2022 最新版 AWS SAP 100道练习题(含解释)
问题Q1. A company runs a legacy system on a single m4.2xlarge Amazon EC2 instance with Amazon EBS2 storage. The EC2 instance runs both the web server and a self-managed Oracle database. A snapshot is made of the EBS volume every 12 hours, and an AMI was created from the fully configured EC2 instance. A recent event that terminated the EC2 instance led to several hours of downtime. The application was successfully launched from the AMI, but the age of the EBS snapshot and the repair of the database resulted in the loss of 8 hours of data. The system was also down for 4 hours while the Systems Operators manually performed these processes. What architectural changes will minimize downtime and reduce the chance of lost data?
A. Create an Amazon CloudWatch alarm to automatically recover theinstance. Create a script that will check and repair the database uponreboot. Subscribe the Operations team to the Amazon SNS messagegenerated by the CloudWatch alarm.
B. Run the application on m4.xlarge EC2 instances behind an Elastic LoadBalancer/Application Load Balancer. Run the EC2 instances in an AutoScaling group across multiple Availability Zones with a minimum instancecount of two. Migrate the database to an Amazon RDS Oracle Multi-AZ DBinstance.
C. Run the application on m4.2xlarge EC2 instances behind an ElasticLoad Balancer/Application Load Balancer. Run the EC2 instances in anAuto Scaling group access multiple Availability Zones with a minimuminstance count of one. Migrate the database to an Amazon RDS OracleMulti-AZ DB instance.
D. Increase the web server instance count to two m4.xlarge instances anduse Amazon Route S3 round- robin load balancing to spread the load.Enable Route S3 health checks on the web servers. Migrate the databaseto an Amazon RDS Oracle Multi-AZ DB instance.
Answer:B
Analyze:
A.Not highly available C.One instance still not highly available D.Route 53 don't have round-robin load balancing(may be weighting with 50/50?). Without auto scale it is not really scalable.
问题Q2. A Solutions Architect is working with a company that operates a standard three-tier web application in AWS. The web and application tiers run on Amazon EC2 and the database tier runs on Amazon RDS. The company is redesigning the web and application tiers to use Amazon API Gateway and AWS Lambda, and the company intends to deploy the new application within 6 months. The IT Manager has asked the Solutions Architect to reduce costs in the interim. Which solution will be MOST cost effective while maintaining reliability?
A. Use Spot Instances for the web tier, On-Demand Instances for theapplication tier, and Reserved Instances for the database tier.
B. Use On-Demand Instances for the web and application tiers, andReserved Instances for the database tier.
C. Use Spot Instances for the web and application tiers, and ReservedInstances for the database tier.
D. Use Reserved Instances for the web, application, and database tiers.
Answer:B
Analyze:
A.Spot instance can be interrupted C.Spot instance can be interrupted D.RI will need at least 1 year rental term, waste money after 6 month
问题Q3. A company uses Amazon S3 to store documents that may only be accessible to an Amazon EC2 instance in a certain virtual private cloud (VPC). The company fears that a malicious insider with access to this instance could also set up an EC2 instance in another VPC to access these documents. Which of the following solutions will provide the required protection?
A. Use an S3 VPC endpoint and an S3 bucket policy to limit access tothis VPC endpoint.
B. Use EC2 instance profiles and an S3 bucket policy to limit access tothe role attached to the instance profile.
C. Use S3 client-side encryption and store the key in the instancemetadata.
D. Use S3 server-side encryption and protect the key with an encryptioncontext.
Answer:A
Analyze:
B.The same role can be attached to another EC2 in another VPC C.Instance metadata is not a safe place to store keyD.Other EC2 can use the same encryption context as well
Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.
问题Q4. The Solutions Architect manages a serverless application that consists of multiple API gateways, AWS Lambda functions, Amazon S3 buckets, and Amazon DynamoDB tables. Customers say that a few application components slow while loading dynamic images, and some are timing out with the "504 Gateway Timeout" error. While troubleshooting the scenario, the Solutions Architect confirms that DynamoDB monitoring metrics are at acceptable levels. Which of the following steps would be optimal for debugging these application issues? (Choose two.)
A. Parse HTTP logs in Amazon API Gateway for HTTP errors to determinethe root cause of the errors.
B. Parse Amazon CloudWatch Logs to determine processing times forrequested images at specified intervals.
C. Parse VPC Flow Logs to determine if there is packet loss between theLambda function and S3.
D. Parse AWS X-Ray traces and analyze HTTP methods to determine the rootcause of the HTTP errors.
E. Parse S3 access logs to determine if objects being accessed are fromspecific IP addresses to narrow the scope to geographic latency issues.
Answer:BD
Analyze:
A.API gateway http log(cloudwatch) won't help with root cause C.S3 is not VPC based (unless use vpc endpoint). Lambda could be VPC enabled, but not mentioned here. E.Dynamic images are most likely go through a lambda function and S3 accessed by lambda should not have latency issues.
问题Q5. A Solutions Architect is designing the storage layer for a recently purchased application. The application will be running on Amazon EC2 instances and has the following layers and requirements:* Data layer: A POSIX file system shared across many systems.* Service layer: Static file content that requires block storage with more than 100k IOPS. Which combination of AWS services will meet these needs? (Choose two.)
A. Data layer - Amazon S3
B. Data layer - Amazon EC2 Ephemeral Storage
C. Data layer - Amazon EFS
D. Service layer - Amazon EBS volumes with Provisioned IOPS
E. Service layer - Amazon EC2 Ephemeral Storage
Answer:CE
Analyze:
A.Not POSIXB.Not persistentD.Maximum EBS IOPS is 64000
问题Q6. A company has an application that runs a web service on Amazon EC2 instances and stores .jpg images in Amazon S3. The web traffic has a predictable baseline, but often demand spikes unpredictably for short periods of time. The application is loosely coupled and stateless. The .jpg images stored in Amazon S3 are accessed frequently for the first 15 to 20 days, they are seldom accessed thereafter but always need to be immediately available. The CIO has asked to find ways to reduce costs. Which of the following options will reduce costs? (Choose two.)
A. Purchase Reserved instances for baseline capacity requirements anduse On-Demand instances for the demand spikes.
B. Configure a lifecycle policy to move the .jpg images on Amazon S3 toS3 IA after 30 days.
C. Use On-Demand instances for baseline capacity requirements and useSpot Fleet instances for the demand spikes.
D. Configure a lifecycle policy to move the .jpg images on Amazon S3 toAmazon Glacier after 30 days.
E. Create a script that checks the load on all web servers andterminates unnecessary On-Demand instances.
Answer:AB
Analyze:
C.Spot instance for spike is not good as spot can be interrupted D.Glacier can take up to hours to access data E.Should use auto scale group
问题Q7. A hybrid network architecture must be used during a company's multi-year data center migration from multiple private data centers to AWS. The current data centers are linked together with private fiber. Due to unique legacy applications, NAT cannot be used. During the migration period, many applications will need access to other applications in both the data centers and AWS. Which option offers a hybrid network architecture that is secure and highly available, that allows for high bandwidth and a multi-region deployment post-migration?
A. Use AWS Direct Connect to each data center from different ISPs, andconfigure routing to failover to the other data center's Direct Connectif one fails. Ensure that no VPC CIDR blocks overlap one another or theon-premises network.
B. Use multiple hardware VPN connections to AWS from the on-premisesdata center. Route different subnet traffic through different VPNconnections. Ensure that no VPC CIDR blocks overlap one another or theon-premises network.
C. Use a software VPN with clustering both in AWS and the on-premisesdata center, and route traffic through the cluster. Ensure that no VPCCIDR blocks overlap one another or the on-premises network.
D. Use AWS Direct Connect and a VPN as backup, and configure both to usethe same virtual private gateway and BGP. Ensure that no VPC CIDR blocksoverlap one another or the on-premises network.
Answer:A
Analyze:
B. is not high bandwidth C.One VPN connection is not HA (cluster still have one connection) D.As a backup, VPN is not sufficient with high bandwidth. Also, what if the region that have the virtual private gateway fails?
问题Q8. A company is currently running a production workload on AWS that is very I/O intensive. Its workload consists of a single tier with 10 c4.8xlarge instances, each with 2 TB gp2 volumes. The number of processing jobs has recently increased, and latency has increased as well. The team realizes that they are constrained on the IOPS. For the application to perform efficiently, they need to increase the IOPS by 3,000 for each of the instances. Which of the following designs will meet the performance goal MOST cost effectively?
A. Change the type of Amazon EBS volume from gp2 to io1 and setprovisioned IOPS to 9,000.
B. Increase the size of the gp2 volumes in each instance to 3 TB.
C. Create a new Amazon EFS file system and move all the data to this newfile system. Mount this file system to all 10 instances.
D. Create a new Amazon S3 bucket and move all the data to this newbucket. Allow each instance to access this S3 bucket and use it forstorage.
Answer:B
Analyze:
A.Cost will be 3000 * 0.125 + 9000 * 0.065 B.Cost will be 3000 * 0.1 (gp2 has 3 IOPS per GB) C.EFS has higher latency than EBS provisioned IOPS (https://docs.aws.amazon.com/efs/latest/ug/ performance.html) D.S3 won't be as fast as EBS in terms of IO
问题Q9. A company's data center is connected to the AWS Cloud over a minimally used 10-Gbps AWS Direct Connect connection with a private virtual interface to its virtual private cloud (VPC). The company internet connection is 200 Mbps, and the company has a 150-TB dataset that is created each Friday. The data must be transferred and available in Amazon S3 on Monday morning. Which is the LEAST expensive way to meet the requirements while allowing for data transfer growth?
A. Order two 80-GB AWS Snowball appliances. Offload the data to theappliances and ship them to AWS.AWS will copy the data from the Snowball appliances to Amazon S3.
B. Create a VPC endpoint for Amazon S3. Copy the data to Amazon S3 byusing the VPC endpoint, forcing the transfer to use the Direct Connectconnection.
C. Create a VPC endpoint for Amazon S3. Set up a reverse proxy farmbehind a Classic Load Balancer in the VPC. Copy the data to Amazon S3using the proxy.
D. Create a public virtual interface on a Direct Connect connection, andcopy the data to Amazon S3 over the connection.
Answer:D
Analyze:
A.Won't be fast enough (courier on the weekend?~!) B.S3 VPC endpoint is Gateway Endpoint and it cannot extend across direct connect https:// docs.amazonaws.cn/en_us/vpc/latest/userguide/vpce-gateway.html#Gateway-Endpoint-Limitations C.Proxy farm is more expensive than D
问题Q10. A company has created an account for individual Development teams, resulting in a total of 200 accounts. All accounts have a single virtual private cloud (VPC) in a single region with multiple microservices running in Docker containers that need to communicate with microservices in other accounts. The Security team requirements state that these microservices must not traverse the public internet, and only certain internal services should be allowed to call other individual services. If there is any denied network traffic for a service, the Security team must be notified of any denied requests, including the source IP. How can connectivity be established between service while meeting the security requirements?
A. Create a VPC peering connection between the VPCs. Use security groupson the instances to allow traffic from the security group IDs that arepermitted to call the microservice. Apply network ACLs to and allowtraffic from the local VPC and peered VPCs only. Within the taskdefinition in Amazon ECS for each of the microservices, specify a logconfiguration by using the awslogs driver. Within Amazon CloudWatchLogs, create a metric filter and alarm off of the number of HTTP 403responses. Create an alarm when the number of messages exceeds athreshold set by the Security team.
B. Ensure that no CIDR ranges are overlapping, and attach a virtualprivate gateway (VGW) to each VPC.Provision an IPsec tunnel between each VGW and enable route propagationon the route table.Configure security groups on each service to allow the CIDR ranges ofthe VPCs on the other accounts.Enable VPC Flow Logs, and use an Amazon CloudWatch Logs subscriptionfilter for rejected traffic.Create an IAM role and allow the Security team to call the AssumeRoleaction for each account.
C. Deploy a transit VPC by using third-party marketplace VPN appliancesrunning on Amazon EC2, dynamically routed VPN connections between theVPN appliance, and the virtual private gateways (VGWs) attached to eachVPC within the region. Adjust network ACLs to allow traffic from thelocal VPC only. Apply security groups to the microservices to allowtraffic from the VPN appliances only.Install the awslogs agent on each VPN appliance, and configure logs toforward to Amazon CloudWatch Logs in the security account for theSecurity team to access.
D. Create a Network Load Balancer (NLB) for each microservice. Attachthe NLB to a PrivateLink endpoint service and whitelist the accountsthat will be consuming this service.Create an interface endpoint in the consumer VPC and associate asecurity group that allows only the security group IDs of the servicesauthorized to call the producer service. On the producer services,create security groups for each microservice and allow only the CIDRrange the allowed services.Create VPC Flow Logs on each VPC to capture rejected traffic that willbe delivered to an Amazon CloudWatch Logs group. Create a CloudWatchLogs subscription that streams the log data to a security account.
Answer:D
Analyze:
C is not correct as a VPN solution between VPC's would require traffic traversing the internet secure yes but it will traverse the internet. D would be the correct answer providing "only the CIDR range the allowed services" meant only the CIDR range of the producer services as only the ELB would be sending traffic to those services not the consumers directly.
A.HTTP 403 won't be denied requests as the request will never get to ECS VPC peering will maintain the original IP (therefore no CIDR overlap is allowed) B.Log in multiple account is not best practice. Moreover, if only one of two services in a VPC should access a particular micro service, this won't work as the SG allow the whole VPC VPN will keep the original IP, unless NAT is used before traffic going into the tunnel C.All traffic go to the same VPN appliance which means cannot actually block service access. ACLs allow local VPC only, than the transit VPC will not work.D.This will not work as PrivateLink will create a service endpoint with the local VPC's private IP, which means you will not have the source IP, and the security group in the producer cannot range the allowed services.https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-privatelink.html However, when a service is rejected on the consumer VPC, a log should have the source IP for the VPC endpoint. However, the allowed IP on the producer side is tricky. I think it means the allowed service within the same VPC. Anyway, I think this is the only solution that make sense, even though there is a lot of vague description in it
问题Q11. A company runs a dynamic mission-critical web application that has an SLA of 99.99%. Global application users access the application 24/7. The application is currently hosted on premises and routinely fails to meet its SLA, especially when millions of users access the application concurrently. Remote users complain of latency. How should this application be redesigned to be scalable and allow for automatic failover at the lowest cost?
A. Use Amazon Route 53 failover routing with geolocation-based routing.Host the website on automatically scaled Amazon EC2 instances behind anApplication Load Balancer with an additional Application Load Balancerand EC2 instances for the application layer in each region. Use aMulti-AZ deployment with MySQL as the data layer.
B. Use Amazon Route 53 round robin routing to distribute the load evenlyto several regions with health checks. Host the website on automaticallyscaled Amazon ECS with AWS Fargate technology containers behind aNetwork Load Balancer, with an additional Network Load Balancer andFargate containers for the application layer in each region. Use AmazonAurora replicas for the data layer.
