4. X-Cutioner's Song

90問 • 1年前

問題一覧

An application generates around 15 GB of statistical data each day and this is expected to increase over time. A Solutions Architect plans to store the data in Amazon S3 and use Amazon Athena to analyze the data. The data will be analyzed using date ranges. Which combination of steps will ensure optimal performance as the data grows? (Select TWO.)

Store the data using Apache Hive partitioning in Amazon S3 using a key that includes a date., Store the data in Amazon S3 using Apache Parquet or Apache ORC formats.

A company is reviewing its CI/CD practices for updating a critical web application that runs on Amazon ECS. The application manager requires that deployments happen as quickly as possible with a minimum of downtime. In the case of errors there must be an ability to quickly roll back. The company currently uses AWS CodeCommit to host the application source code and has configured an AWS CodeBuild project to build the application. The company also plans to use AWS CodePipeline to trigger builds from CodeCommit commits using the existing CodeBuild project. What changes should be made to the CI/CD configuration to meet these requirements?

Create a pipeline in CodePipeline with a deploy stage that uses a blue/green deployment strategy. Monitor the application and if there are any issues trigger a manual rollback using CodeDeploy.

An automotive company is using AWS CodeBuild for CI/CD pipelines where each CodeBuild project is directly mapped to an individual application. Many of these applications use large sets of marketing data which is hosted inside an Amazon S3 bucket. This data is provided by files which are owned by another third-party agency. A few of these projects need the entire set of data while a few of them require just a subset of more relevant data. As the number of CodeBuild projects grows, the company notices a significant increase in the time required for the pipeline to finish running. The company wants to optimize the pipeline and reduce the amount of time that the pipeline requires to finish running. Which solution will meet these requirements?

Create an S3 bucket for the pipeline. Configure S3 caching for the CodeBuild projects that are in the pipeline. Update the build specifications of the CodeBuild projects. Add the data file directory to the cache definition.

A company is planning a move to the AWS Cloud and is creating an account strategy. There are various teams in the company and each team prefers to keep their resources isolated from other teams. The Finance team would like each team’s resource usage separated for billing purposes. The Security team will provide permissions to each team using the principle of least privilege. Which account strategy will meet all of these requirements?

Use AWS Organizations to create a management account and create each team’s account from the management account. Create a security account for cross-account access. Apply service control policies on each account and grant the security team cross-account access to all accounts. The Security team will create IAM policies to provide least privilege access.

The security department of a large company with several AWS accounts wishes to centralize the management of identities and AWS permissions. The design should also synchronize authentication credentials with the company’s existing on-premises identity management provider (IdP). Which solution will meet the security department’s requirements?

Create a SAML-based identity management provider in a central account and map IAM roles that provide the necessary permissions for users. Map users in the on-premises IdP groups to IAM roles. Use cross-account access to the other AWS accounts.

A company is planning to migrate 30 small applications to AWS. The applications run on a mixture of Node.js and Python across a cluster of virtual servers on-premises. The company must minimize costs and standardize on a single deployment methodology for all applications. The applications have various usage patterns but generally have a low number of concurrent users. The applications use an average usage of 1 GB of memory with up to 3 GB during peak processing periods which can last several hours. What is the MOST cost effective solution for these requirements?

Migrate the applications to Docker containers on Amazon ECS. Create a separate ECS task and service for each application. Enable service Auto Scaling based on memory utilization and set the threshold to 75%. Monitor services and hosts by using Amazon CloudWatch.

A company is planning to launch a new web application on AWS using a fully serverless design. The website will be used by global customers and should be highly responsive and offer minimal latency. The design should be highly availably and include baseline DDoS protections against spikes in traffic. The users will login in to the web application using social IdPs such as Google, and Amazon. How can the design requirements be met?

Build an API with API Gateway and AWS Lambda, use Amazon S3 for hosting static web resources and create an Amazon CloudFront distribution with the S3 bucket as the origin. Use Amazon Cognito to provide user management authentication functions.

A business is in the process of setting up an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to manage a specific workload. This workload is expected to generate a highly variable number of stateless pods, with a significant number of these pods being launched in a brief timeframe due to automatic scaling of replicas. What approach should be taken to optimize the resilience of the nodes in this scenario?

Adjust the workload configuration to utilize topology spread constraints based on different Availability Zones.

A multinational corporation offers a web-based customer relationship management (CRM) tool that operates in the AWS Cloud. The tool is hosted on Amazon EC2 instances situated behind an Application Load Balancer (ALB), with instances spread across multiple Availability Zones within a single AWS Region. As part of its expansion strategy, the corporation plans to deploy the tool in several new AWS Regions. To comply with customer security policies, the corporation needs to provide fixed IP addresses for the tool so that customers can include these IPs in their firewall allow lists. Additionally, the corporation wants to ensure that users are automatically directed to the nearest regional deployment for optimal performance. Which solution would fulfill these requirements?

Implement AWS Global Accelerator with a standard accelerator configuration. Associate each regional deployment's ALB with the Global Accelerator and distribute its static IP addresses to customers.

An application runs in us-east-1 and consists of Amazon EC2 instances behind an Application Load Balancer (ALB) and an Amazon RDS MySQL database. The company is creating a disaster recovery solution to a second AWS Region (us-west-1). A solution has been created for replicating AMIs across Regions and an ALB is provisioned in us-west-1. Amazon Route 53 failover routing is configured appropriately. A Solutions Architect must complete the solution by designing the disaster recovery processes for the storage layer. The RPO is 5 minutes and the RTO is 15 minutes. The solution must be fully automated. Which set of actions would complete the disaster recovery solution?

Create a cross-Region read replica in us-west-1. Use Amazon EventBridge to trigger an AWS Lambda function that promotes the read replica to primary and updates the DNS endpoint address for the database.

A company uses Elastic Load Balancing to distribute traffic across multiple Amazon EC2 instances. Auto Scaling groups start and stop Amazon EC2 machines based on the number of incoming requests. The company has recently started operations in a new AWS Region and is setting up an Application Load Balancer for its fleet of EC2 instances spread across two Availability Zones, with one instance as a target in Availability Zone X and four instances as targets in Availability Zone Y. The company is doing benchmarking for server performance in the new Region for the case when cross-zone load balancing is enabled compared to the case when cross-zone load balancing is disabled. As a Solutions Architect Professional, which of the following traffic distribution outcomes would you identify as correct?

