SAA-C02 : AWS Certified Solutions Architect – Associate SAA-C02 : Part 25


  1. A company wants to use a custom distributed application that calculates various profit and loss scenarios. To achieve this goal, the company needs to provide a network connection between its Amazon EC2 instances. The connection must minimize latency and must maximize throughput.

    Which solution will meet these requirements?

    • Provision the application to use EC2 Dedicated Hosts of the same instance type.
    • Configure a placement group for EC2 instances that have the same instance type.
    • Use multiple AWS elastic network interfaces and link aggregation.
    • Configure AWS PrivateLink for the EC2 instances.
  2. A company designed a stateless two-tier application that uses Amazon EC2 in a single Availability Zone and an Amazon RDS Multi-AZ DB instance. New company management wants to ensure the application is highly available.

    What should a solutions architect do to meet this requirement?

    • Configure the application to use Multi-AZ EC2 Auto Scaling and create an Application Load Balancer.
    • Configure the application to take snapshots of the EC2 instances and send them to a different AWS Region.
    • Configure the application to use Amazon Route 53 latency-based routing to feed requests to the application.
    • Configure Amazon Route 53 rules to handle incoming requests and create a Multi-AZ Application Load Balancer.
  3. A company is relocating its data center and wants to securely transfer 50 TB of data to AWS within 2 weeks. The existing data center has a Site-to-Site VPN connection to AWS that is 90% utilized.

    Which AWS service should a solutions architect use to meet these requirements?

    • AWS DataSync with a VPC endpoint
    • AWS Direct Connect
    • AWS Snowball Edge Storage Optimized
    • AWS Storage Gateway
  4. An entertainment company is using Amazon DynamoDB to store media metadata. The application is read-intensive and experiencing delays. The company does not have staff to handle additional operational overhead and needs to improve the performance efficiency of DynamoDB without reconfiguring the application.

    What should a solutions architect recommend to meet this requirement?

    • Use Amazon ElastiCache for Redis.
    • Use Amazon DynamoDB Accelerator (DAX).
    • Replicate data by using DynamoDB global tables.
    • Use Amazon ElastiCache for Memcached with Auto Discovery enabled.
  5. A company wants to build a scalable key management infrastructure to support developers who need to encrypt data in their applications.

    What should a solutions architect do to reduce the operational burden?

    • Use multi-factor authentication (MFA) to protect the encryption keys.
    • Use AWS Key Management Service (AWS KMS) to protect the encryption keys.
    • Use AWS Certificate Manager (ACM) to create, store, and assign the encryption keys.
    • Use an IAM policy to limit the scope of users who have access permissions to protect the encryption keys.
  6. A company uses AWS Organizations to manage multiple AWS accounts for different departments. The management account has an Amazon S3 bucket that contains project reports. The company wants to limit access to this S3 bucket to only users of accounts within the organization in AWS Organizations.

    Which solution meets these requirements with the LEAST amount of operational overhead?

    • Add the aws:PrincipalOrgID global condition key with a reference to the organization ID to the S3 bucket policy.
    • Create an organizational unit (OU) for each department. Add the aws:PrincipalOrgPaths global condition key to the S3 bucket policy.
    • Use AWS CloudTrail to monitor the CreateAccount, InviteAccountToOrganization, LeaveOrganization, and RemoveAccountFromOrganization events. Update the S3 bucket policy accordingly.
    • Tag each user that needs access to the S3 bucket. Add the aws:PrincipalTag global condition key to the S3 bucket policy.
  7. A company runs an application in the AWS Cloud and uses Amazon DynamoDB as the database. The company deploys Amazon EC2 instances to a private network to process data from the database. The company uses two NAT instances to provide connectivity to DynamoDB.

    The company wants to retire the NAT instances. A solutions architect must implement a solution that provides connectivity to DynamoDB and that does not require ongoing management.

    What is the MOST cost-effective solution that meets these requirements?

    • Create a gateway VPC endpoint to provide connectivity to DynamoDB.
    • Configure a managed NAT gateway to provide connectivity to DynamoDB.
    • Establish an AWS Direct Connect connection between the private network and DynamoDB.
    • Deploy an AWS PrivateLink endpoint service between the private network and DynamoDB.
  8. A solutions architect is designing a two-tiered architecture that has separate private subnets for compute resources and the database. An AWS Lambda function that is deployed in the compute subnets needs connectivity to the database.

    Which solution will provide this connectivity in the MOST secure way?

