Stuff I got wrong Flashcards

1
Q

How do you troubleshoot ECS containers?

A
  • Verify that the Docker daemon is running on the container instance.
  • Verify that the Docker Container daemon is running on the container instance.
  • Verify that the container agent is RUNNING on the container instance.
  • Verify that the IAM instance profile has the necessary permissions.
2
Q

Best practices for DynamoDB?

A
  • Keep item sizes small.
  • If you are storing serial data in DynamoDB that will require actions based on date/time, use separate tables for days, weeks, and months.
  • Store more frequently and less frequently accessed data in separate tables.
  • If possible, compress larger attribute values.
  • Store objects larger than 400 KB in S3 and use pointers (S3 Object ID) in DynamoDB.
3
Q

How do you implement a high-bandwidth, low-latency connection from on-prem to multiple VPCs in multiple regions within the same account?

A

Implement an AWS Direct Connect connection to the closest region.
A Direct Connect gateway can then be used to create private virtual interfaces (VIFs) to each AWS region.

CloudHub is not reliable since it uses the internet.

4
Q

What is AWS’s position on penetration testing?

A

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services.

5
Q

Reduce request latency and the number of calls to the Amazon EC2 endpoint behind an API Gateway.

A

Create an API Gateway cache for a stage and configure a TTL.

6
Q

An ALB has been created with a Target Group that routes incoming connections to an ECS-based application. Consumers must authenticate using federated OIDC-compliant Identity Providers such as Google and Facebook. The users must be securely authenticated on the front end before they access the secured portions of the application.

How can this be configured using an ALB?

A

ALB supports authentication from OIDC-compliant identity providers such as Google, Facebook, and Amazon.

It is implemented through an authentication action on a listener rule that integrates with Amazon Cognito to create user pools.

7
Q

Connect an on-prem application to the cloud RDS database via the Internet

A

When you create the RDS instance, you need to select the option to make it PUBLICLY accessible.

A security group will need to be created and assigned to the RDS instance to allow access from the public IP address of your application (or firewall).

(NAT Gateways are only for EC2)

8
Q

What are the two types of events that can be logged in CloudTrail?

A

Data events: These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.

Management events: Management events provide insight into management operations that are performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account.

9
Q

What is the best way to easily deploy a .NET application whilst maintaining full control of the underlying resources?

A

Elastic Beanstalk

10
Q

Enable a Lambda function to connect to an ElastiCache cluster within a VPC in the same AWS account. What do you need from the VPC?

A

To enable a Lambda function to access resources inside a private VPC, you must provide additional VPC-specific configuration information that includes:

  • VPC subnet IDs, and
  • security group IDs.

AWS Lambda uses this information to set up elastic network interfaces (ENIs) that enable your function.

11
Q

I have an ASG with 8 EC2 instances running. I want to attach an ELB to the ASG. The ELB has 10 instances running (in the same region). It keeps failing. Why?

A

You can attach one or more Target Groups to your ASG to include instances behind an ALB, and the ELBs must be in the same region. Once you do this, any EC2 instance, existing or added by the ASG, will be automatically registered with the ASG-defined ELBs. If adding an instance to an ASG would result in exceeding the maximum capacity of the ASG, the request will fail.

CORRECT: “Adding the 10 EC2 instances to the ASG would exceed the maximum capacity configured” is the correct answer.

12
Q

Using Route 53 Alias records what targets can you specify? (choose 2)

A

Alias records are used to map resource record sets in your hosted zone to:
  • ELBs,
  • API Gateway custom regional APIs,
  • edge-optimized APIs,
  • CloudFront Distributions,
  • AWS Elastic Beanstalk environments,
  • Amazon S3 buckets that are configured as website endpoints,
  • Amazon VPC interface endpoints, and
  • other records in the same Hosted Zone.

13
Q

Copy an EBS snapshot from one account to another. It was encrypted with a custom key.

A

When an EBS volume is encrypted with a CUSTOM key you must share the custom key with the new account. You also need to modify the permissions on the snapshot to share it with the new account. The new account must copy the snapshot before it can then create volumes from the snapshot.

