Cert Prep: Certified Solutions Architect - Associate for AWS (SAA-C03) Flashcards

Question

You are migrating on-premise legal files to the AWS Cloud in Amazon S3 buckets. The corporate audit team will review all legal files within the next year, but until that review is completed, you need to ensure that the legal files are not updated or deleted in the next 18 months. There are millions of objects contained in the buckets that need review, and you are concerned you will need to spend an excessive amount of time protecting each object. What steps will ensure the files can be uploaded most efficiently but have the required protection for the specific time period of 18 months? (Choose 2 answers) A. Set a default retention period of 18 months on all related S3 buckets. B. Set a retention period of 18 months on all relevant object versions via a batch operation. C. Enable object locks on all relevant S3 buckets with a retention mode of compliance mode. D. Set a default legal hold on all related S3 buckets

Answer 1

C. Amazon Comprehend Explanation: Amazon Comprehend can find documents about a particular subject using topic modeling, scan a set of documents to determine the topics discussed, and find the documents associated with each topic. The remaining choices are incorrect for the following reasons: S3 Search is not an AWS service AWS Kendra searches unstructured data and can be used for S3 but requires a greater setup process than Comprehend AWS Rekognition is used for image and video analysis

Answer 2

A. Apply an SCP granting AmazonEC2FullAccess to the Development OU and the specific AWS account. Apply the AmazonEC2FullAccess IAM policy to all IAM users in the account. Explanation: Inheritance for service control policies behaves like a filter through which permissions flow to all parts of the tree below. To allow an AWS service API at the member account level, you must allow that API at every level between the member account and the root of your organization. You must attach SCPs to every level from your organization’s root to the member account that allows the given AWS service API (such as EC2 Full Access or S3 Full Access). An allow list strategy has you remove the FullAWSAccess SCP that is attached by default to every OU and account. This means that no APIs are permitted anywhere unless you explicitly allow them. To allow a service API to operate in an AWS account, you must create your own SCPs and attach them to the account and every OU above it, up to and including the root. Every SCP in the hierarchy, starting at the root, must explicitly allow the APIs that you want to be usable in the OUs and accounts below it. Users and roles in accounts must still be granted permissions using AWS Identity and Access Management (IAM) permission policies attached to them or to groups. The SCPs only determine what permissions are available to be granted by such policies. The user can't perform any actions that the applicable SCPs don't allow.

Answer 3

D. Tag web application resources such as EC2 instances and CloudFront distributions with resource tags based on their security requirements. Using Firewall Manager, add appropriate AWS WAF rules for each resource tag. Explanation: AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for AWS WAF, AWS Shield Advanced, Amazon VPC security groups, and AWS Network Firewall. With Firewall Manager, you set up your AWS WAF firewall rules, Shield Advanced protections, Amazon VPC security groups, and Network Firewall firewalls just once. The service automatically applies the rules and protections across your accounts and resources, even as you add new resources. A prerequisite to using AWS Firewall Manager is to use AWS Organization, with all features enabled. Using Firewall Manager you define the WAF rules in a single place and assign those rules to resources containing a specific tag or resources of a specific type, like CloudFront distributions. Firewall Manager is particularly useful when you want to protect your entire organization rather than a small number of specific accounts and resources, or if you frequently add new resources that you want to protect. Firewall Manager also provides centralized monitoring of DDoS attacks across your organization. AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for AWS WAF, AWS Shield Advanced, Amazon VPC security groups, and AWS Network Firewall. With Firewall Manager, you set up your AWS WAF firewall rules, Shield Advanced protections, Amazon VPC security groups, and Network Firewall firewalls just once. The service automatically applies the rules and protections across your accounts and resources, even as you add new resources. A prerequisite to using AWS Firewall Manager is to use AWS Organization, with all features enabled. Using Firewall Manager you define the WAF rules in a single place and assign those rules to resources containing a specific tag or resources of a specific type, like CloudFront distributions. Firewall Manager is particularly useful when you want to protect your entire organization rather than a small number of specific accounts and resources, or if you frequently add new resources that you want to protect. Firewall Manager also provides centralized monitoring of DDoS attacks across your organization.

Answer 4

D. An EBS-backed instance with on-demand instance pricing. Explanation: For Amazon Web Services, the reserved instance (standard or convertible) helps the user save money if the user is going to run the same instance for a longer period. Generally if the user uses the instances around 30-40% of the year annually it is recommended to use RI. Here as the instance runs only for 1 hour 50 minutes daily, or less than 8 percent of the year, it is not recommended to have RI as it will be costlier. At its highest potential savings, you are still paying 25 percent of an annual cost for a reserved instance you are using less than 2 hours a day, (or less than 8 percent of each year) you are not saving money. Spot Instances are not ideal because the process is critical, and must run for a fixed length of time at a fixed time of day. Spot instances would stop and start based on fluctuations in instance pricing, leaving this process potentially unfinished. The user should use on-demand with EBS in this case. While it has the highest cost, it also has the greatest flexibility to ensure that a critical process like this is always completed.

