated zone. The business analysts run ad-hoc queries only on the data in the curated zone using Athena. The team is concerned about the cost of data storage in both the raw and curated zones as the data is increasing at a rate of 2 TB daily in each zone. Which of the following options would you implement together as the MOST cost-optimal solution? (Select two)

Setup a lifecycle policy to transition the raw zone data into Glacier Deep Archive after 1 day of object creation, Use Glue ETL job to write the transformed data in the curated zone using a compressed file format

The world’s largest cable company uses AWS in a hybrid environment to innovate and deploy features for its flagship video product, XFINITY X1, several times a week. The company uses AWS products such as Amazon Virtual Private Cloud (Amazon VPC) and Amazon Direct Connect to deliver the scalability and security needed for rapidly innovating in a hybrid environment. As part of an internal product roadmap, the engineering team at the company has created a private hosted zone and associated it with a virtual private cloud (VPC). However, the domain names remain unresolved, resulting in errors. As a Solutions Architect Professional, which of the following Amazon VPC configuration options would you use to get the private hosted zone to work?

To use private hosted zones, DNS hostnames and DNS resolution should be enabled for the VPC

A medical technology company has recently set up a hybrid cloud between its on-premises data centers and AWS Cloud. The engineering team at the company has developed a Media Archiving and Communication System application that runs on AWS to support real-time collaboration among radiologists and other specialists. The company uses Amazon S3 to aggregate the raw medical images and video footage from its research teams across the world to discover tremendous medical insights. The technical teams at the overseas research facilities have reported huge delays in uploading large video files to the destination S3 bucket. As a Solutions Architect Professional, which of the following would you recommend as the MOST cost-effective solutions to improve the file upload speed into S3? (Select two)

Use Amazon S3 Transfer Acceleration to enable faster file uploads into the destination S3 bucket, Use multipart uploads for faster file uploads into the destination S3 bucket

A Big Data Analytics company has built a custom data warehousing solution for a large airline by using Amazon Redshift. The solution helps the airline to analyze the international and domestic flight reservations, ticket issuing and boarding information, aircraft operation records, and cargo transportation records. As part of the cost optimizations, the airline now wants to move any historical data (any data older than a year) into S3, as the daily analytical reports consume data for just the last one year. However, the analysts at multiple divisions of the airline want to retain the ability to cross-reference this historical data along with the daily reports. The airline wants to develop a solution with the LEAST amount of effort and MINIMUM cost. As a Solutions Architect Professional, which option would you recommend to address this use-case?

Use Redshift Spectrum to create Redshift cluster tables pointing to the underlying historical data in S3. The analytics team can then query this historical data to cross-reference with the daily reports from Redshift

A mobile app with video upload and archival capabilities has been launched a few weeks ago with Amazon S3 as the storage service supporting videos of up to 10 GB each. The S3 bucket is configured for Virginia (us-east-1) Region. The application is gaining a lot of traction in Melbourne and Sydney cities of Australia. The users of these cities have been complaining of slow uploads and regular timeouts while using the application. Which of the following options can be used to speed up the uploads and enhance the user experience?

To upload video files to Amazon S3 bucket, leverage multipart uploads feature. Configure the application to use S3 Transfer Acceleration endpoints to improve the performance of uploads and also optimize the multipart uploads

A financial services company is building a hybrid Payment Card Industry Data Security Standard (PCI-DSS) compliant application that runs in the us-east-1 Region as well as on-premises. The application sends access logs from all locations to a single S3 bucket in the us-east-1 Region. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. As an AWS Certified Solutions Architect Professional, how would you configure the network to meet these requirements?

Create a private virtual interface to a Direct Connect connection in us-east-1. Set up an interface VPC endpoint and configure the on-premises systems to access S3 via this endpoint

A retail company has two web applications and wants to run them in separate, isolated VPCs. The company is looking at using Elastic Load Balancing to distribute requests between application instances. The security and compliance team at the company has imposed the following restrictions: 1. Inbound HTTP requests to the application must be routed through a centralized VPC 2. Application VPCs must not be exposed to any other inbound traffic 3. Application VPCs cannot be allowed to initiate any outbound connections 4. Internet gateways must not be attached to the application VPCs Which of the following solutions would you recommend to address these requirements?

Configure the applications behind private Network Load Balancers (NLBs) in separate VPCs. Set up each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC. Set up a public Application Load Balancer (ALB) in the centralized VPC and point the target groups to the private IP addresses of each endpoint. Set up host-based routing to route application traffic to the corresponding target group through the ALB

A pharmaceutical company uses AWS Cloud to run multiple workloads with each workload managed by its software development team. The company leverages AWS Organizations and SAML-based federation to provide access to its development teams. A single shared production AWS account is used by all teams to deploy their production workloads. Recently, the company faced an incident when one of the teams had accidentally shut down a production EC2 instance used by another team. As an AWS Certified Solutions Architect Professional, you have been tasked to devise a solution that will eliminate the possibility of recurrence of such an event while making sure that all the teams still retain the necessary access permissions to their AWS resources in the shared AWS account. Which solution is the best fit for these requirements?