With cross-zone load balancing enabled, one instance in Availability Zone X receives 20% traffic and four instances in Availability Zone Y receive 20% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone X receives 50% traffic and four instances in Availability Zone Y receive 12.5% traffic each

A retail company is introducing multiple business units as part of its expansion plans. To implement this change, the company will be building several new business-unit-specific workloads by leveraging a variety of AWS services. The company wants to track the expenses of each business unit and limit the spending to a pre-defined threshold. In addition, the solution should allow the security team to identify and respond to threats as quickly as possible for all the workloads across the business units. Also, workload accounts may need to be pulled off into a temporary holding area due to resource audit reasons. Which of the following can be combined to build a solution for the given requirements? (Select three)

Use AWS Organizations to set up a multi-account environment. Organize the accounts into the following Organizational Units (OUs): Security, Infrastructure, Workloads, Suspended and Exceptions, Configure an AWS Budget alert to move an AWS account to Exceptions OU if the account reaches a predefined budget threshold. Use Service Control Policies (SCPs) to limit/block resource usage in the Exceptions OU. Configure a Suspended OU to hold workload accounts with retired resources. Use Service Control Policies (SCPs) to limit/block resource usage in the Suspended OU, Designate an account within the AWS Organizations organization to be the GuardDuty delegated administrator. Create an SNS topic in this account. Subscribe the security team to the topic so that the security team can receive alerts from GuardDuty via SNS

An Amazon S3 bucket is shared by three different teams (managing their own separate AWS accounts) for document uploads. Initially, the S3 bucket settings were set to default. Later, the bucket sees the following updates: After week 1, S3 Object Ownership bucket-level settings were used and all Access Control Lists (ACLs) were disabled. The three teams uploaded their documents to the shared bucket with this new setting. After week 2, S3 bucket level settings were again set back to default and the ACLs were enabled once more What is the outcome of these action(s) on the documents uploaded after week 1 and what are the key points of consideration for future S3 bucket configurations? (Select two)

You, as the bucket owner, still own any objects that were written to the bucket while the bucket owner enforced setting was applied. These objects are not owned by the object writer, even if you re-enable ACLs, If you used object ACLs for permissions management before you applied the bucket owner enforced setting and you didn't migrate these object ACL permissions to your bucket policy after you re-enable ACLs, these permissions are restored

A financial services company wants to set up an AWS WAF-based solution to manage AWS WAF rules across multiple AWS accounts that are structured under different Organization Units (OUs) in AWS Organizations. The solution should automatically update and remediate noncompliant AWS WAF rules in all accounts. The solution should also facilitate adding or removing accounts or OUs from managed AWS WAF rule sets as needed. Which of the following solutions is the most operationally efficient to address the given use case?

Create an AWS Organizations organization-wide AWS Config rule that mandates all resources in the selected OUs to be associated with the AWS WAF rules. Configure automated remediation actions by using AWS Systems Manager Automation documents to fix non-compliant resources. Set up AWS WAF rules by using an AWS CloudFormation stack set to target the same OUs where the AWS Config rule is applied

A multi-national company operates hundreds of AWS accounts and the CTO wants to rationalize the operational costs. The CTO has mandated a centralized process for purchasing new Reserved Instances (RIs) or modifying existing RIs. Whereas earlier the business units (BUs) would directly purchase or modify RIs in their own AWS accounts independently, now all BUs must be denied independent purchase and the BUs must submit requests to a dedicated central team for purchasing RIs. As an AWS Certified Solutions Architect Professional, which of the following solutions would you combine to enforce the new process most efficiently? (Select two)

Make sure that all AWS accounts are assigned organizational units (OUs) within an AWS Organizations structure operating in all features mode, Set up a Service Control Policy (SCP) that contains a deny rule to the ec2:PurchaseReservedInstancesOffering and ec2:ModifyReservedInstances actions. Attach the SCP to each organizational unit (OU) of the AWS Organizations structure

A social media company has VPC Flow Logs enabled for its NAT gateway. The security team is seeing Action = ACCEPT for inbound traffic that comes from the public IP address 198.21.200.1 destined for a private EC2 instance. The team must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 205.1. Which of the following options can address this requirement?

Inspect the VPC Flow Logs using the CloudWatch console and select the log group that contains the NAT gateway's ENI and the EC2 instance's ENI. Leverage a query filter with the destination address set as like 205.1 and the source address set as like 198.21.200.1. Execute the stats command to filter the sum of bytes transferred by the source address and the destination address

A mobile app based social media company is using Amazon CloudFront to deliver media-rich content to its audience across the world. The Content Delivery Network (CDN) offers a multi-tier cache by default, with regional edge caches that improve latency and lower the load on the origin servers when the object is not already cached at the edge. However, there are certain content types that bypass the regional edge cache and go directly to the origin. Which of the following content types skip the regional edge cache? (Select two)

Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin, Dynamic content, as determined at request time (cache-behavior configured to forward all headers)

A leading mobility company wants to use AWS for its connected cab application that would collect sensor data from its electric cab fleet to give drivers dynamically updated map information. The company would like to build its new sensor service by leveraging fully serverless components that are provisioned and managed automatically by AWS. The development team at the company does not want an option that requires the capacity to be manually provisioned, as it does not want to respond manually to changing volumes of sensor data. The company has hired you as an AWS Certified Solutions Architect Professional to provide consultancy for this strategic initiative. Given these constraints, which of the following solutions would you suggest as the BEST fit to develop this service?

Ingest the sensor data in an Amazon SQS standard queue, which is polled by a Lambda function in batches and the data is written into an auto-scaled DynamoDB table for downstream processing

An e-commerce company wants to rollout and test a blue-green deployment for its global application in the next couple of days. Most of the customers use mobile phones which are prone to DNS caching. The company has only two days left before the big sale will be launched. As a Solutions Architect Professional, which of the following options would you suggest to test the deployment on as many users as possible in the given time frame?

Use AWS Global Accelerator to distribute a portion of traffic to a particular deployment

A multi-national company uses Amazon S3 as its data lake to store the data that flows into its business. This data is both structured and semi-structured and is organized under different buckets in the company's AWS account in the same Region. Hundreds of applications in the company's AWS account use structured data for running data analytics, event monitoring, report generation, event creation, and many more. While the semi-structured data runs through several transformations and is sent to downstream applications for further processing. While the company's security policy restricts S3 bucket access over the internet, the internal security team has requested tighter access rules for the applications using the S3 data lake. Which combination of steps will you undertake to implement this requirement in the most efficient way? (Select three)

Create a gateway endpoint for Amazon S3 in the data lake VPC. Attach an endpoint policy to allow access to the S3 bucket only via the access points. Specify the route table that is used to access the bucket, In the AWS account that owns the S3 buckets, create an S3 access point for each bucket that the applications must use to access the data. Set up all applications in a single data lake VPC, Add a bucket policy on the buckets to deny access from applications outside the data lake VPC

A leading internet television network company uses AWS Cloud for analytics, recommendation engines and video transcoding. To monitor and optimize this network, the engineering team at the company has developed a solution for ingesting, augmenting, and analyzing the multiple terabytes of data its network generates daily in the form of virtual private cloud (VPC) flow logs. This would enable the company to identify performance-improvement opportunities such as identifying apps that are communicating across regions and collocating them. The VPC flow logs data is funneled into Kinesis Data Streams which further acts as the source of a delivery stream for Kinesis Firehose. The engineering team has now configured a Kinesis Agent to send the VPC flow logs data from another set of network devices to the same Firehose delivery stream. They noticed that data is not reaching Firehose as expected. As a Solutions Architect Professional, which of the following options would you identify as the MOST plausible root cause behind this issue?