    • Configure the Lambda function to use Amazon RDS Proxy outside the VPC.
    • Associate a security group with the Lambda function. Authorize this security group in the database’s security group.
    • Authorize the compute subnet’s CIDR ranges in the database’s security group.
    • During the initialization phase, authorize all IP addresses in the database’s security group temporarily. Remove the rule after the initialization is complete.
  9. A ride-sharing company stores historical service usage data as structured .csv data files in Amazon S3. A data analyst needs to perform SQL queries on this data. A solutions architect must recommend a solution that optimizes cost-effectiveness for the queries.

    Which solution meets these requirements?

    • Create an Amazon EMR cluster. Load the data. Perform the queries.
    • Create an Amazon Redshift cluster. Import the data. Perform the queries.
    • Create an Amazon Aurora PostgreSQL DB cluster. Import the data. Perform the queries.
    • Create an Amazon Athena database. Associate the data in Amazon S3. Perform the queries.
  10. A company is running a publicly accessible serverless application that uses Amazon API Gateway and AWS Lambda. The application’s traffic recently spiked due to fraudulent requests from botnets.

    Which steps should a solutions architect take to block requests from unauthorized users? (Choose two.)

    • Create a usage plan with an API key that is shared with genuine users only.
    • Integrate logic within the Lambda function to ignore the requests from fraudulent IP addresses.
    • Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out.
    • Convert the existing public API to a private API. Update the DNS records to redirect users to the new API endpoint.
    • Create an IAM role for each user attempting to access the API. A user will assume the role when making the API call.
  11. A company has hired a solutions architect to design a reliable architecture for its application. The application consists of one Amazon RDS DB instance and two manually provisioned Amazon EC2 instances that run web servers. The EC2 instances are located in a single Availability Zone.

    An employee recently deleted the DB instance, and the application was unavailable for 24 hours as a result. The company is concerned with the overall reliability of its environment.

    What should the solutions architect do to maximize reliability of the application’s infrastructure?

    • Delete one EC2 instance and enable termination protection on the other EC2 instance. Update the DB instance to be Multi-AZ, and enable deletion protection.
    • Update the DB instance to be Multi-AZ, and enable deletion protection. Place the EC2 instances behind an Application Load Balancer, and run them in an EC2 Auto Scaling group across multiple Availability Zones.
    • Create an additional DB instance along with an Amazon API Gateway and an AWS Lambda function. Configure the application to invoke the Lambda function through API Gateway. Have the Lambda function write the data to the two DB instances.
    • Place the EC2 instances in an EC2 Auto Scaling group that has multiple subnets located in multiple Availability Zones. Use Spot Instances instead of On-Demand Instances. Set up Amazon CloudWatch alarms to monitor the health of the instances. Update the DB instance to be Multi-AZ, and enable deletion protection.
  12. An online photo-sharing company stores its photos in an Amazon S3 bucket that exists in the us-west-1 Region. The company needs to store a copy of all existing and new photos in another geographical location.

    Which solution will meet this requirement with the LEAST operational effort?

    • Create a second S3 bucket in us-east-1. Enable S3 Cross-Region Replication from the existing S3 bucket to the second S3 bucket.
    • Create a cross-origin resource sharing (CORS) configuration of the existing S3 bucket. Specify us-east-1 in the CORS rule’s AllowedOrigin element.
    • Create a second S3 bucket in us-east-1 across multiple Availability Zones. Create an S3 Lifecycle management rule to save photos into the second S3 bucket.
    • Create a second S3 bucket in us-east-1 to store the replicated photos. Configure S3 event notifications on object creation and update events that invoke an AWS Lambda function to copy photos from the existing S3 bucket to the second S3 bucket.
  13. A company wants to migrate its accounting system from an on-premises data center to the AWS Cloud in a single AWS Region. Data security and an immutable audit log are the top priorities. The company must monitor all AWS activities for compliance auditing. The company has enabled AWS CloudTrail but wants to make sure it meets these requirements.

    Which actions should a solutions architect take to protect and secure CloudTrail? (Choose two.)

    • Enable CloudTrail log file validation.
    • Install the CloudTrail Processing Library.
    • Enable logging of Insights events in CloudTrail.
    • Enable custom logging from the on-premises resources.
    • Create an AWS Config rule to monitor whether CloudTrail is configured to use server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
  14. A company needs to ingest and handle large amounts of streaming data that its application generates. The application runs on Amazon EC2 instances and sends data to Amazon Kinesis Data Streams, which is configured with default settings. Every other day, the application consumes the data and writes the data to an Amazon S3 bucket for business intelligence (BI) processing. The company observes that Amazon S3 is not receiving all the data that the application sends to Kinesis Data Streams.

    What should a solutions architect do to resolve this issue?

