Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

EXAM SAA-C02 > saa-c02-part-06 > Flashcards

saa-c02-part-06 Flashcards

1
Q

A company has an Amazon EC2 instance running on a private subnet that needs to access a public website to download patches and updates. The company does not want external websites to see the EC2 instance IP address or initiate connections to it.
How can a solutions architect achieve this objective?

  1. Create a site-to-site VPN connection between the private subnet and the network in which the public site is deployed.
  2. Create a NAT gateway in a public subnet. Route outbound traffic from the private subnet through the NAT gateway.
  3. Create a network ACL for the private subnet where the EC2 instance deployed only allows access from the IP address range of the public website.
  4. Create a security group that only allows connections from the IP address range of the public website. Attach the security group to the EC2 instance.
A
  1. Create a NAT gateway in a public subnet. Route outbound traffic from the private subnet through the NAT gateway.

private subnet that needs to access a public website = NAT

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A company must migrate 20 TB of data from a data center to the AWS Cloud within 30 days. The company’s network bandwidth is limited to 15 Mbps and cannot exceed 70% utilization. What should a solutions architect do to meet these requirements?

  1. Use AWS Snowball.
  2. Use AWS DataSync.
  3. Use a secure VPN connection.
  4. Use Amazon S3 Transfer Acceleration.
A
  1. Use AWS Snowball.

migrate 20 TB = snowball

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

A company has a website running on Amazon EC2 instances across two Availability Zones. The company is expecting spikes in traffic on specific holidays, and wants to provide a consistent user experience. How can a solutions architect meet this requirement?

  1. Use step scaling.
  2. Use simple scaling.
  3. Use lifecycle hooks.
  4. Use scheduled scaling.
A
  1. Use scheduled scaling.

specific holidays = scheduled

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

An ecommerce company is running a multi-tier application on AWS. The front-end and backend tiers both run on Amazon EC2, and the database runs on Amazon RDS for MySQL. The backend tier communicates with the RDS instance. There are frequent calls to return identical datasets from the database that are causing performance slowdowns.
Which action should be taken to improve the performance of the backend?

  1. Implement Amazon SNS to store the database calls.
  2. Implement Amazon ElastiCache to cache the large datasets.
  3. Implement an RDS for MySQL read replica to cache database calls.
  4. Implement Amazon Kinesis Data Firehose to stream the calls to the database.
A
  1. Implement Amazon ElastiCache to cache the large datasets.

return identical datasets + performance = cache (read replica is not caching)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

A company has an on-premises data center that is running out of storage capacity. The company wants to migrate its storage infrastructure to AWS while minimizing bandwidth costs. The solution must allow for immediate retrieval of data at no additional cost.
How can these requirements be met?

  1. Deploy Amazon S3 Glacier Vault and enable expedited retrieval. Enable provisioned retrieval capacity for the workload.
  2. Deploy AWS Storage Gateway using cached volumes. Use Storage Gateway to store data in Amazon S3 while retaining copies of frequently accessed data subsets locally.
  3. Deploy AWS Storage Gateway using stored volumes to store data locally. Use Storage Gateway to asynchronously back up point-in-time snapshots of the data to Amazon S3.
  4. Deploy AWS Direct Connect to connect with the on-premises data center. Configure AWS Storage Gateway to store data locally. Use Storage Gateway to asynchronously back up point-in-time snapshots of the data to Amazon S3.
A
  1. Deploy AWS Storage Gateway using cached volumes. Use Storage Gateway to store data in Amazon S3 while retaining copies of frequently accessed data subsets locally.

Glacier = not immediate = not 1

store data locally = out of space locally = not 3,4

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A company is processing data on a daily basis. The results of the operations are stored in an Amazon S3 bucket, analyzed daily for one week, and then must remain immediately accessible for occasional analysis.
What is the MOST cost-effective storage solution alternative to the current configuration?

  1. Configure a lifecycle policy to delete the objects after 30 days.
  2. Configure a lifecycle policy to transition the objects to Amazon S3 Glacier after 30 days.
  3. Configure a lifecycle policy to transition the objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
  4. Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
A
  1. Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.

MOST cost-effective = S3 One Zone-Infrequent Access

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A company delivers files in Amazon S3 to certain users who do not have AWS credentials. These users must be given access for a limited time. What should a solutions architect do to securely meet these requirements?

  1. Enable public access on an Amazon S3 bucket.
  2. Generate a presigned URL to share with the users.
  3. Encrypt files using AWS KMS and provide keys to the users.
  4. Create and assign IAM roles that will grant GetObject permissions to the users.
A
  1. Generate a presigned URL to share with the users.

users who do not have AWS credentials + limited time = presignedurls

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A company wants to run a hybrid workload for data processing. The data needs to be accessed by on-premises applications for local data processing using an NFS protocol, and must also be accessible from the AWS Cloud for further analytics and batch processing.
Which solution will meet these requirements?