C. Use Amazon Route 53 latency-based routing to route to the nearestregion with health checks. Host the website in Amazon S3 in each regionand use Amazon API Gateway with AWS Lambda for the application layer.Use Amazon DynamoDB global tables as the data layer with Amazon DynamoDBAccelerator (DAX) for caching.
D. Use Amazon Route 53 geolocation-based routing. Host the website onautomatically scaled AWS argate containers behind a Network LoadBalancer with an additional Network Load Balancer and Fargate containersfor the application layer in each region. Use Amazon Aurora Multi-Masterfor Aurora MySQL as the data layer.
Answer:C
Analyze:
A.This will be more expensive than C B.Route 53 round robin routing is not a thing NLB do not support sticky session and web application most likely will need one C.Using managed service is the best practice. S3, Lambda and DynamoDB is so much cheaper than EC2 and RDS D.Sticky session not supported in NLB, and Multi Master cannot cross region
问题Q12. A company manages more than 200 separate internet-facing web applications. All of the applications are deployed to AWS in a single AWS Region The fully qualified domain names (FQDNs) of all of the applications are made available through HTTPS using Application Load Balancers (ALBs). The ALBs are configured to use public SSL/TLS certificates. A Solutions Architect needs to migrate the web applications to a multi-region architecture. All HTTPS services should continue to work without interruption. Which approach meets these requirements?
A. Request a certificate for each FQDN using AWS KMS. Associate thecertificates with the ALBs in the primary AWS Region. Enablecross-region availability in AWS KMS for the certificates and associatethe certificates with the ALBs in the secondary AWS Region.
B. Generate the key pairs and certificate requests for each FQDN usingAWS KMS. Associate the certificates with the ALBs in both the primaryand secondary AWS Regions.
C. Request a certificate for each FQDN using AWS Certificate Manager.Associate the certificates with the ALBs in both the primary andsecondary AWS Regions.
D. Request certificates for each FQDN in both the primary and secondaryAWS Regions using AWS Certificate Manager. Associate the certificateswith the corresponding ALBs in each AWS Region.
Answer:D
Analyze:
A.KMS is not for certificate B.KMS is not for certificate C.Certificates for ELB cannot be cross region https://aws.amazon.com/certificate-manager/faqs/
问题Q13. An e-commerce company is revamping its IT infrastructure and is planning to use AWS services. The company's CIO has asked a Solutions Architect to design a simple, highly available, and loosely coupled order processing application. The application is responsible for receiving and processing orders before storing them in an Amazon DynamoDB table. The application has a sporadic traffic pattern and should be able to scale during marketing campaigns to process the orders with minimal delays. Which of the following is the MOST reliable approach to meet the requirements?
A. Receive the orders in an Amazon EC2-hosted database and use EC2instances to process them.
B. Receive the orders in an Amazon SQS queue and trigger an AWS Lambdafunction to process them.
C. Receive the orders using the AWS Step Functions program and triggeran Amazon ECS container to process them.
D. Receive the orders in Amazon Kinesis Data Streams and use Amazon EC2instances to process them.
Answer:B
Analyze:
A.Really bad...B.Lambda function is more reliable and scalableC.This is not what step function is forD.Need to config auto scale, and kinesis do not have item level ack
问题Q14. A company has an application written using an in-house software framework. The framework installation takes 30 minutes and is performed with a user data script. Company Developers deploy changes to the application frequently. The framework installation is becoming a bottleneck in this process. Which of the following would speed up this process?
A. Create a pipeline to build a custom AMI with the framework installedand use this AMI as a baseline for application deployments.
B. Employ a user data script to install the framework but compress theinstallation files to make them smaller.
C. Create a pipeline to parallelize the installation tasks and call thispipeline from a user data script.
D. Configure an AWS OpsWorks cookbook that installs the frameworkinstead of employing user data.Use this cookbook as a base for all deployments.
Answer:A
Analyze:
B.Installation cannot be parallelized... C.Installation cannot be parallelized... D.Cookbook is a collection of receipts, I think it should be receipt here. However, this still need to run the installation and won't shorter the time
问题Q15. A company wants to ensure that the workloads for each of its business units have complete autonomy and a minimal blast radius in AWS. The Security team must be able to control access to the resources and services in the account to ensure that particular services are not used by the business units. How can a Solutions Architect achieve the isolation requirements?
A. Create individual accounts for each business unit and add the accountto an OU in AWS Organizations.Modify the OU to ensure that the particular services are blocked.Federate each account with an IdP, and create separate roles for thebusiness units and the Security team.
B. Create individual accounts for each business unit. Federate eachaccount with an IdP and create separate roles and policies for businessunits and the Security team.
C. Create one shared account for the entire company. Create separateVPCs for each business unit.Create individual IAM policies and resource tags for each business unit.Federate each account with an IdP, and create separate roles for thebusiness units and the Security team.
D. Create one shared account for the entire company. Create individualIAM policies and resource tags for each business unit. Federate theaccount with an IdP, and create separate roles for the business unitsand the Security team.
Answer:A
Analyze:
A.Best practice with minimal blast radius and autonomy B.
问题Q16. A company is migrating a subset of its application APIs from Amazon EC2 instances to run on a serverless infrastructure. The company has set up Amazon API Gateway, AWS Lambda, and Amazon DynamoDB for the new application. The primary responsibility of the Lambda function is to obtain data from a third-party Software as a Service (SaaS) provider. For consistency, the Lambda function is attached to the same virtual private cloud (VPC) as the original EC2 instances. Test users report an inability to use this newly moved functionality, and the company is receiving 5xx errors from API Gateway. Monitoring reports from the SaaS provider shows that the requests never made it to its systems. The company notices that Amazon CloudWatch Logs are being generated by the Lambda functions. When the same functionality is tested against the EC2 systems, it works as expected What is causing the issue?
A. Lambda is in a subnet that does not have a NAT gateway attached to itto connect to the SaaS provider.
B. The end-user application is misconfigured to continue using theendpoint backed by EC2 instances.
C. The throttle limit set on API Gateway is too low and the requests arenot making their way through.
D. API Gateway does not have the necessary permissions to invoke Lambda.
Answer:A
Analyze:
B.There is Lambda logs C.If this is the case, some of the request will work D.There is lambda logs
问题Q17. A Solutions Architect is working with a company that is extremely sensitive to its IT costs and wishes to implement controls that will result in a predictable AWS spend each month. Which combination of steps can help the company control and monitor its monthly AWS usage to achieve a cost that is as close as possible to the target amount? (Choose three.)
A. Implement an IAM policy that requires users to specify a 'workload'tag for cost allocation when launching Amazon EC2 instances.
B. Contact AWS Support and ask that they apply limits to the account sothat users are not able to launch more than a certain number of instancetypes.
C. Purchase all upfront Reserved Instances that cover 100% of theaccount's expected Amazon EC2 usage.
D. Place conditions in the users' IAM policies that limit the number ofinstances they are able to launch.
E. Define 'workload' as a cost allocation tag in the AWS Billing andCost Management console.
F. Set up AWS Budgets to alert and notify when a given workload isexpected to exceed a defined cost.
Answer:AEF
Analyze:
A.aws:RequestTag/tag-key B.Bad practice C.Not going to work as this may ends up cost more D.IAM do not support this https://forums.aws.amazon.com/thread.jspa?threadID=174503 E. F.
问题Q18. A large global company wants to migrate a stateless mission-critical application to AWS. The application is based on IBM WebSphere (application and integration middleware), IBM MQ (messaging middleware), and IBM DB2 (database software) on a z/OS operating system. How should the Solutions Architect migrate the application to AWS?
A. Re-host WebSphere-based applications on Amazon EC2 behind a loadbalancer with Auto Scaling. Re- platform the IBM MQ to an AmazonEC2-based MQ. Re-platform the z/OS-based DB2 to Amazon RDS DB2.
B. Re-host WebSphere-based applications on Amazon EC2 behind a loadbalancer with Auto Scaling.Re- platform the IBM MQ to an Amazon MQ.Re-platform z/OS-based DB2 to Amazon EC2-based DB2.
C. Orchestrate and deploy the application by using AWS ElasticBeanstalk. Re-platform the IBM MQ to Amazon SQS. Re-platform z/OS-basedDB2 to Amazon RDS DB2.
D. Use the AWS Server Migration Service to migrate the IBM WebSphere andIBM DB2 to an Amazon EC2-based solution. Re-platform the IBM MQ to anAmazon MQ.
Answer:B
Analyze:
A.RDS does not support DB2 B. C.RDS does not support DB2 D.Server MIgration Service works with VM and nothing about VM is mentioned, SMS only support Linux and windows https://docs.aws.amazon.com/server-migration-service/latest/userguide/prereqs.html#os_prereqs
问题Q19. A media storage application uploads user photos to Amazon S3 for processing. End users are reporting that some uploaded photos are not being processed properly. The Application Developers trace the logs and find that AWS Lambda is experiencing execution issues when thousands of users are on the system simultaneously. Issues are caused by: * Limits around concurrent executions. * The performance of Amazon DynamoDB when saving data. Which actions can be taken to increase the performance and reliability of the application? (Choose two.)
A. Evaluate and adjust the read capacity units (RCUs) for the DynamoDBtables.
B. Evaluate and adjust the write capacity units (WCUs) for the DynamoDBtables.
C. Add an Amazon ElastiCache layer to increase the performance of Lambdafunctions
D. Configure a dead letter queue that will reprocess failed or timed-outLambda functions.
E. Use S3 Transfer Acceleration to provide lower-latency access to endusers.
Answer:BD
Analyze:
问题Q20. A company operates a group of imaging satellites. The satellites stream data to one of the company's ground stations where processing creates about 5 GB of images per minute. This data is added to network- attached storage, where 2 PB of data are already stored. The company runs a website that allows its customers to access and purchase the images over the Internet. This website is also running in the ground station. Usage analysis shows that customers are most likely to access images that have been captured in the last 24 hours. The company would like to migrate the image storage and distribution system to AWS to reduce costs and increase the number of customers that can be served. Which AWS architecture and migration strategy will meet these requirements?
A. Use multiple AWS Snowball appliances to migrate the existing imageryto Amazon S3.Create a 1-Gb AWS Direct Connect connection from the ground station toAWS, and upload new data to Amazon S3 through the Direct Connectconnection. Migrate the data distribution website to Amazon EC2instances. By using Amazon S3 as an origin, have this website serve thedata through Amazon CloudFront by creating signed URLs.
B. Create a 1-Gb Direct Connect connection from the ground station toAWS. Use the AWS Command Line Interface to copy the existing data andupload new data to Amazon S3 over the Direct Connect connection. Migratethe data distribution website to EC2 instances. By using Amazon S3 as anorigin, have this website serve the data through CloudFront by creatingsigned URLs.
C. Use multiple Snowball appliances to migrate the existing images toAmazon S3. Upload new data by regularly using Snowball appliances toupload data from the network-attached storage. Migrate the datadistribution website to EC2 instances. By using Amazon S3 as an origin,have this website serve the data through CloudFront by creating signedURLs.
D. Use multiple Snowball appliances to migrate the existing images to anAmazon EFS file system. Create a 1-Gb Direct Connect connection from theground station to AWS, and upload new data by mounting the EFS filesystem over the Direct Connect connection.Migrate the data distribution website to EC2 instances. By usingwebservers in EC2 that mount the EFS file system as the origin, havethis website serve the data through CloudFront by creating signed URLs.
Answer:A
Analyze:
A. B.1GB for 2PB will be too slow C.Snowball cannot ensure data is available for last 24 hour D.EFS is expensive in this case
问题Q21. A company ingests and processes streaming market data. The data rate is constant. A nightly process that calculates aggregate statistics is run, and each execution takes about 4 hours to complete. The statistical analysis is not mission critical to the business, and previous data points are picked up on the next execution if a particular run fails. The current architecture uses a pool of Amazon EC2 Reserved Instances with 1-year reservations running full time to ingest and store the streaming data in attached Amazon EBS volumes. On- Demand EC2 instances are launched each night to perform the nightly processing, accessing the stored data from NFS shares on the ingestion servers, and terminating the nightly processing servers when complete. The Reserved Instance reservations are expiring, and the company needs to determine whether to purchase new reservations or implement a new design. Which is the most cost-effective design?
A. Update the ingestion process to use Amazon Kinesis Data Firehose tosave data to Amazon S3. Use a fleet of On-Demand EC2 instances thatlaunches each night to perform the batch processing of the S3 data andterminates when the processing completes.
B. Update the ingestion process to use Amazon Kinesis Data Firehouse tosave data to Amazon S3. Use AWS Batch to perform nightly processing witha Spot market bid of 50% of the On-Demand price.
C. Update the ingestion process to use a fleet of EC2 Reserved Instancesbehind a Network Load Balancer with 3-year leases. Use Batch with Spotinstances with a maximum bid of 50% of the On- Demand price for thenightly processing.
D. Update the ingestion process to use Amazon Kinesis Data Firehose tosave data to Amazon Redshift.Use an AWS Lambda function scheduled to run nightly with AmazonCloudWatch Events to query Amazon Redshift to generate the dailystatistics.
Answer:B
Analyze:
A.More expensive than B B.As it is not mission critical and can pick up from previous data point, Spot instance makes sense C.If we still use EBS, each instance will have its own EBS and data is hard to aggregate. EC2 is expensive as well D.Lambda has process limit of 15 mins
问题Q22. A three-tier web application runs on Amazon EC2 instances. Cron daemons are used to trigger scripts that collect the web server, application, and database logs and send them to a centralized location every hour. Occasionally, scaling events or unplanned outages have caused the instances to stop before the latest logs were collected, and the log files were lost. Which of the following options is the MOST reliable way of collecting and preserving the log files?
A. Update the cron to run every 5 minutes instead of every hour toreduce the possibility of log messages being lost in an outage.
B. Use Amazon CloudWatch Events to trigger Amazon Systems Manager RunCommand to invoke the log collection scripts more frequently to reducethe possibility of log messages being lost in an outage.
C. Use the Amazon CloudWatch Logs agent to stream log messages directlyto CloudWatch Logs.Configure the agent with a batch count of 1 to reduce the possibility oflog messages being lost in an outage.
D. Use Amazon CloudWatch Events to trigger AWS Lambda to SSH into eachrunning instance and invoke the log collection scripts more frequentlyto reduce the possibility of log messages being lost in an outage.
Answer:C
Analyze:
Almost no delay. Most reliable
问题Q23. A company stores sales transaction data in Amazon DynamoDB tables. To detect anomalous behaviors and respond quickly, all changes to the items stored in the DynamoDB tables must be logged within 30 minutes. Which solution meets the requirements?
A. Copy the DynamoDB tables into Apache Hive tables on Amazon EMR everyhour and analyze them for anomalous behaviors. Send Amazon SNSnotifications when anomalous behaviors are detected.
B. Use AWS CloudTrail to capture all the APIs that change the DynamoDBtables. Send SNS notifications when anomalous behaviors are detectedusing CloudTrail event filtering.