Kinesis Agent cannot write to a Kinesis Firehose for which the delivery stream source is already set as Kinesis Data Streams

A global biomedicine company has built a Genomics Solution on AWS Cloud. The company's labs generate hundreds of terabytes of research data daily. To further accelerate the innovation process, the engineering team at the company wants to move most of the on-premises data into Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server easily, quickly, and cost-effectively. The team would like to automate and accelerate online data transfers to these AWS storage services. As a Solutions Architect Professional, which of the following solutions would you recommend as the BEST fit?

Use AWS DataSync to automate and accelerate online data transfers to the given AWS storage services

A leading club in the Major League Baseball runs a web platform that boasts over 50,000 pages and over 100 million digitized photographs. It is available in six languages and maintains up-to-date information for the season. The engineering team has built a notification system on the web platform using SNS notifications which are then handled by a Lambda function for end-user delivery. During the off-season, the notification systems need to handle about 100 requests per second. During the peak baseball season, the rate touches about 5000 requests per second and it is noticed that a significant number of the notifications are not being delivered to the end-users on the web platform. As a Solutions Architect Professional, which of the following would you suggest as the BEST fit solution to address this issue?

Amazon SNS message deliveries to AWS Lambda have crossed the account concurrency quota for Lambda, so the team needs to contact AWS support to raise the account limit

A global healthcare company wants to develop a solution called Health Information Systems (HIS) on AWS Cloud that would allow the providers, payers, and government agencies to collaborate, anticipate and navigate the changing healthcare landscape. While pursuing this endeavor, the company would like to decrease its IT operational overhead so it could focus more intently on its core business - healthcare analytics. The solution should help the company eliminate the bottleneck created by manual provisioning of development pipelines while adhering to crucial governance and control requirements. As a means to this end, the company has set up "AWS Organizations" to manage several of these scenarios and would like to use Service Control Policies (SCP) for central control over the maximum available permissions for the various accounts in their organization. This allows the organization to ensure that all accounts stay within the organization’s access control guidelines. As a Solutions Architect Professional, which of the following scenarios would you identify as correct regarding the given use-case? (Select three)

SCPs do not affect service-linked role, If a user or role has an IAM permission policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user or role can't perform that action, SCPs affect all users and roles in attached accounts, including the root user

A data analytics company needs to set up a data lake on Amazon S3 for a financial services client. The data lake is split in raw and curated zones. For compliance reasons, the source data needs to be kept for a minimum of 5 years. The source data arrives in the raw zone and is then processed via an AWS Glue based ETL job into the curated zone. The business analysts run ad-hoc queries only on the data in the curated zone using Athena. The team is concerned about the cost of data storage in both the raw and curated zones as the data is increasing at a rate of 2 TB daily in each zone. Which of the following options would you implement together as the MOST cost-optimal solution? (Select two)

Setup a lifecycle policy to transition the raw zone data into Glacier Deep Archive after 1 day of object creation, Use Glue ETL job to write the transformed data in the curated zone using a compressed file format

The world’s largest cable company uses AWS in a hybrid environment to innovate and deploy features for its flagship video product, XFINITY X1, several times a week. The company uses AWS products such as Amazon Virtual Private Cloud (Amazon VPC) and Amazon Direct Connect to deliver the scalability and security needed for rapidly innovating in a hybrid environment. As part of an internal product roadmap, the engineering team at the company has created a private hosted zone and associated it with a virtual private cloud (VPC). However, the domain names remain unresolved, resulting in errors. As a Solutions Architect Professional, which of the following Amazon VPC configuration options would you use to get the private hosted zone to work?

To use private hosted zones, DNS hostnames and DNS resolution should be enabled for the VPC

A medical technology company has recently set up a hybrid cloud between its on-premises data centers and AWS Cloud. The engineering team at the company has developed a Media Archiving and Communication System application that runs on AWS to support real-time collaboration among radiologists and other specialists. The company uses Amazon S3 to aggregate the raw medical images and video footage from its research teams across the world to discover tremendous medical insights. The technical teams at the overseas research facilities have reported huge delays in uploading large video files to the destination S3 bucket. As a Solutions Architect Professional, which of the following would you recommend as the MOST cost-effective solutions to improve the file upload speed into S3? (Select two)

Use Amazon S3 Transfer Acceleration to enable faster file uploads into the destination S3 bucket, Use multipart uploads for faster file uploads into the destination S3 bucket

A Big Data Analytics company has built a custom data warehousing solution for a large airline by using Amazon Redshift. The solution helps the airline to analyze the international and domestic flight reservations, ticket issuing and boarding information, aircraft operation records, and cargo transportation records. As part of the cost optimizations, the airline now wants to move any historical data (any data older than a year) into S3, as the daily analytical reports consume data for just the last one year. However, the analysts at multiple divisions of the airline want to retain the ability to cross-reference this historical data along with the daily reports. The airline wants to develop a solution with the LEAST amount of effort and MINIMUM cost. As a Solutions Architect Professional, which option would you recommend to address this use-case?

Use Redshift Spectrum to create Redshift cluster tables pointing to the underlying historical data in S3. The analytics team can then query this historical data to cross-reference with the daily reports from Redshift

A mobile app with video upload and archival capabilities has been launched a few weeks ago with Amazon S3 as the storage service supporting videos of up to 10 GB each. The S3 bucket is configured for Virginia (us-east-1) Region. The application is gaining a lot of traction in Melbourne and Sydney cities of Australia. The users of these cities have been complaining of slow uploads and regular timeouts while using the application. Which of the following options can be used to speed up the uploads and enhance the user experience?

To upload video files to Amazon S3 bucket, leverage multipart uploads feature. Configure the application to use S3 Transfer Acceleration endpoints to improve the performance of uploads and also optimize the multipart uploads

A financial services company is building a hybrid Payment Card Industry Data Security Standard (PCI-DSS) compliant application that runs in the us-east-1 Region as well as on-premises. The application sends access logs from all locations to a single S3 bucket in the us-east-1 Region. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. As an AWS Certified Solutions Architect Professional, how would you configure the network to meet these requirements?

Create a private virtual interface to a Direct Connect connection in us-east-1. Set up an interface VPC endpoint and configure the on-premises systems to access S3 via this endpoint

A retail company has two web applications and wants to run them in separate, isolated VPCs. The company is looking at using Elastic Load Balancing to distribute requests between application instances. The security and compliance team at the company has imposed the following restrictions: 1. Inbound HTTP requests to the application must be routed through a centralized VPC 2. Application VPCs must not be exposed to any other inbound traffic 3. Application VPCs cannot be allowed to initiate any outbound connections 4. Internet gateways must not be attached to the application VPCs Which of the following solutions would you recommend to address these requirements?

Configure the applications behind private Network Load Balancers (NLBs) in separate VPCs. Set up each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC. Set up a public Application Load Balancer (ALB) in the centralized VPC and point the target groups to the private IP addresses of each endpoint. Set up host-based routing to route application traffic to the corresponding target group through the ALB

A pharmaceutical company uses AWS Cloud to run multiple workloads with each workload managed by its software development team. The company leverages AWS Organizations and SAML-based federation to provide access to its development teams. A single shared production AWS account is used by all teams to deploy their production workloads. Recently, the company faced an incident when one of the teams had accidentally shut down a production EC2 instance used by another team. As an AWS Certified Solutions Architect Professional, you have been tasked to devise a solution that will eliminate the possibility of recurrence of such an event while making sure that all the teams still retain the necessary access permissions to their AWS resources in the shared AWS account. Which solution is the best fit for these requirements?