During SAML-based federation, pass an attribute for DevelopmentDept as an AWS Security Token Service (AWS STS) session tag. The policy of the assumed IAM role used by the developers should be updated with a deny action and a StringNotEquals condition for the DevelopmentDept resource tag and aws:PrincipalTag/ DevelopmentDept

A solutions architect is setting up DNS failover configuration for Route 53. The architect needs to use multiple routing policies (such as latency-based and weighted) to configure a more complex DNS failover. Which of the following options represent the key points of consideration while setting up a failover configuration on Route 53? (Select two)

If you're creating failover records in a private hosted zone, you must assign a public IP address to an instance in the VPC to check the health of an endpoint within a VPC by IP address, Records without a health check are always considered healthy. If no record is healthy, all records are deemed to be healthy

An e-commerce business has several AWS accounts. For implementing a new feature, the development team has used AWS Lambda functions which will be managed in a centralized AWS account. The team needs the required permissions to allow the Lambda functions to access resources in each of the company's AWS accounts with the least privilege(s) possible. How will you configure this requirement? (Select two)

In the centralized account, configure an IAM role that has the Lambda service as a trusted entity. Add an inline policy to assume the roles of the other AWS accounts, In the other AWS accounts, configure an IAM role that has minimal permissions. Add the Lambda execution role of the centralized account as a trusted entity

An analytics company has configured a hybrid environment between its on-premises data center and the AWS Cloud. The company wants to use the Elastic File System (EFS) to store and share data between the on-premises applications that need to resolve DNS queries through the on-premises DNS servers. The company wants to use a custom domain name to connect to EFS. The company also wants to avoid using the Amazon EFS target IP address. Which of the following solutions would you recommend to address these requirements?

Configure a Route 53 Resolver inbound endpoint and configure it for the EFS specific VPC. Create a Route 53 private hosted zone and add a new CNAME record with the value of the EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone

A company has various business units, each holding its AWS account. With a growing number of different AWS accounts, the company has decided to use AWS Organizations to centralize permissions and access controls. As a solutions architect, you have been asked to define Service Control Policies (SCPs) for the company. Which of the following represent true statements about SCPs? (Select two)

If a user has an IAM policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user cannot perform that action, The specified actions from an attached SCP affect all IAM identities including the root user of the member account

A company has three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows: VPC A: 10.1.0.0/16 VPC B: 192.168.0.0/16 VPC C: 10.1.0.0/16 Instance a-1 in VPC A has the IP address 10.1.0.10. Instance c-1 in VPC C has the IP address 10.1.0.10. Instances b-1 and b-2 in VPC B have the IP addresses 192.168.2.10 and 192.168.2.20 respectively. The instances b-1 and b-2 are in the subnet 192.168.2.0/24. The networking team at the company has mandated that b-1 must be able to communicate with a-1, and b-2 must be able to communicate with c-1. However, the team has noticed that both b-1 and b-2 are only able to communicate with a-1; instead of b-1 communicating with a-1 and b-2 communicating with c-1. Which of the following combination of steps will address this issue? (Select two)

Discard existing subnet in VPC B. Create two new subnets 192.168.2.0/28 and 192.168.2.16/28 in VPC B. Move b-1 to subnet 192.168.2.0/28 and b-2 to subnet 192.168.2.16/28 by launching a new instance in the new subnet via an AMI created from the old instance, Create two route tables in VPC B - one with a route for destination VPC A and another with a route for destination VPC C

A solutions architect has configured an Amazon Relational Database Service (Amazon RDS) DB instance as part of an AWS Elastic Beanstalk environment. To resolve an issue, the Beanstalk environment has to be upgraded from environment A to environment B for a week. Therefore, the dependency between the DB instance and the Beanstalk environment has to be removed. How will you implement this requirement without causing a downtime and data loss?

Decouple the RDS DB instance from the Beanstalk environment (environment A) and leverage Elastic Beanstalk blue (environment A)/green (environment B) deployment to connect to the decoupled database post the upgrade

A company has many AWS accounts for its different business units. As per the company's policy, developers should have limited access to a few AWS Regions (known as Core Regions). This restricted access was implemented using custom code. The company now wants to use AWS services to implement this restriction and relinquish the custom application. Which of the following represents the most optimal solution that is easy to set up and maintain?

Enable AWS Organizations and attach the AWS accounts of all business units to it. Create a Service Control Policy to deny access to the Non-Core Regions and attach the policy to the root OU

A company has its web application hosted on Amazon EC2 instances that are deployed in a single AWS Region. The company has now expanded its operations into new geographies and the company wants to offer low-latency access for the application to its customers. To comply with different financial regulations of each geography, the application needs to operate in silos and the underlying instances in one region should not interact with instances running in other regions. Which of the following represents the most optimal solution to automate the application deployment to different AWS regions?

Create a CloudFormation template describing the application infrastructure in the Resources section. Use CloudFormation stack set from an administrator account to launch stack instances that deploy the application to various other regions

xj9 - 19628 - a

critical flaw · 98問 · 2年前

xj9 - 19628 - a