Answer 5

D. Elastic File System (EFS) Explanation: Let's take a look at Amazon's storage solutions and see which would be the right choice for shared access between multiple EC2 instances: Elastic Block Storage (EBS): EBS provides block-level storage for your EC2 instances for persistent and durable data storage. EBS is an appropriate choice for storing frequently changing data or if you have specific IOPS requirements. You can attach one or more EBS volumes to an EC2 instance; however, multiple EC2 instances cannot share EBS storage. Simple Storage Service (S3): Amazon S3 is a highly available, highly durable object-based storage service that is cost-effective and accessible. Multiple EC2 instances can access this storage, but it might not be the best choice if applications running on the EC2 instance need access to a mounted file system. You cannot mount S3 storage to an EC2 instance. Also, since the applications accessing the files are expecting POSIX files, S3 would not be the right choice. ElastiCache: Amazon ElastiCache is a database service, not a storage service like the other options. ElastiCache provides an in-memory cache used by distributed applications to share data. ElastiCache is not associated with EC2 instances for shared storage as required in this scenario. Elastic File System (EFS): Amazon EFS is file-level storage optimized for low latency access that appears to users like a file manager interface. EFS uses standard file system semantics such as locking files, renaming files, updating files, and uses a hierarchy structure. You can mount EFS storage to multiple EC2 instances to enable concurrent access to the file system. Also, EFS would support POSIX files as required by the scientific tools the team is using. From these storage solutions, only EFS will provide the shared storage we are looking for in this scenario. https://docs.aws.amazon.com/efs/latest/ug/whatisefs.html

Answer 6

C. Use Amazon SQS to delete acknowledged messages and redeliver failed messages. Explanation: The use of an SQS queue allows submitted requests to be retained as messages in the SQS queue until the application resumes normal operation and can process the requests. Using Amazon SQS to delete acknowledged messages and redeliver failed messages is decoupling the application components. Using EC2 resources, whether you use reserved or spot instances, is not cost-effective owing to the infrequency of the spikes in traffic. SQS queues are preferable to in-memory caches because in-memory storage will operate at all times and can be fairly expensive to address an issue that only comes up during spikes.

Answer 7

B. Amazon Managed Service for Prometheus Explanation: Amazon Managed Service for Prometheus is a serverless monitoring service for metrics compatible with open-source Prometheus, making it easier for you to securely monitor and alert on container environments. You should use Amazon Managed Service for Prometheus if you have adopted an open source-based monitoring strategy, have already deployed or plan to adopt Prometheus for container monitoring, and prefer a fully managed experience where AWS provides enhanced security, scalability, and availability. The remaining choices are not the most effective solution for this problem.

Answer 8

C. Create a VPC Endpoint for the S3 bucket and update the routing table for the private subnet to route traffic to the S3 bucket to the VPC Endpoint Explanation: A VPC endpoint enables you to establish a private connection between a VPC and other AWS resources. Transfers between S3 and AWS resources in the same region are free. Therefore, in this scenario using a VPC Endpoint would save on data transfer costs when compared to a NAT Gateway. A NAT instance would have similar transfer costs to a NAT Gateway. Caching data using CloudFront would not reduce the transfer costs as dramatically as using a VPC Endpoint, and depending on the type of data being transfer may have no or limited impact on costs. A Direct Connect (DX) connection would not be useful in connecting a private VPC subnet to an S3 bucket.

Answer 9

C. Use Amazon Data Lifecycle Manager to automate Amazon Machine Image (AMI) lifecycles. Explanation: In this problem scenario, we have an instance that uses EBS for its root device volume with one or more EBS data volumes. The problem states that we are looking for a way to automatically back up the system so that we can restore it completely from a recent snapshot. The primary approach to backup EBS storage is using EBS snapshots. EBS snapshots allow you to back up EBS data and store the snapshots in S3. Each snapshot saves only the incremental changes that have occurred since the last snapshot. This approach helps reduce storage costs by not duplicating data with each backup. However, the snapshot service does not alone have a way to build policies to create, retain, and delete snapshots automatically. Also, these snapshots are not in the form of an Amazon Machine Image (AMI) snapshot as is needed in this case. Luckily, there is a service that you can use to build policies to help create and manage EBS snapshots and AMIs automatically; the service is called Amazon Data Lifecycle Manager (DLM). In this case, you can use DLM to automate AMI lifecycles. For example, you can use DLM to create an EBS-backed AMI and then make additional snapshots regularly. Additionally, you can reduce storage needs by setting a policy to keep only a certain number of snapshots. EBS-backed AMIs automatically include a snapshot for each associated EBS volume. The other services that appear in the remaining choices are not services that administrators would use to backup EBS volumes or automate AMI lifecycles.

Answer 10

B. Enable Amazon Macie on the AWS account containing these buckets, define detection criteria and define finding severity settings Explanation: Amazon Macie is a data security and data privacy service that leverages machine learning and pattern recognition to discover sensitive data and protect them. In this scenario, Amazon Macie will continuously evaluate Amazon S3 buckets on the account, discover data containing PII, and take remediation actions to protect them according to HIPAA compliance. The remaining choices are incorrect for the following reasons: Amazon Detective makes it easy to analyze, investigate and determine the root cause of security assessment findings or suspicious activities. Analysis and investigation data are also presented in forms of graphs, continuously refreshed. Amazon Detective does not locate or discover sensitive data in Amazon S3 buckets. Amazon Cognito is a service for user sign-up/sign-in and access management to web and mobile applications. Amazon Cognito also enables you to authenticate users with external identity providers such Amazon, Apple, Google or Meta. it does not use machine learning to sensitive information such as PII. Amazon Inspector is a vulnerability management service; it scans AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector is a security assessment service. It does not use machine learning to detect PII in Amazon S3 or take actions to protect sensitive information. Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts for malicious activities and anomalous behaviors Amazon GuardDuty leverages machine learning to identify the threats and classify them. It does not apply machine learning to buckets that you select and alert you when sensitive information is discovered.

Answer 11

A. Register the Reserved instances with a Load Balancer for the queuing. Explanation: Reserved instances are the best value for steady traffic over an extended period. Licensing agreements for reserved instances can be 1 or 3 years. On-demand instances are perfect for handling short-term traffic spikes. Spot instances are the best value for non-critical applications that can afford to be stopped. Trusted Advisor can provide valuable information on your instance utilization relative to cost savings.

Answer 12

B. Enable On-Demand backup and restore using AWS Backup Explanation: Amazon DynamoDB can help you meet regulatory compliance and business continuity requirements through enhanced backup features in AWS Backup. AWS Backup is a fully managed data protection service that makes it easy to centralize and automate backups across AWS services, in the cloud and on-premises. Enhanced backup features available through AWS Backup include: Scheduled backups - You can set up regularly scheduled backups of your DynamoDB tables using backup plans. Cross-account and cross-Region copying - You can automatically copy your backups to another backup vault in a different AWS Region or account, which allows you to support your data protection requirements.

Answer 13

B. VPC Reachability Analyzer Explanation: The correct solution, in this case, is the VPC Reachability Analyzer. VPC Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs). When the destination is reachable, Reachability Analyzer produces hop-by-hop details of the virtual network path between the source and the destination. The other choices are useful in other situations: Route 53 ARC provides continual readiness checks to help make sure, on an ongoing basis, that your applications are scaled to handle failover traffic and configured so you can route around failures. Route 53 ARC helps you centrally coordinate failovers within an AWS Region or across multiple Regions. It provides extremely reliable routing control so you can recover applications by rerouting traffic, for example, across Availability Zones or Regions. To do this, you partition your applications into redundant failure-containment units, or replicas, called cells. The boundary of a cell can be an Availability Zone or a Region, or even a smaller unit within an Availability Zone. The Route 53 Resolver can contain endpoints that you configure to answer DNS queries to and from your on-premises environment. You also can integrate DNS resolution between Resolver and DNS resolvers on your network by configuring forwarding rules. Your network can include any network that is reachable from your VPC. Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS. You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements.

Answer 14

A. AWS Managed Grafana Explanation: Amazon Managed Grafana is a fully managed service for open-source Grafana developed in collaboration with Grafana Labs. Grafana is a popular open-source analytics platform that enables you to query, visualize, alert, and understand your metrics no matter where they are stored.

Answer 15

A. AWS VPN is the best short-term solution, and AWS Direct Connect is the best long-term solution. Explanation: A VPN connection is the fastest way to complete the connection between on-premises computing and your VPC. However, VPN is not as reliable or as fast as Direct Connect. VPN would satisfy the requirement to establish the connection as quickly as possible. You can subsequently request a Direct Connect connection that is not subject to inconsistencies of the internet and will be faster and more reliable than AWS VPN. Direct Connect can ultimately replace the VPN connection and all requirements will be satisfied.

Answer 16

A. AWS Volume Gateway Explanation: AWS Storage Gateway is an Amazon service that allows you to create a gateway between your on-premises storage systems and Amazon's S3 and Glacier. There are three storage gateway services you should know about: AWS File Gateway: File Gateway is a service you use to extend your on-premises file storage to the AWS cloud without needing to update existing applications that use these files. With file gateway, you can map on-premises drives to S3 so that users and applications can access these files as they usually would. Once the files are in S3, you can access them in the cloud from any applications deployed there or continue using these files from on-premises. File gateway provides access to files in S3 based on SMB or NSF protocols. AWS Volume Gateway: The Volume Gateway can provide primary storage or backup storage for your on-premises iSCSI block storage devices. There are two configuration modes when you use volume gateway: cache mode and stored mode. With cache mode, the system keeps the primary copy of your data in S3, and a local on-premises cache provides low latency access to the most frequently accessed data. In stored mode, the primary copy of the data is on-premises, and the system periodically saves a backup to S3. Stored volume gateways create EBS snapshots stored on S3 and are billed as Amazon EBS snapshots. AWS Tape Gateway: The tape gateway, also known as the Virtual Tape Library, allows you to back up your on-premises data to S3 from your corporate data center. With tape gateway, you can leverage the Glacier storage classes for data archiving at a lower cost than S3. The tape gateway is essentially a cloud-based tape backup solution that replaces physical components with virtual ones. In the problem statement for this question, we are looking for a storage service that will help transfer data stored on a block storage device on-premises to the AWS cloud. The best solution for this problem is to use the stored volume gateway. With this approach, the system will create a snapshot of the on-premises volume, save it in S3, and the solutions architect can use the snapshot to create an EBS volume to associate with the EC2 instance.

Answer 17

A. To each key, add a tag and specify the tag key and tag value. Aggregate the costs by tags. Explanation: When you add tags to your AWS resources, AWS can generate a cost allocation report with reports and costs aggregated by tag. To each key created with AWS KMS, you add a tag to it; then, you can evaluate the security cost across resources and projects using the attached tags. The remaining choices are incorrect for the following reasons: Creating symmetric or asymmetric keys does not automatically generate reports or cost aggregated by resources or projects. Although one of the features of AWS Organizations is consolidated billing, this does not provide you with a report on security const across projects or resources. Unlike tagging, you cannot use resource descriptions to aggregate security cost across resources or projects.