During SAML-based federation, pass an attribute for DevelopmentDept as an AWS Security Token Service (AWS STS) session tag. The policy of the assumed IAM role used by the developers should be updated with a deny action and a StringNotEquals condition for the DevelopmentDept resource tag and aws:PrincipalTag/ DevelopmentDept

A solutions architect is setting up DNS failover configuration for Route 53. The architect needs to use multiple routing policies (such as latency-based and weighted) to configure a more complex DNS failover. Which of the following options represent the key points of consideration while setting up a failover configuration on Route 53? (Select two)

If you're creating failover records in a private hosted zone, you must assign a public IP address to an instance in the VPC to check the health of an endpoint within a VPC by IP address, Records without a health check are always considered healthy. If no record is healthy, all records are deemed to be healthy

An e-commerce business has several AWS accounts. For implementing a new feature, the development team has used AWS Lambda functions which will be managed in a centralized AWS account. The team needs the required permissions to allow the Lambda functions to access resources in each of the company's AWS accounts with the least privilege(s) possible. How will you configure this requirement? (Select two)

In the centralized account, configure an IAM role that has the Lambda service as a trusted entity. Add an inline policy to assume the roles of the other AWS accounts, In the other AWS accounts, configure an IAM role that has minimal permissions. Add the Lambda execution role of the centralized account as a trusted entity

An analytics company has configured a hybrid environment between its on-premises data center and the AWS Cloud. The company wants to use the Elastic File System (EFS) to store and share data between the on-premises applications that need to resolve DNS queries through the on-premises DNS servers. The company wants to use a custom domain name to connect to EFS. The company also wants to avoid using the Amazon EFS target IP address. Which of the following solutions would you recommend to address these requirements?

Configure a Route 53 Resolver inbound endpoint and configure it for the EFS specific VPC. Create a Route 53 private hosted zone and add a new CNAME record with the value of the EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone

A company has various business units, each holding its AWS account. With a growing number of different AWS accounts, the company has decided to use AWS Organizations to centralize permissions and access controls. As a solutions architect, you have been asked to define Service Control Policies (SCPs) for the company. Which of the following represent true statements about SCPs? (Select two)

If a user has an IAM policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user cannot perform that action, The specified actions from an attached SCP affect all IAM identities including the root user of the member account

A company has three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows: VPC A: 10.1.0.0/16 VPC B: 192.168.0.0/16 VPC C: 10.1.0.0/16 Instance a-1 in VPC A has the IP address 10.1.0.10. Instance c-1 in VPC C has the IP address 10.1.0.10. Instances b-1 and b-2 in VPC B have the IP addresses 192.168.2.10 and 192.168.2.20 respectively. The instances b-1 and b-2 are in the subnet 192.168.2.0/24. The networking team at the company has mandated that b-1 must be able to communicate with a-1, and b-2 must be able to communicate with c-1. However, the team has noticed that both b-1 and b-2 are only able to communicate with a-1; instead of b-1 communicating with a-1 and b-2 communicating with c-1. Which of the following combination of steps will address this issue? (Select two)

Discard existing subnet in VPC B. Create two new subnets 192.168.2.0/28 and 192.168.2.16/28 in VPC B. Move b-1 to subnet 192.168.2.0/28 and b-2 to subnet 192.168.2.16/28 by launching a new instance in the new subnet via an AMI created from the old instance, Create two route tables in VPC B - one with a route for destination VPC A and another with a route for destination VPC C

A solutions architect has configured an Amazon Relational Database Service (Amazon RDS) DB instance as part of an AWS Elastic Beanstalk environment. To resolve an issue, the Beanstalk environment has to be upgraded from environment A to environment B for a week. Therefore, the dependency between the DB instance and the Beanstalk environment has to be removed. How will you implement this requirement without causing a downtime and data loss?

Decouple the RDS DB instance from the Beanstalk environment (environment A) and leverage Elastic Beanstalk blue (environment A)/green (environment B) deployment to connect to the decoupled database post the upgrade

A company has many AWS accounts for its different business units. As per the company's policy, developers should have limited access to a few AWS Regions (known as Core Regions). This restricted access was implemented using custom code. The company now wants to use AWS services to implement this restriction and relinquish the custom application. Which of the following represents the most optimal solution that is easy to set up and maintain?

Enable AWS Organizations and attach the AWS accounts of all business units to it. Create a Service Control Policy to deny access to the Non-Core Regions and attach the policy to the root OU

A company has its web application hosted on Amazon EC2 instances that are deployed in a single AWS Region. The company has now expanded its operations into new geographies and the company wants to offer low-latency access for the application to its customers. To comply with different financial regulations of each geography, the application needs to operate in silos and the underlying instances in one region should not interact with instances running in other regions. Which of the following represents the most optimal solution to automate the application deployment to different AWS regions?

Create a CloudFormation template describing the application infrastructure in the Resources section. Use CloudFormation stack set from an administrator account to launch stack instances that deploy the application to various other regions

A team uses an Amazon S3 bucket to store the client data. After updating the S3 bucket with a few file deletes and some new file additions, the team has just realized that these changes have not been propagated to the AWS Storage Gateway file share. What is the underlying issue? Which method can be used to resolve it?

Storage Gateway doesn't automatically update the cache when you upload a file directly to Amazon S3. Perform a RefreshCache operation to see the changes on the file share

An ed-tech company needs to deliver its video-on-demand (VOD) content to approximately 1 million users in a cost-effective way. The learning material is in the form of videos with a maximum size of 10 GB each. The videos are highly watched when initially uploaded and subsequently have very less views after 6-8 months. While the old videos might not be accessed regularly, they need to be immediately accessible when needed. With trainers and material doubling every few months, the number of videos has exploded over the last few months, dramatically increasing the cost of storage for the company. Which is the most cost-effective way of storing these videos to address the given use case?

Use Amazon S3 Intelligent-Tiering storage class to store the video files. Configure this S3 bucket as the origin of an Amazon CloudFront distribution for delivering the contents to the customers

A company has its flagship application fronted by an Application Load Balancer that is targeting several EC2 Linux instances running in an Auto Scaling group in a private subnet. AWS Systems Manager Agent is installed on all the EC2 instances. The company recently released a new version of the application, however, some of the EC2 instances are now being marked as unhealthy and are being terminated, thereby causing the application to run at reduced capacity. You have been tasked to ascertain the root cause by analyzing Amazon CloudWatch logs that are collected from the application, but you find that the logs are inconclusive. Which of the following options would you propose to get access to an EC2 instance to troubleshoot the issue?

