400+ Câu hỏi luyện thi chứng chỉ AWS Certified Solutions Architect Associate (SAA-C03) - Phần 7

March 29, 2023

Question 1

You work as an architect for a consulting company. The consulting company normally creates the same set of resources for their clients. They want some way of building templates, which can then be used to deploy the resources to the AWS accounts for the various clients. Also, your team needs to be ensured that they have control over the infrastructure. Which of the following service can help fulfill this requirement?

A. AWS Elastic Beanstalk

B. Custom AMI

C. AWS Cloudformation

D. EBS Snapshots

Question 2

Your company runs an automobile reselling company that has a popular online store on AWS. The application sits behind an Auto Scaling group and requires new instances of the Auto Scaling group to identify their public and private IP addresses. Which of the following is the correct AWS option to identify the IP addresses?

A. By using Ipconfig for windows or Ifconfig for Linux.

B. By using a CloudTrail.

C. Using a Curl or Get Command to get the latest meta-data from http://169.254.169.254/latest/meta-data/

D. Using a Curl or Get Command to get the latest user-data from http://169.254.169.254/latest/user-data/

Question 3

You have been designing a CloudFormation template that creates one elastic load balancer fronting two EC2 instances. Which section of the template should you edit so that the load balancer’s DNS is returned upon creating the stack?

A. Resources

B. Parameters

C. Outputs

D. Mappings

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

{

    "Resources": {

        "MyEC2Instance": {

            "Type": "AWS::EC2::Instance",

            "Properties": {

                "ImageId": "ami-d6f32ab5"

            }

        }

    },

    "Outputs": {

        "Availability": {

            "Description": "The Instance ID",

            "Value":

            { "Fn::GetAtt" : [ "MyEC2Instance", "AvailabilityZone" ]}

        }

    }

}

Question 4

Your company has a set of resources defined in AWS. These resources consist of applications hosted on EC2 Instances. Data is stored on EBS volumes and S3. The company mandates that all data should be encrypted at rest. How can you achieve this? Choose 2 answers from the options below.

A. Enable SSL with the underlying EBS volumes.

B. Enable EBS Encryption.

C. Make sure that data is transmitted from S3 via HTTPS.

D. Enable S3 server-side Encryption.

Question 5

You have been instructed to establish a successful site-to-site VPN connection from your on-premises network to the VPC (Virtual Private Cloud). As an architect, which of the following pre-requisites should you ensure to establish the site-to-site VPN connection? Choose 2 answers from the options given below.

A. The main route table to route traffic through a NAT instance

B. A public IP address on the customer gateway for the on-premises network

C. A virtual private gateway attached to the VPC

D. An Elastic IP address to the Virtual Private Gateway

Question 6

You are using a c5.large EC2 Instance with one 300GB EBS General purpose SSD volume to host a relational database. You noticed that the read/write capacity of the database needs to be increased. Which of the following approaches can help achieve this? Choose 2 answers from the options given below.

A. Use a larger EC2 Instance Type.

B. Enable Multi-AZ feature for the database.

C. Consider using Provisioned IOPS Volumes.

D. Put the database behind an Elastic Load Balancer.

Explanation

Answer - A and C
The below snapshot from the AWS Documentation shows the different volume types and why Provisioned IOPS is the most ideal for this requirement.

Also, consider using a larger instance size for better processing capabilities based on EBS Bandwidth.
- Option B is incorrect since the Multi-AZ feature is only for high availability.
- Option D is incorrect since this would not alleviate the high number of read/write of the database.

Question 7

Your company has a set of AWS RDS Instances. Your management has asked you to disable Automated backups to save on cost. When you disable automated backups for AWS RDS, what are you compromising on?

A. Nothing,you are actually saving resources on aws

B. You are disabling the point-in-time recovery.

C. Nothing really, you can still take manual backups.

D. You cannot disable automated backups in RDS.

Question 8

A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. There is a requirement to ensure that instances in the Development and Test VPC’s can access resources in the Production VPC. There should be minimal efforts with minimal administrative overhead. Which of the following would be the ideal way to get this in place?

A. Create an AWS Direct Connect connection between the Development, Test VPC to the Production VPC.

B. Create a separate VPC peering connection from Development to Production and from Test to the Production VPC.

C. Create a VPN connection between the Development, Test VPC to the Production VPC.

D. Create a VPC peering connection between the Development to the Production VPC and from Development to the Test VPC.

Explanation

Answer – B
Options A and C are incorrect since these options will NOT involve minimal efforts or minimal overhead. Hence you need to choose VPC peering.
Options D is incorrect since the VPC Peering configuration mentioned would be invalid. We need access from Production to Test and NOT from "Development to Test" as given in the option
You need VPC Peering Configuration between Dev to Prod and Test to Prod.
"A VPC peering connection is a networking connection between two VPCs that enable you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection)."

Question 9

You are working as an AWS consultant for an online grocery store. They are using a two-tier web application with web-servers hosted in VPC’s at us-east-1 region & on-premise data-center. Network Load balancer is configured in the front end to distribute traffic between these servers. All traffic between clients & servers is encrypted. They are looking for an alternate solution to terminate the TLS connection on this Network Load balancer to reduce load on back-end servers.

This store’s management team has engaged you to suggest a solution for certificate management used in case of TLS termination. Which of the following is a preferred secure option to provision & store certificates to be used along with Network Load Balancer for terminating TLS?

A. Use multiple certificates per TLS listener & If a hostname provided by a client matches multiple certificates in the certificate list. The load balancer selects all of the certificates.