Answer 18

C. Amazon Elastic Kubernetes Service (EKS) with self-managed node groups Explanation: The key requirement in this question is Windows nodes and being sure which service option supports them and which does not. In this question, the company wants AWS to manage as much as possible. AWS Fargate, which manages the highest level of management, does not support Windows. Amazon ECS supports Windows, but the Fargate EKS option does not. Amazon EKS with EKS-managed nodes does not support Windows nodes. Amazon EKS with self-managed nodes DOES support Windows nodes Amazon EC2 supports Windows, but is an IaaS service. Therefore the best option is EKS with self-managed nodes.

Answer 19

A. Customer-managed KMS key Explanation: When you enable encryption for an EBS volume, you have two types of KMS keys to choose from: Customer-managed KMS key AWS-managed KMS key In this scenario, the customer has specific requirements about how often the key is rotated. Therefore the best choice would be to use a customer-managed KMS key. If the customer did not have specific key rotation requirements or no need to update key management policies, then an AWS-managed KMS key would be a better choice. Additional Resources AWS Key Management Service Concepts

Answer 20

C. Store the logs in Amazon S3 in the S3 Glacier Deep Archive storage class. Configure a lifecycle policy that deletes the logs after two years. Explanation: Amazon S3 Glacier Deep Archive storage class is the cheapest storage class in AWS, and the information can be retrieved within a default time of 12 hours. The other options offer some cost savings compared to the Amazon S3 Standard storage class, but Intelligent-Tiering would not cycle the files to an archive storage class for roughly 120 days. While the One Zone-IA storage class would provide some cost savings, it offers less durable storage, so the likelihood of losing logs is higher.

Answer 21

B. KMS keys can operate on a multi-region scope, but AWS recommends region-specific keys for most cases. Explanation: KMS has been a regional service for many years, and while can complicate the design of multi-region architecture, there are security benefits to the regional limitations. KMS has a multi-region key option, but region-specific keys cannot be converted to multi-region AND there are significantly more security issues to consider with using a multi-region key. The benefit it offers customers also expands the risk if the key is compromised or deleted, so something to keep in mind. AWS mentions it here: You cannot convert an existing single-Region key to a multi-Region key. This design ensures that all data protected with existing single-Region keys maintain the same data residency and data sovereignty properties. For most data security needs, the Regional isolation and fault tolerance of Regional resources make standard AWS KMS single-Region keys a best-fit solution. However, when you need to encrypt or sign data in client-side applications across multiple Regions, multi-Region keys might be the solution.

Answer 22

D. Enable CloudWatch monitoring for your EC2 auto scaling group with detailed monitoring. Explanation: With target tracking scaling policies, you select a scaling metric and set a target value. Amazon EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the metric and the target value. The scaling policy adds or removes capacity as required to keep the metric at, or close to, the specified target value. In addition to keeping the metric close to the target value, a target tracking scaling policy also adjusts to the changes in the metric due to a changing load pattern. To ensure a faster response to changes in the metric value, AWS recommends that you scale on metrics with a 1-minute frequency. Scaling on metrics with a 5-minute frequency can result in slower response times and scaling on stale metric data. To get this level of data for Amazon EC2 metrics, you must specifically enable detailed monitoring. By default, Amazon EC2 instances are enabled for basic monitoring, which means metric data for instances is available at 5-minute frequency.

Answer 23

A. Deploy a DynamoDB VPC endpoint in the data analysis application's private subnet, and a DynamoDB VPC endpoint in the public website's public subnet. Explanation: DynamoDB VPC endpoints are Gateway endpoints. You can configure multiple gateway endpoints in a single VPC for the same AWS service, and route different resources to different gateways with different policies based on the specific permissions granted to those resources.

Answer 24

D. Use IAM (Identity and Access Management) to control file system data access with an EFS file system policy that includes the condition aws:SecureTransport set to true. Explanation: The key to setting up encryption in-transit with an EFS filesystem is to mount the filesystem using Transport Layer Security (TLS). There is no setting for an EFS filesystem configuration that will let you enforce TLS for a mount operation, nor is there a way to do this with an AMI. Of the two remaining choices, you could create a script that administrators use to always mount the filesystem using TLS; however, a better choice is to use IAM to establish an EFS filesystem policy that includes the condition aws:SecureTransport set to true. Using a filesystem policy is the best choice because this will cause AWS to raise an error if a user tries to mount the filesystem without specifying TLS.

Answer 25

B. 1) Backup the data using AWS Storage Gateway volume gateways. 2) Store the data in Amazon S3 in the S3 Glacier Flexible Retrieval storage class. Explanation: Review the questions and consider the key points in bold: A company stores its application data onsite using iSCSI connections to archival disk storage located at an on-premises data center. Now management wants to identify cloud solutions to backup that data to the cloud and store it at minimal expense. The company needs to back up 200 TB of data to the cloud over the course of a month, and the speed of the backup is not a critical factor. The backups are rarely accessed, but when requested, they should be available in less than 6 hours. What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers) So why is Storage Gateway the better option? It is cheaper - compare uploading 200 TB per month on each service using the AWS Pricing Calculator. DataSync costs more than double what it does on Storage Gateway. Speed is not an issue - the main advantage of DataSync is that it is faster, so if speed is not an issue, you do not need DataSync. While the amount of data may be ideal for Snowball devices, this option is not as cost-effective. If this were a one-time data upload, or perhaps more sensitive data that should be migrated as securely as possible, then a Snowball device would be a better choice. Why use S3 Glacier and not S3 Glacier Deep Archive? You need to retrieve data from the tape gateway in less than 6 hours. This is possible with S3 Glacier storage, but not possible with S3 Glacier Deep Archive. See more information on storage classes here.