Suspend the Auto Scaling group's Terminate process. Use Session Manager to log in to an instance that is marked as unhealthy and analyze the system logs to figure out the root cause

A retail company offers its services to the customers via APIs that leverage Amazon API Gateway and Lambda functions. The company also has a legacy API hosted on an Amazon EC2 instance that is used by the company's supply chain partners. The security and audit team at the company has raised concerns over the use of these APIs and wants a solution to secure them all from any vulnerabilities, DDoS attacks, and malicious exploits. Which of the following options would you use to address the security requirements of the company?

Use AWS Web Application Firewall (WAF) as the first line of defense to protect the API Gateway APIs against malicious exploits and DDoS attacks. Install Amazon Inspector on the EC2 instance to check for vulnerabilities. Configure Amazon GuardDuty to monitor any malicious attempts to access the APIs illegally

The development team at a company needs to implement a client-side encryption mechanism for objects that will be stored in a new Amazon S3 bucket. The team created a CMK that is stored in AWS Key Management Service (AWS KMS) for this purpose. The team created the following IAM policy and attached it to an IAM role: { "Version": "2012-10-17", "Id": "key-policy-1", "Statement": [ { "Sid": "GetPut", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::ExampleBucket/*" }, { "Sid": "KMS", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt" ], "Resource": "arn:aws:kms:us-west-1:111122223333:key/keyid-12345" } ] } The team was able to successfully get existing objects from the S3 bucket while testing. But any attempts to upload a new object resulted in an error. The error message stated that the action was forbidden. Which IAM policy action should be added to the IAM policy to resolve the error?

kms:GenerateDataKey

A company provides a web-based business-management platform for IT service companies across the globe to manage help desk, customer service, sales and marketing, and other critical business functions. More than 50,000 people use the company's platform, so the company must respond quickly to any reported problems. However, the company has issues with not having enough visibility into its systems to discover any issues. Multiple logs and monitoring systems are needed to understand the root cause of problems thereby taking hours to resolve. Even as the company is slowly moving towards serverless architecture using AWS Lambda/Amazon API Gateway/Amazon Elastic Container Service (Amazon ECS), the company wants to monitor the microservices and gain deeper insights into its serverless resources. Which of the following will you recommend to address the given requirements?

Use AWS X-Ray to analyze the microservices applications through request tracing. Configure Amazon CloudWatch for monitoring containers, latency, web server requests, and incoming load-balancer requests and create CloudWatch alarms to send out notifications if system latency is increasing

A company is migrating its two-tier legacy application (using MongoDB as a key-value database) from its on-premises data center to AWS. The company has mandated that the EC2 instances must be hosted in a private subnet with no internet access. In addition, all connectivity between the EC2 instance-hosted application and the database must be encrypted. The database must be able to scale to meet traffic spikes from any bursty or unpredictable workloads. Which do you recommend?

Set up new Amazon DynamoDB tables for the application with on-demand capacity. Use a gateway VPC endpoint for DynamoDB so that the application can have a private and encrypted connection to the DynamoDB tables

An e-commerce company manages its flagship application on a load-balanced EC2 instance fleet for web hosting, database API services, and business logic. This tightly coupled architecture makes it inflexible for new feature additions while also making the architecture less scalable. Which of the following options can be used to decouple the architecture, improve scalability and provide the ability to track the failed orders?

Configure Amazon S3 for hosting the web application while using AWS AppSync for database access services. Use Amazon Simple Queue Service (Amazon SQS) for queuing orders and AWS Lambda for business logic. Use Amazon SQS dead-letter queue for tracking and re-processing failed orders

An Amazon Simple Storage Service (Amazon S3) bucket has been configured to host a static website. While using the S3 static website endpoint, the testing team has complained that they are receiving access denied error for this website. What are the key points to consider while configuring an S3 bucket as a static website? (Select two)

Objects can't be encrypted by AWS Key Management Service (AWS KMS), The AWS account that owns the bucket must also own the object

An analytics company wants to leverage ElastiCache for Redis in cluster mode to enhance the performance and scalability of its existing two-tier application architecture. The ElastiCache cluster is configured to listen on port 6379. The company has hired you as an AWS Certified Solutions Architect Professional to build a secure solution so that the cache data is secure and protected from unauthorized access. Which of the following steps would address the given use-case? (Select three)

Create the cluster with auth-token parameter and make sure that the parameter is included in all subsequent commands to the cluster, Configure the security group for the ElastiCache cluster with the required rules to allow inbound traffic from the cluster itself as well as from the cluster's clients on port 6379, Configure the ElastiCache cluster to have both in-transit as well as at-rest encryption

The engineering team at a healthcare company is working on the Disaster Recovery (DR) plans for its Redshift cluster deployed in the eu-west-1 Region. The existing cluster is encrypted via AWS KMS and the team wants to copy the Redshift snapshots to another Region to meet the DR requirements. As a Solutions Architect Professional, which of the following solutions would you suggest to address the given use-case?

Create a snapshot copy grant in the destination Region for a KMS key in the destination Region. Configure Redshift cross-Region snapshots in the source Region

The DevOps team at a leading SaaS company is planning to release the major upgrade of its flagship CRM application in a week. The team is testing the alpha release of the application running on 20 EC2 instances managed by an Auto Scaling group in subnet 172.20.0.0/24 within VPC X with CIDR block 172.20.0.0/16. The team has noticed connection timeout errors in the application logs while connecting to a MySQL database running on an EC2 instance in the same region in subnet 172.30.0.0/24 within VPC Y with CIDR block 172.30.0.0/16. The IP of the database instance is hard-coded in the application instances. As a Solutions Architect Professional, which of the following solutions would you recommend to the DevOps team to solve the problem in a secure way with minimal maintenance and overhead? (Select two)

Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC X that points to the IP address range of 172.30.0.0/16, Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC Y that points to the IP address range of 172.20.0.0/16

A digital media company wants to use AWS Cloudfront to manage its content. Firstly, it would like to allow only those new users who have paid the annual subscription fee the ability to download the application installation file. Secondly, only the subscribers should be able to view the files in the members' area. As a Solutions Architect Professional, which of the following would you recommend as the MOST optimal solutions to deliver restricted content to the bona fide end users? (Select two)

Use CloudFront signed URLs to restrict access to the application installation file, Use CloudFront signed cookies to restrict access to all the files in the members' area of the website

The DevOps team for a CRM SaaS company wants to implement a patching plan on AWS Cloud for a large mixed fleet of Windows and Linux servers. The patching plan has to be auditable and must be implemented securely to ensure compliance with the company's business requirements. As a Solutions Architect Professional, which of the following options would you recommend to address these requirements with MINIMAL effort? (Select two)

Apply patch baselines using the AWS-RunPatchBaseline SSM document, Set up Systems Manager Agent on all instances to manage patching. Test patches in pre-production and then deploy as a maintenance window task with the appropriate approval

A web hosting company's CFO recently analyzed the company's monthly bill for the AWS account for the development environment and identified an opportunity to reduce the cost for AWS Elastic Beanstalk infrastructure in use. The CFO in consultation with the CTO has hired you as an AWS Certified Solutions Architect Professional to design a highly available solution that will provision an Elastic Beanstalk environment in the morning and terminate it at the end of the day. The solution should be designed with minimal operational overhead with a focus on minimizing costs. The solution should also facilitate the increased use of Elastic Beanstalk environments among different development teams and must provide a one-stop scheduler solution for all teams to keep the operational costs as low as possible. Which of the following solution designs will you suggest to address these requirements?