Note that you cannot share encrypted volumes created using a default CMK key and you cannot change the CMK key that is used to encrypt a volume.

14
Q

A Solutions Architect is designing an application for processing and extracting data from log files. The log files are generated by an application and the number and frequency of updates varies. The files are up to 1 GB in size and processing will take around 40 seconds for each file.

Which solution is the most cost-effective?

A

The question asks for the most cost-effective solution and therefore a serverless and automated solution will be the best choice.

AWS Lambda can run custom code in response to Amazon S3 bucket events. You upload your custom code to AWS Lambda and create a function. When Amazon S3 detects an event of a specific type (for example, an object-created event), it can publish the event to AWS Lambda and invoke your function in Lambda. In response, AWS Lambda executes your function.

CORRECT: “Write the log files to an Amazon S3 bucket. Create an event notification to invoke an AWS Lambda function that will process the files” is the correct answer.

15
Q

An application is running on EC2 instances in a private subnet of an Amazon VPC. A Solutions Architect would like to connect the application to Amazon API Gateway. For security reasons, it is necessary to ensure that no traffic traverses the Internet and to ensure all traffic uses private IP addresses only.

How can this be achieved?

A

An Interface endpoint uses AWS PrivateLink and is an elastic network interface (ENI) with a private IP address that serves as an entry point for traffic destined to a supported service. Using PrivateLink you can connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services.

16
Q

A manager is concerned that the default service limits may soon be reached for several AWS services. Which AWS tool can a Solutions Architect use to display current usage and limits?

A

Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

AWS Trusted Advisor offers a Service Limits check (in the Performance category) that displays your usage and limits for some aspects of some services.

17
Q

A company has over 2000 users and is planning to migrate data into the AWS Cloud. Some of the data is user’s home folders on an existing file share and the plan is to move this data to Amazon S3. Each user will have a folder in a shared bucket under the folder structure: bucket/home/%username%.

What steps should a Solutions Architect take to ensure that each user can access their own home folder and no one else’s? (choose 2)

A

https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

CORRECT: “Create an IAM policy that applies folder-level permissions” is a correct answer.

CORRECT: “Create an IAM group and attach the IAM policy, add IAM users to the group” is also a correct answer.

18
Q

A Solutions Architect manages multiple Amazon RDS MySQL databases. To improve security, the Solutions Architect wants to enable secure user access with short-lived credentials. How can these requirements be met?

A

With MySQL, authentication is handled by AWSAuthenticationPlugin—an AWS-provided plugin that works seamlessly with IAM to authenticate your IAM users. Connect to the DB instance and issue the CREATE USER statement, as shown in the following example.

CREATE USER jane_doe IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

The IDENTIFIED WITH clause allows MySQL to use the AWSAuthenticationPlugin to authenticate the database account (jane_doe). The AS 'RDS' clause refers to the authentication method, and the specified database account should have the same name as the IAM user or role. In this example, both the database account and the IAM user or role are named jane_doe.

19
Q

What deployment model should I use?

I need EC2 hosts dedicated to my client. They want to be billed per instance, with automatic instance placement.

A

Dedicated INSTANCES are Amazon EC2 instances that run in a VPC on hardware that’s dedicated to a single customer. Your Dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts. Dedicated instances allow automatic instance placement and billing is per instance.

An Amazon EC2 Dedicated HOST is a physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses. With dedicated hosts billing is on a per-HOST basis (not per instance).

20
Q

A company runs an API on a Linux server in their on-premises data center. The company are planning to migrate the API to the AWS cloud. The company require a highly available, scalable and cost-effective solution. What should a Solutions Architect recommend?

A

The best option is to use a fully serverless solution. This will provide high availability, scalability and be cost-effective. The components for this would be Amazon API Gateway for hosting the API and AWS Lambda for running the backend.

21
Q

A Solutions Architect just completed the implementation of a 2-tier web application for a client. The application uses Amazon EC2 instances, Amazon ELB and Auto Scaling across two subnets. After deployment the Solutions Architect noticed that only one subnet has EC2 instances running in it. What might be the cause of this situation?