    • Update the Kinesis Data Streams default settings by modifying the data retention period.
    • Update the application to use the Kinesis Producer Library (KPL) to send the data to Kinesis Data Streams.
    • Update the number of Kinesis shards to handle the throughput of the data that is sent to Kinesis Data Streams.
    • Turn on S3 Versioning within the S3 bucket to preserve every version of every object that is ingested in the S3 bucket.
  15. A company hosts an application on AWS Lambda functions that are invoked by an Amazon API Gateway API. The Lambda functions save customer data to an Amazon Aurora MySQL database. Whenever the company upgrades the database, the Lambda functions fail to establish database connections until the upgrade is complete. The result is that customer data is not recorded for some of the events.

    A solutions architect needs to design a solution that stores customer data that is created during database upgrades.

    Which solution will meet these requirements?

    • Provision an Amazon RDS proxy to sit between the Lambda functions and the database. Configure the Lambda functions to connect to the RDS proxy.
    • Increase the run time of the Lambda functions to the maximum. Create a retry mechanism in the code that stores the customer data in the database.
    • Persist the customer data to Lambda local storage. Configure new Lambda functions to scan the local storage to save the customer data to the database.
    • Store the customer data in an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Create a new Lambda function that polls the queue and stores the customer data in the database.
  16. A company is developing a file-sharing application that will use an Amazon S3 bucket for storage. The company wants to serve all the files through an Amazon CloudFront distribution. The company does not want the files to be accessible through direct navigation to the S3 URL.

    What should a solutions architect do to meet these requirements?

    • Write individual policies for each S3 bucket to grant read permission for only CloudFront access.
    • Create an IAM user. Grant the user read permission to objects in the S3 bucket. Assign the user to CloudFront.
    • Write an S3 bucket policy that assigns the CloudFront distribution ID as the Principal and assigns the target S3 bucket as the Amazon Resource Name (ARN).
    • Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI has read permission.
  17. A company has primary and secondary data centers that are 500 miles (804.7 km) apart and interconnected with high-speed fiber-optic cable. The company needs a highly available and secure network connection between its data centers and a VPC on AWS for a mission-critical workload. A solutions architect must choose a connection solution that provides maximum resiliency.

    Which solution meets these requirements?

    • Two AWS Direct Connect connections from the primary data center terminating at two Direct Connect locations on two separate devices
    • A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on the same device
    • Two AWS Direct Connect connections from each of the primary and secondary data centers terminating at two Direct Connect locations on two separate devices
    • A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on two separate devices
  18. A company runs a fleet of web servers using an Amazon RDS for PostgreSQL DB instance. After a routine compliance check, the company sets a standard that requires a recovery point objective (RPO) of less than 1 second for all its production databases.

    Which solution meets these requirements?

    • Enable a Multi-AZ deployment for the DB instance.
    • Enable auto scaling for the DB instance in one Availability Zone.
    • Configure the DB instance in one Availability Zone, and create multiple read replicas in a separate Availability Zone.
    • Configure the DB instance in one Availability Zone, and configure AWS Database Migration Service (AWS DMS) change data capture (CDC) tasks.
  19. A company is hosting its website by using Amazon EC2 instances behind an Elastic Load Balancer across multiple Availability Zones. The instances run in an EC2 Auto Scaling group. The website uses Amazon Elastic Block Store (Amazon EBS) volumes to store product manuals for users to download. The company updates the product content often, so new instances launched by the Auto Scaling group often have old data. It can take up to 30 minutes for the new instances to receive all the updates. The updates also require the EBS volumes to be resized during business hours.

    The company wants to ensure that the product manuals are always up to date on all instances and that the architecture adjusts quickly to increased user demand. A solutions architect needs to meet these requirements without causing the company to update its application code or adjust its website.

    What should the solutions architect do to accomplish this goal?

    • Store the product manuals in an EBS volume. Mount that volume to the EC2 instances.
    • Store the product manuals in an Amazon S3 bucket. Redirect the downloads to this bucket.
    • Store the product manuals in an Amazon Elastic File System (Amazon EFS) volume. Mount that volume to the EC2 instances.
    • Store the product manuals in an Amazon S3 Standard-Infrequent Access (S3 Standard-IA) bucket. Redirect the downloads to this bucket.
  20. A gaming company hosts a browser-based application on AWS. The users of the application consume a large number of videos and images that are stored in Amazon S3. This content is the same for all users.

    The application has increased in popularity, and millions of users worldwide are accessing these media files. The company wants to provide the files to the users while reducing the load on the origin.

    Which solution meets these requirements MOST cost-effectively?