Set up separate Lambda functions to provision and terminate the Elastic Beanstalk environment. Configure a Lambda execution role granting the required Elastic Beanstalk environment permissions and assign the role to the Lambda functions. Configure cron expression based Amazon EventBridge events rules to trigger the Lambda functions

An automobile company helps more than 20 million web and mobile users browse automobile dealer inventory, read vehicle reviews, and consume other automobile-related content by leveraging its library of 50 million vehicle photos uploaded by auto dealers. The company is planning a key update with even better image quality and faster load times on the company's website as well as mobile apps but the existing image-handling solution based on Cloudera MapReduce clusters is not the right tool for the job. The company now wants to switch to a serverless solution on AWS Cloud. As part of this process, the engineering team has been studying various best practices for serverless solutions. They intend to use AWS Lambda extensively and are looking at the salient features to consider when using Lambda as the backbone for the serverless architecture. As a Solutions Architect Professional, which of the following would you identify as key considerations for a serverless architecture? (Select three)

By default, Lambda functions always operate from an AWS-owned VPC and hence have access to any public internet address or public AWS APIs. Once a Lambda function is VPC-enabled, it will need a route through a NAT gateway in a public subnet to access public resources, Since Lambda functions can scale extremely quickly, it's a good idea to deploy a CloudWatch Alarm that notifies your team when function metrics such as ConcurrentExecutions or Invocations exceeds the expected threshold, If you intend to reuse code in more than one Lambda function, you should consider creating a Lambda Layer for the reusable code

A healthcare company has migrated some of its IT infrastructure to AWS Cloud and is looking for a solution to enable real-time data transfer between AWS and its data centers to reduce the turnaround time to generate the patients' diagnostic reports. The company wants to build a patient results archival solution such that only the most frequently accessed results are available as cached data locally while backing up all results on Amazon S3. As a Solutions Architect Professional, which of the following solutions would you recommend for this use-case?

Use AWS Volume Gateway - Cached Volume - to store the most frequently accessed results locally for low-latency access while storing the full volume with all results in its Amazon S3 service bucket

A multi-national bank has recently migrated to AWS Cloud to utilize dedicated instances that are physically isolated at the host hardware level from instances that belong to other AWS accounts. The bank's flagship application is hosted on a fleet of EC2 instances which are part of an Auto Scaling group (ASG). The ASG uses a Launch Configuration (LC-A) with "dedicated" instance placement tenancy but the VPC (VPC-A) used by the Launch Configuration LC-A has the instance tenancy set to default. Later the engineering team creates a new Launch Configuration (LC-B) with "default" instance placement tenancy but the VPC (VPC-B) used by the Launch Configuration LC-B has the instance tenancy set to dedicated. As a Solutions Architect Professional, which of the following options would you identify as correct regarding the instances launched via Launch Configuration LC-A and Launch Configuration LC-B?

The instances launched by both Launch Configuration LC-A and Launch Configuration LC-B will have dedicated instance tenancy

A healthcare technology solutions company recently faced a security event resulting in an S3 bucket with sensitive data containing Personally Identifiable Information (PII) for patients being made public. The company policy mandates never to have public S3 objects so the Governance and Compliance team must be notified immediately as soon as any public objects are identified. The company has hired you as an AWS Certified Solutions Architect Professional to help build a solution that detects the presence of a public S3 object, which in turn sets off an alarm to trigger notifications and then automatically remediates the said object. Which of the following solutions would you implement in tandem to meet the requirements of the given use-case? (Select two)

Configure a Lambda function as one of the SNS topic subscribers, which is invoked to secure the objects in the S3 bucket, Enable object-level logging for S3. Set up a EventBridge event pattern when a PutObject API call with public-read permission is detected in the AWS CloudTrail logs and set the target as an SNS topic for downstream notifications

A financial services company runs more than 400 core-banking microservices on AWS, using services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Block Store (Amazon EBS), and Amazon Simple Storage Service (Amazon S3). The company also segregates parts of its infrastructure using separate AWS accounts, so if one account is compromised, critical parts of the infrastructure in other accounts remain unaffected. The company uses one account for production, one for non-production, and one for storing and managing users’ login information and roles within AWS. The privileges that are assigned in the user account then allow users to read or write to production and non-production accounts. The company has set up "AWS Organizations" to manage several of these scenarios. The company wants to provide shared and centrally-managed VPCs to all business units for certain applications that need a high degree of interconnectivity. As a solutions architect, which of the following options would you choose to facilitate this use-case?

Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations

A leading gaming company runs multiple game platforms that need to store game state, player data, session history, and leaderboards. The company is looking to move to AWS Cloud to scale reliably to millions of concurrent users and requests while ensuring consistently low latency measured in single-digit milliseconds. The engineering team at the company is evaluating multiple in-memory data stores with the ability to power its on-demand, live leaderboard. The company's leaderboard requires high availability, low latency, and real-time processing to deliver customizable user data for the community of its users. As an AWS Certified Solutions Architect Professional, which of the following solutions would you recommend? (Select two)

Develop the leaderboard using ElastiCache Redis as it meets the in-memory, high availability, low latency requirements, Develop the leaderboard using DynamoDB with DynamoDB Accelerator (DAX) as it meets the in-memory, high availability, low latency requirements

A big data analytics company leverages its proprietary analytics workflow (built using Redshift) to correlate traffic with marketing campaigns and to help retailers optimize hours for peak traffic, among other activities. The company has hired you as an AWS Certified Solutions Architect Professional to review the company's Redshift cluster, which has now become an integral part of its technology solutions. You have been asked to improve the reliability and availability of the cluster in case of a disaster and provide options to ensure that if an issue arises, the cluster can either operate or be restored within five hours. Which of the following would you suggest as the BEST solution to meet the business needs in the most cost-effective way?

Set up a CloudFormation stack set for Redshift cluster creation so it can be launched in another Region and configure Amazon Redshift to automatically copy snapshots for the cluster to the other AWS Region. In case of a disaster, restore the cluster in the other AWS Region from that Region's snapshot

The product team at a global IoT technology company is looking to build features to facilitate better collaboration with the company's customers. As part of its research, the product team has figured out a market need to support both stateful and stateless client-server communications via the APIs developed using its platform. You have been hired by the company as an AWS Certified Solutions Architect Professional to build a solution to fulfill this market need using AWS API Gateway. Which of the following would you recommend to the company?

API Gateway creates RESTful APIs that enable stateless client-server communication and API Gateway also creates WebSocket APIs that adhere to the WebSocket protocol, which enables stateful, full-duplex communication between client and server

A leading video creation and distribution company has recently migrated to AWS Cloud for digitally transforming its movie business. The company wants to speed up its media distribution process and improve data security while also reducing costs and eliminating errors. The company wants to set up a Digital Cinema Network that would allow it to store content in Amazon S3 as well as to accelerate the online distribution of movies and advertising to theaters in 38 key media markets worldwide. The company also wants to do an accelerated online migration of hundreds of terabytes of files from their on-premises data center to Amazon S3 and then establish a mechanism for low-latency access of the migrated data for ongoing updates from the on-premises applications. As a Solutions Architect Professional, which of the following would you select as the MOST performant solution for the given use-case?