C. Use Amazon DynamoDB Streams to capture and send updates to AWSLambda. Create a Lambda function to output records to Amazon KinesisData Streams. Analyze any anomalies with Amazon Kinesis Data Analytics.Send SNS notifications when anomalous behaviors are detected.
D. Use event patterns in Amazon CloudWatch Events to capture DynamoDBAPI call events with an AWS Lambda function as a target to analyzebehavior. Send SNS notifications when anomalous behaviors are detected.
Answer:C
Analyze:
B.We want to track item changes, not table changes C.Best practice D.DynamoDB is not supported by cloudwatch events, you will need cloudtrail
问题Q24. A company is running multiple applications on Amazon EC2. Each application is deployed and managed by multiple business units. All applications are deployed on a single AWS account but on different virtual private clouds (VPCs). The company uses a separate VPC in the same account for test and development purposes. Production applications suffered multiple outages when users accidentally terminated and modified resources that belonged to another business unit. A Solutions Architect has been asked to improve the availability of the company applications while allowing the Developers access to the resources they need. Which option meets the requirements with the LEAST disruption?
A. Create an AWS account for each business unit. Move each businessunit's instances to its own account and set up a federation to allowusers to access their business unit's account.
B. Set up a federation to allow users to use their corporatecredentials, and lock the users down to their own VPC. Use a network ACLto block each VPC from accessing other VPCs.
C. Implement a tagging policy based on business units. Create an IAMpolicy so that each user can terminate instances belonging to their ownbusiness units only.
D. Set up role-based access for each user and provide limitedpermissions based on individual roles and the services for which eachuser is responsible.
Answer:C
Analyze:
Principal ?Control what the person making the request (the principal) is allowed to do based on the tags that are attached to that person's IAM user or role. To do this, use the aws:PrincipalTag/key-name condition key to specify what tags must be attached to the IAM user or role before the request is allowed. https:// docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.htmlA: This would be too disruptive and Organizations should be used instead.B: Question did not say if prod\dev\test are in separate VPC or not. It could be separated using business units instead. Hence this is not feasible.D: This is too much effort and disruption.tagging policy means you can indicate the environment which allows you to terminate or start. For example, The current environment tag of the instance is Development which will be assigned to the Developer group only. When you tried to terminate the Production instance which is tagged as the Production environment, the Developer team will get access denied to terminate.Arguably, the original answer was D, as explained below, changed to C after many studies:There is no disruption to users by setting up roles and policies. Using least privileges is obviously something that was not setup and really needs to be.C is not correct as it does not cover the scenario. The issue was that people were terminating AND modifying resources of other people.A.Move instance across account lead to interruptionB.Will stop inter service communicationC.Develop and test instances won't be catered for
问题Q25. An enterprise runs 103 line-of-business applications on virtual machines in an onpremises data center. Many of the applications are simple PHP, Java, or Ruby web applications, are no longer actively developed, and serve little traffic. Which approach should be used to migrate these applications to AWS with the LOWEST infrastructure costs?
A. Deploy the applications to single-instance AWS Elastic Beanstalkenvironments without a load balancer.
B. Use AWS SMS to create AMIs for each virtual machine and run them inAmazon EC2.
C. Convert each application to a Docker image and deploy to a smallAmazon ECS cluster behind an Application Load Balancer.
D. Use VM Import/Export to create AMIs for each virtual machine and runthem in single-instance AWS Elastic Beanstalk environments byconfiguring a custom image.
Answer:C
Analyze:
A.103 EC2 still needed B.103 EC2 C.We could run all ECS container in one small EC2 and use ALB to route, which can be really cheap D.103 EC2
问题Q26. A Solutions Architect must create a cost-effective backup solution for a company's 500MB source code repository of proprietary and sensitive applications. The repository runs on Linux and backs up daily to tape. Tape backups are stored for 1 year. The current solutions are not meeting the company's needs because it is a manual process that is prone to error, expensive to maintain, and does not meet the need for a Recovery Point Objective (RPO) of 1 hour or Recovery Time Objective (RTO) of 2 hours. The new disaster recovery requirement is for backups to be stored offsite and to be able to restore a single file if needed. Which solution meets the customer's needs for RTO, RPO, and disaster recovery with the LEAST effort and expense?
A. Replace local tapes with an AWS Storage Gateway virtual tape libraryto integrate with current backup software. Run backups nightly and storethe virtual tapes on Amazon S3 standard storage in US-EAST-1. Usecross-region replication to create a second copy in US-WEST-2. UseAmazon S3 lifecycle policies to perform automatic migration to AmazonGlacier and deletion of expired backups after 1 year?
B. Configure the local source code repository to synchronize files to anAWS Storage Gateway file Amazon gateway to store backup copies in anAmazon S3 Standard bucket.Enable versioning on the Amazon S3 bucket. Create Amazon S3 lifecyclepolicies to automatically migrate old versions of objects to Amazon S3Standard 0 Infrequent Access, then Amazon Glacier, then delete backupsafter 1 year.
C. Replace the local source code repository storage with a StorageGateway stored volume.Change the default snapshot frequency to 1 hour. Use Amazon S3 lifecyclepolicies to archive snapshots to Amazon Glacier and remove old snapshotsafter 1 year. Use cross-region replication to create a copy of thesnapshots in US-WEST-2.
D. Replace the local source code repository storage with a StorageGateway cached volume.Create a snapshot schedule to take hourly snapshots. Use an AmazonCloudWatch Events schedule expression rule to run on hourly AWS Lambdatask to copy snapshots from US-EAST -1 to US-WEST- 2.
Answer:B
Analyze:
A.Cannot meet RPO of 1 hour C.Volume gateway store a snapshot, which doesn't allow restore of single file https://aws.amazon.com/ storagegateway/faqs
问题Q27. A company CFO recently analyzed the company's AWS monthly bill and identified an opportunity to reduce the cost for AWS Elastic Beanstalk environments in use. The CFO has asked a Solutions Architect to design a highly available solution that will spin up an Elastic Beanstalk environment in the morning and terminate it at the end of the day. The solution should be designed with minimal operational overhead and to minimize costs. It should also be able to handle the increased use of Elastic Beanstalk environments among different teams, and must provide a one-stop scheduler solution for all teams to keep the operational costs low. What design will meet these requirements?
A. Set up a Linux EC2 Micro instance. Configure an IAM role to allow thestart and stop of the Elastic Beanstalk environment and attach it to theinstance. Create scripts on the instance to start and stop the ElasticBeanstalk environment. Configure cron jobs on the instance to executethe scripts.
B. Develop AWS Lambda functions to start and stop the Elastic Beanstalkenvironment.Configure a Lambda execution role granting Elastic Beanstalk environmentstart/stop permissions, and assign the role to the Lambda functions.Configure cron expression Amazon CloudWatch Events rules to trigger theLambda functions.
C. Develop an AWS Step Functions state machine with "wait" as its typeto control the start and stop time.Use the activity task to start and stop the Elastic Beanstalkenvironment.Create a role for Step Functions to allow it to start and stop theElastic Beanstalk environment. Invoke Step Functions daily.
D. Configure a time-based Auto Scaling group. In the morning, have theAuto Scaling group scale up an Amazon EC2 instance and put the ElasticBeanstalk environment start command in the EC2 instance user date. Atthe end of the day, scale down the instance number to 0 to terminate theEC2 instance.
Answer:B
Analyze:
A.Need to have an EC2 running all the time B.Recommended solution https://aws.amazon.com/premiumsupport/knowledge-center/start-stop-lambda-cloudwatch/ C.Step function is not used for this, and the role with step function will not help the worker task. D.EC2 need to run during datetime..and not really good solution
问题Q28. A company plans to move regulated and security-sensitive businesses to AWS. The Security team is developing a framework to validate the adoption of AWS best practice and industryrecognized compliance standards. The AWS Management Console is the preferred method for teams to provision resources. Which strategies should a Solutions Architect use to meet the business requirements and continuously assess, audit, and monitor the configurations of AWS resources? (Choose two.)
A. Use AWS Config rules to periodically audit changes to AWS resourcesand monitor the compliance of the configuration. Develop AWS Configcustom rules using AWS Lambda to establish a testdriven developmentapproach, and further automate the evaluation of configuration changesagainst the required controls.
B. Use Amazon CloudWatch Logs agent to collect all the AWS SDK logs.Search the log data using a pre- defined set of filter patterns thatmachines mutating API calls. Send notifications using Amazon CloudWatchalarms when unintended changes are performed. Archive log data by usinga batch export to Amazon S3 and then Amazon Glacier for a long-termretention and auditability.
C. Use AWS CloudTrail events to assess management activities of all AWSaccounts. Ensure that CloudTrail is enabled in all accounts andavailable AWS services. Enable trails, encrypt CloudTrail event logfiles with an AWS KMS key, and monitor recorded activities withCloudWatch Logs.
D. Use the Amazon CloudWatch Events near-real-time capabilities tomonitor system events patterns, and trigger AWS Lambda functions toautomatically revert non-authorized changes in AWS resources. Also,target Amazon SNS topics to enable notifications and improve theresponse time of incident responses.
E. Use CloudTrail integration with Amazon SNS to automatically notifyunauthorized API activities. Ensure that CloudTrail is enabled in allaccounts and available AWS services.Evaluate the usage of Lambda functions to automatically revertnon-authorized changes in AWS resources.
Answer:AC
Analyze:
A. B.Management Console do not go through SDK C. D.Need cloudtrail to log resource change to cloudwatch E.Cloudtrail to SNS has no filtering so you will need to send all the logs. https://docs.aws.amazon.com/ awscloudtrail/latest/userguide/configure-sns-notifications-for- cloudtrail.html#configure-cloudtrail-to-send- notifications
问题Q29. A company is running a high-user-volume media-sharing application on premises. It currently hosts about 400 TB of data with millions of video files. The company is migrating this application to AWS to improve reliability and reduce costs. The Solutions Architecture team plans to store the videos in an Amazon S3 bucket and use Amazon CloudFront to distribute videos to users. The company needs to migrate this application to AWS 10 days with the least amount of downtime possible. The company currently has 1 Gbps connectivity to the Internet with 30 percent free capacity. Which of the following solutions would enable the company to migrate the workload to AWS and meet all of the requirements?
A. Use a multi-part upload in Amazon S3 client to parallel-upload thedata to the Amazon S3 bucket over the Internet. Use the throttlingfeature to ensure that the Amazon S3 client does not use more than 30percent of available Internet capacity.
B. Request an AWS Snowmobile with 1 PB capacity to be delivered to thedata center. Load the data into Snowmobile and send it back to have AWSdownload that data to the Amazon S3 bucket. Sync the new data that wasgenerated while migration was in flight.
C. Use an Amazon S3 client to transfer data from the data center to theAmazon S3 bucket over the Internet. Use the throttling feature to ensurethe Amazon S3 client does not use more than 30 percent of availableInternet capacity.
D. Request multiple AWS Snowball devices to be delivered to the datacenter. Load the data concurrently into these devices and send it back.Have AWS download that data to the Amazon S3 bucket. Sync the new datathat was generated while migration was in flight.
Answer:D
Analyze:
A.Takes 123 day.... Parralel still have the internet connection as bottleneck B.Snowmobile is recommended for more than 10PB C.Takes 123 days...
问题Q30. A company has developed a new billing application that will be released in two weeks. Developers are testing the application running on 10 EC2 instances managed by an Auto Scaling group in subnet31.0.0/24 within VPC A with CIDR block 172.31.0.0/16. The Developers noticed connection timeout errors in the application logs while connecting to an Oracle database running on an Amazon EC2 instance in the same region within VPC B with CIDR block 172.50.0.0/16. The IP of the database instance is hard- coded in the application instances. Which recommendations should a Solutions Architect present to the Developers to solve the problem in a secure way with minimal maintenance and overhead?
A. Disable the SrcDestCheck attribute for all instances running theapplication and Oracle Database.Change the default route of VPC A to point ENI of the Oracle Databasethat has an IP address assigned within the range of 172.50.0.0/26
B. Create and attach internet gateways for both VPCs. Configure defaultroutes to the Internet gateways for both VPCs. Assign an Elastic IP foreach Amazon EC2 instance in VPC A
C. Create a VPC peering connection between the two VPCs and add a routeto the routing table of VPC A that points to the IP address range of50.0.0/16
D. Create an additional Amazon EC2 instance for each VPC as a customergateway; create one virtual private gateway (VGW) for each VPC,configure an end-to-end VPC, and advertise the routes for 172.50.0.0/16
Answer:C
Analyze:
A.This is for NAT? And it is not going to help as the destination is the database and the source will be the EC2s B.Database connection should not go through internet D.Transit VPC is too much a trouble!
问题Q31. A Solutions Architect has been asked to look at a company's Amazon Redshift cluster, which has quickly become an integral part of its technology and supports key business process. The Solutions Architect is to increase the reliability and availability of the cluster and provide options to ensure that if an issue arises, the cluster can either operate or be restored within four hours. Which of the following solution options BEST addresses the business need in the most costeffective manner?
A. Ensure that the Amazon Redshift cluster has been set up to make useof Auto Scaling groups with the nodes in the cluster spread acrossmultiple Availability Zones.
B. Ensure that the Amazon Redshift cluster creation has been templateusing AWS CloudFormation so it can easily be launched in anotherAvailability Zone and data populated from the automated Redshiftback-ups stored in Amazon S3.
C. Use Amazon Kinesis Data Firehose to collect the data ahead ofingestion into Amazon Redshift and create clusters using AWSCloudFormation in another region and stream the data to both clusters.
D. Create two identical Amazon Redshift clusters in different regions(one as the primary, one as the secondary). Use Amazon S3 cross-regionreplication from the primary to secondary). Use Amazon S3 cross-regionreplication from the primary to secondary region, which triggers an AWSLambda function to populate the cluster in the secondary region.
Answer:B
Analyze:
A.Redshift cluster is single AZ... https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#az-considerations B.Best practice C.We have 4 hour RPO so we don't need a redundant cluster D.Not making sense, and lambda probably time out....
问题Q32. A company prefers to limit running Amazon EC2 instances to those that were launched from AMIs pre- approved by the Information Security department. The Development team has an agile continuous integration and deployment process that cannot be stalled by the solution. Which method enforces the required controls with the LEAST impact on the development process? (Choose two.)
A. Use IAM policies to restrict the ability of users or other automatedentities to launch EC2 instances based on a specific set of pre-approvedAMIs, such as those tagged in a specific way by Information Security.
B. Use regular scans within Amazon Inspector with a custom assessmenttemplate to determine if the EC2 instance that the Amazon InspectorAgent is running on is based upon a pre-approved AMI. If it is not, shutdown the instance and inform information Security by email that thisoccurred.
C. Only allow launching of EC2 instances using a centralized DevOpsteam, which is given work packages via notifications from an internalticketing system. Users make requests for resources using this ticketingtool, which has manual information security approval steps to ensurethat EC2 instances are only launched from approved AMIs.