Answer 26

B. Pause multipart uploads during peak network usage. Explanation: The ability to pause multipart uploads offers great flexibility in its usage. A pause could be initiated for a number of reasons, but pausing to relieve network traffic is a prime use case. If a multipart upload aborts, it is good practice to have a lifecycle policy, which will delete incomplete uploads after a predetermined number of days. This will reduce storage costs. The other choices would not address network bandwidth issues in a cost-effective way: Using AWS Direct Connect would increase network expenses. VPC endpoints can be used for communication between AWS resources deployed in a VPC and Amazon S3. This does not assist in this case because objects are uploaded from an on-premises environment. Compressing objects before initiating multi-part uploads would only have a marginal effect. Multipart uploads already divide large objects into smaller, separate parts, so modest changes in object size from compressing an object would have a minor overall impact.

Answer 27

A. Enable object locks on all relevant S3 buckets with a retention mode of compliance mode. B. Set a default retention period of 18 months on all related S3 buckets. Explanation: The key points of this question are: the difference between compliance mode and governance mode - compliance prevents objects from being updated or deleted, governance only prevents deletion. Default Retention periods can be set at bucket level and then applied to all objects uploaded into the bucket. Otherwise, they have to be set at an object version level. Legal holds have no specific time frame associated with them, and cannot be configured at a bucket level. They must be configured at an object version level. Object lock settings cannot be configured via batch operations.

Answer 28

B. CloudFront Signed URLs Explanation: CloudFront Signed URLs, specifically custom signed URLs, allow AWS users to limit access to specific content stored on Amazon CloudFront. No other option provides this type of control.

Answer 29

B. Create a route in the route table to direct traffic from the private subnet to the NAT Gateway. D. Allocate an Elastic IP address and associate it with the NAT Gateway. Explanation: You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances. To create a NAT gateway, you must specify the public subnet in which the NAT gateway will reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. After you've created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. Disabling source/destination checks is a feature of NAT Instances not NAT Gateways.

Answer 30

A. Do nothing - empty EBS volumes do not require initialization Explanation: Initializing volumes (formerly known as pre-warming) has changed from its prior functionality. Formerly, you would have to initialize (pre-warm) a newly created volume from scratch. This is no longer necessary. Newly created volumes created from snapshots still need to be pre-warmed by reading from the blocks that contain data.

Answer 31

C. Add read replicas to the DAX cluster Explanation: Adding read replicas to the DAX cluster can help improve the throughput.

Answer 32

C. Assign permissions using an Inline Policy. Explanation: The best choice in this situation is an Inline Policy because this policy type is part of the IAM identity itself, and cannot be accidentally reassigned to other users, roles, or groups. AWS-Managed and Customer-Managed policies can be reassigned, and IAM Identity Federation would only work if the user were signing in through a separate Identity Provider (IdP) like Facebook, Twitter, or Google.

Answer 33

A. Launch the database server in a private VPC, use AWS Outposts to provide secure internet access to the database when needed. Explanation: When you launch an instance, you launch it into a subnet in your VPC. You can use subnets to isolate the tiers of your application like web, application, and database servers within a single VPC. You can use private subnets for your instances if they should not be accessed directly from the internet. You can also use a NAT gateway for internet access from an instance in a private subnet as needed. The remaining choices are incorrect for the following reasons: ● AWS Outposts is used to build and run applications on premises using the same programming interfaces as in AWS Regions, not for DB security. ● You can use the AWS CloudFront service to set up a distribution that will allow you to use edge servers to cache content down to globally distributed end users to allow for better performance of static data. AWS CloudFront does not provide protection for database servers. ● Application Load Balancers automatically distribute your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It does not deal with security.

Answer 34

A. AWS Well-Architected Tool Explanation: The AWS Well-Architected Tool is designed to help you review the state of your applications and workloads, and it provides a central place for architectural best practices and guidance. The AWS Well-Architected Tool is based on the AWS Well-Architected Framework, which was developed to help cloud architects build secure, high-performing, resilient, and efficient application infrastructures. The Framework has been used in thousands of workload reviews by AWS solutions architects. It provides a consistent approach for evaluating your cloud architecture and implementing designs that will scale with your application needs over time. The remaining tools help more with vulnerabilities or cost savings rather than best practices, except for the Well-Architected Framework, which is not an AWS service.

Answer 35

A. Network Load Balancer Explanation: Amazon offers several load balancers, and the one you choose depends on your application and how you plan to distribute the traffic across your resources. Here is a summary of each load balancer: Application Load Balancer (ALB) - An application load balancer operates at layer 7 of the open systems interconnection (OSI) model and distributes HTTP and HTTPS traffic. The ALB can make routing decisions based on application-specific information included inside each HTTP/HTTPS request. Network Load Balancer - A network load balancer operates at layer 4 of the open systems interconnection (OSI) model and distributes traffic based on the TCP and UDP protocols. The network load balancer can process millions of requests per second and still maintain ultra-low latencies. Classic Load Balancer - This is a legacy load balancer you would use if your application uses the EC2-Classic network. If you are using a VPC, Amazon recommends using either the Application Load Balancer or the Network Load Balancer instead of a Classic Load Balancer. This load balancer supports the following protocols: TCP, SSL/TLS, HTTP, and HTTPS. Gateway Load Balancer - You use a Gateway Load Balancer to distribute traffic between third-party virtual appliances. The correct answer in this scenario is the Network Load Balancer because the company needs the incoming traffic to be distributed based on UDP traffic at layer 4. Additional resources: AWS Partner Network (APN) Blog