B. Use TLS tools to generate a new certificate & upload in AWS Certificate Manager.

C. Use a single certificate per TLS listener provided by AWS Certificate Manager.

D. Use a single certificate with 4096 bits RSA keys for higher security.

Question 10

As a solutions architect, it is your job to design for high availability and fault tolerance. Company-A is utilizing Amazon S3 to store large amounts of file data. You need to ensure that the files are still available in the case of an entire region facing an outage due to a natural disaster. How can you achieve this?

A. Copy the S3 bucket to an EBS optimized backed EC2 instance

B. Amazon S3 is highly available and fault tolerant by design and requires no additional configuration

C. Enable Cross-Region Replication for the bucket

D. Enable versioning for the bucket

Question 11

Your company currently has a set of EC2 Instances hosted on the AWS Cloud. There is a requirement to ensure the restart of instances if a CloudWatch metric goes beyond a certain threshold. As a solutions architect, how would you ask the IT admin staff to implement this?

A. Look at the Cloudtrail logs for events and then restart the Instance based on the events.

B. Create a CloudWatch metric which looks into the instance threshold, and assign this metric against an alarm to reboot the instance.

C. Create a CLI script that restarts the server at certain intervals.

D. Use the AWS Config utility on the EC2 Instance to check for metrics and restart the server

Question 12

Your company is currently hosting a long-running heavy load application on its On-premise environment, whose processing time is greater than 15 minutes. The company has developed this application in-house. Consulting companies then use this application via API calls, and each API call may take half an hour to finish. You now need to consider moving this application to AWS. Which of the following services would be best suited in the architecture design, which would also help deliver a cost-effective solution? (Select TWO)

A. AWS Lambda

B. AWS API Gateway

C. AWS Config

D. AWS EC2

Question 13

You have a set of EC2 Instances in a custom VPC. You have installed a web application and need to ensure that only HTTP and HTTPS traffic is allowed into the instance. Which of the following would you consider for this requirement?

A. Add a security group rule to allow HTTP and HTTPS Traffic.

B. Add a security group rule to an explicit DENY all traffic and a default allow on HTTP and HTTPS Traffic.

C. Add a security group rule to deny explicit traffic on HTTP and HTTPS Traffic.

D. Add a security group rule to allow all traffic.

Question 14

A company has an application defined with the following architecture.

A fleet of EC2 Instances which are used to accept video uploads from users. A fleet of EC2 Instances which are used to process the video uploads. Which of the following would help architect an operationally excellent architecture?

A. Create an SQS queue to store the information for Video uploads. Spin up the processing servers via an Autoscaling Group. Ensure the Group scales based on the Memory utilization of the underlying processing servers.

B. Create an SQS queue to store the information for Video uploads. Spin up the processing servers via an Autoscaling Group. Ensure the Group scales based on the size of the queue.

C. Create an SNS topic to store the information for Video uploads. Spin up the processing servers via an Autoscaling Group. Ensure the Group scales based on the Memory utilization of the underlying processing servers.

D. Create an SNS topic to store the information for Video uploads. Spin up the processing servers via an Autoscaling Group. Ensure the Group scales based on the size of the queue messages.

Explanation

Answer – B
This architecture is also given in the AWS Documentation.

- Option A is incorrect. The ideal approach is to scale the instances based on the size of the queue.
Options C and D are incorrect since you should be using SQS queues. SNS topics are used for notification purposes.
As per AWS,
You can use the number of messages stored in an SQS queue as an indicator of the amount of work waiting in line for eventual processing within an Auto Scaling Group comprised of a variable number of EC2 instances. Each SQS queue reports a number of metrics to CloudWatch at five minute intervals, including
ApproximateNumberOfMessagesVisible
. If your workload is spikey in nature, you may want to build an application that can respond more quickly to changes in the size of the queue.
Memory utilization metrics are custom metrics. For this, you need to install a Cloudwatch agent on the EC2 instances and need to aggregate the dimensions.
However, AWS already has a well-defined architecture based on SQS Queuelength being used for Autoscaling EC2 instances.

Question 15

A company has an Aurora MySQL DB cluster setup, and the DB needs to invoke a Lambda function. Which of the following need to be in place for this setup to work. (Select TWO)

A. Ensure that the Lambda function has an IAM Role assigned to it which can be used to invoke functions on Amazon Aurora.

B. Ensure that the Aurora MySQL DB cluster has an IAM Role which allows it to invoke Lambda functions.

C. Allow the Lambda function to allow outbound communication to Amazon Aurora.

D. Configure the Aurora MySQL DB cluster to allow outbound connections to the Lambda function.

Explanation

Answer – B and D
The below snapshot from the AWS Documentation shows the different steps required to ensure that the Lambda function can access Amazon Aurora.

Options A and C are incorrect since the configurations need to be the other way around.

Question 16

Your company is planning on the following architecture for their application.

· A set of EC2 Instances hosting the web part of the application.

· A relational database for the backend using the AWS RDS MySQL service

· A Load balancer for distribution of traffic

There is a requirement to ensure that all data hosted in the database service is encrypted at rest. How can you achieve this requirement in the easiest manner? (Select 2)

A. Encrypt the underlying EBS volumes for the database

B. Use the Encryption feature for RDS

C. Use S3 server-side encryption

D. Use AWS Key Management Service

Question 17

A global IT Firm is working on a project to process Genomics data for a scientific organization. Researchers are looking for a quick analysis of large amounts of data they need to retrieve from any part of the world seamlessly. IT Firm has AWS Direct Connect link from on-premise Datacenter to AWS VPC. As an AWS consultant, they are looking for your guidance to provide a long-term cost-effective solution that can handle any amount of data reliably.