D. Use AWS Config rules to spot any launches of EC2 instances based onnon-approved AMIs, trigger an AWS Lambda function to automaticallyterminate the instance, and publish a message to an Amazon SNS topic toinform Information Security that this occurred.
E. Use a scheduled AWS Lambda function to scan through the list ofrunning instances within the virtual private cloud (VPC) and determineif any of these are based on unapproved AMIs.Publish a message to an SNS topic to inform Information Security thatthis occurred and then shut down the instance.
Answer:AD
Analyze:
B.AWS inspector is used to find security vulnerability, not used to find AMI C.Not agile... E.Scheduled lambda is not a thing, you need cloudwatch event to trigger Lambda
问题Q33. A Company has a security event whereby an Amazon S3 bucket with sensitive information was made public. Company policy is to never have public S3 objects, and the Compliance team must be informed immediately when any public objects are identified. How can the presence of a public S3 object be detected, set to trigger alarm notifications, and automatically remediated in the future? (Choose two.)
A. Turn on object-level logging for Amazon S3. Turn on Amazon S3 eventnotifications to notify by using an Amazon SNS topic when a PutObjectAPI call is made with a public-read permission.
B. Configure an Amazon CloudWatch Events rule that invokes an AWS Lambdafunction to secure the S3 bucket.
C. Use the S3 bucket permissions for AWS Trusted Advisor and configure aCloudWatch event to notify by using Amazon SNS.
D. Turn on object-level logging for Amazon S3. Configure a CloudWatchevent to notify by using an SNS topic when a PutObject API call withpublic-read permission is detected in the AWS CloudTrail logs.
E. Schedule a recursive Lambda function to regularly change all objectpermissions inside the S3 bucket.
Answer:BD
Analyze:
Triggering the remediation Lambda function with CloudWatch Event is more efficient. A.S3 event may be lost in some cases, and could take up to minutes to arrive https:// docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html S3 event message does not contain information regarding permission https://docs.aws.amazon.com/AmazonS3/latest/dev/notification-content- structure.html C.We could take advice from trust advisor, but use a policy for trust advisor not going to help...
问题Q34. A company is using an Amazon CloudFront distribution to distribute both static and dynamic content from a web application running behind an Application Load Balancer. The web application requires user authorization and session tracking for dynamic content. The CloudFront distribution has a single cache behavior configured to forward the Authorization, Host, and User-Agent HTTP whitelist headers and a session cookie to the origin. All other cache behavior settings are set to their default value. A valid ACM certificate is applied to the CloudFront distribution with a matching CNAME in the distribution settings. The ACM certificate is also applied to the HTTPS listener for the Application Load Balancer. The CloudFront origin protocol policy is set to HTTPS only. Analysis of the cache statistics report shows that the miss rate for this distribution is very high. What can the Solutions Architect do to improve the cache hit rate for this distribution without causing the SSL/TLS handshake between CloudFront and the Application Load Balancer to fail?
A. Create two cache behaviors for static and dynamic content. Remove theUser-Agent and Host HTTP headers from the whitelist headers section onboth if the cache behaviors.Remove the session cookie from the whitelist cookies section and theAuthorization HTTP header from the whitelist headers section for cachebehavior configured for static content.
B. Remove the User-Agent and Authorization HTTPS headers from thewhitelist headers section of the cache behavior. Then update the cachebehavior to use presigned cookies for authorization.
C. Remove the Host HTTP header from the whitelist headers section andremove the session cookie from the whitelist cookies section for thedefault cache behavior. Enable automatic object compression and useLambda@Edge viewer request events for user authorization.
D. Create two cache behaviors for static and dynamic content. Remove theUser-Agent HTTP header from the whitelist headers section on both of thecache behaviors. Remove the session cookie from the whitelist cookiessection and the Authorization HTTP header from the whitelist headerssection for cache behavior configured for static content.
Answer:D
Analyze:
A.Host header need to pass in as CloudFront and the origin are using the same certificate, which means the certificate's list of domain may not match the Origin Domain Name, and then hHost header is required https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html B.Static content perform better without session cookie C.HOST header is needed
问题Q35. An organization has a write-intensive mobile application that uses Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. The application has scaled well, however, costs have increased exponentially because of higher than anticipated Lambda costs. The application's use is unpredictable, but there has been a steady 20% increase in utilization every month. While monitoring the current Lambda functions, the Solutions Architect notices that the executiontime averages 4.5 minutes. Most of the wait time is the result of a high-latency network call to a 3-TB MySQL database server that is on-premises. A VPN is used to connect to the VPC, so the Lambda functions have been configured with a five-minute timeout. How can the Solutions Architect reduce the cost of the current architecture?
A. Replace the VPN with AWS Direct Connect to reduce the network latencyto the on-premises MySQL database.Enable local caching in the mobile application to reduce the Lambdafunction invocation calls.Monitor the Lambda function performance;gradually adjust the timeout and memory properties to lower values whilemaintaining an acceptable execution time.Offload the frequently accessedrecords from DynamoDB to Amazon ElastiCache.
B. Replace the VPN with AWS Direct Connect to reduce the network latencyto the on-premises MySQL database.Cache the API Gateway results to Amazon CloudFront. Use Amazon EC2Reserved Instances instead of Lambda.Enable Auto Scaling on EC2, and useSpot Instances during peak times.Enable DynamoDB Auto Scaling to managetarget utilization.
C. Migrate the MySQL database server into a Multi-AZ Amazon RDS forMySQL.Enable caching of the Amazon API Gateway results in Amazon CloudFront toreduce the number of Lambda function invocations.Monitor the Lambdafunction performance; gradually adjust the timeout and memory propertiesto lower values while maintaining an acceptable execution time.EnableDynamoDB Accelerator for frequently accessed records, and enable theDynamoDB Auto Scaling feature.
D. Migrate the MySQL database server into a Multi-AZ Amazon RDS forMySQL.Enable API caching on API Gateway to reduce the number of Lambdafunction invocations.Continue to monitor the AWS Lambda functionperformance; gradually adjust the timeout and memory properties to lowervalues while maintaining an acceptable execution time.Enable AutoScaling in DynamoDB.
Answer:D
Analyze:
A.This will not help if the latency is from the on premise network (i.e. the on prem network itself is supper slow) B.EC2 is more expensive, Direct Connect is not cheap as well C.As the application is scaled well, we may not need DAX and cloudfront which cost more money. Moreover, if you use DAX, all request will go to DAX cluster first. You cannot just enable DAX for some records.
问题Q36. A company runs a video processing platform. Files are uploaded by users who connect to a web server, which stores them on an Amazon EFS share. This web server is running on a single Amazon EC2 instance. A different group of instances, running in an Auto Scaling group, scans the EFS share directory structure for new files to process and generates new videos (thumbnails, different resolution, compression, etc.) according to the instructions file, which is uploaded along with the video files. A different application running on a group of instances managed by an Auto Scaling group processes the video files and then deletes them from the EFS share. The results are stored in an S3 bucket. Links to the processed video files are emailed to the customer. The company has recently discovered that as they add more instances to the Auto Scaling Group, many files are processed twice, so image processing speed is not improved. The maximum size of these video files is 2GB. What should the Solutions Architect do to improve reliability and reduce the redundant processing of video files?
A. Modify the web application to upload the video files directly toAmazon S3. Use Amazon CloudWatch Events to trigger an AWS Lambdafunction every time a file is uploaded, and have this Lambda functionput a message into an Amazon SQS queue. Modify the video processingapplication to read from SQS queue for new files and use the queue depthmetric to scale instances in the video processing Auto Scaling group.
B. Set up a cron job on the web server instance to synchronize thecontents of the EFS share into Amazon S3. Trigger an AWS Lambda functionevery time a file is uploaded to process the video file and store theresults in Amazon S3. Using Amazon CloudWatch Events trigger an AmazonSES job to send an email to the customer containing the link to theprocessed file.
C. Rewrite the web application to run directly from Amazon S3 and useAmazon API Gateway to upload the video files to an S3 bucket. Use an S3trigger to run an AWS Lambda function each time a file is uploaded toprocess and store new video files in a different bucket. UsingCloudWatch Events, trigger an SES job to send an email to the customercontaining the link to the processed file.
D. Rewrite the application to run from Amazon S3 and upload the videofiles to an S3 bucket.Each time a new file is uploaded, trigger an AWS Lambda function to puta message in an SQS queue containing the link and the instructions.Modify the video processing application to read from the SQS queue andthe S3 bucket. Use the queue depth metric to adjust the size of the AutoScaling group for video processing instances.
Answer:D
Analyze:
A.Cloudwatch events do not support s3 https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html B.Cloudwatch events do not support s3 Lambda has concurrent limit C.Lambda has 1000 concurrent execution. If every upload tried to trigger lambda to process video, this will not work D.A queue is necessary as lambda execution has concurrent limit. Video processing can also take a long time as the maximum size is 2GB. Lambda has execution limit of 900s and 1000 concurrent execution. 2GB memory is also a lot for lambda. For option A, cloudwatch events is not supported for S3, you will need cloudtrail https:// docs.aws.amazon.com/AmazonCloudWatch/latest/events/EventTypes.html
问题Q37. A Solutions Architect must establish a patching plan for a large mixed fleet of Windows and Linux servers. The patching plan must be implemented securely, be audit ready, and comply with the company's business requirements. Which option will meet these requirements with MINIMAL effort?
A. Install and use an OS-native patching service to manage the updatefrequency and release approval for all instances. Use AWS Config toverify the OS state on each instance and report on any patch complianceissues.
B. Use AWS Systems Manager on all instances to manage patching. Testpatches outside of production and then deploy during a maintenancewindow with the appropriate approval.
C. Use AWS OpsWorks for Chef Automate to run a set of scripts that williterate through all instances of a given type. Issue the appropriate OScommand to get and install updates on each instance, including anyrequired restarts during the maintenance window.
D. Migrate all applications to AWS OpsWorks and use OpsWorks automaticpatching support to keep the OS up-to-date following the initialinstallation. Use AWS Config to provide audit and compliance reporting.
Answer:B
Analyze:
A.AWS Config cannot monitor OS state C.For OpsWorks the suggested way is to replace the old instance and during the setup security updates will be applied https://docs.aws.amazon.com/opsworks/latest/userguide/workingsecurity-updates.html D.OpsWork automatic patching only update the instance on setup https://docs.aws.amazon.com/opsworks/latest/ userguide/workingsecurity-updates.html
问题Q38. A Solutions Architect must design a highly available, stateless, REST service. The service will require multiple persistent storage layers for service object meta information and the delivery of content. Each request needs to be authenticated and securely processed. There is a requirement to keep costs as low as possible? How can these requirements be met?
A. Use AWS Fargate to host a container that runs a self-contained RESTservice. Set up an Amazon ECS service that is fronted by an ApplicationLoad Balancer (ALB). Use a custom authenticator to control access to theAPI. Store request meta information in Amazon DynamoDB with Auto Scalingand static content in a secured S3 bucket. Make secure signed requestsfor Amazon S3 objects and proxy the data through the REST serviceinterface.
B. Use AWS Fargate to host a container that runs a self-contained RESTservice. Set up an ECS service that is fronted by a cross-zone ALB. Usean Amazon Cognito user pool to control access to the API.Store request meta information in DynamoDB with Auto Scaling and staticcontent in a secured S3 bucket. Generate presigned URLs when returningreferences to content stored in Amazon S3.
C. Set up Amazon API Gateway and create the required API resources andmethods. Use an Amazon Cognito user pool to control access to the API.Configure the methods to use AWS Lambda proxy integrations, and processeach resource with a unique AWS Lambda function.Store request meta information in DynamoDB with Auto Scaling and staticcontent in a secured S3 bucket. Generate presigned URLs when returningreferences to content stored in Amazon S3.
D. Set up Amazon API Gateway and create the required API resources andmethods. Use an Amazon API Gateway custom authorizer to control accessto the API. Configure the methods to use AWS Lambda custom integrations,and process each resource with a unique Lambda function. Store requestmeta information in an Amazon ElastiCache Multi-AZ cluster and staticcontent in a secured S3 bucket.Generate presigned URLs when returning references to content stored inAmazon S3.
Answer:C
Analyze:
A.One container is not HA, and custom authenticator is not a thing in ECS (it is in API Gateway). Alb support cognito or other IDP to authorise though, but this is vague in the answer. Also, you don't need to proxy the S3 content when using signed request. B.One container is not HA, and Fargate container will not log API call logs like API gateway. ALB has access log though. This solution is overall much more expensive than C D.ElastiCache is not persistent storage layer. Lambda custom integration is hard to use to process each request with a unique function, as you will need to define mappings for different endpoint using VTL.
问题Q39. A large company experienced a drastic increase in its monthly AWS spend. This is after Developers accidentally launched Amazon EC2 instances in unexpected regions. The company has established practices around least privileges for Developers and controls access to on-premises resources using Active Directory groups. The company now want to control costs by restricting the level of access that Developers have to the AWS Management Console without impacting their productivity. The company would also like to allow Developers to launch Amazon EC2 in only one region, without limiting access to other services in any region. How can this company achieve these new security requirements while minimizing the administrative burden on the Operations team?
A. Set up SAML-based authentication tied to an IAM role that has anAdministrativeAccess managed policy attached to it. Attach a customermanaged policy that denies access to Amazon EC2 in each region exceptfor the one required.
B. Create an IAM user for each Developer and add them to the developerIAM group that has the PowerUserAccess managed policy attached to it.Attach a customer managed policy that allows the Developers access toAmazon EC2 only in the required region.
C. Set up SAML-based authentication tied to an IAM role that has aPowerUserAccess managed policy and a customer managed policy that denyall the Developers access to any AWS services except AWS ServiceCatalog. Within AWS Service Catalog, create a product containing onlythe EC2 resources in the approved region.
D. Set up SAML-based authentication tied to an IAM role that has thePowerUserAccess managed policy attached to it. Attach a customer managedpolicy that denies access to Amazon EC2 in each region except for theone required.
Answer:D
Analyze:
A.AdministrativeAccess is not a managed policy. If we are talking about AdministratorAccess, this will give developer the power to change IAM policies and roles, which is not ideal and cannot stop them changing the deny policy to create EC2 B.IAM evaluation checks for at least allow if not deny is present. PowerUserAccess + allow in specific region will not stop access in other region https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval- basics C without limit other service C.This will limit access to other services
问题Q40. A company is finalizing the architecture for its backup solution for applications running on AWS. All of the applications run on AWS and use at least two Availability Zones in each tier. Company policy requires IT to durably store nightly backups f all its data in at least two locations: production and disaster recovery. The locations must be in different geographic regions. The company also needs the backup to be available to restore immediately at the production data center, and within 24 hours at the disaster recovery location. All backup processes must be fully automated. What is the MOST cost-effective backup solution that will meet all requirements?
A. Back up all the data to a large Amazon EBS volume attached to thebackup media server in the production region. Run automated scripts tosnapshot these volumes nightly, and copy these snapshots to the disasterrecovery region.