  1. Use an AWS Storage Gateway file gateway to provide file storage to AWS, then perform analytics on this data in the AWS Cloud.
  2. Use an AWS Storage Gateway tape gateway to copy the backup of the local data to AWS, then perform analytics on this data in the AWS cloud.
  3. Use an AWS Storage Gateway volume gateway in a stored volume configuration to regularly take snapshots of the local data, then copy the data to AWS.
  4. Use an AWS Storage Gateway volume gateway in a cached volume configuration to back up all the local storage in the AWS cloud, then perform analytics on this data in the cloud.
A
  1. Use an AWS Storage Gateway file gateway to provide file storage to AWS, then perform analytics on this data in the AWS Cloud.

NFS = Network File Share

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

A company plans to store sensitive user data on Amazon S3. Internal security compliance requirements mandate encryption of data before sending it to Amazon S3.
What should a solutions architect recommend to satisfy these requirements?

  1. Server-side encryption with customer-provided encryption keys
  2. Client-side encryption with Amazon S3 managed encryption keys
  3. Server-side encryption with keys stored in AWS key Management Service (AWS KMS)
  4. Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)
A
  1. Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)

encryption of data before = Client-side 2,4

S3 managed encryption keys = ?? doesnt exist so 4 also

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A solutions architect is moving the static content from a public website hosted on Amazon EC2 instances to an Amazon S3 bucket. An Amazon CloudFront distribution will be used to deliver the static assets. The security group used by the EC2 instances restricts access to a limited set of IP ranges. Access to the static content should be similarly restricted.
Which combination of steps will meet these requirements? (Choose two.)

  1. Create an origin access identity (OAI) and associate it with the distribution. Change the permissions in the bucket policy so that only the OAI can read the objects.
  2. Create an AWS WAF web ACL that includes the same IP restrictions that exist in the EC2 security group. Associate this new web ACL with the CloudFront distribution.
  3. Create a new security group that includes the same IP restrictions that exist in the current EC2 security group. Associate this new security group with the CloudFront distribution.
  4. Create a new security group that includes the same IP restrictions that exist in the current EC2 security group. Associate this new security group with the S3 bucket hosting the static content.
  5. Create a new IAM role and associate the role with the distribution. Change the permissions either on the S3 bucket or on the files within the S3 bucket so that only the newly created IAM role has read and download permissions.
A
  1. Create an origin access identity (OAI) and associate it with the distribution. Change the permissions in the bucket policy so that only the OAI can read the objects.
  2. Create an AWS WAF web ACL that includes the same IP restrictions that exist in the EC2 security group. Associate this new web ACL with the CloudFront distribution.

Restrict access to content in S3 buckets = origin access identity

limited set of IP ranges = WAF / CloudFront

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A company is investigating potential solutions that would collect, process, and store users’ service usage data. The business objective is to create an analytics capability that will enable the company to gather operational insights quickly using standard SQL queries. The solution should be highly available and ensure Atomicity, Consistency, Isolation, and Durability (ACID) compliance in the data tier.

Which solution should a solutions architect recommend?

  1. Use an Amazon Timestream database.
  2. Use an Amazon Neptune database in a Multi-AZ design.
  3. Use a fully managed Amazon RDS for MySQL database in a Multi-AZ design.
  4. Deploy PostgreSQL on an Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS) Throughput Optimized HDD (st1) storage.
A
  1. Use a fully managed Amazon RDS for MySQL database in a Multi-AZ design.

standard SQL queries = RDS

4 is overkill

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A company recently launched its website to serve content to its global user base. The company wants to store and accelerate the delivery of static content to its users by leveraging Amazon CloudFront with an Amazon EC2 instance attached as its origin.

How should a solutions architect optimize high availability for the application?

  1. Use Lambda@Edge for CloudFront.
  2. Use Amazon S3 Transfer Acceleration for CloudFront.
  3. Configure another EC2 instance in a different Availability Zone as part of the origin group.
  4. Configure another EC2 instance as part of the origin server cluster in the same Availability Zone.
A
  1. Configure another EC2 instance in a different Availability Zone as part of the origin group.

high availability = multi AZ

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

An application running on an Amazon EC2 instance in VPC-A needs to access files in another EC2 instance in VPC-B. Both are in separate. AWS accounts. The network administrator needs to design a solution to enable secure access to EC2 instance in VPC-B from VPC-A. The connectivity should not have a single point of failure or bandwidth concerns.

Which solution will meet these requirements?

  1. Set up a VPC peering connection between VPC-A and VPC-B.
  2. Set up VPC gateway endpoints for the EC2 instance running in VPC-B.
  3. Attach a virtual private gateway to VPC-B and enable routing from VPC-A.
  4. Create a private virtual interface (VIF) for the EC2 instance running in VPC-B and add appropriate routes from VPC-B.
A
  1. Set up a VPC peering connection between VPC-A and VPC-B.