Answer 36

B. Amazon DynamoDB Global Table Explanation: A DynamoDB Global Table is the most appropriate database for this use case because it provides highly scalable cross-region reads and writes. Also, because the database does not yet have a fixed schema, a NoSQL data store would have better performance than a relational database. Here are a few reasons the remaining choices are not the correct choice: Amazon RDS Read Replicas: Setting up read replicas is a good choice when the database services a read-heavy workload; that is not the situation described in this problem statement. Also, RDS is a relational database service, and this might not be the best choice since the data schema for this project is not well defined. Relational database is a better choice when the schema is well-defined and not expected to change significantly. Amazon Redshift is a fast, fully-managed, petabyte-scale data warehouse. Redshift is designed for high-performance data analysis and is capable of storing and processing petabytes of data. A Multi-region Redshift cluster is not the appropriate service for this use case because the application does not need a data warehouse. Amazon Neptune is a graph database service that customers use when building applications that use highly connected data sets. The application in this problem does not describe a need to work with a highly connected data set.

Answer 37

B. Attach an elastic network interface (ENI) to the instance configured with the private IP address. Move the ENI to the standby instance if the primary instance becomes unreachable. Explanation: A secondary ENI can be added to an instance. While primary ENIs cannot be detached from an instance, secondary ENIs can be detached and attached to a different instance.

Answer 38

A. Stop the instance, detach the root volume and attach it to another EC2 instance as a data volume. C. Modify the authorized_keys file with a new public key, move the volume back to the original instance, and restart the instance. Explanation: A key pair, consisting of a private key and a public key, is a set of security credentials that you use to prove your identity when connecting to an instance. Amazon EC2 stores the public key, and you store the private key. You use the private key, instead of a password, to securely access your instances. When you launch an instance, you are prompted for a key pair. If you plan to connect to the instance using SSH, you must specify a key pair. You can choose an existing key pair or create a new one. If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file with a new public key, move the volume back to the original instance, and restart the instance. This procedure is not supported for instances with instance store-backed root volumes.

Answer 39

A. Create an Elastic File System (EFS) and enable the Max I/O performance mode. Explanation: When we discuss EFS performance, there are two types of EFS configuration settings we need to look at: Performance mode: There are two performance modes: General Purpose (default) and Max I/O. You choose the performance mode when creating the file system, and once the file system is created, you cannot modify the performance mode. If you need to change the performance mode, you need to create a new file system and migrate your files to the new system. There are no additional costs associated with either performance mode. Max I/O is a good choice for workloads when there is a lot of parallel file system work needed or if you need more than 7,000 operations per second. Throughput mode: There are two throughput modes: Bursting Throughput (default) and Provisioned Throughput. Unlike performance modes, there is a cost difference between these throughput modes, and you can change the throughput for the file system after creation. With bursting throughput mode, the amount of throughput scales as your file system grows; the more data you store, the more throughput is available to you. With provisioned throughput mode, you can specify the throughput irrespective of the amount of storage the file system uses. Provisioned throughput is a good choice when you may need more throughput than you would receive based on the file system's size. The correct answer, in this case, is to choose the Max I/O performance mode for the file system. Max I/O is the best choice in this case because the scenario given is for a highly parallel application with the requirement of the highest possible throughput and operations per second. Provisioned throughput would not be the best answer because the problem does not state that throughput needs are high compared to the amount of data stored on the file system. Several choices mention taking the default file system settings and then changing the performance mode later if needed. Once a file system is created, you cannot change the performance mode without creating a new file system. If you are unsure which performance mode is right for a given workload; you can monitor the file system with Amazon CloudWatch, and then create a new file system with a new performance mode.

Answer 40

C. Configure Route 53 CloudWatch Alarm Health Checks Explanation: Most of these choices improve the responsiveness of CloudWatch in some way, but the aspect of this question is improving the responsiveness of CloudWatch alarms you have already implemented. This means you are not interested in additional metric information outside of the custom metrics you've already created in CloudWatch, and any features that increase responsiveness to metrics other than what you want will not be beneficial. So, creating CloudWatch Log metric filters for default RDS metrics will not help, even though this can provide 1-second granularity, it is unlikely the logs will indicate overall latency and throughput of reads and writes, as these performance metrics are not related to specific API calls, but rather general database performance. Performance Insights allow you to review and analyze your RDS database performance overall, but is not ideal for identifying a performance issue in real-time. Enabling Enhanced monitoring does provide increased insight into RDS database performance, and with the increased granularity of 5 seconds instead of 60 seconds, or potentially even 1-second granularity through CloudWatch Log Streams. However, Enhanced Monitoring provides specific operating system metrics and other performance metrics, and would not apply to the custom metric you have created using CloudWatch. In addition, creating a Route 53 CloudWatch Alarm Health Check will monitor the transmission of data to CloudWatch, and can effectively alert you before the CloudWatch alarm is even triggered. How does this alarm health check work? According to AWS: When you create a health check that is based on a CloudWatch alarm, Route 53 monitors the data stream for the corresponding alarm instead of monitoring the alarm state. If the data stream indicates that the state of the alarm is OK, the health check is considered healthy. If the data stream indicates that the state is Alarm, the health check is considered unhealthy. If the data stream doesn't provide enough information to determine the state of the alarm, the health check status depends on the setting for Health check status: healthy, unhealthy, or last known status.