A

You can specify which subnets Auto Scaling will launch new instances into. Auto Scaling will try to distribute EC2 instances evenly across AZs. If only one subnet has EC2 instances running in it the first thing to check is that you have added all relevant subnets to the configuration.

22
Q

A Solutions Architect is creating a design for a two-tier application with a MySQL RDS back-end. The performance requirements of the database tier are hard to quantify until the application is running and the Architect is concerned about right-sizing the database.

What methods of scaling are possible after the MySQL RDS database is deployed? (choose 2)

A

To handle a higher load in your database, you can vertically scale up your master database with a simple push of a button. In addition to scaling your master database vertically, you can also improve the performance of a read-heavy database by using read replicas to horizontally scale your database.

There is no such thing as a Multi-Master MySQL RDS DB (there is for Aurora).

23
Q

A Solutions Architect is designing an application that consists of AWS Lambda and Amazon RDS Aurora MySQL. The Lambda function must use database credentials to authenticate to MySQL and security policy mandates that these credentials must not be stored in the function code.

How can the Solutions Architect securely store the database credentials and make them available to the function?

A

In this case, the scenario requires that credentials are used for authenticating to MySQL. The credentials need to be securely stored OUTSIDE of the function code.

Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management.

24
Q

An application needs to retrieve a subset of data from a large CSV file stored in an Amazon S3 bucket by using simple SQL expressions. The queries are made within Amazon S3 and must only return the needed data.

How?

A

S3 Select enables applications to retrieve only a subset of data from an object by using simple SQL expressions. By using S3 Select to retrieve only the data needed by your application, you can achieve drastic performance increases.

Amazon S3 is composed of buckets, object keys, object metadata, object tags, and many other components as shown below:

An Amazon S3 bucket name is globally unique, and the namespace is shared by all AWS accounts.

An Amazon S3 object key refers to the key name, which UNIQUELY identifies the object in the bucket.

Amazon S3 object metadata is a name-value pair that provides information about the object.

An Amazon S3 object tag is a key-value pair used for object tagging to categorize storage.

You can perform S3 Select to query only the necessary data inside the CSV files based on the bucket’s name and the object’s key.

25
Q

An online stocks trading application that stores financial data in an S3 bucket has a lifecycle policy that moves older data to Glacier every month. There is a strict compliance requirement where a surprise audit can happen at any time and you should be able to retrieve the required data in under 15 minutes under all circumstances. Your manager instructed you to ensure that retrieval capacity is available when you need it and should handle up to 150 MB/s of retrieval throughput.

Which of the following should you do to meet the above requirement? (Select TWO.)

A

EXPEDITED RETRIEVALS allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals is typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.

PROVISIONED CAPACITY ensures that your retrieval capacity for expedited retrievals is available when you need it. Each unit of capacity provides that at least three expedited retrievals can be performed every five minutes and provides up to 150 MB/s of retrieval throughput. You should purchase provisioned retrieval capacity if your workload requires highly reliable and predictable access to a subset of your data in minutes. Without provisioned capacity, Expedited retrievals are accepted, except for rare situations of unusually high demand. However, if you require access to Expedited retrievals under all circumstances, you must purchase provisioned retrieval capacity.

26
Q

A media company recently launched their newly created web application. Many users tried to visit the website, but they are receiving a 503 Service Unavailable Error. The system administrator tracked the EC2 instance status and saw that the capacity is reaching its maximum limit and is unable to process all the requests. To gain insights from the application’s data, they need to launch a real-time analytics service.

Which of the following allows you to read records in batches?

A

Amazon Kinesis Data Streams (KDS) is a massively scalable and durable real-time data streaming service. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources. You can use an AWS Lambda function to process records in Amazon KDS. By default, Lambda invokes your function as soon as records are available in the stream. Lambda can process up to 10 BATCHES in each shard simultaneously. If you increase the number of concurrent batches per shard, Lambda still ensures in-order processing at the partition-key level.

27
Q

A company needs to use Amazon Aurora as the Amazon RDS database engine of their web application. The Solutions Architect has been instructed to implement a 90-day backup retention policy. How?