B. Back up all the data to Amazon S3 in the disaster recovery region.Use a lifecycle policy to move this data to Amazon Glacier in theproduction region immediately. Only the data is replicated; remove thedata from the S3 bucket in the disaster recovery region.
C. Back up all the data to Amazon Glacier in the production region. Setup cross-region replication of this data to Amazon Glacier in thedisaster recovery region. Set up a lifecycle policy to delete any dataolder than 60 days.
D. Back up all the data to Amazon S3 in the production region. Set upcross-region replication of this S3 bucket to another region and set upa lifecycle policy in the second region to immediately move this data toAmazon Glacier.
Answer:D
Analyze:
A.EBS is like 10 times more expensive than S3 B.Glacier retrieve can take up to hours (not S3 glacier though) C.Glacier retrieve can take up to hours
问题Q41. A company has an existing on-premises three-tier web application. The Linux web servers serve content from a centralized file share on a NAS server because the content is refreshed several times a day from various sources. The existing infrastructure is not optimized and the company would like to move to AWS in order to gain the ability to scale resources up and down in response to load. On-premises and AWS resources are connected using AWS Direct Connect. How can the company migrate the web infrastructure to AWS without delaying the content refresh process?
A. Create a cluster of web server Amazon EC2 instances behind a ClassicLoad Balancer on AWS. Share an Amazon EBS volume among all instances forthe content. Schedule a periodic synchronization of this volume and theNAS server.
B. Create an on-premises file gateway using AWS Storage Gateway toreplace the NAS server and replicate content to AWS. On the AWS side,mount the same Storage Gateway bucket to each web server Amazon EC2instance to serve the content.
C. Expose an Amazon EFS share to on-premises users to serve as the NASserve. Mount the same EFS share to the web server Amazon EC2 instancesto serve the content.
D. Create web server Amazon EC2 instances on AWS in an Auto Scalinggroup. Configure a nightly process where the web server instances areupdated from the NAS server.
Answer:C
Analyze:
A.EBS volume can't be shared across instances B.Storge gateway is stored in S3, and you can't mount a S3 bucket, officially. C.This is good as EFS is a type of NAS and easy to support in this case D.Up to 24 hour delay with the refresh process
问题Q42. A company has multiple AWS accounts hosting IT applications. An Amazon CloudWatch Logs agent is installed on all Amazon EC2 instances. The company wants to aggregate all security events in a centralized AWS account dedicated to log storage. Security Administrators need to perform near-real-time gathering and correlating of events across multiple AWS accounts. Which solution satisfies these requirements?
A. Create a Log Audit IAM role in each application AWS account withpermissions to view CloudWatch Logs, configure an AWS Lambda function toassume the Log Audit role, and perform an hourly export of CloudWatchLogs data to an Amazon S3 bucket in the logging AWS account.
B. Configure CloudWatch Logs streams in each application AWS account toforward events to CloudWatch Logs in the logging AWS account. In thelogging AWS account, subscribe an Amazon Kinesis Data Firehose stream toAmazon CloudWatch Events, and use the stream to persist log data inAmazon S3.
C. Create Amazon Kinesis Data Streams in the logging account, subscribethe stream to CloudWatch Logs streams in each application AWS account,configure an Amazon Kinesis Data Firehose delivery stream with the DataStreams as its source, and persist the log data in an Amazon S3 bucketinside the logging AWS account.
D. Configure CloudWatch Logs agents to publish data to an Amazon KinesisData Firehose stream in the logging AWS account, use an AWS Lambdafunction to read messages from the stream and push messages to DataFirehose, and persist the data in Amazon S3.
Answer:C
Analyze:
A.Not near-real-time B.CloudWatch event is not used to stream logs, and it cannot be used to stream logs C.https:// aws.amazon.com/blogs/architecture/central-logging-in-multi-account-environments/ D.CloudWatch agent cannot send logs directly to kinesis (maybe I am wrong) Officially firehose cannot stream to lambda function, although you could use data transformation lambda to kind of do the trick, but this is bad practice.
问题Q43. A company has a serverless application comprised of Amazon CloudFront, Amazon API Gateway, and AWS Lambda functions. The current deployment process of the application code is to create a new version number of the Lambda function and run an AWS CLI script to update. If the new function version has errors, another CLI script reverts by deploying the previous working version of the function. The company would like to decrease the time to deploy new versions of the application logic provided by the Lambda functions, and also reduce the time to detect and revert when errors are identified. How can this be accomplished?
A. Create and deploy nested AWS CloudFormation stacks with the parentstack consisting of the AWS CloudFront distribution and API Gateway, andthe child stack containing the Lambda function. For changes to Lambda,create an AWS CloudFormation change set and deploy; if errors aretriggered, revert the AWS CloudFormation change set to the previousversion.
B. Use AWS SAM and built-in AWS CodeDeploy to deploy the new Lambdaversion, gradually shift traffic to the new version, and use pre-trafficand post-traffic test functions to verify code. Rollback if AmazonCloudWatch alarms are triggered.
C. Refactor the AWS CLI scripts into a single script that deploys thenew Lambda version.When deployment is completed, the script tests execute. If errors aredetected, revert to the previous Lambda version.
D. Create and deploy an AWS CloudFormation stack that consists of a newAPI Gateway endpoint that references the new Lambda version. Change theCloudFront origin to the new API Gateway endpoint, monitor errors and ifdetected, change the AWS CloudFront origin to the previous API Gatewayendpoint.
Answer:B
Analyze:
A.Could use this for rollback trigger. But problem is API gateway also need to update to point to a different lambda version when update or rollback B.Best practice C.Need to update api gateway to point to other version D.Not automatically. Also, API gateway endpoint with the same URL may not be possible
问题Q44. A company is running a .NET three-tier web application on AWS. The team currently uses XL storage optimized instances to store serve the website's image and video files on local instance storage. The company has encountered issues with data loss from replication and instance failures. The Solutions Architect has been asked to redesign this application to improve its reliability while keeping costs low. Which solution will meet these requirements?
A. Set up a new Amazon EFS share, move all image and video files to thisshare, and then attach this new drive as a mount point to all existingservers. Create an Elastic Load Balancer with Auto Scaling generalpurpose instances. Enable Amazon CloudFront to the Elastic LoadBalancer. Enable Cost Explorer and use AWS Trusted advisor checks tocontinue monitoring the environment for future savings.
B. Implement Auto Scaling with general purpose instance types and anElastic Load Balancer.Enable an Amazon CloudFront distribution to Amazon S3 and move imagesand video files to Amazon S3. Reserve general purpose instances to meetbase performance requirements.Use Cost Explorer and AWS Trusted Advisor checks to continue monitoringthe environment for future savings.
C. Move the entire website to Amazon S3 using the S3 website hostingfeature. Remove all the web servers and have Amazon S3 communicatedirectly with the application servers in Amazon VPC.
D. Use AWS Elastic Beanstalk to deploy the .NET application. Move allimages and video files to Amazon EFS. Create an Amazon CloudFrontdistribution that points to the EFS share.Reserve the m4.4xl instances needed to meet base performancerequirements.
Answer:B
Analyze:
A.S3 is a better option to keep cost low C.S3 cannot communicate with other service... Other service can access S3. However, for this one if the application server don't have a nat, we will need VPC endpoint D.Cloudfront cannot point to EFS directly
问题Q45. A company has developed a web application that runs on Amazon EC2 instances in one AWS Region. The company has taken on new business in other countries and must deploy its application into other to meet low-latency requirements for its users. The regions can be segregated, and an application running in one region does not need to communicate with instances in other regions. How should the company's Solutions Architect automate the deployment of the application so that it can be MOST efficiently deployed into multiple regions?
A. Write a bash script that uses the AWS CLI to query the current statein one region and output a JSON representation. Pass the JSONrepresentation to the AWS CLI, specifying the --region parameter todeploy the application to other regions.
B. Write a bash script that uses the AWS CLI to query the current statein one region and output an AWS CloudFormation template. Create aCloudFormation stack from the template by using the AWS CLI, specifyingthe --region parameter to deploy the application to other regions.
C. Write a CloudFormation template describing the application'sinfrastructure in the resources section.Create a CloudFormation stack from the template by using the AWS CLI,specify multiple regions using the --regions parameter to deploy theapplication.
D. Write a CloudFormation template describing the application'sinfrastructure in the Resources section.Use a CloudFormation stack set from an administrator account to launchstack instances that deploy the application to other regions.
Answer:D
Analyze:
C.--region exists, but --regions is not a thing in aws CLI
问题Q46. A media company has a 30-TB repository of digital news videos. These videos are stored on tape in an on- premises tape library and referenced by a Media Asset Management (MAM) system. The company wants to enrich the metadata for these videos in an automated fashion and put them into a searchable catalog by using a MAM feature. The company must be able to search based on information in the video, such as objects, scenery items, or people's faces. A catalog is available that contains faces of people who have appeared in the videos that include an image of each person. The company would like to migrate these videos to AWS. The company has a high-speed AWS Direct Connect connection with AWS and would like to move the MAM solution video content directly from its current file system. How can these requirements be met by using the LEAST amount of ongoing management overhead and causing MINIMAL disruption to the existing system?
A. Set up an AWS Storage Gateway, file gateway appliance on-premises.Use the MAM solution to extract the videos from the current archive andpush them into the file gateway.Use the catalog of faces to build a collection in Amazon Rekognition.Build an AWS Lambda function that invokes the Rekognition Javascript SDKto have Rekognition pull the video from the Amazon S3 files backing thefile gateway, retrieve the required metadata, and push the metadata intothe MAM solution.
B. Set up an AWS Storage Gateway, tape gateway appliance on-premises.Use the MAM solution to extract the videos from the current archive andpush them into the tape gateway.Use the catalog of faces to build a collection in Amazon Rekognition.Build an AWS Lambda function that invokes the Rekognition Javascript SDKto have Amazon Rekognition process the video in the tape gateway,retrieve the required metadata, and push the metadata into the MAMsolution.
C. Configure a video ingestion stream by using Amazon Kinesis VideoStreams. Use the catalog of faces to build a collection in AmazonRekognition. Stream the videos from the MAM solution into Kinesis VideoStreams. Configure Amazon Rekognition to process the streamed videos.Then, use a stream consumer to retrieve the required metadata, and pushthe metadata into the MAM solution. Configure the stream to store thevideos in Amazon S3.
D. Set up an Amazon EC2 instance that runs the OpenCV libraries. Copythe videos, images, and face catalog from the on-premises library intoan Amazon EBS volume mounted on this EC2 instance.Process the videos to retrieve the required metadata, and push themetadata into the MAM solution while also copying the video files to anAmazon S3 bucket.
Answer:A
Analyze:
B.Tape will need to be restored somewhere before it can be accessed C.I don't think you can config the video stream to save video in S3 directly (even though the video stream use S3 under the hood). You will need a consumer to so it. Also, this solution require manage a video stream, which feels a lot of overhead as we don't really need real time processing here. https://github.com/awslabs/amazon-kinesis-video- streams-producer-sdk-java/issues/22 D.EBS maximum size is 16TB
问题Q47. A company is planning the migration of several lab environments used for software testing. An assortment of custom tooling is used to manage the test runs for each lab. The labs use immutable infrastructure for the software test runs, and the results are stored in a highly available SQL database cluster. Although completely rewriting the custom tooling is out of scope for the migration project, the company would like to optimize workloads during the migration. Which application migration strategy meets this requirement?
A. Re-host
B. Re-platform
C. Re-factor/re-architect
D. Retire
Answer:B
Analyze:
问题Q48. A company is implementing a multi-account strategy; however, the Management team has expressed concerns that services like DNS may become overly complex. The company needs a solution that allows private DNS to be shared among virtual private clouds (VPCs) in different accounts. The company will have approximately 50 accounts in total. What solution would create the LEAST complex DNS architecture and ensure that each VPC can resolve all AWS resources?
A. Create a shared services VPC in a central account, and create a VPCpeering connection from the shared services VPC to each of the VPCs inthe other accounts. Within Amazon Route 53, create a privately hostedzone in the shared services VPC and resource record sets for the domainand subdomains. Programmatically associate other VPCs with the hostedzone.
B. Create a VPC peering connection among the VPCs in all accounts. Setthe VPC attributes enableDnsHostnames and enableDnsSupport to "true"for each VPC. Create an Amazon Route 53 private zone for each VPC.Create resource record sets for the domain and subdomains.Programmatically associate the hosted zones in each VPC with the otherVPCs.
C. Create a shared services VPC in a central account. Create a VPCpeering connection from the VPCs in other accounts to the sharedservices VPC. Create an Amazon Route 53 privately hosted zone in theshared services VPC with resource record sets for the domain andsubdomains. Allow UDP and TCP port 53 over the VPC peering connections.
D. Set the VPC attributes enableDnsHostnames and enableDnsSupport to"false" in every VPC. Create an AWS Direct Connect connection with aprivate virtual interface. Allow UDP and TCP port 53 over the virtualinterface. Use the on-premises DNS servers to resolve the IP addressesin each VPC on AWS.
Answer:A
Analyze:
A.One thing need to keep in mind: The association need to be done programmatically as the private hosted zone is not in the same account as the VPC we try to associate to. https://docs.aws.amazon.com/Route53/ latest/DeveloperGuide/hosted-zone-private-associate-vpcs- different-accounts.html https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs.html B.enableDnsHostnames: Used to determine if resource within VPC with public IP get a public hostname enableDnsSupport: Used to determine if AWS DNS is supported in the VPC https://docs.aws.amazon.com/ vpc/latest/userguide/vpc-dns.html This will actually work, but really not necessary as you will have 50 hosted zone to manage and 50*49 VPC peering need to config...However, as each VPC will have different Route 53 zone, this is not sharing a DNS C.You don't really need to allow port 53 as VPC peering doesn't block anything, this is NACL's job. However, the Route 53 Hosted Zone need to be associated to VPCs to work D.This can be ruled out immediately as direct connection is used for On-Prem to aws connect
问题Q49. A company has asked a Solutions Architect to design a secure content management solution that can be accessed by API calls by external customer applications. The company requires that a customer administrator must be able to submit an API call and roll back changes to existing files sent to the content management solution, as needed. What is the MOST secure deployment design that meets all solution requirements?
A. Use Amazon S3 for object storage with versioning and bucket accesslogging enabled, and an IAM role and access policy for each customerapplication. Encrypt objects using SSE-KMS.Develop the content management application to use a separate AWS KMS keyfor each customer.
B. Use Amazon WorkDocs for object storage. Leverage WorkDocs encryption,user access management, and version control. Use AWS CloudTrail to logall SDK actions and create reports of hourly access by using the AmazonCloudWatch dashboard. Enable a revert function in the SDK based on astatic Amazon S3 webpage that shows the output of the CloudWatchdashboard.
C. Use Amazon EFS for object storage, using encryption at rest for theAmazon EFS volume and a customer managed key stored in AWS KMS. Use IAMroles and Amazon EFS access policies to specify separate encryption keysfor each customer application. Deploy the content management applicationto store all new versions as new files in Amazon EFS and use a controlAPI to revert a specific file to a previous version.
D. Use Amazon S3 for object storage with versioning and enable S3 bucketaccess logging. Use an IAM role and access policy for each customerapplication. Encrypt objects using client-side encryption, anddistribute an encryption key to all customers when accessing the contentmanagement application.
Answer:A
Analyze:
A.This will work. With HTTPS we could even do encryption in transit. You can specify key on your S3 request header. https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html B.WorkDocs is really not designed for this... C.You could specify encryption key for EFS, but this should be done with KMS policies. EFS access policies is used to control things like management access, not file access https://docs.aws.amazon.com/efs/latest/ ug/efs-api-permissions-ref.html D.Deliver keys to client is not very secure.
问题Q50. A company has released a new version of a website to target an audience in Asia and South America. The website's media assets are hosted on Amazon S3 and have an Amazon CloudFront distribution to improve end-user performance. However, users are having a poor login experience the authentication service is only available in the us-east-1 AWS Region. How can the Solutions Architect improve the login experience and maintain high security and performance with minimal management overhead?
A. Replicate the setup in each new geography and use Amazon Route S3geo-based routing to route traffic to the AWS Region closest to theusers.
B. Use an Amazon Route S3 weighted routing policy to route traffic tothe CloudFront distribution. Use CloudFront cached HTTP methods toimprove the user login experience.
C. Use Amazon Lambda@Edge attached to the CloudFront viewer requesttrigger to authenticate and authorize users by maintaining a securecookie token with a session expiry to improve the user experience inmultiple geographies.
D. Replicate the setup in each geography and use Network Load Balancersto route traffic to the authentication service running in the closestregion to users.
Answer:C
Analyze:
A.Too much overhead... B.Login cannot be cached C.https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-generating-http- responses-in-requests.html D.Overhead!! And network load balancer cannot do this.
问题Q51. A company has a standard three-tier architecture using two Availability Zones. During the company's off season, users report that the website is not working. The Solutions Architect finds that no changes have been made to the environment recently, the website is reachable, and it is possible to log in. However, when the Solutions Architect selects the "find a store near you" function, the maps provided on the site by a third- party RESTful API call do not work about 50% of the time after refreshing the page. The outbound API calls are made through Amazon EC2 NAT instances. What is the MOST likely reason for this failure and how can it be mitigated in the future?
A. The network ACL for one subnet is blocking outbound web traffic. Openthe network ACL and prevent administration from making future changesthrough IAM.
B. The fault is in the third-party environment. Contact the third partythat provides the maps and request a fix that will provide betteruptime.
C. One NAT instance has become overloaded. Replace both EC2 NATinstances with a larger-sized instance and make sure to account forgrowth when making the new instance size.
D. One of the NAT instances failed. Recommend replacing the EC2 NATinstances with a NAT gateway.
Answer:D
Analyze:
A.Cannot be this as 50% of the call succeed C.Could work but not really a good solution for scalability
问题Q52. A company is migrating to the cloud. It wants to evaluate the configurations of virtual machines in its existing data center environment to ensure that it can size new Amazon EC2 instances accurately. The company wants to collect metrics, such as CPU, memory, and disk utilization, and it needs an inventory of what processes are running on each instance. The company would also like to monitor network connections to map communications between servers. Which would enable the collection of this data MOST cost effectively?
A. Use AWS Application Discovery Service and deploy the data collectionagent to each virtual machine in the data center.
B. Configure the Amazon CloudWatch agent on all servers within the localenvironment and publish metrics to Amazon CloudWatch Logs.
C. Use AWS Application Discovery Service and enable agentless discoveryin the existing virtualization environment.
D. Enable AWS Application Discovery Service in the AWS ManagementConsole and configure the corporate firewall to allow scans over a VPN.
Answer:A
Analyze:
B.CloudWatch agent is used to send log item and do not monitor network traffic C.Agentless discovery cannot get process information https://aws.amazon.com/application-discovery/faqs/\
问题Q53. A company will several AWS accounts is using AWS Organizations and service control policies (SCPs). An Administrator created the following SCP and has attached it to an organizational unit (OU) that contains AWS account 1111-1111-1111:
{ "Version": "2012-10-27" "Statement": [ { "Side": "AllowsAllActions", "Effect": "Allow", "Action": "*", "Resource": "*" }, { "Side": "DenyCloudTrail", "Effect": "Deny", "Action": "CloudTrail:*", "Resource": "*" } ] } Developers working in account 1111-1111-1111 complain that they cannot create Amazon S3 buckets. How should the Administrator address this problem?
A. Add s3:CreateBucket with "Allow" effect to the SCP.
B. Remove the account from the OU, and attach the SCP directly toaccount 1111-1111-1111.
C. Instruct the Developers to add Amazon S3 permissions to their IAMentities.
D. Remove the SCP from account 1111-1111-1111.
Answer:C
Analyze:
A.Explicit deny will overwrite any allow https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html B.Will still stop the action C.IAM cannot overwrite SCP, both of them need to allow the action, but the policy did not deny create s3 bucket permission D.Will work, probably not the best choice There should be a SCP written somewhere, but B,D doesn't look correct at all. https:// docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
问题Q54. A company that provides wireless services needs a solution to store and analyze log files about user activities. Currently, log files are delivered daily to Amazon Linux on Amazon EC2 instance. A batch script is run once a day to aggregate data used for analysis by a third-party tool. The data pushed to the thirdparty tool is used to generate a visualization for end users. The batch script is cumbersome to maintain, and it takes several hours to deliver the ever-increasing data volumes to the third-party tool. The company wants to lower costs, and is open to considering a new tool that minimizes development effort and lowers administrative overhead. The company wants to build a more agile solution that can store and perform the analysis in near-real time, with minimal overhead. The solution needs to be cost effective and scalable to meet the company's end-user base growth. Which solution meets the company's requirements?
A. Develop a Python script to failure the data from Amazon EC2 in realtime and store the data in Amazon S3. Use a copy command to copy datafrom Amazon S3 to Amazon Redshift.Connect a business intelligence tool running on Amazon EC2 to AmazonRedshift and create the visualizations.
B. Use an Amazon Kinesis agent running on an EC2 instance in an AutoScaling group to collect and send the data to an Amazon Kinesis DataForehose delivery stream. The Kinesis Data Firehose delivery stream willdeliver the data directly to Amazon ES. Use Kibana to visualize thedata.
C. Use an in-memory caching application running on an AmazonEBS-optimized EC2 instance to capture the log data in near real-time.Install an Amazon ES cluster on the same EC2 instance to store the logfiles as they are delivered to Amazon EC2 in near real-time.Install a Kibana plugin to create the visualizations.
D. Use an Amazon Kinesis agent running on an EC2 instance to collect andsend the data to an Amazon Kinesis Data Firehose delivery stream. TheKinesis Data Firehose delivery stream will deliver the data to AmazonS3. Use an AWS Lambda function to deliver the data from Amazon S3 toAmazon ES. Use Kibana to visualize the data.
Answer:B
Analyze:
A.Python script will be become the hard part to maintain C.Too many EC2s, very expensive D.Firehose can deliver to ES direcly https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-aws-integrations.html
问题Q55. A company wants to move a web application to AWS. The application stores session information locally on each web server, which will make auto scaling difficult. As part of the migration, the application will be rewritten to decouple the session data from the web servers. The company requires low latency, scalability, and availability. Which service will meet the requirements for storing the session information in the MOST costeffective way?
A. Amazon ElastiCache with the Memcached engine
B. Amazon S3
C. Amazon RDS MySQL
D. Amazon ElastiCache with the Redis engine
Answer:D
Analyze:
Memcached is not really HA (no replication) https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html
问题Q56. A company has an Amazon EC2 deployment that has the following architecture: * An application tier that contains 8 m4.xlarge instances * A Classic Load Balancer * Amazon S3 as a persistent data store After one of the EC2 instances fails, users report very slow processing of their requests. A Solutions Architect must recommend design changes to maximize system reliability. The solution must minimize costs. What should the Solution Architect recommend?
A. Migrate the existing EC2 instances to a serverless deployment usingAWS Lambda functions
B. Change the Classic Load Balancer to an Application Load Balancer
C. Replace the application tier with m4.large instances in an AutoScaling group
D. Replace the application tier with 4 m4.2xlarge instances
Answer:C
Analyze:
问题Q57. An on-premises application will be migrated to the cloud. The application consists of a single Elasticsearch virtual machine with data source feeds from local systems that will not be migrated, and a Java web application on Apache Tomcat running on three virtual machines. The Elasticsearch server currently uses 1 TB of storage out of 16 TB available storage, and the web application is updated every 4 months. Multiple users access the web application from the Internet. There is a 10Gbit AWS Direct Connect connection established, and the application can be migrated over a schedules 48-hour change window. Which strategy will have the LEAST impact on the Operations staff after the migration?
A. Create an Elasticsearch server on Amazon EC2 right-sized with 2 TB ofAmazon EBS and a public AWS Elastic Beanstalk environment for the webapplication. Pause the data sources, export the Elasticsearch index fromon premises, and import into the EC2 Elasticsearch server.Move data source feeds to the new Elasticsearch server and move users tothe web application.
B. Create an Amazon ES cluster for Elasticsearch and a public AWSElastic Beanstalk environment for the web application. Use AWS DMS toreplicate Elasticsearch data. When replication has finished, move datasource feeds to the new Amazon ES cluster endpoint and move users to thenew web application.
C. Use the AWS SMS to replicate the virtual machines into AWS. When themigration is complete, pause the data source feeds and start themigrated Elasticsearch and web application instances. Place the webapplication instances behind a public Elastic Load Balancer. Move thedata source feeds to the new Elasticsearch server and move users to thenew web Application Load Balancer.
D. Create an Amazon ES cluster for Elasticsearch and a public AWSElastic Beanstalk environment for the web application. Pause the datasource feeds, export the Elasticsearch index from on premises, andimport into the Amazon ES cluster. Move the data source feeds to the newAmazon ES cluster endpoint and move users to the new web application.
Answer:D
Analyze:
B.ES cannot be the source of DMS https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.html D.By import and export, I think it means snapshot and restore, otherwise there is no export or import of an index in ElasticSearch. If this is the case, this is the best answer, otherwise C will be the only viable solution....
问题Q58. A company's application is increasingly popular and experiencing latency because of high volume reads on the database server. The service has the following properties: * A highly available REST API hosted in one region using Application Load Balancer (ALB) with auto scaling. * A MySQL database hosted on an Amazon EC2 instance in a single Availability Zone. * The company wants to reduce latency, increase in-region database read performance, and have multi- region disaster recovery capabilities that can perform a live recovery automatically without any data or performance loss (HA/DR). Which deployment strategy will meet these requirements?
A. Use AWS CloudFormation StackSets to deploy the API layer in tworegions. Migrate the database to an Amazon Aurora with MySQL databasecluster with multiple read replicas in one region and a read replica ina different region than the source database cluster. Use Amazon Route 53health checks to trigger a DNS failover to the standby region if thehealth checks to the primary load balancer fail. In the event of Route53 failover, promote the cross-region database replica to be the masterand build out new read replicas in the standby region.
B. Use Amazon ElastiCache for Redis Multi-AZ with an automatic failoverto cache the database read queries. Use AWS OpsWorks to deploy the APIlayer, cache layer, and existing database layer in two regions. In theevent of failure, use Amazon Route 53 health checks on the database totrigger a DNS failover to the standby region if the health checks in theprimary region fail. Back up the MySQL database frequently, and in theevent of a failure in an active region, copy the backup to the standbyregion and restore the standby database.
C. Use AWS CloudFormation StackSets to deploy the API layer in tworegions. Add the database to an Auto Scaling group. Add a read replicato the database in the second region.Use Amazon Route 53 health checks in the primary region fail. Promotethe cross-region database replica to be the master and build out newread replicas in the standby region.
D. Use Amazon ElastiCache for Redis Multi-AZ with an automatic failoverto cache the database read queries. Use AWS OpsWorks to deploy the APIlayer, cache layer, and existing database layer in two regions. UseAmazon Route 53 health checks on the ALB to trigger a DNS failover tothe standby region if the health checks in the primary region fail. Backup the MySQL database frequently, and in the event of a failure in anactive region, copy the backup to the standby region and restore thestandby database.
Answer:A
Analyze:
A.Aurora cluster is multi AZ by default, this is the best option B.Cannot live failover DB C.Share data volume across EC2 will be painful D.Same as B
问题Q59. A company runs a three-tier application in AWS. Users report that the application performance can vary greatly depending on the time of day and functionality being accessed. The application includes the following components: * Eight t2.large front-end web servers that serve static content and proxy dynamic content from the application tier. * Four t2.large application servers. * One db.m4.large Amazon RDS MySQL Multi-AZ DB instance. Operations has determined that the web and application tiers are network constrained. Which of the following should cost effective improve application performance? (Choose two.)
A. Replace web and app tiers with t2.xlarge instances
B. Use AWS Auto Scaling and m4.large instances for the web andapplication tiers
C. Convert the MySQL RDS instance to a self-managed MySQL cluster onAmazon EC2
D. Create an Amazon CloudFront distribution to cache content
E. Increase the size of the Amazon RDS instance to db.m4.xlarge
Answer:BD
Analyze:
As the constraint is network, t2.xlarge has the same network performance as m4.large, but more expensive https://aws.amazon.com/ec2/pricing/on-demand/ https://aws.amazon.com/ec2/instance-types/
问题Q60. An online retailer needs to regularly process large product catalogs, which are handled in batches. These are sent out to be processed by people using the Amazon Mechanical Turk service, but the retailer has asked its Solutions Architect to design a workflow orchestration system that allows it to handle multiple concurrent Mechanical Turk operations, deal with the result assessment process, and reprocess failures. Which of the following options gives the retailer the ability to interrogate the state of every workflow with the LEAST amount of implementation effort?
A. Trigger Amazon CloudWatch alarms based upon message visibility inmultiple Amazon SQS queues (one queue per workflow stage) and sendmessages via Amazon SNS to trigger AWS Lambda functions to process thenext step. Use Amazon ES and Kibana to visualize Lambda processing logsto see the workflow states.
B. Hold workflow information in an Amazon RDS instance with AWS Lambdafunctions polling RDS for status changes. Worker Lambda functions thenprocess the next workflow steps. Amazon QuickSight will visualizeworkflow states directly out of Amazon RDS.
C. Build the workflow in AWS Step Functions, using it to orchestratemultiple concurrent workflows. The status of each workflow can bevisualized in the AWS Management Console, and historical data can bewritten to Amazon S3 and visualized using Amazon QuickSight.
D. Use Amazon SWF to create a workflow that handles a single batch ofcatalog records with multiple worker tasks to extract the data,transform it, and send it through Mechanical Turk.Use Amazon ES and Kibana to visualize AWS Lambda processing logs to seethe workflow states.
Answer:D
Analyze:
C.Step Function may not work really well with human intervention, and I don't think historical data can be easily pipe to S3 D.Workflow is best to be dealt with by SWF or Step Function, so A and B are excluded. As we are using Mechanical Turk HITs, manual intervention will be needed (i.e. accessed for successful result). There is also a similar use case with SWF in https://aws.amazon.com/swf/faqs/
问题Q61. An organization has two Amazon EC2 instances: * The first is running an ordering application and an inventory application. * The second is running a queuing system. During certain times of the year, several thousand orders are placed per second. Some orders were lost when the queuing system was down. Also, the organization's inventory application has the incorrect quantity of products because some orders were processed twice. What should be done to ensure that the applications can handle the increasing number of orders?
A. Put the ordering and inventory applications into their own AWS Lambdafunctions. Have the ordering application write the messages into anAmazon SQS FIFO queue.
B. Put the ordering and inventory applications into their own Amazon ECScontainers and create an Auto Scaling group for each application. Then,deploy the message queuing server in multiple Availability Zones.
C. Put the ordering and inventory applications into their own Amazon EC2instances, and create an Auto Scaling group for each application. UseAmazon SQS standard queues for the incoming orders, and implementidempotency in the inventory application.
D. Put the ordering and inventory applications into their own Amazon EC2instances. Write the incoming orders to an Amazon Kinesis data streamConfigure AWS Lambda to poll the stream and update the inventoryapplication.
Answer:C
Analyze:
A.This looks like a good solution but it actually won't work as Lambda has a concurrent limit for 1000 and we need to process thousands of orders per second. (although we could contact AWS to increase the limit, but doesn't feel like a good answer for the exam). B.Distributed queueing system will probably have duplicate messages at some point. Also, auto scale group is not a thing in ECS (it is for EC2 that backed the ECS though) D.Kinesis stream has no message level ack/fail, still will have duplicate or unprocessed items
问题Q62. A company is migrating its on-premises build artifact server to an AWS solution. The current system consists of an Apache HTTP server that serves artifacts to clients on the local network, restricted by the perimeter firewall. The artifact consumers are largely build automation scripts that download artifacts via anonymous HTTP, which the company will be unable to modify within its migration timetable. The company decides to move the solution to Amazon S3 static website hosting. The artifact consumers will be migrated to Amazon EC2 instances located within both public and private subnets in a virtual private cloud (VPC). Which solution will permit the artifact consumers to download artifacts without modifying the existing automation scripts?
A. Create a NAT gateway within a public subnet of the VPC. Add a defaultroute pointing to the NAT gateway into the route table associated withthe subnets containing consumers.Configure the bucket policy to allow the s3:ListBucket and s3:GetObjectactions using the condition IpAddress and the condition key aws:SourceIpmatching the elastic IP address if the NAT gateway.
B. Create a VPC endpoint and add it to the route table associated withsubnets containing consumers.Configure the bucket policy to allow s3:ListBucket and s3:GetObjectactions using the condition StringEquals and the condition keyaws:sourceVpce matching the identification of the VPC endpoint.
C. Create an IAM role and instance profile for Amazon EC2 and attach itto the instances that consume build artifacts. Configure the bucketpolicy to allow the s3:ListBucket ands3:GetObjects actions for the principal matching the IAM role created.
D. Create a VPC endpoint and add it to the route table associated withsubnets containing consumers.Configure the bucket policy to allow s3:ListBucket and s3:GetObjectactions using the condition IpAddress and the condition key aws:SourceIpmatching the VPC CIDR block.
Answer:B
Analyze:
A.This will go through the public internet, apparently not the best option C.Instances in private subnet cannot access the bucket D.For S3 with VPC endpoint, you cannot use sourceip with VPC CIDR block https://docs.aws.amazon.com/ vpc/latest/userguide/vpc-endpoints-s3.html
问题Q63. A group of research institutions and hospitals are in a partnership to study 2 PBs of genomic data. The institute that owns the data stores it in an Amazon S3 bucket and updates it regularly. The institute would like to give all of the organizations in the partnership read access to the data. All members of the partnership are extremely cost-conscious, and the institute that owns the account with the S3 bucket is concerned about covering the costs for requests and data transfers from Amazon S3. Which solution allows for secure datasharing without causing the institute that owns the bucket to assume all the costs for S3 requests and data transfers?
A. Ensure that all organizations in the partnership have AWS accounts.In the account with the S3 bucket, create a cross-account role for eachaccount in the partnership that allows read access to the data.Have the organizations assume and use that read role when accessing thedata.
B. Ensure that all organizations in the partnership have AWS accounts.Create a bucket policy on the bucket that owns the data. The policyshould allow the accounts in the partnership read access to the bucket.Enable Requester Pays on the bucket. Have the organizations use theirAWS credentials when accessing the data.
C. Ensure that all organizations in the partnership have AWS accounts.Configure buckets in each of the accounts with a bucket policy thatallows the institute that owns the data the ability to write to thebucket.Periodically sync the data from the institute's account to the otherorganizations. Have the organizations use their AWS credentials whenaccessing the data using their accounts.
D. Ensure that all organizations in the partnership have AWS accounts.In the account with the S3 bucket, create a cross-account role for eachaccount in the partnership that allows read access to the data.Enable Requester Pays on the bucket. Have the organizations assume anduse that read role when accessing the data.
Answer:B
Analyze:
A.The organization that owns the data will pay for everything C.This will cause double charge: write and read D.Account that owns the assumed role will be charged with Requester Pays.. https:// docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html https://amazonaws-china.com/cn/premiumsupport/knowledge-center/s3-cross-account-a ccess-denied/
问题Q64. A company currently uses a single 1 Gbps AWS Direct Connect connection to establish connectivity between an AWS Region and its data center. The company has five Amazon VPCs, all of which are connected to the data center using the same Direct Connect connection. The Network team is worried about the single point of failure and is interested in improving the redundancy of the connections to AWS while keeping costs to a minimum. Which solution would improve the redundancy of the connection to AWS while meeting the cost requirements?
A. Provision another 1 Gbps Direct Connect connection and create newVIFs to each of the VPCs.Configure the VIFs in a load balancing fashion using BGP.
B. Set up VPN tunnels from the data center to each VPC. Terminate eachVPN tunnel at the virtual private gateway (VGW) of the respective VPCand set up BGP for route management.
C. Set up a new point-to-point Multiprotocol Label Switching (MPLS)connection to the AWS Region that's being used. Configure BGP to usethis new circuit as passive, so that no traffic flows through thisunless the AWS Direct Connect fails.
D. Create a public VIF on the Direct Connect connection and set up a VPNtunnel which will terminate on the virtual private gateway (VGW) of therespective VPC using the public VIF.Use BGP to handle the failover to the VPN connection.
Answer:B
Analyze:
A.VIF is not VGW, it is associated to direct connect https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/ C.MPLS still go through direct connect https://aws.amazon.com/answers/networking/aws-network-connectivity-over-mpls/ D.You don't need a public VIF unless you need to connect to AWS public service, and you don't need public VIF for VPN connection
问题Q65. A company currently uses Amazon EBS and Amazon RDS for storage purposes. The company intends to use a pilot light approach for disaster recovery in a different AWS Region. The company has an RTO of 6 hours and an RPO of 24 hours. Which solution would achieve the requirements with MINIMAL cost?
A. Use AWS Lambda to create daily EBS and RDS snapshots, and copy themto the disaster recovery region. Use Amazon Route 53 with active-passivefailover configuration. Use Amazon EC2 in an Auto Scaling group with thecapacity set to 0 in the disaster recovery region.
B. Use AWS Lambda to create daily EBS and RDS snapshots, and copy themto the disaster recovery region. Use Amazon Route 53 with active-activefailover configuration. Use Amazon EC2 in an Auto Scaling groupconfigured in the same way as in the primary region.
C. Use Amazon ECS to handle long-running tasks to create daily EBS andRDS snapshots, and copy to the disaster recovery region. Use AmazonRoute 53 with active-passive failover configuration. Use Amazon EC2 inan Auto Scaling group with the capacity set to 0 in the disasterrecovery region
D. Use EBS and RDS cross-region snapshot copy capability to createsnapshots in the disaster recovery region. Use Amazon Route 53 withactive-active failover configuration. Use Amazon EC2 in an Auto Scalinggroup with the capacity set to 0 in the disaster recovery region.
Answer:D
Analyze:
A.Lambda should not be used for snapshot B.`EC2 configure the same way' will be Multi-Site D.Use built-in cross region copy will be the best solution, but EBS cannot take snapshot automatically, you will need AWS data lifecycle
问题Q66. A company needs to cost-effectively persist small data records (up to 1 KiB) for up to 30 days. The data is read rarely. When reading the data, a 5-minute delay is acceptable. Which of the following solutions achieve this goal? (Choose two.)
A. Use Amazon S3 to collect multiple records in one S3 object. Use alifecycle configuration to move data to Amazon Glacier immediately afterwrite. Use expedited retrievals when reading the data.
B. Write the records to Amazon Kinesis Data Firehose and configureKinesis Data Firehose to deliver the data to Amazon S3 after 5 minutes.Set an expiration action at 30 days on the S3 bucket.
C. Use an AWS Lambda function invoked via Amazon API Gateway to collectdata for 5 minutes. Write data to Amazon S3 just before the Lambdaexecution stops.
D. Write the records to Amazon DynamoDB configured with a Time To Live(TTL) of 30 days.Read data using the GetItem or BatchGetItem call.
E. Write the records to an Amazon ElastiCache for Redis. Configure theRedis append-only file (AOF) persistence logs to write to Amazon S3.Recover from the log if the ElastiCache instance has failed.
Answer:BD
Analyze:
Modify on 2021-3-30--AD->BD By ROC ZHUANG LU ROCAS390128K1k 30ABFirehose5S330 --------------------------------------------------- A.Glacier retrieval can be up to 1-5 mins, and Glacier has a minimum size charge of 40KB, but the minimum storage time charge is 90 days, even though it is still much cheaper than standard S3 https:// docs.aws.amazon.com/amazonglacier/latest/dev/downloading-an-archive-two-steps.html https:// aws.amazon.com/s3/storage-classes/ B.I think it means buffer interval for firehose here. The cost is tricky as each record round up to the nearest 5 KB for charging, as the record is all 1 KB, we could pay 5 times more in this case for firehose. https:// docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#frequency C.This is not a really robust solution as we have long running lambda, which is not what lambda intend to do. It will be quite costly. API gateway will also timeout after 30s. D.AOF write to s3 is not supported https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/RedisAOF.html
问题Q67. A Development team is deploying new APIs as serverless applications within a company. The team is currently using the AWS Management Console to provision Amazon API Gateway, AWS Lambda, and Amazon DynamoDB resources. A Solutions Architect has been tasked with automating the future deployments of these serverless APIs. How can this be accomplished?
A. Use AWS CloudFormation with a Lambda-backed custom resource toprovision API Gateway. Use the AWS::DynamoDB::Table andAWS::Lambda::Function resources to create the Amazon DynamoDB table andLambda functions. Write a script to automate the deployment of theCloudFormation template.
B. Use the AWS Serverless Application Model to define the resources.Upload a YAML template and application files to the code repository. UseAWS CodePipeline to connect to the code repository and to create anaction to build using AWS CodeBuild. Use the AWS CloudFormationdeployment provider in CodePipeline to deploy the solution.
C. Use AWS CloudFormation to define the serverless application.Implement versioning on the Lambda functions and create aliases to pointto the versions. When deploying, configure weights to implement shiftingtraffic to the newest version, and gradually update the weights astraffic moves over.
D. Commit the application code to the AWS CodeCommit code repository.Use AWS CodePipeline and connect to the CodeCommit code repository. UseAWS CodeBuild to build and deploy the Lambda functions using AWSCodeDeploy. Specify the deployment preference type in CodeDeploy togradually shift traffic over to the new version.
Answer:B
Analyze:
A.API Gateway cloudformation is supported, custom resource is not necessary B.SAM deploy is just an alias of cloudformation deploy https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command- reference-sam-deploy.html Codebuild can put artifacts in S3 for later lambda deployment. https://docs.aws.amazon.com/codebuild/ latest/APIReference/API_ProjectArtifacts.html C.We will need either codedeploy or step function to achieve traffic shift, this answer is too vague D.API Gateway and lambda resource is not deployed
问题Q68. The company Security team queries that all data uploaded into an Amazon S3 bucket must be encrypted. The encryption keys must be highly available and the company must be able to control access on a per- user basis, with different users having access to different encryption keys. Which of the following architectures will meet these requirements? (Choose two.)
A. Use Amazon S3 server-side encryption with Amazon S3-managed keys.Allow Amazon S3 to generate an AWS/S3 master key, and use IAM to controlaccess to the data keys that are generated.
B. Use Amazon S3 server-side encryption with AWS KMS-managed keys,create multiple customer master keys, and use key policies to controlaccess to them.
C. Use Amazon S3 server-side encryption with customer-managed keys, anduse AWS CloudHSM to manage the keys. Use CloudHSM client software tocontrol access to the keys that are generated.
D. Use Amazon S3 server-side encryption with customer-managed keys, anduse two AWS CloudHSM instances configured in high-availability mode tomanage the keys. Use the Cloud HSM client software to control access tothe keys that are generated.
E. Use Amazon S3 server-side encryption with customer-managed keys, anduse two AWS CloudHSM instances configured in high-availability mode tomanage the keys. Use IAM to control access to the keys that aregenerated in CloudHSM.
Answer:BC
Analyze:
---B & C---. A - S3 is managing the keys - so no B - we all agree becasue manageed by KMS with multipel keys C - CLoud HSM is a service - not to be deployed on Instance. CLient get deployed on instance D - refer to C - there is no HSM instance E - refer to C - there is no HSM instance ---"B" & "D". A: customer can not control the keys! B: AWS-KMS managed keys, allow the user to create Master keys, and control them. It is high available as it is a managed service by AWS. C: CloudHSM can be high available by including a second instance in different AZ. D: Meet the requirement of management and high availability. E: Managing the keys by CloudHSM client, not IAM user!! DCloudHSM instanceHigh Availability Mode. CloudHSMHA clustermulti-azHSM You can create a cluster that has from 1 to 28 HSMs (the default limit is 6 HSMs per AWS account per AWS Region). You can place the HSMs in different Availability Zones in an AWS Region. Adding more HSMs to a cluster provides higher performance. Spreading clusters across Availability Zones provides redundancy and high availability. When you create an AWS CloudHSM cluster with more than one HSM, you automatically get load balancing. When you create the HSMs in different AWS Availability Zones, you automatically get high availability. A.S3 generated keys cannot be managed C.One HSM is not HA E.CloudHSM cannot communicate with any aws services
问题Q69. A company runs a public-facing application that uses a Java-based web service via a RESTful API. It is hosted on Apache Tomcat on a single server in a data center that runs consistently at 30% CPU utilization. Use of the API is expected to increase by 10 times with a new product launch. The business wants to migrate the application to AWS with no disruption, and needs it to scale to meet demand. The company has already decided to use Amazon Route 53 and CNAME records to redirect traffic. How can these requirements be met with the LEAST amount of effort?