Answer 41

A. When creating the EFS filesystem enable encryption using the default AWS-managed KMS key for Amazon EFS. Explanation: First, let's eliminate the choices suggesting mounting the EFS filesystem using either the AWS-managed KMS key or a customer-managed KMS key. These answers are incorrect because EFS encryption is not related to mounting the filesystem to an EC2 instance. You enable encryption for an EFS filesystem when you create the filesystem. When setting up EFS encryption you have the choice to use an AWS-managed key or a customer-managed key. In this scenario, the customer does not need to manage the cryptographic key rotation or any policies associated with managing the key. Therefore the best choice would be to use the AWS-managed key. If the customer did have specific key rotation policies or update the policies associated with key management, then a customer-managed key would be a better choice.

Answer 42

B. Deploy a partition placement group across multiple Availability Zones Explanation: There are three types of placement groups: cluster, partition, and spread. Cluster placement groups provide the closest physical placement of instances. Instances in the same cluster placement group have a higher throughput limit for each flow for TCP/IP traffic and are placed in the same high-bisection bandwidth segment of the network. Cluster placement groups are Single-AZ deployments only. When resiliency is most important, partition and spread placement groups provide options of Single-AZ or Multi-AZ deployments while ensuring that individual nodes run on separate racks. Partition placement groups divide the cluster into three partitions that are physically separated in the Availability Zone. Spread placement groups place each instance on its own rack inside the Availability Zone. Service quotas can be a factor in the selection of a placement group. The remaining choices are incorrect for the following reasons: Partition placement groups help reduce the likelihood of correlated hardware failures for an application. A partition placement group can place partitions in multiple Availability Zones in the same AWS Region. By limiting deployment to a single Availability Zone, the SysOps administrator has not implemented the most resilient solution. A cluster placement group is a logical grouping of instances within a single Availability Zone. This solution helps workloads achieve the low-latency network performance necessary for tightly coupled node-to-node communication. This solution does not provide the most resiliency because a localized hardware failure could impact multiple EC2 instances. A cluster placement group is a logical grouping of instances within a single Availability Zone. A cluster placement group cannot extend across multiple Availability Zones.

Answer 43

A. Choose the HDD storage type when creating the file system. Explanation: When you create an Amazon FSx for Windows file system, several configuration selections impact your costs: Storage Capacity, Storage Type (HDD or SSD) Throughput Capacity Deployment type (single-AZ or multi-AZ) Enabling backups In addition to managing costs by making the appropriate configuration choices, you can also choose to enable data deduplication for the file system. This step can reduce your storage costs by 30 - 80% by reducing the amount of data you store in your file system. In this problem scenario, the IT team needs storage to support user directories and department file shares. The primary choice that will drive the cost here is the type of storage for the file system. The HDD storage type is the lowest cost and most appropriate for the workload needed to support home directories; SSD is more expensive and provides more performance than is required for this workload. Finally, the team can enable data deduplication to reduce costs for the configuration further. The problem and choice list do not mention the need for a Multi-AZ deployment or backups. However, both of these options would increase costs.

Answer 44

A. Amazon EBS Throughput Optimized HDD (st1) Explanation: There are four volume types available with Amazon EBS: General Purpose SSD (gp2): Use a general-purpose volume for workloads where IOPS is more critical than throughput, and the cost is more important than performance. Provisioned IOPS SSD (io2): Use Provisioned IOPS volumes for workloads when you are more concerned with IOPS performance and your workload is primarily smaller random I/O operations. Throughput Optimized HDD (st1): Choose Throughput Optimized volumes when you are primarily concerned with throughput and your storage pattern aligns with larger sequential I/O operations. Cold HDD (sc1): Use Cold HDD volumes when storage is infrequently accessed and when minimizing storage costs is more important than performance. In the problem statement for this question, we are most concerned with high throughput performance optimized for a large sequential I/O workload. Therefore, choosing an Amazon EBS Throughput Optimized HDD (st1) volume would be the best choice.

Answer 45

B. AWS Snowball Storage Optimized Explanation: Consider Snowball Edge if you need to run computing in rugged, austere, mobile, or disconnected (or intermittently connected) environments. Also consider it for large-scale data transfers and migrations when bandwidth is not available for use of a high-speed online transfer service, such as AWS DataSync. Snowball Edge Storage Optimized is the optimal data transfer choice if you need to securely and quickly transfer terabytes to petabytes of data to AWS. You can use Snowball Edge Storage Optimized if you have a large backlog of data to transfer or if you frequently collect data that needs to be transferred to AWS and your storage is in an area where high-bandwidth internet connections are not available or cost-prohibitive. A Snowcone is far too small while a Snowmobile is far too large. Storage-optimized Snowball devices offer more than twice the storage capacity of compute-optimized.

Answer 46

A. Enable EBS encryption by default for the AWS account. Explanation: The best way to ensure that your EBS volumes are encrypted is to enable EBS encryption by default for the AWS Account. When you enable encryption by default, there is no action you need to take to encrypt the volume at creation time; the system will automatically take care of it even if using an unencrypted snapshot. Though you can explicitly enable encryption during the creation process, it is not required. Here are a few points about the remaining choices: Though Amazon Data Lifecycle Manager is a valuable service you can use to automate management tasks for EBS volumes and snapshots; however, you would not use it to enable encryption by default for all EBS volumes. In theory, you could use AWS CloudTrail to monitor your EBS resources for security compliance. However, you would also need to combine this with other services such as AWS CloudWatch Events to trigger an action. Also, this is a more complicated solution than is necessary. There are no IAM identity-based policy settings that would allow you to specify that users can only create encrypted EBS volumes. These settings do exist for EFS filesystems, but not EBS. Additional Resources Encryption by default

Answer 47

A. AWS Audit Manager Explanation: AWS Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. Audit Manager automates evidence collection to reduce the “all hands on deck” manual effort that often happens for audits and enable you to scale your audit capability in the cloud as your business grows. With Audit Manager, it is easy to assess if your policies, procedures, and activities – also known as controls – are operating effectively. When it is time for an audit, AWS Audit Manager helps you manage stakeholder reviews of your controls and enables you to build audit-ready reports with much less manual effort.