Use AWS DataSync to migrate existing data to Amazon S3 and then use File Gateway for low latency access to the migrated data for ongoing updates from the on-premises applications

A Wall Street based trading firm is modernizing its message queuing system by migrating from self-managed message-oriented middleware systems to Amazon SQS. The firm is using SQS to migrate several trading applications to the cloud to ensure high availability and cost efficiency while simplifying administrative complexity and overhead. The development team at the firm expects a peak rate of about 2,400 messages per second to be processed via SQS. It is important that the messages are processed in the order they are received. Which of the following options can be used to implement this system in the most cost-effective way?

Use Amazon SQS FIFO queue in batch mode of 8 messages per operation to process the messages at the peak rate

After a recent DDoS assault, the IT security team of a media company has asked the Security Engineer to revamp the security of the application to prevent future attacks. The website is hosted on an Amazon EC2 instance and data is maintained on Amazon RDS. A large part of the application data is static and this data is in the form of images. Which of the following steps can be combined to constitute the revamped security model? (Select two)

Use Amazon Route 53 to distribute traffic, Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution. Configure another layer of protection by adding AWS Web Application Firewall (AWS WAF) to the CloudFront distribution

An e-commerce company has hired an AWS Certified Solutions Architect Professional to design a dual-tier storage layer for its flagship application running on EC2 instances. One of the tiers of this storage layer is a data tier that should support a POSIX file system shared across many systems. The other tier of this storage layer is a service tier that supports static file content that requires block storage with more than a million IOPS. Which of the following solutions represent the BEST combination of AWS services for this use-case? (Select two)

Use EFS as the data tier of the storage layer, Use EC2 Instance Store as the service tier of the storage layer

A health and beauty products company processes thousands of orders each day from 100 countries and its website is localized in 15 languages. The company’s website faces continual security threats and challenges in the form of HTTP flood attacks, distributed denial of service (DDoS) attacks, rogue robots that flood its website with traffic, SQL-injection attacks designed to extract data and cross-site scripting attacks (XSS). Most of these attacks originate from certain countries. Therefore, the company wants to block access to its application from specific countries; however, the company wants to allow its remote development team (from one of the blocked countries) to have access to the application. The application is deployed on EC2 instances running under an Application Load Balancer (ALB) with AWS WAF. As a Solutions Architect Professional, which of the following solutions would you suggest as the BEST fit for the given use-case? (Select two)

Use WAF IP set statement that specifies the IP addresses that you want to allow through, Use WAF geo match statement listing the countries that you want to block

A business has their web application hosted in us-east-1 region. Recently, the business has added another region us-east-2, and has configured Route53 to direct user traffic to the least-latency AWS Region. However, the development team has found some aberrations in the expected functionality and the team is trying to ascertain if it's a configuration issue. Which of the following would you suggest as the key points of consideration while configuring Route53? (Select three)

After a Route 53 health checker receives the HTTP status code, it must receive the response body from the endpoint within the next two seconds with the SearchString string that you specified. The string must appear entirely in the first 5,120 bytes of the response body or the endpoint fails the health check, HTTPS health checks don't validate SSL/TLS certificates, so checks don't fail if a certificate is invalid or expired, If you configure Route 53 to use the HTTPS protocol to check the health of your endpoint, then that endpoint must support TLS

An e-commerce company has a three-tier web application with separate subnets for Web, Application and Database tiers. The CTO at the company wants to monitor any malicious activity targeting the web application running on EC2 instances. As a solutions architect, you have been tasked with developing a solution to notify the security team in case the network exposure of EC2 instances on specific ports violates the security policies of the company. Which AWS Services would you use to build an automated notification system to meet these requirements with the least development effort? (Select two)

Amazon Inspector, Amazon SNS

A company is building an on-demand streaming application on AWS Cloud. The company has chosen Amazon S3 as its storage service and moved the existing videos to an Amazon S3 bucket. The application requires the video playback to start quickly, fast-forwarding should be more efficient and the overall user experience should be smoother without smothering the user's bandwidth. Which AWS service(s) will help implement this solution effectively?

Use AWS Elemental MediaConvert for file-based video processing and Amazon CloudFront for delivery. Use video streaming protocols like Apple’s HTTP Live Streaming (HLS) and create a manifest file. Point the CloudFront distribution at the manifest

A global multi-player gaming application runs on UDP protocol and it needs to add functionality where you can assign multiple players to a single session on a game server based on factors such as geographic location, player skill, and a few more configurable parameters. The application is accessed by players spread out across different regions of the world. What is the BEST way to configure this requirement?

Use custom routing accelerator of Global Accelerator to deterministically route one or more users to a specific instance using VPC subnet endpoints

A team needs to set up a private network connection between AWS Storage Gateway's file interface (file gateway) and Amazon Simple Storage Service (Amazon S3). The Gateway should not communicate with AWS services over the internet. Which of the following options can be used to configure this requirement? (Select two)

Create a VPC Gateway endpoint and create the file gateway using this VPC endpoint, Create a VPC Interface endpoint and create the file gateway using this VPC endpoint

A business has hosted their custom made log data analyzer application on AWS. The application examines the generated log data using the date ranges. Every day the application generates around 15 GB of data which is expected to keep growing in the future. As a solutions architect, you are responsible for storing the data in Amazon S3 and analyzing it using Amazon Athena. What combination of steps will you recommend for the best-performing solution? (Select two)

Store the data in Amazon S3 in a columnar format such as Apache Parquet, Partition the data in Amazon S3 using Apache Hive partitioning. Use a date column as partition key

A retail company has a Direct Connect connection between its on-premises data center and its VPC on the AWS Cloud. The company's flagship application runs on an EC2 instance in the VPC and it needs to access customer data stored in the on-premises data center with consistent performance. To meet the compliance guidelines, the data should remain encrypted during this operation. Which of the following solutions would you recommend for this use case?

Configure a public virtual interface on the Direct Connect connection. Create an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC

A company wants to use AWS Organizations to set up Service control policies (SCPs) for better control over AWS resources used by the teams. The policy should allow access to describe actions on Amazon EC2 instances while denying access to all actions on Amazon S3 buckets. Which of the following is the correct option to include both the requirements into a single SCP?

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:Describe*", "Resource":" *" }, { "Effect": "Deny", "Action": "s3:*", "Resource": "*" } ] }

A data analytics company leverages Amazon QuickSight (Enterprise Edition) for creating and publishing interactive BI dashboards that can be accessed from any device. For a new requirement, the company must create a private connection from Amazon QuickSight to an Amazon RDS DB instance that's in a private subnet to fetch data for analysis. Which is the BEST solution for configuring a private connection between QuickSight and Amazon RDS DB instance?