A

AWS Backup is a centralized backup service that makes it easy and cost-effective for you to back up your application data across AWS services in the AWS Cloud.

In this scenario, you can use AWS Backup to create a backup plan with a retention period of 90 days. A backup plan is a policy expression that defines when and how you want to back up your AWS resources. You assign resources to backup plans, and AWS Backup then automatically backs up and retains backups for those resources according to the backup plan.

28
Q

A company must upload JSON data stored on-prem on NAS to Amazon S3 where it can be processed by an analytics application. The data must be transferred securely.

Which solution offers the MOST reliable and time-efficient data transfer?

A

The most reliable and time-efficient solution that keeps the data secure is to use AWS DataSync and synchronize the data from the NAS device directly to Amazon S3. This should take place over an AWS Direct Connect connection to ensure reliability, speed, and security.

AWS DataSync can copy data between Network File System (NFS) shares, Server Message Block (SMB) shares, self-managed object storage, AWS Snowcone, Amazon Simple Storage Service (Amazon S3) buckets, Amazon Elastic File System (Amazon EFS) file systems, and Amazon FSx for Windows File Server file systems.

Transfer Acceleration does not offer the reliability, speed, or performance that this company requires.

29
Q

Limitation on Multi-AZ for databases.

A

You cannot configure a multi-AZ DB instance to run in another Region; it must be in the same Region but in a different Availability Zone.

30
Q

API Gateway API on the frontend, persist data in a backend database using key-value requests. Initially, the data requirements will be around 1 GB and future growth is unknown. Requests can range from 0 to over 800 requests per second.

Which combination of AWS services would meet these requirements?

A

In this case AWS Lambda can perform the computation and store the data in an Amazon DynamoDB table. Lambda can scale concurrent executions to meet demand easily, and DynamoDB is built for key-value data storage requirements and is also serverless and easily scalable. This is therefore a cost-effective solution for unpredictable workloads.

31
Q

The developer stored the database user name and password in a configuration file on the root EBS volume of the EC2 application instance. A Solutions Architect has been asked to design a more secure solution.

A

The best way to secure this solution is to get rid of the credentials completely by using an IAM role instead. The IAM role can be assigned permissions to the database instance and can be attached to the EC2 instance. The instance will then obtain temporary security credentials from AWS STS which is much more secure.

32
Q

A Solutions Architect has deployed an application on several Amazon EC2 instances across three private subnets. The application must be made accessible to internet-based clients with the least amount of administrative effort.

A

The Solutions Architect needs to place them behind an internet-facing Elastic Load Balancer. The way you add instances in private subnets to a public-facing ELB is to add public subnets in the same AZs as the private subnets to the ELB. You can then add the instances to the ELB and they will become targets for load balancing.

33
Q

To serve a static website hosted on Amazon S3, you can deploy a CloudFront distribution using one of these configurations:

A

Using a REST API endpoint as the origin with access restricted by an origin access identity (OAI)

Using a website endpoint as the origin with anonymous (public) access allowed

Using a website endpoint as the origin with access restricted by a Referer header

34
Q

How can a Solutions Architect enable encryption for an unencrypted database without incurring any data loss?

A

You cannot change the encryption status of an existing RDS DB instance. Encryption must be specified when creating the RDS DB instance. The best way to encrypt an existing database is to take a snapshot, encrypt a copy of the snapshot and restore the snapshot to a new RDS DB instance. This results in an encrypted database that is a new instance. Applications must be updated to use the new RDS DB endpoint.

❗️❗️In this scenario, as there is a high rate of change, the databases will be OUT OF SYNC by the time the new copy is created and is functional. The best way to capture the changes between the source (unencrypted) and destination (encrypted) DB is to use AWS Database Migration Service (DMS) to synchronize the data.

35
Q

❗️Amazon EC2 instances in a development environment run between 9am and 5pm Monday-Friday.

Production instances run 24/7.

Which pricing models should be used? I want cheapest.

A

Capacity reservations have no commitment and can be created and canceled as needed. This is ideal for the development environment as it will ensure that capacity is available. There is no price advantage but none of the other options provide a price advantage whilst also ensuring capacity is available.
(❗️“Use Reserved instances for the development environment” is incorrect as they require a long-term commitment which is not ideal for a development environment.)

Reserved instances are a good choice for workloads that run continuously. This is a good option for the production environment.
(❗️“Use On-Demand instances for the production environment” is incorrect. There is no long-term commitment required when you purchase On-Demand Instances. However, you do not get any discount and therefore this is the most expensive option.)

36
Q

❗️An application running on an Amazon ECS container instance using the EC2 launch type needs permissions to write data to Amazon DynamoDB.

How can you assign these permissions only to the specific ECS task that is running the application?

A

To specify permissions for a specific task on Amazon ECS you should use IAM Roles for Tasks. The permissions policy can be applied to tasks when creating the task definition, or by using an IAM task role override using the AWS CLI or SDKs. The taskRoleArn parameter is used to specify the policy.

37
Q

❗️A new application is to be published in multiple regions around the world. The Architect needs to ensure only 2 IP addresses need to be whitelisted. The solution should intelligently route traffic for lowest latency and provide fast regional failover.

How can this be achieved?

A

“Launch EC2 instances into multiple regions behind an NLB and use AWS Global Accelerator” is the correct answer.

AWS Global Accelerator uses the vast, congestion-free AWS global network to route TCP and UDP traffic to a healthy application endpoint in the closest AWS Region to the user.

This means it will intelligently route traffic to the closest point of presence (reducing latency). Seamless failover is ensured as AWS Global Accelerator uses anycast IP addresses, which means the IP does not change when failing over between regions, so there are no issues with client caches having incorrect entries that need to expire.

38
Q

A solutions architect is creating a system that will run analytics on financial data for several hours a night, 5 days a week. The analysis is expected to run for the same duration and cannot be interrupted once it is started. The system will be required for a minimum of 1 year.

What should the solutions architect configure to ensure the EC2 instances are available when they are needed?

A

On-Demand Capacity Reservations enable you to reserve compute capacity for your Amazon EC2 instances in a specific Availability Zone for any duration. This gives you the ability to create and manage Capacity Reservations independently from the billing discounts offered by Savings Plans or Regional Reserved Instances.

By creating Capacity Reservations, you ensure that you always have access to EC2 capacity when you need it, for as long as you need it. You can create Capacity Reservations at any time, without entering a one-year or three-year term commitment, and the capacity is available immediately.

39
Q

A team are planning to run analytics jobs on log files each day and require a storage solution. The size and number of logs is unknown and data will persist for 24 hours only.

What is the MOST cost-effective solution?

A

S3 Standard is the best choice in this scenario for a short-term storage solution. In this case the size and number of logs is unknown and it would be difficult to fully assess the access patterns at this stage. Therefore, using S3 Standard is best as it is cost-effective, provides immediate access, and there are no retrieval fees or minimum capacity charge per object.

CORRECT: “Amazon S3 Standard” is the correct answer.

INCORRECT: “Amazon S3 Intelligent-Tiering” is incorrect as there is an additional fee for using this service and for a short-term requirement it may not be beneficial.

40
Q

A company hosts a multiplayer game on AWS. The application uses Amazon EC2 instances in a single Availability Zone and users connect over Layer 4. A Solutions Architect has been tasked with making the architecture highly available and also more cost-effective.

How can the solutions architect best meet these requirements? (Select TWO.)

A

To enable high availability an Amazon EC2 Auto Scaling group should be created to add and remove instances across multiple availability zones.

In order to distribute the traffic to the instances, the architecture should use a NETWORK Load Balancer which operates at Layer 4. This architecture will also be cost-effective as the Auto Scaling group will ensure the right number of instances are running based on demand.

41
Q

A company uses an RDS MySQL database instance. The security team have requested SSL/TLS encryption in transit. The data in the database is currently encrypted at rest using an AWS KMS key.

How can a Solutions Architect enable encryption in transit?

A

Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks.

You can download a root certificate from AWS that works for all Regions or you can download Region-specific intermediate certificates.

CORRECT: “Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance” is the correct answer.

42
Q

Multiple Amazon EC2 Linux instances. Data is on EBS volumes.
Increase the resiliency of the application in case of failure.

A

Use Auto Scaling groups to launch and terminate instances across multiple Availability Zones.

An application load balancer (ALB) can be used to direct traffic to the web application running on the EC2 instances.

Elastic File System (EFS) can assist with increasing the resilience of the application by providing a shared file system that can be mounted by multiple EC2 instances from multiple availability zones.

43
Q

A company runs a large batch processing job at the end of every quarter. The processing job runs for 5 days and uses 15 Amazon EC2 instances. The processing must run uninterrupted for 5 hours per day. The company is investigating ways to reduce the cost of the batch processing job.

Which pricing model should the company choose?

A

This time duration is insufficient to warrant reserved instances as these require a commitment of a minimum of 1 year and the discounts would not outweigh the costs of having the reservations unused for a large percentage of the time. In this case, there are no options presented that can reduce the cost, and therefore ON-DEMAND instances should be used.

44
Q

A solutions architect is designing the infrastructure to run an application on Amazon EC2 instances. The application requires high availability and must dynamically scale based on demand to be cost efficient.

A

The Amazon EC2-based application must be highly available and elastically scalable. Auto Scaling can provide the elasticity by dynamically launching and terminating instances based on demand. This can take place across availability zones for high availability.

Incoming connections can be distributed to the instances by using an Application Load Balancer (ALB).

❗️NOT an API Gateway.

45
Q

Static website running on Amazon S3. The company’s customers are mainly in the United States, Canada, and Europe. The company is looking to cost-effectively reduce the latency for users in these regions.

What is the most cost-effective solution to these requirements?

A

With Amazon CloudFront you can set the price class to determine where in the world the content will be cached. One of the price classes is “U.S., Canada and Europe” and this is where the company’s users are located. Choosing this price class will result in lower costs and better performance for the company’s users.

❗️“Create an Amazon CloudFront distribution that uses origins in U.S., Canada and Europe” is incorrect. The origin can be in one place; there’s no need to add origins in different Regions. The price class should be used to limit the caching of the content to reduce cost.

46
Q

A web application allows users to upload photos and add graphical elements to them. The application offers two tiers of service: free and paid. Photos uploaded by paid users should be processed before those submitted using the free tier. The photos are uploaded to an Amazon S3 bucket which uses an event notification to send the job information to Amazon SQS.

How should a Solutions Architect configure the Amazon SQS deployment to meet these requirements?

A

AWS recommends using separate queues when you need to provide prioritization of work. The logic can then be implemented at the application layer to prioritize the queue for the paid photos over the queue for the free photos.

CORRECT: “Use a separate SQS Standard queue for each tier. Configure Amazon EC2 instances to prioritize polling for the paid queue over the free queue” is the correct answer.

47
Q

An application is hosted on the U.S. west coast. Users there have no problems, but users on the east coast are experiencing performance issues. The users have reported slow response times with the search bar autocomplete and display of account listings.

How can you improve the performance for users on the east coast?

A

ElastiCache can be deployed in the U.S. east region to provide high-speed access to the content. ElastiCache for Redis is a good fit for autocompletion (see links below).

CORRECT: “Create an ElastiCache database in the U.S east region” is the correct answer.

48
Q

An Amazon RDS PostgreSQL database is configured as Multi-AZ. A solutions architect needs to scale read performance and the solution must be configured for high availability. What is the most cost-effective solution?

A

You can create a read replica as a Multi-AZ DB instance. Amazon RDS creates a standby of your replica in another Availability Zone for failover support for the replica. Creating your read replica as a Multi-AZ DB instance is independent of whether the source database is a Multi-AZ DB instance.

CORRECT: “Create a read replica as a Multi-AZ DB instance” is the correct answer.

49
Q

A Solutions Architect is designing a web application that runs on Amazon EC2 instances behind an Elastic Load Balancer. All data in transit must be encrypted.

Which solution options meet the encryption requirement? (choose 2)

A

You can pass encrypted traffic through an NLB and terminate the SSL/TLS connection on the EC2 instances, so this is a valid answer.

You can use an HTTPS listener with an ALB and install certificates on both the ALB and the EC2 instances. This does not use passthrough; instead the first SSL/TLS connection is terminated on the ALB, and the ALB then re-encrypts the traffic for its connection to the EC2 instances, so data stays encrypted on both hops.

CORRECT: “Use a Network Load Balancer (NLB) with a TCP listener, then terminate SSL on EC2 instances” is the correct answer.

CORRECT: “Use an Application Load Balancer (ALB) with an HTTPS listener, then install SSL certificates on the ALB and EC2 instances” is the correct answer.

50
Q

A company runs an internal browser-based application. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group scales up to 20 instances during work hours but scales down to 2 instances overnight. Staff are complaining that the application is very slow when the day begins, although it runs well by midmorning.

How should the scaling be changed to address the staff complaints and keep costs to a minimum?

A

Though this sounds like a good use case for scheduled actions, both answers using scheduled actions will have 20 instances running regardless of actual demand. A better option to be more cost-effective is to use a target tracking action that triggers at a lower CPU threshold.

With this solution, the scaling will occur before the CPU utilization gets to a point where performance is affected. This will result in resolving the performance issues whilst minimizing costs. Using a reduced cooldown period will also more quickly terminate unneeded instances, further reducing costs.

CORRECT: “Implement a target tracking action triggered at a lower CPU threshold, and decrease the cooldown period” is the correct answer.

INCORRECT: “Implement a scheduled action that sets the minimum and maximum capacity to 20 shortly before the office opens” is incorrect as this is not the most cost-effective option. Note you can choose min, max, or desired for a scheduled action.

51
Q

An application is running on Amazon EC2 behind an Elastic Load Balancer (ELB). Content is being published using Amazon CloudFront and you need to restrict the ability for users to circumvent CloudFront and access the content directly through the ELB.

How can you configure this solution?

A

The only way to get this working is by using a VPC Security Group for the ELB that is configured to allow only the internal service IP ranges associated with CloudFront. As these ranges are updated from time to time, you can use AWS Lambda to automatically update the security group rules. The Lambda function is triggered by the SNS topic that AWS publishes to whenever its IP address ranges change.

CORRECT: “Create a VPC Security Group for the ELB and use AWS Lambda to automatically update the CloudFront internal service IP addresses when they change” is the correct answer.

INCORRECT: “Create an Origin Access Identity (OAI) and associate it with the distribution” is incorrect. You can use an OAI to restrict access to content in Amazon S3 but ❗️❗️❗️not on EC2 or ELB.

52
Q

A Solutions Architect must select the most appropriate database service for two use cases. A team of data scientists performs complex queries on a data warehouse that take several hours to complete. Another team of scientists needs to run fast, repeated queries and update dashboards for customer support staff.

Which solution delivers these requirements MOST cost-effectively?

A

RedShift is a columnar data warehouse DB that is ideal for running long complex queries. RedShift can also improve performance for repeat queries by caching the result and returning the cached result when queries are re-run. Dashboard, visualization, and business intelligence (BI) tools that execute repeat queries see a significant boost in performance due to result caching.

CORRECT: “RedShift for both use cases” is the correct answer.

INCORRECT: “RedShift for the analytics use case and ElastiCache in front of RedShift for the customer support dashboard” is incorrect. You could put ElastiCache in front of the RedShift DB, and this would provide good performance for the fast, repeated queries. However, it is not essential and would add cost to the solution, so it is not the most cost-effective option available.

53
Q

A solutions architect is optimizing a website for real-time streaming and on-demand videos. The website’s users are located around the world and the solutions architect needs to optimize the performance for both the real-time and on-demand streaming.

Which service should the solutions architect choose?

A

Amazon CloudFront can be used to stream video to users across the globe using a wide variety of protocols that are layered on top of HTTP. This can include both on-demand video as well as real-time streaming video.

CORRECT: “Amazon CloudFront” is the correct answer.

INCORRECT: “AWS Global Accelerator” is incorrect as this would be an expensive way of getting the content closer to users compared to using CloudFront. As this is a use case for CloudFront, and there are so many edge locations, it is the better option.