Answer 48

B. Apply patches and OS updates C. Enroll an instance into a directory service D. Install application software Explanation: When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts. You can pass two types of user data to Amazon EC2: shell scripts and cloud-init directives.

Answer 49

A. Assign IAM policies to the Dev/Test IAM group that authorize S3 object operation based on object tags. B. Implement an object tagging policy using AWS Config's Auto Remediation feature. Explanation: One of the key benefits of object tagging is that it "enables fine-grained control of permissions." You also have the Auto Remediation feature within AWS Config to help not only alert you to non-compliant resources but automatically bring the resources into compliance based on permissions and actions you configure. The other choices are not ideal. Batch operations are designed for updating millions to billions of objects at a time, and setting up a batch operation requires several steps. Going through these manual steps to ensure that very temporary resources are properly tagged is not efficient. Each batch operation is a one-time fix as well that would only address the issue for existing resources, and continue to allow non-compliant resources to be created. The Lambda functions are not an efficient option because checking the tags for each S3 object would result in a large number of functions, and require manually configuring the lambda functions and ensuring that they work as designed. It would essentially be a manual, managed version of the service already available through AWS Config Auto Remediation.

Answer 50

A. Deploy 4 servers to 2 availability zones with an application load balancer distributing requests across the 8 servers. Set up an auto-scaling group that uses the load balancer health checks and set the same minimum, maximum, and desired capacity. Explanation: The critical point in this question is that you need to identify a solution that will automatically maintain a fixed number of servers. Added to this, you need to decide whether to use 1 or 2 availability zones. Let's start with the number of availability zones. If you want your application to be highly available and resilient, distributing your resource across multiple availability zones is the best choice. If one availability zone becomes unavailable, the servers in the remaining availability zone can support your application load. We can disregard any solution that includes using a single availability zone and only consider those that use two availability zones. The last thing we need to do is determine how to set up an AWS service to maintain a fixed number of servers. It turns out you can use AWS auto-scaling for more than scaling-out your compute resources. You can also use auto-scaling to build resilient systems by configuring it to maintain a fixed number of resources. When used in this way, the auto-scaling service can monitor your resources and replace unhealthy instances. The choice that suggests using the load balancer to replace unhealthy instances is incorrect because a load balancer cannot replace unhealthy instances. Additional Resources: Maintaining Fixed Number of Instances

Answer 51

A. Use a VPC Endpoint to deliver static S3 content to the internet instead of a NAT Gateway. B. Use Amazon CloudFront as your CDN rather than creating a custom CDN. C. Transfer on-premise Windows File Server files to S3 using Storage Gateway rather than migrating a Windows File Server to AWS using FSx. Explanation: All of the above are helpful ways to reduce spending except for storing locally rather than in S3. Because the logs are business-critical and relevant to EC2 instances on the AWS network, it makes the most sense to also analyze and store audit logs within the AWS environment. Data transfer costs may otherwise incur.

Answer 52

B. Upload all files to the Amazon S3 Intelligent Tiering storage class and review costs related to the frequency of access over time Explanation: There are essentially three types of answers here - choices that use no automation, choices that use the incorrect type of automation given the situation, and a choice that uses the correct type of automation. First, the choices that use little to no automation in this case would be the least recommended decision. Uploading millions of files to either Standard or Standard-IA and then waiting to review costs and access patterns could be very costly. Second, the choice to use storage class analysis could work eventually, if you have the time to wait for analytics to be gathered (which could still be as costly as the choice above) and the time to then review the analytics, and then sift through the files to migrate them to the correct storage class. This is a better choice, but not the best choice. Finally, the correct answer would be to use Intelligent_Tiering, which continuously monitors the access frequency and shifts the objects between a standard and infrequent-access tier depending on how access patterns may change. This happens automatically, and starts immediately, so it is the best choice of the options provided.

Answer 53

D. EFS One Zone-IA Explanation: The EFS One Zone–IA storage class reduces storage costs for files that are not accessed every day. We recommend EFS One Zone–IA storage if you need your full dataset to be readily accessible and want to automatically save on storage costs for files that are less frequently accessed. One Zone-IA storage is compatible with all Amazon EFS features, and is available in all AWS Regions where Amazon EFS is available.

Answer 54

B. AWS Certificate Manager Explanation: For this application, you need SSL/TLS certificates to encrypt data in transit and establish the identity of websites over the internet. With AWS Certificate Manager, you easily provision, and manage the renewal and deployment of SSL/TLS certificates. This is your solution. The remaining choices are incorrect for the following reasons: AWS DataSync is a data transfer service that enables you to optimize network bandwidth and accelerate data transfer between on-premises storage and AWS storage. DataSync does not manage SSL/TLS certificates. AWS DataBrew is a data visualization tool that cleans and normalizes data for analytics and machine learning, without writing any code. While AWS IQ enables you to complete projects faster with the help of third-party AWS-certified experts, AWS Data Exchange allows you to easily exchange data in a secure and compliant way.