    • Deploy an AWS Global Accelerator accelerator in front of the web servers.
    • Deploy an Amazon CloudFront web distribution in front of the S3 bucket.
    • Deploy an Amazon ElastiCache for Redis instance in front of the web servers.
    • Deploy an Amazon ElastiCache for Memcached instance in front of the web servers.
  21. A company is building its web application by using containers on AWS. The company requires three instances of the web application to run at all times. The application must be highly available and must be able to scale to meet increases in demand.

    Which solution meets these requirements?

    • Use the AWS Fargate launch type to create an Amazon Elastic Container Service (Amazon ECS) cluster. Create a task definition for the web application. Create an ECS service that has a desired count of three tasks.
    • Use the Amazon EC2 launch type to create an Amazon Elastic Container Service (Amazon ECS) cluster that has three container instances in one Availability Zone. Create a task definition for the web application. Place one task for each container instance.
    • Use the AWS Fargate launch type to create an Amazon Elastic Container Service (Amazon ECS) cluster that has three container instances in three different Availability Zones. Create a task definition for the web application. Create an ECS service that has a desired count of three tasks.
    • Use the Amazon EC2 launch type to create an Amazon Elastic Container Service (Amazon ECS) cluster that has one container instance in two different Availability Zones. Create a task definition for the web application. Place two tasks on one container instance. Place one task on the remaining container instance.
  22. An online learning company is migrating to the AWS Cloud. The company maintains its student records in a PostgreSQL database. The company needs a solution in which its data is available and online across multiple AWS Regions at all times.

    Which solution will meet these requirements with the LEAST amount of operational overhead?

    • Migrate the PostgreSQL database to a PostgreSQL cluster on Amazon EC2 instances.
    • Migrate the PostgreSQL database to an Amazon RDS for PostgreSQL DB instance with the Multi-AZ feature turned on.
    • Migrate the PostgreSQL database to an Amazon RDS for PostgreSQL DB instance. Create a read replica in another Region.
    • Migrate the PostgreSQL database to an Amazon RDS for PostgreSQL DB instance. Set up DB snapshots to be copied to another Region.
  23. A solutions architect is designing a new hybrid architecture to extend a company’s on-premises infrastructure to AWS. The company requires a highly available connection with consistent low latency to an AWS Region. The company needs to minimize costs and is willing to accept slower traffic if the primary connection fails.

    What should the solutions architect do to meet these requirements?

    • Provision an AWS Direct Connect connection to a Region. Provision a VPN connection as a backup if the primary Direct Connect connection fails.
    • Provision a VPN tunnel connection to a Region for private connectivity. Provision a second VPN tunnel for private connectivity and as a backup if the primary VPN connection fails.
    • Provision an AWS Direct Connect connection to a Region. Provision a second Direct Connect connection to the same Region as a backup if the primary Direct Connect connection fails.
    • Provision an AWS Direct Connect connection to a Region. Use the Direct Connect failover attribute from the AWS CLI to automatically create a backup connection if the primary Direct Connect connection fails.
  24. A financial company hosts a web application on AWS. The application uses an Amazon API Gateway Regional API endpoint to give users the ability to retrieve current stock prices. The company’s security team has noticed an increase in the number of API requests. The security team is concerned that HTTP flood attacks might take the application offline.

    A solutions architect must design a solution to protect the application from this type of attack.

    Which solution meets these requirements with the LEAST operational overhead?

    • Create an Amazon CloudFront distribution in front of the API Gateway Regional API endpoint with a maximum TTL of 24 hours.
    • Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.
    • Use Amazon CloudWatch metrics to monitor the Count metric and alert the security team when the predefined rate is reached.
    • Create an Amazon CloudFront distribution with Lambda@Edge in front of the API Gateway Regional API endpoint. Create an AWS Lambda function to block requests from IP addresses that exceed the predefined rate.
  25. A company is running an application on AWS to process weather sensor data that is stored in an Amazon S3 bucket. Three batch jobs run hourly to process the data in the S3 bucket for different purposes. The company wants to reduce the overall processing time by running the three applications in parallel using an event-based approach.

    What should a solutions architect do to meet these requirements?

    • Enable S3 Event Notifications for new objects to an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Subscribe all applications to the queue for processing.
    • Enable S3 Event Notifications for new objects to an Amazon Simple Queue Service (Amazon SQS) standard queue. Create an additional SQS queue for all applications, and subscribe all applications to the initial queue for processing.
    • Enable S3 Event Notifications for new objects to separate Amazon Simple Queue Service (Amazon SQS) FIFO queues. Create an additional SQS queue for each application, and subscribe each queue to the initial topic for processing.
    • Enable S3 Event Notifications for new objects to an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon Simple Queue Service (Amazon SQS) queue for each application, and subscribe each queue to the topic for processing.