Which of the following solutions can be deployed to meet IT firm requirements?

A. Use Amazon EMR with Apache Spark & data stored in Amazon S3 bucket.

B. Use Apache Spark deployed at on-premise servers with data stored in Amazon S3 bucket.

C. Use Amazon EMR with Apache Spark & data stored in Amazon EC2 instance store.

D. Use Apache Spark deployed at on-premise servers with data stored in Amazon EC2 instance store.

Explanation

Correct Answer: A
Amazon EMR is a big data platform used for processing large amounts of data. For analyzing large amounts of data, Amazon EMR can be used to provide reliable cost-effective solutions. It supports open-source tools like Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto. Data can be stored in an Amazon S3 bucket to have scalable storage options & can be accessed globally. With EMR Cluster, compute & storage are decoupled. For storage, Amazon S3 can be used. For compute, clusters can be launched as per processing required & stopped when there is no requirement, saving additional cost. When Apache Spark is deployed on-premise, customers must manage physical infrastructure & large processing requirements. There is an additional cost of building new infrastructure.

- Option B & D are incorrect as deploying Apache Spark at on-premise servers would be a non-scalable solution & will incur additional cost for managing server farms.
- Option C is incorrect as storing analytical data in Amazon EC2 instance store would be ideal only for temporary solution & not for long term reliable storage.

Question 18

Your team has an application hosted on AWS. This application currently interacts with a DynamoDB table which has the Read capacity set to 10. Based on recent cloudwatch alarms which indicated that throttling was occurring in the requests to the DynamoDB table. Which of the following would help ensure the issue was resolved now and help ensure the issue does not occur in the future?

A. Add an Elastic Load Balancer in front of the DynamoDB table.

B. Change the Read Capacity for the table to 20.

C. Change the Write capacity for the table to offset the Read capacity.

D. Enable Autoscaling for the underlying DynamoDB table

Question 19

Your team is developing a Lambda function. The function would need to interact with a database. The Lambda function and the database will be deployed in different environments. Which of the following is the most secure approach for the Lambda function to get the database credentials for multiple environments?

A. Hardcode the database credentials in GitHub for different environments of the Lambda function.

B. Create a lambda function for each environment and ensure each has a different programming language.

C. Store the database credentials in AWS Secrets Manager.

D. Store the database credentials in a Lambda function tag.

Question 20

A telecom company has installed radio devices across the country. On a daily basis, they are looking to collect logs from these thousands of devices & analyze them further to monitor faults & uptime trends. For analysis of logs, they are planning to use Amazon Redshift. No additional processing needs to be done on these logs. The company is concerned about collecting data & sending compressed data to Amazon Redshift & is looking for a scalable solution without any ad-hoc administration.

Which of the following services can be used to meet this requirement?

A. Create an Amazon Kinesis Streams, save compressed data in Amazon EC2 and then copy data to Amazon Redshift.

B. Create an Amazon Kinesis Data Firehose Delivery Stream, save compressed data in the Amazon S3 bucket and then copy data to Amazon Redshift.

C. Create an Amazon Kinesis Data Firehose Delivery Stream, save compressed data in Amazon EC2 and then copy data to Amazon Redshift.

D. Create an Amazon Kinesis Streams, save compressed data in the Amazon S3 bucket and then copy data to Amazon Redshift.

Question 21

Your company currently has the following architecture for its e-commerce application.

· EC2 Instances hosting the application

· An Autoscaling group for the EC2 Instances

The users who use the application keep on complaining that the application is slow in the morning from 9:00 – 9:30, after which no issues occur. Which of the following can be done to ensure the issue is not encountered during the morning time?

A. Ensure that a Simple scaling policy is added to the Auto scaling Group.

B. Ensure that a step scaling policy is added to the Auto scaling Group.

C. Ensure that a scheduled scaling policy is added to the Auto scaling Group.

D. Ensure that a static scaling policy is added to the Auto scaling Group

Question 22

Your company has an existing Redshift cluster. The sales team currently stores historical data in the cluster. There is now a requirement to ensure that all data is encrypted at rest. What do you need to do at your end?

A. Enable the encryption feature for the cluster.

B. Enable encryption for the underlying EBS volumes.

C. Use SSL certificates to encrypt the data at rest.

D. Create a new cluster with encryption enabled and then migrate the data over to the new cluster.

Question 23

A start-up firm is developing a microservices-based application using open-source container orchestration. This application will be integrated with other Public Cloud. The firm does not have any expertise to provision & manage back-end infrastructure to set up this container. You have been assigned to provide consultation for deploying containers.

Which of the following will you suggest meeting the requirement?

A. Use Amazon Elastic Kubernetes Service with Amazon EC2 launch type.

B. Use Amazon Elastic Container Service with AWS Fargate launch type.

C. Use Amazon Elastic Container Service with Amazon EC2 launch type.

D. Use Amazon Elastic Kubernetes Service with AWS Fargate launch type

Explanation

Correct Answer: D
Amazon Elastic Kubernetes Service can be used to set up open-source Container orchestration like Kubernetes. Amazon Elastic Kubernetes Service can be integrated with other public or private clouds. AWS Fargate can be used as a serverless compute for deploying containers. With AWS Fargate, there is no need to set back-end infrastructure for containers. With AWS Fargate, based upon task definitions, containers are launched. The following diagram depicts the deployment of AWS Kubernetes, with AWS Fargate, serverless containers can be deployed while using Amazon EC2, compute nodes are deployed manually as per requirement. Using Amazon EC2 provides more control on back-end infrastructure for containers. But customers have to perform management of these instances.