VPC-A and VPC-B = peering

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

A company currently stores symmetric encryption keys in a hardware security module (HSM). A solutions architect must design a solution to migrate key management to AWS. The solution should allow for key rotation and support the use of customer provided keys.

Where should the key material be stored to meet these requirements?

  1. Amazon S3
  2. AWS Secrets Manager
  3. AWS Systems Manager Parameter store
  4. AWS Key Management Service (AWS KMS)
A
  1. AWS Key Management Service (AWS KMS)

key rotation = KMS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A recent analysis of a company’s IT expenses highlights the need to reduce backup costs. The company’s chief information officer wants to simplify the on-premises backup infrastructure and reduce costs by eliminating the use of physical backup tapes. The company must preserve the existing investment in the on-premises backup applications and workflows.

What should a solutions architect recommend?

  1. Set up AWS Storage Gateway to connect with the backup applications using the NFS interface.
  2. Set up an Amazon Elastic File System (Amazon EFS) file system that connects with the backup applications using the NFS interface.
  3. Set up an Amazon Elastic File System (Amazon EFS) file system that connects with the backup applications using the iSCSI interface.
  4. Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library (VTL) interface.
A
  1. Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library (VTL) interface.

tapes = VTL

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

A company hosts an application on an Amazon EC2 instance that requires a maximum of 200 GB storage space. The application is used infrequently, with peaks during mornings and evenings. Disk I/O varies, but peaks at 3,000 IOPS. The chief financial officer of the company is concerned about costs and has asked a solutions architect to recommend the most cost-effective storage option that does not sacrifice performance.

Which solution should the solutions architect recommend?

  1. Amazon Elastic Block Store (Amazon EBS) Cold HDD (sc1)
  2. Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp2)
  3. Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS SSD (io1)
  4. Amazon Elastic Block Store (Amazon EBS) Throughput Optimized HDD (st1)
A
  1. Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp2)

3,000 IOPS = gp2

Gp2 - 16000

Io1 - 64000

https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/ebs-volume-types.html

17
Q

A company’s application hosted on Amazon EC2 instances needs to access an Amazon S3 bucket. Due to data sensitivity, traffic cannot traverse the internet.

How should a solutions architect configure access?

  1. Create a private hosted zone using Amazon Route 53.
  2. Configure a VPC gateway endpoint for Amazon S3 in the VPC.
  3. Configure AWS PrivateLink between the EC2 instance and the S3 bucket.
  4. Set up a site-to-site VPN connection between the VPC and the S3 bucket.
A
  1. Configure a VPC gateway endpoint for Amazon S3 in the VPC.

EC2 to S3 = endpoint

18
Q

A company has two applications it wants to migrate to AWS. Both applications process a large set of files by accessing the same files at the same time. Both applications need to read the files with low latency.

Which architecture should a solutions architect recommend for this situation?

  1. Configure two AWS Lambda functions to run the applications. Create an Amazon EC2 instance with an instance store volume to store the data.
  2. Configure two AWS Lambda functions to run the applications. Create an Amazon EC2 instance with an Amazon Elastic Block Store (Amazon EBS) volume to store the data.
  3. Configure one memory optimized Amazon EC2 instance to run both applications simultaneously. Create an Amazon Elastic Block Store (Amazon EBS) volume with Provisioned IOPS to store the data.
  4. Configure two Amazon EC2 instances to run both applications. Configure Amazon Elastic File System (Amazon EFS) with General Purpose performance mode and Bursting Throughput mode to store the data.
A
  1. Configure two Amazon EC2 instances to run both applications. Configure Amazon Elastic File System (Amazon EFS) with General Purpose performance mode and Bursting Throughput mode to store the data.

accessing the same files at the same time = concurrency = EFS

19
Q

An ecommerce company has noticed performance degradation of its Amazon RDS based web application. The performance degradation is attributed to an increase in the number of read-only SQL queries triggered by business analysts. A solutions architect needs to solve the problem with minimal changes to the existing web application.

What should the solutions architect recommend?

  1. Export the data to Amazon DynamoDB and have the business analysts run their queries.
  2. Load the data into Amazon ElastiCache and have the business analysts run their queries.
  3. Create a read replica of the primary database and have the business analysts run their queries.
  4. Copy the data into an Amazon Redshift cluster and have the business analysts run their queries.
A
  1. Create a read replica of the primary database and have the business analysts run their queries.

read-only SQL queries = read replicas

20
Q

A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest.

Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of changes to the infrastructure?

  1. Deploy AWS Certificate Manager to generate certificates. Use the certificates to encrypt the database volume.
  2. Deploy AWS CloudHSM, generate encryption keys, and use the customer master key (CMK) to encrypt database volumes.
  3. Configure SSL encryption using AWS Key Management Service customer master keys (AWS KMS CMKs) to encrypt database volumes.
  4. Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes.
A
  1. Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes.

PII + Compliance = EBS + KMS

https://aws.amazon.com/blogs/security/architecting-for-database-encryption-on-aws/

EXAM SAA-C02 (18 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions