Set 1 Kindle SAA-003 Practice Test Flashcards
A company has two accounts for perform testing and each account has a single VPC: VPC-TEST1 and VPC-TEST2. The operations team require a method of securely copying files between Amazon EC2 instances in these VPCs. The connectivity should not have any single points of failure or bandwidth constraints. Which solution should a Solutions Architect recommend?
A. Create a VPC gateway endpoint for each EC2 instance and update route tables.
B. Attach a virtual private gateway to VPC-TEST1 and VPC-TEST2 and enable routing.
C. Attach a Direct Connect gateway to VPC-TEST1 and VPC-TEST2 and enable routing
D. Create a VPC peering connection between VPC-TEST1 and VPC-TEST2
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 49). Kindle Edition.
D. Create a VPC peering connection between VPC-TEST1 and VPC-TEST2
Explanation:
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection).
CORRECT: “Create a VPC peering connection between VPC-TEST1 and VPC-TEST2” is the correct answer.
INCORRECT: “Create a VPC gateway endpoint for each EC2 instance and update route tables” is incorrect. You cannot create VPC gateway endpoints for Amazon EC2 instances. These are used with DynamoDB and S3 only.
INCORRECT: “Attach a virtual private gateway to VPC-TEST1 and VPC-TEST2 and enable routing” is incorrect. You cannot create an AWS Managed VPN connection between two VPCs.
INCORRECT: “Attach a Direct Connect gateway to VPC-TEST1 and VPC-TEST2 and enable routing” is incorrect. Direct Connect gateway is used to connect a Direct Connect connection to multiple VPCs, it is not useful in this scenario as there is no Direct Connect connection
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 50). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 49-50). Kindle Edition.
A Solutions Architect has deployed an application on several Amazon EC2 instances across three private subnets. The application must be made accessible to internet-based clients with the least amount of administrative effort. How can the Solutions Architect make the application available on the internet?
A. Create an Amazon Machine Image (AMI) of the instances in the private subnet and launch new instances from the AMI in public subnets. Create an Application Load Balancer and add the public instances to the ALB.
B. Create an Application Load Balancer and associate three public subnets from the same Availability Zones as the private instances. Add the private instances to the ALB.
C. Create an Application Load Balancer and associate three private subnets from the same Availability Zones as the private instances. Add the private instances to the ALB.
D. Create a NAT gateway in a public subnet. Add a route to the NAT gateway to the route tables of the three private subnets.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 51). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 51). Kindle Edition.
B. Create an Application Load Balancer and associate three public subnets from the same Availability Zones as the private instances. Add the private instances to the ALB.
Explanation:
To make the application instances accessible on the internet the Solutions Architect needs to place them behind an internet-facing Elastic Load Balancer. The way you add instances in private subnets to a public facing ELB is to add public subnets in the same AZs as the private subnets to the ELB. You can then add the instances and to the ELB and they will become targets for load balancing. An example of this architecture is shown below:
CORRECT: “Create an Application Load Balancer and associate three public subnets from the same Availability Zones as the private instances. Add the private instances to the ALB” is the correct answer.
INCORRECT: “Create an Application Load Balancer and associate three private subnets from the same Availability Zones as the private instances. Add the private instances to the ALB” is incorrect. Public subnets in the same AZs as the private subnets must be added to make this configuration work.
INCORRECT: “Create an Amazon Machine Image (AMI) of the instances in the private subnet and launch new instances from the AMI in public subnets. Create an Application Load Balancer and add the public instances to the ALB” is incorrect. There is no need to use an AMI to create new instances in a public subnet. You can add instances in private subnets to a public-facing ELB.
INCORRECT: “Create a NAT gateway in a public subnet. Add a route to the NAT gateway to the route tables of the three private subnets” is incorrect. A NAT gateway is used for outbound traffic not inbound traffic and cannot make the application available to internet-based clients.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 53). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 52-53). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 52). Kindle Edition.
A video production company is planning to move some of its workloads to the AWS Cloud. The company will require around 5 TB of storage for video processing with the maximum possible I/O performance. They also require over 400 TB of extremely durable storage for storing video files and 800 TB of storage for long-term archival. Which combinations of services should a Solutions Architect use to meet these requirements?
A. Amazon EC2 instance store for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier for archival storage.
B. Amazon EBS for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier for archival storage. C. Amazon EC2 instance store for maximum performance, Amazon EFS for durable data storage, and Amazon S3 for archival storage.
D. Amazon EBS for maximum performance, Amazon EFS for durable data storage, and Amazon S3 Glacier for archival storage.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 53-54). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 53). Kindle Edition.
A. Amazon EC2 instance store for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier for archival storage.
Explanation:
The best I/O performance can be achieved by using instance store volumes for the video processing. This is safe to use for use cases where the data can be recreated from the source files so this is a good use case.
For storing data durably Amazon S3 is a good fit as it provides 99.999999999% of durability. For archival the video files can then be moved to Amazon S3 Glacier which is a low cost storage option that is ideal for long-term archival.
CORRECT: “Amazon EC2 instance store for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier for archival storage” is the correct answer.
INCORRECT: “Amazon EBS for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier for archival storage” is incorrect. EBS is not going to provide as much I/O performance as an instance store volume so is not the best choice for this use case.
INCORRECT: “Amazon EC2 instance store for maximum performance, Amazon EFS for durable data storage, and Amazon S3 for archival storage” is incorrect. EFS does not provide as much durability as Amazon S3 and will not be as cost-effective.
INCORRECT: “Amazon EBS for maximum performance, Amazon EFS for durable data storage, and Amazon S3 Glacier for archival storage” is incorrect. EBS and EFS are not the best choices here as described above
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 54-55). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 54). Kindle Edition.
A company provides a REST-based interface to an application that allows a partner company to send data in near-real time. The application then processes the data that is received and stores it for later analysis. The application runs on Amazon EC2 instances. The partner company has received many 503 Service Unavailable Errors when sending data to the application and the compute capacity reaches its limits and is unable to process requests when spikes in data volume occur. Which design should a Solutions Architect implement to improve scalability?
A. Use Amazon API Gateway in front of the existing application. Create a usage plan with a quota limit for the partner company. B. Use Amazon Kinesis Data Streams to ingest the data. Process the data using AWS Lambda functions.
C. Use Amazon SQS to ingest the data. Configure the EC2 instances to process messages from the SQS queue.
D. Use Amazon SNS to ingest the data and trigger AWS Lambda functions to process the data in near-real time.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 55). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 55). Kindle Edition.
B. Use Amazon Kinesis Data Streams to ingest the data. Process the data using AWS Lambda functions.
Explanation:
Amazon Kinesis enables you to ingest, buffer, and process streaming data in real-time. Kinesis can handle any amount of streaming data and process data from hundreds of thousands of sources with very low latencies. This is an ideal solution for data ingestion. To ensure the compute layer can scale to process increasing workloads, the EC2 instances should be replaced by AWS Lambda functions. Lambda can scale seamlessly by running multiple executions in parallel.
CORRECT: “Use Amazon Kinesis Data Streams to ingest the data. Process the data using AWS Lambda functions” is the correct answer.
INCORRECT: “Use Amazon API Gateway in front of the existing application. Create a usage plan with a quota limit for the partner company” is incorrect. A usage plan will limit the amount of data that is received and cause more errors to be received by the partner company.
INCORRECT: “Use Amazon SQS to ingest the data. Configure the EC2 instances to process messages from the SQS queue” is incorrect. Amazon Kinesis Data Streams should be used for near-real time or real-time use cases instead of Amazon SQS.
INCORRECT: “Use Amazon SNS to ingest the data and trigger AWS Lambda functions to process the data in near-real time” is incorrect. SNS is not a near-real time solution for data ingestion. SNS is used for sending notifications.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 56). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 56). Kindle Edition.
A persistent database must be migrated from an on-premises server to an Amazon EC2 instances. The database requires 64,000 IOPS and, if possible, should be stored on a single Amazon EBS volume. Which solution should a Solutions Architect recommend?
A. Use an instance from the I3 I/O optimized family and leverage instance store storage to achieve the IOPS requirement.
B. Create an Amazon EC2 instance with four Amazon EBS General Purpose SSD (gp2) volumes attached. Max out the IOPS on each volume and use a RAID 0 stripe set.
C. Create a Nitro-based Amazon EC2 instance with an Amazon EBS Provisioned IOPS SSD (i01) volume attached. Provision 64,000 IOPS for the volume.
D. Create an Amazon EC2 instance with two Amazon EBS Provisioned IOPS SSD (i01) volumes attached. Provision 32,000 IOPS per volume and create a logical volume using the OS that aggregates the capacity.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 57). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 57). Kindle Edition.
C. Create a Nitro-based Amazon EC2 instance with an Amazon EBS Provisioned IOPS SSD (i01) volume attached. Provision 64,000 IOPS for the volume.
Explanation:
Amazon EC2 Nitro-based systems are not required for this solution but do offer advantages in performance that will help to maximize the usage of the EBS volume. For the data storage volume an i01 volume can support up to 64,000 IOPS so a single volume with sufficient capacity (50 IOPS per GiB) can be deliver the requirements. The current list of EBS volume types is in the table below:
CORRECT: “Create a Nitro-based Amazon EC2 instance with an Amazon EBS Provisioned IOPS SSD (i01) volume attached. Provision 64,000 IOPS for the volume” is the correct answer.
INCORRECT: “Use an instance from the I3 I/O optimized family and leverage instance store storage to achieve the IOPS requirement” is incorrect.
INCORRECT: “Create an Amazon EC2 instance with four Amazon EBS General Purpose SSD (gp2) volumes attached. Max out the IOPS on each volume and use a RAID 0 stripe set” is incorrect. This is not a good use case for gp2 volumes. It is much better to use io1 which also meets the requirement of having a single volume with 64,000 IOPS.
INCORRECT: “Create an Amazon EC2 instance with two Amazon EBS Provisioned IOPS SSD (i01) volumes attached. Provision 32,000 IOPS per volume and create a logical volume using the OS that aggregates the capacity” is incorrect. There is no need to create two volumes and aggregate capacity through the OS, the Solutions Architect can simply create a single volume with 64,000 IOPS.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 58-59). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 58). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 57-58). Kindle Edition.
A company uses an Amazon RDS MySQL database instance to store customer order data. The security team have requested that SSL/TLS encryption in transit must be used for encrypting connections to the database from application servers. The data in the database is currently encrypted at rest using an AWS KMS key. How can a Solutions Architect enable encryption in transit?
A. Enable encryption in transit using the RDS Management console and obtain a key using AWS KMS.
B. Add a self-signed certificate to the RDS DB instance. Use the certificates in all connections to the RDS DB instance.
C. Take a snapshot of the RDS instance. Restore the snapshot to a new instance with encryption in transit enabled.
D. Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 59). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 59). Kindle Edition.
D. Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance.
Explanation:
Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. You can download a root certificate from AWS that works for all Regions or you can download Region-specific intermediate certificates.
CORRECT: “Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance” is the correct answer.
INCORRECT: “Take a snapshot of the RDS instance. Restore the snapshot to a new instance with encryption in transit enabled” is incorrect. There is no need to do this as a certificate is created when the DB instances is launched.
INCORRECT: “Enable encryption in transit using the RDS Management console and obtain a key using AWS KMS” is incorrect. You cannot enable/disable encryption in transit using the RDS management console or use a KMS key.
INCORRECT: “Add a self-signed certificate to the RDS DB instance. Use the certificates in all connections to the RDS DB instance” is incorrect. You cannot use self-signed certificates with RDS.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 60). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 59-60). Kindle Edition.
An eCommerce company runs an application on Amazon EC2 instances in public and private subnets. The web application runs in a public subnet and the database runs in a private subnet. Both the public and private subnets are in a single Availability Zone. Which combination of steps should a solutions architect take to provide high availability for this architecture? (Select TWO.)
A. Create new public and private subnets in the same AZ but in a different Amazon VPC.
B. Create an EC2 Auto Scaling group in the public subnet and use an Application Load Balancer.
C. Create an EC2 Auto Scaling group and Application Load Balancer that spans across multiple AZs.
D. Create new public and private subnets in a different AZ. Create a database using Amazon EC2 in one AZ.
E. Create new public and private subnets in a different AZ. Migrate the database to an Amazon RDS multi-AZ deployment.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 61). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 60-61). Kindle Edition.
C. Create an EC2 Auto Scaling group and Application Load Balancer that spans across multiple AZs.
E. Create new public and private subnets in a different AZ. Migrate the database to an Amazon RDS multi-AZ deployment.
Explanation:
High availability can be achieved by using multiple Availability Zones within the same VPC. An EC2 Auto Scaling group can then be used to launch web application instances in multiple public subnets across multiple AZs and an ALB can be used to distribute incoming load. The database solution can be made highly available by migrating from EC2 to Amazon RDS and using a Multi-AZ deployment model. This will provide the ability to failover to another AZ in the event of a failure of the primary database or the AZ in which it runs. CORRECT: “Create an EC2 Auto Scaling group and Application Load Balancer that spans across multiple AZs” is a correct answer. CORRECT: “Create new public and private subnets in a different AZ. Migrate the database to an Amazon RDS multi-AZ deployment” is also a correct answer.
INCORRECT: “Create new public and private subnets in the same AZ but in a different Amazon VPC” is incorrect. You cannot use multiple VPCs for this solution as it would be difficult to manage and direct traffic (you can’t load balance across VPCs). INCORRECT: “Create an EC2 Auto Scaling group in the public subnet and use an Application Load Balancer” is incorrect. This does not achieve HA as you need multiple public subnets across multiple AZs. INCORRECT: “Create new public and private subnets in a different AZ. Create a database using Amazon EC2 in one AZ” is incorrect. The database solution is not HA in this answer option.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 62). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 61-62). Kindle Edition.
A company runs an application on six web application servers in an Amazon EC2 Auto Scaling group in a single Availability Zone. The application is fronted by an Application Load Balancer (ALB). A Solutions Architect needs to modify the infrastructure to be highly available without making any modifications to the application. Which architecture should the Solutions Architect choose to enable high availability?
A. Create an Amazon CloudFront distribution with a custom origin across multiple Regions.
B. Modify the Auto Scaling group to use two instances across each of three Availability Zones.
C. Create a launch template that can be used to quickly create more instances in another Region.
D. Create an Auto Scaling group to launch three instances across each of two Regions.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 62-63). Kindle Edition.
B. Modify the Auto Scaling group to use two instances across each of three Availability Zones.
Explanation:
The only thing that needs to be changed in this scenario to enable HA is to split the instances across multiple Availability Zones. The architecture already uses Auto Scaling and Elastic Load Balancing so there is plenty of resilience to failure. Once the instances are running across multiple AZs there will be AZ-level fault tolerance as well.
CORRECT: “Modify the Auto Scaling group to use two instances across each of three Availability Zones” is the correct answer. INCORRECT: “Create an Amazon CloudFront distribution with a custom origin across multiple Regions” is incorrect. CloudFront is not used to create HA for your application, it is used to accelerate access to media content.
INCORRECT: “Create a launch template that can be used to quickly create more instances in another Region” is incorrect. Multi-AZ should be enabled rather than multi-Region.
INCORRECT: “Create an Auto Scaling group to launch three instances across each of two Regions” is incorrect. HA can be achieved within a Region by simply enabling more AZs in the ASG
An ASG cannot launch instances in multiple Regions
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 63). Kindle Edition.
A web application allows users to upload photos and add graphical elements to them. The application offers two tiers of service: free and paid. Photos uploaded by paid users should be processed before those submitted using the free tier. The photos are uploaded to an Amazon S3 bucket which uses an event notification to send the job information to Amazon SQS. How should a Solutions Architect configure the Amazon SQS deployment to meet these requirements?
A. Use one SQS standard queue. Use batching for the paid photos and short polling for the free photos.
B. Use a separate SQS FIFO queue for each tier. Set the free queue to use short polling and the paid queue to use long polling. C. Use a separate SQS Standard queue for each tier. Configure Amazon EC2 instances to prioritize polling for the paid queue over the free queue.
D. Use one SQS FIFO queue. Assign a higher priority to the paid photos so they are processed first.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 64). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 64). Kindle Edition.
C. Use a separate SQS Standard queue for each tier. Configure Amazon EC2 instances to prioritize polling for the paid queue over the free queue.
Explanation:
AWS recommend using separate queues when you need to provide prioritization of work. The logic can then be implemented at the application layer to prioritize the queue for the paid photos over the queue for the free photos.
CORRECT: “Use a separate SQS Standard queue for each tier. Configure Amazon EC2 instances to prioritize polling for the paid queue over the free queue” is the correct answer.
INCORRECT: “Use one SQS FIFO queue. Assign a higher priority to the paid photos so they are processed first” is incorrect. FIFO queues preserve the order of messages but they do not prioritize messages within the queue. The orders would need to be placed into the queue in a priority order and there’s no way of doing this as the messages are sent automatically through event notifications as they are received by Amazon S3.
INCORRECT: “Use one SQS standard queue. Use batching for the paid photos and short polling for the free photos” is incorrect. Batching adds efficiency but it has nothing to do with ordering or priority.
INCORRECT: “Use a separate SQS FIFO queue for each tier. Set the free queue to use short polling and the paid queue to use long polling” is incorrect. Short polling and long polling are used to control the amount of time the consumer process waits before closing the API call and trying again. Polling should be configured for efficiency of API calls and processing of messages but does not help with message prioritization.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 64-65). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 64). Kindle Edition.
A company has deployed a new website on Amazon EC2 instances behind an Application Load Balancer (ALB). Amazon Route 53 is used for the DNS service. The company has asked a Solutions Architect to create a backup website with support contact details that users will be directed to automatically if the primary website is down. How should the Solutions Architect deploy this solution cost-effectively?
A. Configure a static website using Amazon S3 and create a Route 53 weighted routing policy.
B. Deploy the backup website on EC2 and ALB in another Region and use Route 53 health checks for failover routing.
C. Create the backup website on EC2 and ALB in another Region and create an AWS Global Accelerator endpoint.
D. Configure a static website using Amazon S3 and create a Route 53 failover routing policy.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 66). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 65-66). Kindle Edition.
D. Configure a static website using Amazon S3 and create a Route 53 failover routing policy.
Explanation:
The most cost-effective solution is to create a static website using an Amazon S3 bucket and then use a failover routing policy in Amazon Route 53. With a failover routing policy users will be directed to the main website as long as it is responding to health checks successfully. If the main website fails to respond to health checks (its down), Route 53 will begin to direct users to the backup website running on the Amazon S3 bucket. It’s important to set the TTL on the Route 53 records appropriately to ensure that users resolve the failover address within a short time.
CORRECT: “Configure a static website using Amazon S3 and create a Route 53 failover routing policy” is the correct answer.
INCORRECT: “Configure a static website using Amazon S3 and create a Route 53 weighted routing policy” is incorrect. Weighted routing is used when you want to send a percentage of traffic between multiple endpoints. In this case all traffic should go to the primary until if fails, then all should go to the backup.
INCORRECT: “Deploy the backup website on EC2 and ALB in another Region and use Route 53 health checks for failover routing” is incorrect. This is not a cost-effective solution for the backup website. It can be implemented using Route 53 failover routing which uses health checks but would be an expensive option.
INCORRECT: “Create the backup website on EC2 and ALB in another Region and create an AWS Global Accelerator endpoint” is incorrect. Global Accelerator is used for performance as it directs traffic to the nearest healthy endpoint. It is not useful for failover in this scenario and is also a very expensive solution.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 66-67). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 66). Kindle Edition.
A company requires that all AWS IAM user accounts have specific complexity requirements and minimum password length. How should a Solutions Architect accomplish this?
A. Set a password policy for each IAM user in the AWS account.
B. Set a password policy for the entire AWS account.
C. Create an IAM policy that enforces the requirements and apply it to all users.
D. Use an AWS Config rule to enforce the requirements when creating user accounts.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 68). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 67). Kindle Edition.
A. Set a password policy for each IAM user in the AWS account.
Explanation:
The easiest way to enforce this requirement is to update the password policy that applies to the entire AWS account. When you create or change a password policy, most of the password policy settings are enforced the next time your users change their passwords. However, some of the settings are enforced immediately such as the password expiration period.
CORRECT: “Set a password policy for the entire AWS account” is the correct answer.
INCORRECT: “Set a password policy for each IAM user in the AWS account” is incorrect. There’s no need to set an individual password policy for each user, it will be easier to set the policy for everyone.
INCORRECT: “Create an IAM policy that enforces the requirements and apply it to all users” is incorrect. As there is no specific targeting required it is easier to update the account password policy.
INCORRECT: “Use an AWS Config rule to enforce the requirements when creating user accounts” is incorrect. You cannot use AWS Config to enforce the password requirements at the time of creating a user account.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 68). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 68). Kindle Edition.
A company runs a dynamic website that is hosted on an on-premises server in the United States. The company is expanding to Europe and is investigating how they can optimize the performance of the website for European users. The website’s backed must remain in the United States. The company requires a solution that can be implemented within a few days. What should a Solutions Architect recommend?
A. Use Amazon CloudFront with Lambda@Edge to direct traffic to an on-premises origin.
B. Launch an Amazon EC2 instance in an AWS Region in the United States and migrate the website to it.
C. Migrate the website to Amazon S3. Use cross-Region replication between Regions and a latency-based Route 53 policy. D. Use Amazon CloudFront with a custom origin pointing to the on-premises servers.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 69). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 69). Kindle Edition.
C. Migrate the website to Amazon S3. Use cross-Region replication between Regions and a latency-based Route 53 policy.
Explanation:
A custom origin can point to an on-premises server and CloudFront is able to cache content for dynamic websites. CloudFront can provide performance optimizations for custom origins even if they are running on on-premises servers. These include persistent TCP connections to the origin, SSL enhancements such as Session tickets and OCSP stapling. Additionally, connections are routed from the nearest Edge Location to the user across the AWS global network. If the on-premises server is connected via a Direct Connect (DX) link this can further improve performance.
CORRECT: “Use Amazon CloudFront with a custom origin pointing to the on-premises servers” is the correct answer.
INCORRECT: “Use Amazon CloudFront with Lambda@Edge to direct traffic to an on-premises origin” is incorrect. Lambda@Edge is not used to direct traffic to on-premises origins.
INCORRECT: “Launch an Amazon EC2 instance in an AWS Region in the United States and migrate the website to it” is incorrect. This would not necessarily improve performance for European users.
INCORRECT: “Migrate the website to Amazon S3. Use cross-Region replication between Regions and a latency-based Route 53 policy” is incorrect. You cannot host dynamic websites on Amazon S3 (static only).
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 69-70). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 69). Kindle Edition.
A company runs an application in an on-premises data center that collects environmental data from production machinery. The data consists of JSON files stored on network attached storage (NAS) and around 5 TB of data is collected each day. The company must upload this data to Amazon S3 where it can be processed by an analytics application. The data must be transferred securely. Which solution offers the MOST reliable and time-efficient data transfer?
A. AWS Database Migration Service over the Internet.
B. Amazon S3 Transfer Acceleration over the Internet.
C. AWS DataSync over AWS Direct Connect.
D. Multiple AWS Snowcone devices.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 70-71). Kindle Edition.
C. AWS DataSync over AWS Direct Connect.
Explanation:
The most reliable and time-efficient solution that keeps the data secure is to use AWS DataSync and synchronize the data from the NAS device directly to Amazon S3. This should take place over an AWS Direct Connect connection to ensure reliability, speed, and security. AWS DataSync can copy data between Network File System (NFS) shares, Server Message Block (SMB) shares,self-managed object storage, AWS Snowcone, Amazon Simple Storage Service (Amazon S3) buckets, Amazon Elastic File System (Amazon EFS) file systems, and Amazon FSx for Windows File Server file systems.
CORRECT: “AWS DataSync over AWS Direct Connect” is the correct answer.
INCORRECT: “AWS Database Migration Service over the Internet” is incorrect. DMS is for migrating databases, not files. INCORRECT: “Amazon S3 Transfer Acceleration over the Internet” is incorrect. The Internet does not offer the reliability, speed or performance that this company requires.
INCORRECT: “Multiple AWS Snowcone devices” is incorrect. This is not a time-efficient approach as it can take time to ship these devices in both directions
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 71). Kindle Edition.
A company runs an application on an Amazon EC2 instance the requires 250 GB of storage space. The application is not used often and has small spikes in usage on weekday mornings and afternoons. The disk I/O can vary with peaks hitting a maximum of 3,000 IOPS. A Solutions Architect must recommend the most cost-effective storage solution that delivers the performance required. Which configuration should the Solutions Architect recommend?
Which solution should the solutions architect recommend?
A. Amazon EBS Cold HDD (sc1)
B. Amazon EBS General Purpose SSD (gp2)
C. Amazon EBS Provisioned IOPS SSD (i01)
D. Amazon EBS Throughput Optimized HDD (st1)
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 72). Kindle Edition.
B. Amazon EBS General Purpose SSD (gp2)
Explanation:
General Purpose SSD (gp2) volumes offer cost-effective storage that is ideal for a broad range of workloads. These volumes deliver single-digit millisecond latencies and the ability to burst to 3,000 IOPS for extended periods of time. Between a minimum of 100 IOPS (at 33.33 GiB and below) and a maximum of 16,000 IOPS (at 5,334 GiB and above), baseline performance scales linearly at 3 IOPS per GiB of volume size. AWS designsgp2volumes to deliver their provisioned performance 99% of the time. Agp2volume can range in size from 1 GiB to 16 TiB. In this configuration the volume will provide a baseline performance of 750 IOPS but will always be able to burst to the required 3,000 IOPS during periods of increased traffic.
CORRECT: “Amazon EBS General Purpose SSD (gp2)” is the correct answer.
INCORRECT: “Amazon EBS Provisioned IOPS SSD (i01)” is incorrect. The i01 volume type will be more expensive and is not necessary for the performance levels required.
INCORRECT: “Amazon EBS Cold HDD (sc1)” is incorrect. The sc1 volume type is not going to deliver the performance requirements as it cannot burst to 3,000 IOPS.
INCORRECT: “Amazon EBS Throughput Optimized HDD (st1)” is incorrect. The st1 volume type is not going to deliver the performance requirements as it cannot burst to 3,000 IOPS.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 73). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 72-73). Kindle Edition.
A company offers an online product brochure that is delivered from a static website running on Amazon S3. The company’s customers are mainly in the United States, Canada, and Europe. The company is looking to cost-effectively reduce the latency for users in these regions. What is the most cost-effective solution to these requirements?
A. Create an Amazon CloudFront distribution that uses origins in U.S, Canada and Europe.
B. Create an Amazon CloudFront distribution and use Lambda@Edge to run the website’s data processing closer to the users.
C. Create an Amazon CloudFront distribution and set the price class to use only U.S, Canada and Europe.
D. Create an Amazon CloudFront distribution and set the price class to use all Edge Locations for best performance.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 73-74). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 73). Kindle Edition.
C. Create an Amazon CloudFront distribution and set the price class to use only U.S, Canada and Europe.
Explanation:
With Amazon CloudFront you can set the price class to determine where in the world the content will be cached. One of the price classes is “U.S, Canada and Europe” and this is where the company’s users are located. Choosing this price class will result in lower costs and better performance for the company’s users.
CORRECT: “Create an Amazon CloudFront distribution and set the price class to use only U.S, Canada and Europe.” is the correct answer.
INCORRECT: “Create an Amazon CloudFront distribution and set the price class to use all Edge Locations for best performance” is incorrect. This will be more expensive as it will cache content in Edge Locations all over the world.
INCORRECT: “Create an Amazon CloudFront distribution that uses origins in U.S, Canada and Europe” is incorrect. The origin can be in one place, there’s no need to add origins in different Regions. The price class should be used to limit the caching of the content to reduce cost.
INCORRECT: “Create an Amazon CloudFront distribution and use Lambda@Edge to run the website’s data processing closer to the users” is incorrect. Lambda@Edge will not assist in this situation as there is no data processing required, the content from the static website must simply be cached at an edge location.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 74). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 74). Kindle Edition.
A developer created an application that uses Amazon EC2 and an Amazon RDS MySQL database instance. The developer stored the database user name and password in a configuration file on the root EBS volume of the EC2 application instance. A Solutions Architect has been asked to design a more secure solution. What should the Solutions Architect do to achieve this requirement?
A. Move the configuration file to an Amazon S3 bucket. Create an IAM role with permission to the bucket and attach it to the EC2 instance.
B. Attach an additional volume to the EC2 instance with encryption enabled. Move the configuration file to the encrypted volume.
C. Install an Amazon-trusted root certificate on the application instance and use SSL/TLS encrypted connections to the database. D. Create an IAM role with permission to access the database. Attach this IAM role to the EC2 instance.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 75). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 75). Kindle Edition.
D. Create an IAM role with permission to access the database. Attach this IAM role to the EC2 instance.
Explanation:
The key problem here is having plain text credentials stored in a file. Even if you encrypt the volume there is still as security risk as the credentials are loaded by the application and passed to RDS. The best way to secure this solution is to get rid of the credentials completely by using an IAM role instead. The IAM role can be assigned permissions to the database instance and can be attached to the EC2 instance. The instance will then obtain temporary security credentials from AWS STS which is much more secure.
CORRECT: “Create an IAM role with permission to access the database. Attach this IAM role to the EC2 instance” is the correct answer.
INCORRECT: “Move the configuration file to an Amazon S3 bucket. Create an IAM role with permission to the bucket and attach it to the EC2 instance” is incorrect. This just relocates the file; the contents are still unsecured and must be loaded by the application and passed to RDS. This is an insecure process. INCORRECT: “Attach an additional volume to the EC2 instance with encryption enabled. Move the configuration file to the encrypted volume” is incorrect. This will only encrypt the file at rest, it still must be read, and the contents passed to RDS which is insecure. INCORRECT: “Install an Amazon-trusted root certificate on the application instance and use SSL/TLS encrypted connections to the database” is incorrect. The file is still unsecured on the EBS volume so encrypting the credentials in an encrypted channel between the EC2 instance and RDS does not solve all security issues.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 76). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 75-76). Kindle Edition.
A financial services company has a web application with an application tier running in the U.S and Europe. The database tier consists of a MySQL database running on Amazon EC2 in us-west-1. Users are directed to the closest application tier using Route 53 latency-based routing. The users in Europe have reported poor performance when running queries. Which changes should a Solutions Architect make to the database tier to improve performance?
A. Migrate the database to Amazon RDS for MySQL. Configure Multi-AZ in one of the European Regions.
B. Migrate the database to an Amazon Aurora global database in MySQL compatibility mode. Configure the application tier in Europe to use the local reader endpoint.
C. Migrate the database to Amazon RedShift. Use AWS DMS to synchronize data. Configure applications to use the RedShift data warehouse for queries.
D. Create an Amazon RDS Read Replica in one of the European regions. Configure the application tier in Europe to use the read replica for queries.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 77). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 77). Kindle Edition.
B. Migrate the database to an Amazon Aurora global database in MySQL compatibility mode. Configure the application tier in Europe to use the local reader endpoint.
Explanation:
Amazon Aurora Global Database is designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS regions. It replicates your data with no impact on database performance, enables fast local reads with low latency in each region, and provides disaster recovery from region-wide outages. A global database can be configured in the European region and then the application tier in Europe will need to be configured to use the local database for reads/queries. The diagram below depicts an Aurora Global Database deployment.
CORRECT: “Migrate the database to an Amazon Aurora global database in MySQL compatibility mode. Configure the application tier in Europe to use the local reader endpoint” is the correct answer. INCORRECT: “Migrate the database to Amazon RDS for MySQL. Configure Multi-AZ in one of the European Regions” is incorrect. You cannot configure a multi-AZ DB instance to run in another Region, it must be in the same Region but in a different Availability Zone. INCORRECT: “Migrate the database to Amazon RedShift. Use AWS DMS to synchronize data. Configure applications to use the RedShift data warehouse for queries” is incorrect. RedShift is a data warehouse and used for running analytics queries on data that is exported from transactional database systems. It should not be used to reduce latency for users of a database, and is not a live copy of the data. INCORRECT: “Create an Amazon RDS Read Replica in one of the European regions. Configure the application tier in Europe to use the read replica for queries” is incorrect. You cannot create an RDS Read Replica of a database that is running on Amazon EC2. You can only create read replicas of databases running on Amazon RDS.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 78-79). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 78). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 77-78). Kindle Edition.
A company runs an application that uses an Amazon RDS PostgreSQL database. The database is currently not encrypted. A Solutions Architect has been instructed that due to new compliance requirements requirements all existing and new data in the database must be encrypted. The database experiences high volumes of changes and no data can be lost. How can the Solutions Architect enable encryption for the database without incurring any data loss?
A. Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot.
B. Create a new RDS DB instance from the encrypted snapshot. Configure the application to use the new DB endpoint. Create an RDS read replica and specify an encryption key. Promote the encrypted read replica to primary. Update the application to point to the new RDS DB endpoint.
C. Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot. Create a new RDS DB instance from the encrypted snapshot and update the application. Use AWS DMS to synchronize data between the source and destination RDS DBs.
D. Update the RDS DB to Multi-AZ mode and enable encryption for the standby replica. Perform a failover to the standby instance and then delete the unencrypted RDS DB instance.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 80). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 79-80). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 79). Kindle Edition.
C. Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot. Create a new RDS DB instance from the encrypted snapshot and update the application. Use AWS DMS to synchronize data between the source and destination RDS DBs.
Explanation:
You cannot change the encryption status of an existing RDS DB instance. Encryption must be specified when creating the RDS DB instance. The best way to encrypt an existing database is to take a snapshot, encrypt a copy of the snapshot and restore the snapshot to a new RDS DB instance. This results in an encrypted database that is a new instance. Applications must be updated to use the new RDS DB endpoint. In this scenario as there is a high rate of change, the databases will be out of sync by the time the new copy is created and is functional. The best way to capture the changes between the source (unencrypted) and destination (encrypted) DB is to use AWS Database Migration Service (DMS) to synchronize the data. The slide below depicts the process for encrypting an unencrypted RDS DB instance:
CORRECT: “Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot. Create a new RDS DB instance from the encrypted snapshot and update the application. Use AWS DMS to synchronize data between the source and destination RDS DBs” is the correct answer.
INCORRECT: “Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot. Create a new RDS DB instance from the encrypted snapshot. Configure the application to use the new DB endpoint” is incorrect. This answer creates an encrypted DB instance but does not synchronize the data.
INCORRECT: “Create an RDS read replica and specify an encryption key. Promote the encrypted read replica to primary. Update the application to point to the new RDS DB endpoint” is incorrect. You cannot create an encrypted read replica of an unencrypted RDS DB. The read replica will always have the same encryption status as the RDS DB it is created from.
INCORRECT: “Update the RDS DB to Multi-AZ mode and enable encryption for the standby replica. Perform a failover to the standby instance and then delete the unencrypted RDS DB instance” is incorrect. You also cannot have an encrypted Multi-AZ standby instance of an unencrypted RDS DB.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 81-82). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 80-81). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 80). Kindle Edition.
A company runs an application in a factory that has a small rack of physical compute resources. The application stores data on a network attached storage (NAS) device using the NFS protocol. The company requires a daily offsite backup of the application data. Which solution can a Solutions Architect recommend to meet this requirement?
A. Use an AWS Storage Gateway file gateway hardware appliance on premises to replicate the data to Amazon S3.
B. Use an AWS Storage Gateway volume gateway with stored volumes on premises to replicate the data to Amazon S3.
C. Use an AWS Storage Gateway volume gateway with cached volumes on premises to replicate the data to Amazon S3.
D. Create an IPSec VPN to AWS and configure the application to mount the Amazon EFS file system. Run a copy job to backup the data to EFS.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 82). Kindle Edition.
A. Use an AWS Storage Gateway file gateway hardware appliance on premises to replicate the data to Amazon S3.
Explanation:
The AWS Storage Gateway Hardware Appliance is a physical, standalone, validated server configuration for on-premises deployments. It comes pre-loaded with Storage Gateway software, and provides all the required CPU, memory, network, and SSD cache resources for creating and configuring File Gateway, Volume Gateway, or Tape Gateway. A file gateway is the correct type of appliance to use for this use case as it is suitable for mounting via the NFS and SMB protocols.
CORRECT: “Use an AWS Storage Gateway file gateway hardware appliance on premises to replicate the data to Amazon S3” is the correct answer.
INCORRECT: “Use an AWS Storage Gateway volume gateway with stored volumes on premises to replicate the data to Amazon S3” is incorrect. Volume gateways are used for block-based storage and this solution requires NFS (file-based storage).
INCORRECT: “Use an AWS Storage Gateway volume gateway with cached volumes on premises to replicate the data to Amazon S3” is incorrect. Volume gateways are used for block-based storage and this solution requires NFS (file-based storage).
INCORRECT: “Create an IPSec VPN to AWS and configure the application to mount the Amazon EFS file system. Run a copy job to backup the data to EFS” is incorrect. It would be better to use a Storage gateway which will automatically take care of synchronizing a copy of the data to AWS
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 83). Kindle Edition.
A company is deploying a fleet of Amazon EC2 instances running Linux across multiple Availability Zones within an AWS Region. The application requires a data storage solution that can be accessed by all of the EC2 instances simultaneously. The solution must be highly scalable and easy to implement. The storage must be mounted using the NFS protocol. Which solution meets these requirements?
A. Create an Amazon S3 bucket and create an S3 gateway endpoint to allow access to the file system using the NFS protocol.
B. Create an Amazon EFS file system with mount targets in each Availability Zone. Configure the application instances to mount the file system.
C. Create an Amazon EBS volume and use EBS Multi-Attach to mount the volume to all EC2 instances across each Availability Zone.
D. Create an Amazon RDS database and store the data in a BLOB format. Point the application instances to the RDS endpoint.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 84). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 84). Kindle Edition.
B. Create an Amazon EFS file system with mount targets in each Availability Zone. Configure the application instances to mount the file system.
Explanation:
Amazon EFS provides scalable file storage for use with Amazon EC2. You can use an EFS file system as a common data source for workloads and applications running on multiple instances. The EC2 instances can run in multiple AZs within a Region and the NFS protocol is used to mount the file system. With EFS you can create mount targets in each AZ for lower latency. The application instances in each AZ will mount the file system using the local mount target.
CORRECT: “Create an Amazon EFS file system with mount targets in each Availability Zone. Configure the application instances to mount the file system” is the correct answer. INCORRECT: “Create an Amazon S3 bucket and create an S3 gateway endpoint to allow access to the file system using the NFS protocol” is incorrect. You cannot use NFS with S3 or with gateway endpoints. INCORRECT: “Create an Amazon EBS volume and use EBS Multi-Attach to mount the volume to all EC2 instances across each Availability Zone” is incorrect. You cannot use Amazon EBS Multi-Attach across multiple AZs. INCORRECT: “Create an Amazon RDS database and store the data in a BLOB format. Point the application instances to the RDS endpoint” is incorrect. This is not a suitable storage solution for a file system that is mounted over NFS.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 85). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 84-85). Kindle Edition.
A company is working with a strategic partner that has an application that must be able to send messages to one of the company’s Amazon SQS queues. The partner company has its own AWS account. How can a Solutions Architect provide least privilege access to the partner?
A. Create a user account that and grant the sqs:SendMessage permission for Amazon SQS. Share the credentials with the partner company.
B. Create a cross-account role with access to all SQS queues and use the partner’s AWS account in the trust document for the role. C. Update the permission policy on the SQS queue to grant all permissions to the partner’s AWS account.
D. Update the permission policy on the SQS queue to grant the sqs:SendMessage permission to the partners AWS account
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 85-86). Kindle Edition.
D. Update the permission policy on the SQS queue to grant the sqs:SendMessage permission to the partners AWS account
Explanation:
Amazon SQS supports resource-based policies. The best way to grant the permissions using the principle of least privilege is to use a resource-based policy attached to the SQS queue that grants the partner company’s AWS account the sqs:SendMessage privilege. The following policy is an example of how this could be configured:
CORRECT: “Update the permission policy on the SQS queue to grant the sqs:SendMessage permission to the partner’s AWS account” is the correct answer.
INCORRECT: “Create a user account that and grant the sqs:SendMessage permission for Amazon SQS. Share the credentials with the partner company” is incorrect. This would provide the permissions for all SQS queues, not just the queue the partner company should be able to access.
INCORRECT: “Create a cross-account role with access to all SQS queues and use the partner’s AWS account in the trust document for the role” is incorrect. This would provide access to all SQS queues and the partner company should only be able to access one SQS queue.
INCORRECT: “Update the permission policy on the SQS queue to grant all permissions to the partner’s AWS account” is incorrect. This provides too many permissions; the partner company only needs to send messages to the queue.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 86-87). Kindle Edition.
A company is investigating methods to reduce the expenses associated with on-premises backup infrastructure. The Solutions Architect wants to reduce costs by eliminating the use of physical backup tapes. It is a requirement that existing backup applications and workflows should continue to function. What should the Solutions Architect recommend?
A. Connect the backup applications to an AWS Storage Gateway using an iSCSI-virtual tape library (VTL).
B. Create an Amazon EFS file system and connect the backup applications using the NFS protocol.
C. Create an Amazon EFS file system and connect the backup applications using the iSCSI protocol.
D. Connect the backup applications to an AWS Storage Gateway using the iSCSI protocol.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 88). Kindle Edition.
A. Connect the backup applications to an AWS Storage Gateway using an iSCSI-virtual tape library (VTL).
Explanation:
The AWS Storage Gateway Tape Gateway enables you to replace using physical tapes on premises with virtual tapes in AWS without changing existing backup workflows. Tape Gateway emulates physical tape libraries, removes the cost and complexity of managing physical tape infrastructure, and provides more durability than physical tapes.
CORRECT: “Connect the backup applications to an AWS Storage Gateway using an iSCSI-virtual tape library (VTL)” is the correct answer.
INCORRECT: “Create an Amazon EFS file system and connect the backup applications using the NFS protocol” is incorrect. The NFS protocol is used by AWS Storage Gateway File Gateways but these do not provide virtual tape functionality that is suitable for replacing the existing backup infrastructure.
INCORRECT: “Create an Amazon EFS file system and connect the backup applications using the iSCSI protocol” is incorrect. The NFS protocol is used by AWS Storage Gateway File Gateways but these do not provide virtual tape functionality that is suitable for replacing the existing backup infrastructure.
INCORRECT: “Connect the backup applications to an AWS Storage Gateway using the NFS protocol” is incorrect. The iSCSI protocol is used by AWS Storage Gateway Volume Gateways but these do not provide virtual tape functionality that is suitable for replacing the existing backup infrastructure.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 89). Kindle Edition.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 88-89). Kindle Edition.
A Solutions Architect has been tasked with re-deploying an application running on AWS to enable high availability. The application processes messages that are received in an ActiveMQ queue running on a single Amazon EC2 instance. Messages are then processed by a consumer application running on Amazon EC2. After processing the messages the consumer application writes results to a MySQL database running on Amazon EC2. Which architecture offers the highest availability and low operational complexity?
A. Deploy a second Active MQ server to another Availability Zone. Launch an additional consumer EC2 instance in another Availability Zone. Use MySQL database replication to another Availability Zone.
B. Deploy Amazon MQ with active/standby brokers configured across two Availability Zones. Launch an additional consumer EC2 instance in another Availability Zone. Use MySQL database replication to another Availability Zone.
C. Deploy Amazon MQ with active/standby brokers configured across two Availability Zones. Launch an additional consumer EC2 instance in another Availability Zone. Use Amazon RDS for MySQL with Multi-AZ enabled.
D. Deploy Amazon MQ with active/standby brokers configured across two Availability Zones. Create an Auto Scaling group for the consumer EC2 instances across two Availability Zones. Create an Auto Scaling group for the consumer EC2 instances across two Availability Zones. Use an Amazon RDS MySQL database with Multi AZ enabled
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 89-90). Kindle Edition.
D. Deploy Amazon MQ with active/standby brokers configured across two Availability Zones. Create an Auto Scaling group for the consumer EC2 instances across two Availability Zones. Create an Auto Scaling group for the consumer EC2 instances across two Availability Zones. Use an Amazon RDS MySQL database with Multi AZ enabled
Explanation:
The correct answer offers the highest availability as it includes Amazon MQ active/standby brokers across two AZs, an Auto Scaling group across two AZ,s and a Multi-AZ Amazon RDS MySQL database deployment. This architecture not only offers the highest availability it is also operationally simple as it maximizes the usage of managed services.
CORRECT: “Deploy Amazon MQ with active/standby brokers configured across two Availability Zones. Create an Auto Scaling group for the consumer EC2 instances across two Availability Zones. Use an Amazon RDS MySQL database with Multi-AZ enabled” is the correct answer.
INCORRECT: “Deploy a second Active MQ server to another Availability Zone. Launch an additional consumer EC2 instance in another Availability Zone. Use MySQL database replication to another Availability Zone” is incorrect. This architecture does not offer the highest availability as it does not use Auto Scaling. It is also not the most operationally efficient architecture as it does not use AWS managed services.
INCORRECT: “Deploy Amazon MQ with active/standby brokers configured across two Availability Zones. Launch an additional consumer EC2 instance in another Availability Zone. Use MySQL database replication to another Availability Zone” is incorrect. This architecture does not use Auto Scaling for best HA or the RDS managed service.
INCORRECT: “Deploy Amazon MQ with active/standby brokers configured across two Availability Zones. Launch an additional consumer EC2 instance in another Availability Zone. Use Amazon RDS for MySQL with Multi-AZ enabled” is incorrect. This solution does not use Auto Scaling.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 90-91). Kindle Edition.
Storage capacity has become an issue for a company that runs application servers on-premises. The servers are connected to a combination of block storage and NFS storage solutions. The company requires a solution that supports local caching without re-architecting its existing applications. Which combination of changes can the company make to meet these requirements? (Select TWO.)
A. Use an AWS Storage Gateway file gateway to replace the NFS storage.
B. Use the mount command on servers to mount Amazon S3 buckets using NFS. C. Use AWS Direct Connect and mount an Amazon FSx for Windows File Server using iSCSI.
D. Use an AWS Storage Gateway volume gateway to replace the block storage. E..Use Amazon Elastic File System (EFS) volumes to replace the block storage.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 92). Kindle Edition.
A. Use an AWS Storage Gateway file gateway to replace the NFS storage.
D. Use an AWS Storage Gateway volume gateway to replace the block storage.
Explanation:
In this scenario the company should use cloud storage to replace the existing storage solutions that are running out of capacity. The on-premises servers mount the existing storage using block protocols (iSCSI) and file protocols (NFS). As there is a requirement to avoid re-architecting existing applications these protocols must be used in the revised solution. The AWS Storage Gateway volume gateway should be used to replace the block-based storage systems as it is mounted over iSCSI and the file gateway should be used to replace the NFS file systems as it uses NFS. CORRECT: “Use an AWS Storage Gateway file gateway to replace the NFS storage” is a correct answer. CORRECT: “Use an AWS Storage Gateway volume gateway to replace the block storage” is a correct answer. INCORRECT: “Use the mount command on servers to mount Amazon S3 buckets using NFS” is incorrect. You cannot mount S3 buckets using NFS as it is an object-based storage system (not file-based) and uses an HTTP REST API. INCORRECT: “Use AWS Direct Connect and mount an Amazon FSx for Windows File Server using iSCSI” is incorrect. You cannot mount FSx for Windows File Server file systems using iSCSI, you must use SMB. INCORRECT: “Use Amazon Elastic File System (EFS) volumes to replace the block storage” is incorrect. You cannot use EFS to replace block storage as it uses NFS rather than iSCSI.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 92-93). Kindle Edition.
A company hosts an application on Amazon EC2 instances behind Application Load Balancers in several AWS Regions. Distribution rights for the content require that users in different geographies must be served content from specific regions. Which configuration meets these requirements?
A. Create Amazon Route 53 records with a geolocation routing policy.
B. Create Amazon Route 53 records with a geoproximity routing policy.
C. Configure Amazon CloudFront with multiple origins and AWS WAF.
D. Configure Application Load Balancers with multi-Region routing.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 93-94). Kindle Edition.
A. Create Amazon Route 53 records with a geolocation routing policy.
Explanation:
To protect the distribution rights of the content and ensure that users are directed to the appropriate AWS Region based on the location of the user, the geolocation routing policy can be used with Amazon Route 53. Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. When you use geolocation routing, you can localize your content and present some or all of your website in the language of your users. You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights.
CORRECT: “Create Amazon Route 53 records with a geolocation routing policy” is the correct answer.
INCORRECT: “Create Amazon Route 53 records with a geoproximity routing policy” is incorrect. Use this routing policy when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
INCORRECT: “Configure Amazon CloudFront with multiple origins and AWS WAF” is incorrect. AWS WAF protects against web exploits but will not assist with directing users to different content (from different origins).
INCORRECT: “Configure Application Load Balancers with multi-Region routing” is incorrect. There is no such thing as multi-Region routing for ALBs.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 94-95). Kindle Edition.
A company plans to make an Amazon EC2 Linux instance unavailable outside of business hours to save costs. The instance is backed by an Amazon EBS volume. There is a requirement that the contents of the instance’s memory must be preserved when it is made unavailable. How can a solutions architect meet these requirements?
A. Stop the instance outside business hours. Start the instance again when required.
B. Hibernate the instance outside business hours. Start the instance again when required.
C. Use Auto Scaling to scale down the instance outside of business hours. Scale up the instance when required.
D. Terminate the instance outside business hours. Recover the instance again when required.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (p. 95). Kindle Edition.
B. Hibernate the instance outside business hours. Start the instance again when required.
Explanation:
When you hibernate an instance, Amazon EC2 signals the operating system to perform hibernation (suspend-to-disk). Hibernation saves the contents from the instance memory (RAM) to your Amazon Elastic Block Store (Amazon EBS) root volume. Amazon EC2 persists the instance’s EBS root volume and any attached EBS data volumes. When you start your instance: The EBS root volume is restored to its previous state The RAM contents are reloaded The processes that were previously running on the instance are resumed Previously attached data volumes are reattached and the instance retains its instance ID CORRECT: “Hibernate the instance outside business hours. Start the instance again when required” is the correct answer. INCORRECT: “Stop the instance outside business hours. Start the instance again when required” is incorrect. When an instance is stopped the operating system is shut down and the contents of memory will be lost. INCORRECT: “Use Auto Scaling to scale down the instance outside of business hours. Scale out the instance when required” is incorrect. Auto Scaling scales does not scale up and down, it scales in by terminating instances and out by launching instances. When scaling out new instances are launched and no state will be available from terminated instances. INCORRECT: “Terminate the instance outside business hours. Recover the instance again when required” is incorrect. You cannot recover terminated instances, you can recover instances that have become impaired in some circumstances.
Davis, Neal. AWS Certified Solutions Architect Associate Practice Tests 2022 [SAA-C03]: 390 AWS Practice Exam Questions with Answers & detailed Explanations (pp. 95-96). Kindle Edition.