- Option A is incorrect as with the Amazon EC2 launch type. The firm will need to set up backend infrastructure & manage instance provisioning.
- Option B & C are incorrect as the customer is looking for integration with Public Cloud & an open-source solution. Amazon Elastic Container Service supports integration with AWS services & is an AWS Proprietary service.

Question 24

A popular podcast in English wants to expand its audience globally by translating its episodes into multiple languages. Which AWS services can be used to automate the translation and transcription of podcast episodes? (Select TWO)

A. Amazon Kendra

B. Amazon Rekognition

C. Amazon Lex

D. Amazon Transcribe

E. Amazon Translate

Question 25

In your AWS VPC, you need to add a new subnet that will allow you to host a total of 20 EC2 instances. Which IPv4 CIDR block would you use to achieve the same?

A. 151.0.0.0/27

B. 151.0.0.0/28

C. 151.0.0.0/29

D. 151.0.0.0/30

Question 26

Which of the following are correct ARNs for a Lambda function? (choose 3 options)

A. arn:aws:lambda:aws-region:acct-id:function:helloworld:$LATEST

B. arn:aws:lambda:aws-region:acct-id:function:helloworld

C. arn:aws:lambda:aws-region:acct-id:function:helloworld/$LATEST

D. arn:aws:lambda:aws-region:acct-id:function:helloworld:PROD

E. arn:aws:lambda:aws-region:acct-id:function:helloworld/1

Explanation

Answer: A, B, D

Question 27

A global sports news company has hosted its website on Amazon EC2 instance using a single Public IP address & is front-ended by TLS-enabled Application Load Balancer. For an upcoming mega sports event, they plan to launch a new website on the existing Amazon EC2 instance. The company has registered a different domain name & possesses a separate TLS certificate for this new website.

As an AWS consultant to this company, which of the following recommendations will you provide to support multiple certificates with existing Public IP addresses in the most cost-effective way?

A. Launch an additional TLS-enabled ALB front ending Amazon EC2 instance with different certificates for each domain.

B. Use Wildcard certificates on ALB matching old & new domain name.

C. Use a single certificate on ALB & add Subject Alternative Name (SAN) for additional domain name.

D. Use multiple TLS certificates on ALB using Server Name Indication (SNI).

Explanation

Correct Answer: D
ALB supports Server Name Indication (SNI), enabling hosting multiple domain names with different TLS certificates behind a single ALB. With SNI, multiple certificates can be associated with listeners in ALB, enabling each web application to use separate certificates. The below diagrams shows the process which takes place when a client tries to access a website. Client Browser starts a TLS handshake by sending a ClientHello message which consists of protocol version, extensions, cipher suites, and compression techniques. Based on browser capabilities, ALB responds with a valid certificate for a domain name of the requested web application.

- Option A is incorrect as launching additional ALB will work. But it will incur additional cost & admin work for setup.
- Option B is incorrect as using wildcard certificates can be used for related sub-domains & not different domains.
- Option C is incorrect as using SAN certificates, for any new addition of domain, all certificates need to revalidate with certificate authority.

Question 28

A company is planning to host an active-active site. One site will be deployed in AWS, and the other one on their On-premise data center. They need to ensure that the traffic is distributed to multiple resources, proportionately between both sites. Which of the following routing policy would you use for this purpose?

A. Simple Routing

B. Failover Routing

C. Latency Routing

D. Weighted Routing

Question 29

A media firm uses the Amazon S3 bucket to save all videos shared by reporters across the globe. Operation Team has instructed all reporters to use only Multipart Uploads while uploading these large-sized videos to Amazon S3 bucket in each region. Most of the reporters are working from remote areas & face challenges in uploading videos. The Finance Team is concerned about high costs incurred by saving data in the Amazon S3 bucket & seeking your guidance. Post verification, you observe a large number of incomplete uploads in Amazon S3 buckets in each region. The uncompleted uploads can be deleted after a certain period of time.

Which of the following actions can minimize charges for saving video files in the Amazon S3 bucket?

A. Reporter’s need to compress video files locally before uploading to Amazon S3 bucket.

B. Reporter’s need to upload Videos to Amazon S3 Glacier to save additional charges.

C. Create a Lifecycle Policy to move all incomplete Multipart uploads to Amazon S3 Glacier after weeks’ time from initiation.

D. Create a Lifecycle Policy to delete all incomplete Multipart uploads after weeks’ time from initiation.

Question 30

You have currently contacted an AWS Partner Network (APN) Partner to carry out an audit for your AWS account. You need to ensure that the partner can carry out an audit on your resources. Which one of the following steps would you ideally carry out?

A. Create an IAM user for the partner account for login purposes.

B. Create a cross account IAM Role and share the ARN with APN

C. Create an IAM group for the partner account for login purposes.

D. Create an IAM profile for the partner account for login purposes.

Question 31

Your company is planning to make use of the Elastic Container service for managing their container-based applications. They are going to process both critical and non-critical workloads with these applications. Which of the following cost-effective setup would they consider?

A. Use ECS orchestration and Spot Instances for processing critical data and On-Demand for the non-critical data.

B. Use ECS orchestration and On-Demand Instances for processing critical data and Spot Instances for the non-critical data.