Create a new private subnet in the same VPC as the Amazon RDS DB instance. Create a new security group with necessary inbound rules for QuickSight in the same VPC. Sign in to QuickSight as a QuickSight admin and create a new QuickSight VPC connection. Create a new dataset from the RDS DB instance

An investment firm collects daily stock trading data from exchanges and stores it in a data warehouse. The development team at the firm needs a solution that streams data directly into the data repository but should also allow SQL-based data modifications when needed. The solution should facilitate complex analytical queries that execute in the fastest possible time. The solution should also offer a business intelligence dashboard that highlights any stock price anomalies. Which of the following options represents the best solution for the given use case?

Configure Amazon Kinesis Data Firehose to stream data to Amazon Redshift. Create a business intelligence dashboard by using Amazon QuickSight that has Amazon Redshift as a data source

A development team is designing a system on AWS that will leverage Amazon CloudFront for content caching and for protecting the underlying origin. The team has flagged a concern regarding a probable attack on the origin server IP addresses, despite it being served by CloudFront. As an AWS Certified Solutions Architect Professional, which of the following would you recommend as the BEST solution for providing the strongest level of protection to the origin server?

Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin’s Application Load Balancer to accept only traffic that contains that header

An e-commerce company manages its flagship applications on AWS. The Amazon EC2 instances running the applications are fronted by an Application Load Balancer (ALB). Amazon Route 53 provides public DNS services. Different URLs (mobile.ecomm.com, web.ecomm.com, api.ecomm.com) will serve the required content to the end-users. As an AWS Certified Solutions Architect Professional, which combination of services would you use to serve the content to the end-users? (Select two)

Use Host conditions in ALB listener to route *.ecomm.com to appropriate target groups, Use Host conditions in ALB listener to route ecomm.com to appropriate target groups

An analytics company runs a web service that is used by client applications deployed in multiple offices worldwide. The application architecture consists of an Elastic Load Balancer (ELB) distributing traffic across ten application servers deployed in an Auto Scaling group across two Availability Zones. The ELB uses a round-robin configuration with no sticky sessions. The development team has configured the NACLs and security groups to allow port 22 from a NAT instance being used as a jump host, and also allow port 80 from 0.0.0.0/0. The client configuration is managed by each regional IT team. The networking team has noticed that a significant number of requests from incorrectly configured client sites are causing a single application server to degrade. The remainder of the requests are equally distributed across all servers with no negative effects. As an AWS Certified Solutions Architect Professional, what would you recommend to address the situation and prevent future occurrences?

Update the Security Groups for the application servers to only allow incoming traffic on port 80 from the ELB

A healthcare company has to maintain a log of all transactions for audit and compliance purposes. The company is planning stringent security measures for all of its CloudTrail log files. Which of the following would you suggest as the LEAST effort options to secure the CloudTrail logs? (Select two)

Enable CloudTrail log file integrity validation, Use Amazon S3 MFA Delete on the S3 bucket that holds CloudTrail logs and digest files

During a quarterly audit, it has come to light that employees have not followed the security standards mandated by the company while using the AWS Key Management Service (AWS KMS) keys. The senior management has decided that access to AWS KMS keys should be restricted to only the principals belonging to their AWS Organizations. How will you implement this requirement?

The aws:PrincipalOrgID global condition key can be used with the Principal element in a resource-based policy with AWS KMS. You need to specify the Organization ID in the Condition element

A company is delivering web content from an Amazon EC2 instance in a public subnet with address 2022:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries: 2 098765432112 eni-0596e500987654321 2022:db8:2:200::2 2022:db8:1:100::1 0 0 58 236 42336 1551200195 1551200434 ACCEPT OK 2 098765432112 eni-0596e500987654321 2022:db8:1:100::1 2022:db8:2:200::2 0 0 58 236 42336 1551200195 1551200434 REJECT OK Which of the following options will restore network reachability to the EC2 instance?

Update the network ACL associated with the subnet to allow outbound traffic

A company runs a three-tier web application hosted on AWS Cloud. A Multi-AZ RDS MySQL server (with one standby) forms the database layer with Amazon ElastiCache forming the cache layer. The top management wants a reporting feature for the sales and marketing activity at the company. As a solutions architect, you have been tasked to build a reporting layer that fetches the information from the database and displays it to the management's dashboards every half an hour. What is the most optimal solution to meet these requirements with the least impact on the operational performance of the database?

Create a new RDS Read Replica from your Multi AZ primary database and generate reports by querying the Read Replica

A social gaming company is developing a mobile game that streams score updates to a backend processor and then publishes results on a leaderboard. The company has hired you to design a solution that can handle major traffic spikes, process the mobile game updates in the order of receipt, and store the processed updates in a highly available database. The company wants to minimize the management overhead required to maintain the solution. Which of the following solutions will you recommend to meet these requirements?

Send score updates to Kinesis Data Streams which uses a Lambda function to process these updates and then store these processed updates in DynamoDB

A data analytics company runs a real-time data processing application that uses Kinesis Client Library (KCL) to help consume and process data from the real-time data streams. The development team has raised a query on the viability of using the same DynamoDB table for different KCL applications. Which of the following are correct statements for KCL while consuming Kinesis Data Streams? (Select two)

Each KCL application must use its own DynamoDB table, You can only use DynamoDB for checkpointing KCL

A medical insurance company stores its bills and supporting documents of its customers in an Amazon S3 bucket as per the regulatory guidelines. The bucket is organized into folders with each folder having an insurance claim type. Employees working on claims have access to this S3 bucket and copy the bills and supporting documents to the folders based on the claim type. With changes in the regulations, the company has a new workflow for a new type of claim that exceeds a certain amount. These high-value claims have to be copied to a different bucket from where a program processes them within an hour. The workflow must trigger a ticket for the Audit team if the claim data is not copied into the destination bucket within 15 minutes. Which is the most effective solution that can be quickly implemented to incorporate the necessary changes in the workflow?

Create a new Amazon S3 bucket to be used for replication. Create a new S3 Replication Time Control (S3 RTC) rule on the source S3 bucket that filters data based on the prefix (high-value claim type) and replicates it to the new S3 bucket. Leverage an Amazon S3 event notification to trigger a notification when the time to copy the claim data exceeds the desired threshold

An e-commerce company has its flagship application hosted on Amazon EC2 instances that are configured in an Auto Scaling group behind a public-facing Application Load Balancer (ALB). The application should only be accessible to users from a specific country. The company also needs the ability to monitor any prohibited requests for further analysis by the security team. What will you suggest as the most optimal and low-maintenance solution for the given use case?

Set up an AWS Web Application Firewall (WAF) web ACL. Create a rule to deny any requests that do not originate from the specified country. Attach the rule with the web ACL. Attach the web ACL with the ALB

The development team at a company has noticed issues with the Quality of Service (QoS) in the traffic to the EC2 instances hosting a VOIP program. The team needs to inspect the network packets to determine if it is a programming error or a networking error. As an AWS Certified Solutions Architect Professional, which of the following options would you suggest for the given use case?

Configure traffic mirroring on the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance and stream the logs to an S3 bucket for further analysis

MPLE

ユーザ名非公開 · 41問 · 13日前

MPLE