C. Use ECS orchestration and Spot Instances for both the processing of critical data and non-critical data.

D. Use ECS orchestration and On-Demand Instances for both the processing of critical data and non-critical data.

Question 32

A company has recently chosen to use the AWS API Gateway service for managing their API’s. It needs to be ensured that code hosted in other domains can access the API’s behind the API gateway service. Which of the below security features of the API gateway can be used to ensure that API’s resources can receive requests from a domain other than the API’s own domain?

A. API Stages

B. API Deployment

C. API CORS

D. API Access

Question 33

You are planning to use Auto Scaling groups to maintain the performance of your web application. How would you ensure that the scaling activity has sufficient time to stabilize without executing another scaling action?

A. Modify the Instance User Data property with a timeout interval.

B. Increase the Auto Scaling Cooldown timer value.

C. Enable the Auto Scaling cross zone balancing feature.

D. Disable CloudWatch alarms till the application stabilizes.

Question 34

An organization is planning to use AWS for its production roll-out. The organization wants to implement automation for deployment such that it will automatically create a LAMP stack, download the latest PHP installable from S3, set up the ELB and Auto Scaling. Which AWS service would meet these requirements for making an orderly deployment of the software?

A. AWS Elastic Beanstalk

B. AWS CloudFront

C. AWS CodePipeline

D. AWS DevOps

Question 35

An application currently writes a large number of records to a DynamoDB table in one region. There is a requirement for a secondary application to retrieve new records written to the DynamoDB table every 2 hours and process the updates accordingly. What would be an ideal method to ensure that the secondary application gets the relevant changes from the DynamoDB table?

A. Insert a timestamp for each record and then, scan the entire table for the timestamp as per the last 2 hours.

B. Create another DynamoDB table with the records modified in the last 2 hours.

C. Use DynamoDB Streams to monitor the changes in the DynamoDB table.

D. Transfer records to S3 which were modified in the last 2 hours.

Question 36

Your organization is building a collaboration platform for which they chose AWS EC2 for web and application servers and MySQL RDS instance as the database. Due to the nature of the traffic to the application, they would like to increase the number of connections to the RDS instance. How could this be achieved?

A. Login to RDS instance and modify database config file under /etc/mysql/my.cnf

B. Create a new parameter group, attach it to DB instance and change the setting.

C. Create a new option group, attach it to DB instance and change the setting.

D. Modify setting in default options group attached to DB instance

Question 37

An IT company has a set of EC2 Instances hosted in a VPC. They are hosted in a private subnet. These instances now need to access resources stored in an S3 bucket. The traffic should not traverse the internet. The addition of which of the following would help to fulfill this requirement?

A. VPC Endpoint

B. NAT Instance

C. NAT Gateway

D. Internet Gateway

Question 38

A company is developing a big data analytics application that requires access to an object immediately after a write. A big amount of objects will be stored for the application. You need to design a proper service to store the data. Is AWS S3 service suitable?

A. No. AWS uses an eventual consistency model.

B. Yes. AWS S3 delivers strong read-after-write and list consistency automatically.

C. No. AWS S3 is not suitable for big data applications.

D. No. AWS S3 is not cost-effective to store a big amount of data.

Question 39

You created your own VPC and subnet in AWS and launched an instance in that subnet. On attaching an Internet Gateway to the VPC, you see that the instance has a public IP. The route table is shown below.

Still, the instance cannot reach the Internet. What changes are required to be made to the route table to ensure that the issue is resolved?

A. Add the following entry to the route table – Destination as 0.0.0.0/0 and Target as Internet Gateway.

B. Modify the above route table – Destination as 10.0.0.0/16 and Target as Internet Gateway.

C. Add the following entry to the route table – Destination as 10.0.0.0/16 and Target as Internet Gateway.

D. Add the following entry to the route table - Destination as 0.0.0.0/16 and Target as Internet Gateway.

Explanation

Correct Answer – A
The route table needs to be modified as shown below to ensure that routes from the Instance reach the Internet.

Hence by default, all other options become invalid.

Question 40

You have been assigned the task of architecting an application in AWS. The architecture would consist of EC2, the Application Load Balancer, Auto Scaling, and Route 53. You need to ensure that Blue-Green deployments are possible in this architecture. Which routing policy should you ideally use in Route 53 to achieve Blue-Green deployments?

A. Simple

B. Multivalue Answer

C. Latency

D. Weighted

Question 41

A company is planning to deploy an application in AWS. This application requires an EC2 Instance to continuously perform log processing activities requiring Max 500MiB/s of data throughput. Which of the following is the most cost-effective storage option for this requirement?

A. General Purpose SSD volumes

B. Provisioned IOPS SSD volumes

C. Throughput Optimized HDD volumes

D. Cold HDD volumes

Explanation

Correct Answer – C
While considering storage volume types for batch processing activities with large throughput, consider using the EBS Throughput Optimized HDD volume type.
AWS Documentation mentions this, as shown below.

Question 42

There are two folders, A and B, in an S3 bucket. Folder A stores objects that are frequently accessed. Folder B saves objects that are infrequently accessed and non-critical. The retrieval time for files in folder B should be within milliseconds. You want to use different storage classes for objects in these two folders to save cost. Which storage classes are suitable for the requirement?

A. Standard for folder A and S3 Glacier Instant Retrieval for folder B.

B. Intelligent-Tiering for folder A and Reduced Redundancy for folder B.

C. Standard for folder A and One Zone-IA for folder B.

D. Two S3 buckets are required as an S3 bucket cannot have two storage classes simultaneously

Question 43

You are developing a new mobile application which is expected to be used by thousands of customers. You are considering to store user preferences in AWS and need a non-relational data store to save the same. Each data item is expected to be 20KB in size. The solution needs to be cost-effective, highly available, scalable, and secure. Which of the following designs is the most suitable?

A. Create a new Amazon RDS instance and store the user data there.

B. Create a Amazon DynamoDB table with the required Read and Write capacity and use it as the data layer.

C. Use Amazon Glacier to store the user data.

D. Use an Amazon Redshift Cluster for managing the user preferences.

Question 44

Instances hosted in the private subnet of your VPC need to access some important documents from the S3 bucket which is outside the VPC. Due to the confidential nature of these documents, you have to ensure that the traffic does not traverse through the internet. As an architect, how would you implement this solution?

A. Consider using a VPC Endpoint.

B. Consider using an EC2 Endpoint.

C. Move the instances to a public subnet.

D. Create a VPN connection and access the S3 resources from the EC2 Instance.

Question 45

A company currently hosts its architecture in the us-east-1 region. They now need to duplicate this architecture to the eu-west-1 region and extend the application hosted on this architecture to the new AWS Region. To ensure that users in both AWS Regions get the same seamless experience, what should be done?

A. Create an Elastic Load Balancer setup to route traffic to both locations.

B. Create a weighted Route 53 policy to route the policy based on the weightage for each location.

C. Create an Auto Scaling Group to route traffic to both locations.

D. Create a Latency-based Route 53 Policy to route the traffic based on the location.

Explanation

Correct Answer - D
A latency-based Route 53 policy directs traffic to the AWS Region that provides the lowest latency for users. This ensures a seamless experience for users in both us-east-1 and eu-west-1, optimizing performance.

Question 46

Your Development team wants to use EC2 Instances to host their Application and Web servers. In the automation space, they want the Instances always to download the latest version of the Web and Application servers when launched. As an architect, what would you recommend for this scenario?

A. Ask the Development team to create scripts which can be added to the User Data section when the instance is launched.

B. Ask the Development team to create scripts which can be added to the Meta Data section when the instance is launched.

C. Use Auto Scaling Groups to install the Web and Application servers when the instances are launched.

D. Use EC2 Config to install the Web and Application servers when the instances are launched.

Question 47

A company website is set to launch in the upcoming weeks. There is a probability that the traffic will be quite high during the initial weeks. How is it possible to set up DNS failover to a static website in the event of a load failure?

A. Duplicate the exact application architecture in another region and configure DNS Weight-based routing.

B. Enable failover to an on-premises data center to the application hosted there.

C. Use Route 53 with the failover option, to failover to a static S3 website bucket or CloudFront distribution.

D. Add more servers in case the application fails

Question 48

A company is running web server reserved EC2 Instances with EBS-backed root volumes. These instances have a consistent CPU load of 80%. Traffic is being distributed to these instances by an Elastic Load Balancer. They also have Multi-AZ RDS MySQL databases in both development and production environments. What recommendation would you make to reduce cost without affecting the availability of mission-critical systems? Choose the correct answer from the options given below.

A. Consider using On-demand instances instead of Reserved EC2 instances.

B. Consider not using the Multi-AZ RDS deployment for the database in the development environment.

C. Consider using Spot instances instead of Reserved EC2 instances.

D. Consider removing the Elastic Load Balancer

Question 49

Currently, you’re responsible for the design and architect of a highly available application. After building the initial environment, you discover that your application does not work correctly until port 443 is added to the security group. After adding port 443 to the appropriate security group, how much time will it take for the application to work correctly?

A. Generally, it takes 2-5 minutes for the rules to propagate.

B. Immediately after a reboot of the EC2 Instances, belonging to that security group.

C. Changes apply instantly to the security group, and the application should be able to respond to requests on port 443.

D. It will take 60 seconds for the rules to apply to all Availability Zones within the region.

Question 50

A company is planning to use the AWS ECS service to work with containers in the “us-east-1” region. There is a need for the least amount of administrative overhead while provisioning and managing containers. How could this be achieved?

A. Use the Fargate launch type in AWS ECS.

B. Use the EC2 launch type in AWS ECS.

C. Use the Auto Scaling launch type in AWS ECS.

D. Use the ELB launch type in AWS ECS.

Question 51

A mid-sized company is planning to migrate a large, legacy database to AWS. The company is primarily concerned with minimizing downtime and cost during the migration process.

Which AWS service is best suited for migrating a large, legacy database to AWS while minimizing downtime and cost?

A. AWS Application Discovery Service

B. AWS Application Migration Service

C. AWS Database Migration Service (AWS DMS)

D. AWS DataSync

Question 52

A 50 year old Computer Solutions company has a very big application that needs to be deployed to the AWS cloud from its existing server. The application is media access control (MAC) address dependent as per the application licensing terms. This application will be deployed in an on-demand EC2 instance with instance type r4.2xlarge. In this scenario, how can you ensure that the MAC address of the EC2 instance will not change even if the instance is restarted or rebooted?

A. Assign static MAC Address to EC2 instance while setting up the server.

B. Use a VPC with an elastic network interface that has a fixed MAC Address.

C. Use a VPC with a private subnet for the EC2, by default MAC address will be fixed.

D. Use a VPC with a private subnet and configure the MAC address to be tied to that subnet

Question 53

One of your colleagues, who is new to the company where you work as a cloud Architect, has some issues with IP Addresses. He has created an Amazon VPC with an IPV4 CIDR block 10.0.0.0/24, but now there is a requirement of hosting a few more resources to that VPC. As per his knowledge, he is thinking of creating a new VPC with a greater range. Could you suggest to him a better way that should be reliable?

A. Delete the existing subnets in the VPC and create new Subnets in VPC.

B. He is thinking of the right approach.

C. You can create new VPC and connect old VPC with a new one.

D. You can expand existing VPC by adding Secondary CIDR to your current VPC

Question 54

You have an application running on EC2. The operation fails when the application tries to upload a 7 GB file to S3. What could be the reason for failure, and what could be the solution?

A. With a single PUT operation, you can upload objects up to 5 GB in size. Use multi-part upload for larger file uploads.

B. EC2 is designed to work best with EBS volumes. Use EBS Provisioned IOPs and use an Amazon EBS-optimized instance.

C. NAT gateway only supports data transfers going out upto 5 GB. Use EBS Provisioned IOPs and use an Amazon EBS-optimized instance.

D. VPC Endpoints only supports data transfers going out upto 5 GB. Use EBS Provisioned IOPs and use an Amazon EBS-optimized instance.

Explanation

Answer: A
AWS recommends using multi-part uploads for larger objects.

Option B, Amazon EBS is a storage for the drives of your virtual machines. It stores data as blocks of the same size and organizes them through a hierarchy similar to a traditional file system. EBS is not a standalone storage service like Amazon S3. So you can use it only in combination with Amazon EC2.
Objects can be stored on EBS volumes, but not cost-effective and not highly resilient and fault-tolerant compared to S3.
Options C and D are incorrect. NAT Gateway ad VPC endpoints do not have any data transfer limitations.

Question 55

You are a solutions architect working for a media company that produces and stores image and video content that is sold as stock content to other companies that wish to use your stock content in their web and mobile apps. You are storing your stock content in S3 and you need to optimize for cost. Some of your images are small, less than 128 KB in size. However, most of your stock content is much larger. The amount of content you manage is very large, with over 1 million objects in S3. These objects have varying access patterns. Some are accessed frequently, while others are accessed very infrequently. Also, the access patterns for the stock objects change over time.

Which S3 storage class should you choose for your stock content to optimize your costs while also providing the best overall performance?

A. S3 Standard

B. S3 Standard-IA

C. S3 Intelligent-Tiering

D. S3 One Zone-IA

Question 56

You have an application that writes application logs to version enabled S3 bucket. Each object has multiple versions attached to it. After 60 days, the application deletes the objects in S3 through DELETE API on the object. However, in next month’s bill, you see charges for S3 usage on the bucket. What could have caused this?

A. DELETE API call on the object only deletes latest version.

B. DELETE API call on the object does not delete the actual object, but places delete marker on the object.

C. DELETE API call moves the object and its versions to S3 recycle bin from where the object can be restored till 30 days.

D. DELETE API for all versions of the object in version enabled bucket cannot be done through API. It can be only done by bucket owners through the console.

Explanation

Answer: B
When versioning is enabled, a simple DELETE cannot permanently delete an object.
Instead, Amazon S3 inserts a delete marker in the bucket, and that marker becomes the current version of the object with a new ID. When you try to GET an object whose current version is a
delete marker, Amazon S3 behaves as though the object has been deleted (even though it has not been erased) and returns a 404 error.
The following figure shows that a simple DELETE does not actually remove the specified object. Instead, Amazon S3 inserts a delete marker.

To permanently delete versioned objects, you must use DELETE Object versioned.
The following figure shows that deleting a specified object version permanently removes that object.

- Option A is not true. DELETE call on an object does not delete the latest version unless the DELETE call is made with the latest version id.
- Option C is not true. AWS S3 does not have to recycle bin.
- Option D is not true. DELETE call on a versioned object can be made through API by providing the version id of the object’s version to be deleted.

Question 57

You are uploading multiple files ranging 10 GB – 20 GB in size to the AWS S3 bucket by using a multi-part upload from an application on EC2. Once the upload is complete, you would like to notify a group of people who do not have AWS IAM accounts. How can you achieve this? (Select TWO)

A. Use S3 event notification and configure Lambda function which sends email using AWS SES non-sandbox.

B. Use S3 event notification and configure SNS, which sends email to subscribed email addresses.

C. Write a custom script on your application side to poll S3 bucket for new files and send email through SES non-sandbox.

D. Write a custom script on your application side to poll S3 bucket for new files and send email through SES sandbox.

Explanation

Answer: A and B
The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. To enable notifications, you must first add a notification configuration identifying the events you want Amazon S3 to publish and the destinations where you want Amazon S3 to send the event notifications.

AWS Simple Email Service (SES) is a cost-effective email service built on the reliable and scalable infrastructure that Amazon.com developed to serve its own customer base. With Amazon SES, you can send transactional emails, marketing messages, or any other type of high-quality content.
While your account is in the sandbox, you can use all of the features of Amazon SES. However, when your account is in the sandbox, we apply the following restrictions to your account:
You can only send mail to verified email addresses and domains or to the Amazon SES mailbox simulator.
You can only send mail from verified email addresses and domains.
- Option A triggers Lambda function which uses non-sandbox SES to send email to people who does not have an AWS IAM account nor are verified in AWS SES.
- Option B is correct as it triggers SNS.
Options C and D are incorrect because they needs compute resources to monitor S3 for new files continuously.

Question 58

You are planning to launch the AWS ECS container instance. You would like to set the ECS container agent configuration during the ECS container instance initial launch. What should you perform to configure container agent information?

A. Set configuration in the ECS metadata parameter during cluster creation.

B. Set configuration in the user data parameter of EC2 instance.

C. Define configuration in the task definition.

D. Define configuration in the service definition.

Explanation

Answer: B
When you launch an Amazon ECS container instance, you have the option of passing user data to the instance. The data can be used to perform common automated configuration tasks and even run scripts when the instance boots. For Amazon ECS, the most common use cases for user data are to pass configuration information to the Docker daemon and the Amazon ECS container agent.

Question 59

You are working for an organization which is actively using AWS. They have noticed that few AWS ECS clusters are running and they do not know who and when the clusters are created. They tasked you to find out the logs regarding this. What will you do?

A. Check CloudWatch event logs.

B. Check CloudTrail logs.

C. Check CloudWatch metrics dashboard.

D. Check Trusted Advisor.

Explanation

Answer: B
Amazon ECS is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in Amazon ECS. CloudTrail captures all API calls for Amazon ECS as events, including calls from the Amazon ECS console and from code calls to the Amazon ECS APIs.

Options A and C are for monitoring the ECS resources, not for the API actions made on ECS. You can monitor your Amazon ECS resources using Amazon CloudWatch, which collects and processes raw data from Amazon ECS into readable, near real-time metrics.

Question 60

Which of the following are valid integration sources for API Gateway? (choose 3 options)

A. Public facing HTTP-based endpoints outside AWS network.

B. Lambda functions from another account.

C. Database connections on internet outside AWS network.

D. VPC Link

E. SFTP connection

Explanation

Answer: A, B, D
- Option A is correct. AWS API Gateway can integrate with any HTTP-based endpoints available over the internet.

Q: With what backends can Amazon API Gateway communicate?
Amazon API Gateway can execute AWS Lambda functions in your account, start AWS Step Functions state machines, or call HTTP endpoints hosted on AWS Elastic Beanstalk, Amazon EC2, and also non-AWS hosted HTTP based operations that are accessible via the public Internet. API Gateway also allows you to specify a mapping template to generate static content to be returned, helping you mock your APIs before the backend is ready. You can also integrate API Gateway with other AWS services directly. For example, you could expose an API method in API Gateway that sends data directly to Amazon Kinesis.
- Option B is correct. AWS can use Lambda function from another account as an integration type.

- Option C is incorrect. AWS API gateway can connect to AWS services, making proxy calls only to their respective AWS APIs. There is no integration type for database connections directly from API Gateway. You can use the Lambda function to connect with the database and make Lambda as an integration type for API Gateway.
- Option D is correct. AWS has introduced VPC Link, a way to connect to the resources within a private VPC.

Question 61

You are a solutions architect working for a financial services firm. Your firm requires a very low latency response time for requests via API Gateway and Lambda integration to your securities master database. The securities master database, housed in Aurora, contains data about all of the securities your firm trades. The data consists of the security ticker, the trading exchange, trading partner firm for the security, etc. As this securities data is relatively static, you can improve the performance of your API Gateway REST endpoint by using API Gateway caching. Your REST API calls for equity security request types and fixed income security request types to be cached separately. Which of the following options is the most efficient way to separate your cache responses via request type using API Gateway caching?

A. Payload compression

B. Custom domain name

C. API Stage

D. Query string

Question 62

You are a solutions architect working for a healthcare provider. Your company uses REST APIs to expose critical patient data to internal front-end systems used by doctors and nurses. The data for your patient information is stored in Aurora.

How can you ensure that your patient data REST endpoint is only accessed by your authorized internal users? (Select TWO)

A. Run your Aurora DB cluster on an EC2 instance in a private subnet

B. Use a Gateway VPC Endpoint to make your REST endpoint private and only accessible from within your VPC

C. Use IAM resource policies to restrict access to your REST APIs by adding the aws:SourceVpce condition to the API Gateway resource policy

D. Use an Interface VPC Endpoint to make your REST endpoint private and only accessible from within your VPC and through your VPC endpoint.

E. Use IAM resource policies to restrict access to your REST APIs by adding the aws:SourceArn condition to the API Gateway resource policy

Question 63

Which of the following are AWS CloudFront events that can trigger AWS Lambda@edge function? (choose 3 options)

A. Viewer Request

B. CloudFront Cache

C. Sender Request

D. Origin Request

E. Origin Response

Explanation

Answer: A, D, E

Question 64

You created an AWS Lambda function to process files uploaded to AWS S3 bucket. Lambda function started receiving requests and working properly. You have changed the code and uploaded new version of code to AWS Lambda function. What will happen to the requests sent right after the AWS lambda function update?

A. Requests will queue until the changes are fully propagated. You could experience up to 5 minutes of wait during this period.

B. Requests will be served by old version till you enable new version as latest.

C. When you have multiple versions of Lambda function, in the code you need to define which version of function to be used. Otherwise, requests would fail.

D. Requests might be served by old or new version for a brief period of less than one minute

Explanation

Answer: D

- Option A is not a valid statement. It will not continually queue automatically or 5 minute wait time.
- Option B is not correct. By default, whenever you update the code, it updates the LATEST version.

- Option C is not correct. There is no need to define in code which version to be used. However, you can define which version to be used at the source which triggers Lambda function by providing version qualified ARN if you have published version.

Question 65

Which of the following services use event source mappings to invoke AWS Lambda functions? (Select THREE)

A. Amazon SNS

B. Amazon Kinesis

C. Amazon SQS

D. Amazon DynamoDB

E. AWS CodePipeline