A. Use AWS Elastic Beanstalk to deploy the Java web service and enableAuto Scaling. Then switch the application to use the new web service.
B. Lift and shift the Apache server to the cloud using AWS SMS. Thenswitch the application to direct web service traffic to the newinstance.
C. Create a Docker image and migrate the image to Amazon ECS. Thenchange the application code to direct web service queries to the ECScontainer.
D. Modify the application to call the web service via Amazon APIGateway. Then create a new AWS Lambda Java function to run the Java webservice code. After testing, change API Gateway to use the Lambdafunction.
Answer:A
Analyze:
A.This is best as replatform makes sense B.Re-host may not improve much C.Will need load balancer and auto scaling.. D.A lot of work as this is re-architect
问题Q70. A company is using AWS for production and development workloads. Each business unit has its own AWS account for production, and a separate AWS account to develop and deploy its applications. The Information Security department has introduced new security policies that limit access for terminating certain Amazon ECs instances in all accounts to a small group of individuals from the Security team. How can the Solutions Architect meet these requirements?
A. Create a new IAM policy that allows access to those EC2 instancesonly for the Security team. Apply this policy to the AWS Organizationsmaster account.
B. Create a new tag-based IAM policy that allows access to these EC2instances only for the Security team. Tag the instances appropriately,and apply this policy in each account.
C. Create an organizational unit under AWS Organizations. Move all theaccounts into this organizational unit and use SCP to apply a whitelistpolicy to allow access to these EC2 instances for the Security teamonly.
D. Set up SAML federation for all accounts in AWS. Configure SAML sothat it checks for the service API call before authenticating the user.Block SAML from authenticating API calls if anyone other than theSecurity team accesses these instances.
Answer:B
Analyze:
A.IAM policy will not be applied to sub account C.SCP is not for granular access control. SCP will not actually grant permission as well https:// docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html D.This just won't work as SAML will work like token base service and do not rely on the API calls
问题Q71. A company is moving a business-critical, multi-tier application to AWS. The architecture consists of a desktop client application and server infrastructure. The server infrastructure resides in an on-premises data center that frequently fails to maintain the application uptime SLA of 99.95%. A Solutions Architect must re-architect the application to ensure that it can meet or exceed the SLA. The application contains a PostgreSQL database running on a single virtual machine. The business logic and presentation layers are load balanced between multiple virtual machines. Remote users complain about slow load times while using this latency-sensitive application. Which of the following will meet the availability requirements with little change to the application while improving user experience and minimizing costs?
A. Migrate the database to a PostgreSQL database in Amazon EC2. Host theapplication and presentation layers in automatically scaled Amazon ECScontainers behind an Application Load Balancer. Allocate an AmazonWorkSpaces WorkSpace for each end user to improve the user experience.
B. Migrate the database to an Amazon RDS Aurora PostgreSQLconfiguration. Host the application and presentation layers in an AutoScaling configuration on Amazon EC2 instances behind an Application LoadBalancer. Use Amazon AppStream 2.0 to improve the user experience.
C. Migrate the database to an Amazon RDS PostgreSQL Multi-AZconfiguration. Host the application and presentation layers inautomatically scaled AWS Fargate containers behind a Network LoadBalancer.Use Amazon ElastiCache to improve the user experience.
D. Migrate the database to an Amazon Redshift cluster with at least twonodes. Combine and host the application and presentation layers inautomatically scaled Amazon ECS containers behind an Application LoadBalancer. Use Amazon CloudFront to improve the user experience.
Answer:B
Analyze:
A.Database in EC2 may not be the best option C.Using ElastiCache will require some changes to the application D.Redshift not design for this. Even though it may work, the price is high.
问题Q72. A company has a 24 TB MySQL database in its on-premises data center that grows at the rate of 10 GB per day. The data center is connected to the company's AWS infrastructure with a 50 Mbps VPN connection. The company is migrating the application and workload to AWS. The application code is already installed and tested on Amazon EC2. The company now needs to migrate the database and wants to go live on AWS within 3 weeks. Which of the following approaches meets the schedule with LEAST downtime?
A.
- Use the VM Import/Export service to import a snapshot on theon-premises database into AWS.
- Launch a new EC2 instance from the snapshot.
- Set up ongoing database replication from on premises to the EC2database over the VPN.
- Change the DNS entry to point to the EC2 database.
- Stop the replication.
B.
- Launch an AWS DMS instance.
- Launch an Amazon RDS Aurora MySQL DB instance.
- Configure the AWS DMS instance with on-premises and Amazon RDSdatabase information.
- Start the replication task within AWS DMS over the VPN.
- Change the DNS entry to point to the Amazon RDS MySQL database.
- Stop the replication.
C.
- Create a database export locally using database-native tools.
- Import that into AWS using AWS Snowball.
- Launch an Amazon RDS Aurora DB instance.
- Load the data in the RDS Aurora DB instance from the export.
- Set up database replication from the on-premises database to theRDS Aurora DB instance over the VPN.
- Change the DNS entry to point to the RDS Aurora DB instance.
- Stop the replication.
D.
- Take the on-premises application offline.
- Create a database export locally using database-native tools.
- Import that into AWS using AWS Snowball.
- Launch an Amazon RDS Aurora DB instance.
- Load the data in the RDS Aurora DB instance from the export.
- Change the DNS entry to point to the Amazon RDS Aurora DB instance.
- Put the Amazon EC2 hosted application online.
Answer:C
Analyze:
not able to deliver in 3 weeks thru VPN, need to do replication before make the DB live in production Time taken for VPN transfer os 43 days. So we can rule that out.
问题Q73. A company is designing a new highly available web application on AWS. The application requires consistent and reliable connectivity from the application servers in AWS to a backend REST API hosted in the company's on-premises environment. The backend connection between AWS and on-premises will be routed over an AWS Direct Connect connection through a private virtual interface. Amazon Route 53 will be used to manage private DNS records for the application to resolve the IP address on the backend REST API. Which design would provide a reliable connection to the backend API?
A. Implement at least two backend endpoints for the backend REST API,and use Route 53 health checks to monitor the availability of eachbackend endpoint and perform DNS-level failover.
B. Install a second Direct Connect connection from a different networkcarrier and attach it to the same virtual private gateway as the firstDirect Connect connection.
C. Install a second cross connect for the same Direct Connect connectionfrom the same network carrier, and join both connections to the samelink aggregation group (LAG) on the same private virtual interface.
D. Create an IPSec VPN connection routed over the public internet fromthe on-premises data center to AWS and attach it to the same virtualprivate gateway as the Direct Connect connection.
Answer:B
Analyze:
B- 2 DX connection to on-prem provides more reliable connectivity between AWS and data center https://aws.amazon.com/answers/networking/aws-multiple-data-center-ha-network-connectivity/ A - The ask is, Which design would provide a "reliable connection" to the backend API? not to re-design the backend implementation for High Availability. C - 2 DX connections from the same provider create a single point of failure D - VPN over the public internet is generally less reliable than a dedicated DX connection.
问题Q74. A company has a data center that must be migrated to AWS as quickly as possible. The data center has a 500 Mbps AWS Direct Connect link and a separate, fully available 1 Gbps ISP connection. A Solutions Architect must transfer 20 TB of data from the data center to an Amazon S3 bucket. What is the FASTEST way transfer the data?
A. Upload the data to the S3 bucket using the existing DX link.
B. Send the data to AWS using the AWS Import/Export service.
C. Upload the data using an 80 TB AWS Snowball device.
D. Upload the data to the S3 bucket using S3 Transfer Acceleration
Answer:D
Analyze:
Each AWS Import/Export station is capable of loading data at over 100MB per second, but in most cases the rate of the data load will be bounded by a combination of the read or write speed of your device and, for Amazon S3 data loads, the average object size. Selecting devices with faster read or write speeds and interfaces can reduce data loading time. For more details regarding data loading performance see the AWS Import/Export Calculator. S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket, and it takes about 2 days to upload 20TB data via 1Gbps ISP connection.
问题Q75. A bank is designing an online customer service portal where customers can chat with customer service agents. The portal is required to maintain a 15-minute RPO or RTO in case of a regional disaster. Banking regulations require that all customer service chat transcripts must be preserved on durable storage for at least 7 years, chat conversations must be encrypted in-flight, and transcripts must be encrypted at rest. The Data Lost Prevention team requires that data at rest must be encrypted using a key that the team controls, rotates, and revokes. Which design meets these requirements?
A. The chat application logs each chat message into Amazon CloudWatchLogs. A scheduled AWS Lambda function invokes a CloudWatch Logs.CreateExportTask every 5 minutes to export chat transcripts to AmazonS3. The S3 bucket is configured for cross-region replication to thebackup region.Separate AWS KMS keys are specified for the CloudWatch Logs group andthe S3 bucket.
B. The chat application logs each chat message into two different AmazonCloudWatch Logs groups in two different regions, with the same AWS KMSkey applied. Both CloudWatch Logs groups are configured to export logsinto an Amazon Glacier vault with a 7-year vault lock policy with a KMSkey specified.
C. The chat application logs each chat message into Amazon CloudWatchLogs. A subscription filter on the CloudWatch Logs group feeds into anAmazon Kinesis Data Firehose which streams the chat messages into anAmazon S3 bucket in the backup region.Separate AWS KMS keys are specified for the CloudWatch Logs group andthe Kinesis Data Firehose.
D. The chat application logs each chat message into Amazon CloudWatchLogs. The CloudWatch Logs group is configured to export logs into anAmazon Glacier vault with a 7-year vault lock policy. Glaciercross-region replication mirrors chat archives to the backup region.Separate AWS KMS keys are specified for the CloudWatch Logs group andthe Amazon Glacier vault.
Answer:C
Analyze:
A.By Default, cross-region replication will not replicate SSE-KMS objects, this need to be enabled explicitly with relevant info (KMS keys access) Moreover, cloudwatch export to SSE-KMS encrypted S3 is not supported https://docs.aws.amazon.com/ AmazonCloudWatch/latest/logs/S3Export.html B.Before S3 Glacier, you couldn't export directly to glacier from cloudwatch Moreover, cloudwatch export to SSE-KMS encrypted S3 is not supported, I will apply the same to glacier And you can not use KMS CMK across region https://forums.aws.amazon.com/thread.jspa?threadID=287340 C.Kinesis Firehose can encrypt S3 at rest https://docs.aws.amazon.com/firehose/latest/dev/create- configure.html D.Before S3 Glacier, you couldn't export directly to glacier from cloudwatch Moreover, cloudwatch export to SSE-KMS encrypted S3 is not supported IF we are talking about S3 glacier, as cloudwatch only available in one region, and glacier may take hours to retrieve data, 15 mins RTO cannot be done
问题Q76. A company currently runs a secure application on Amazon EC2 that takes files from onpremises locations through AWS Direct Connect, processes them, and uploads them to a single Amazon S3 bucket. The application uses HTTPS for encryption in transit to Amazon S3, and S3 serverside encryption to encrypt at rest. Which of the following changes should the Solutions Architect recommend to make this solution more secure without impeding application's performance?
A. Add a NAT gateway. Update the security groups on the EC2 instance toallow access to and from the S3 IP range only. Configure an S3 bucketpolicy that allows communication from the NAT gateway's Elastic IPaddress only.
B. Add a VPC endpoint. Configure endpoint policies on the VPC endpointto allow access to the required Amazon S3 buckets only. Implement an S3bucket policy that allows communication from the VPC's source IP rangeonly.
C. Add a NAT gateway. Update the security groups on the EC2 instance toallow access to and from the S3 IP range only. Configure an S3 bucketpolicy that allows communication from the source public IP address ofthe on-premises network only.
D. Add a VPC endpoint. Configure endpoint policies on the VPC endpointto allow access to the required S3 buckets only. Implement an S3 bucketpolicy that allows communication from the VPC endpoint only.
Answer:D
Analyze:
A.Request go through the internet will be even less secure B.You cannot use sourceIp in s3 bucket policy for VPC endpoint https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html C.Same as A D.aws:sourceVpce
问题Q77. As a part of building large applications in the AWS Cloud, the Solutions Architect is required to implement the perimeter security protection. Applications running on AWS have the following endpoints: * Application Load Balancer * Amazon API Gateway regional endpoint * Elastic IP address-based EC2 instances. * Amazon S3 hosted websites. * Classic Load Balancer The Solutions Architect must design a solution to protect all of the listed web front ends and provide the following security capabilities: * DDoS protection * SQL injection protection * IP address whitelist/blacklist * HTTP flood protection * Bad bot scraper protection How should the Solutions Architect design the solution?
A. Deploy AWS WAF and AWS Shield Advanced on all web endpoints. Add AWSWAF rules to enforce the company's requirements.
B. Deploy Amazon CloudFront in front of all the endpoints. TheCloudFront distribution provides perimeter protection. Add AWSLambda-based automation to provide additional security.
C. Deploy Amazon CloudFront in front of all the endpoints. Deploy AWSWAF and AWS Shield Advanced.Add AWS WAF rules to enforce the company's requirements. Use AWS Lambdato automate and enhance the security posture.
D. Secure the endpoints by using network ACLs and security groups andadding rules to enforce the company's requirements. Use AWS Lambda toautomatically update the rules.
Answer:C
Analyze:
CloudFront and AWS Shield Advanced is good with DDoS while WAF will support blocking IPs, SQL injection attacks and Bad Bots.
问题Q78. A company has more than 100 AWS accounts, with one VPC per account, that need outbound HTTPS connectivity to the internet. The current design contains one NAT gateway per Availability Zone (AZ) in each VPC. To reduce costs and obtain information about outbound traffic, management has asked for a new architecture for internet access. Which solution will meet the current needs, and continue to grow as new accounts are provisioned, while reducing costs?
A. Create a transit VPC across two AZs using a third-party routingappliance. Create a VPN connection to each VPC. Default route internettraffic to the transit VPC.
B. Create multiple hosted-private AWS Direct Connect VIFs, one peraccount, each with a Direct Connect gateway. Default route internettraffic back to an on-premises router to route to the internet.
C. Create a central VPC for outbound internet traffic. Use VPC peeringto default route to a set of redundant NAT gateway in the central VPC.
D. Create a proxy fleet in a central VPC account. Create an AWSPrivateLink endpoint service in the central VPC. Use PrivateLinkinterface for internet connectivity through the proxy fleet.
Answer:D
Analyze:
A.does not provide a full solution, only showing transit VPC, and VPN but without the exiting solution to internet. Also, it is a costly solution. B.Route traffic back to on-prem for internet access is a bad practice C.You cannot route traffic to NAT gateway through a VPC peering
问题Q79. A company runs an e-commerce platform with front-end and e-commerce tiers. Both tiers run on LAMP stacks with the front-end instances running behind a load balancing appliance that has a virtual offering on AWS. Currently, the Operations team uses SSH to log in to the instances to maintain patches and address other concerns. The platform has recently been the target of multiple attacks, including * A DDoS attack. * An SQL injection attack. * Several successful dictionary attacks on SSH accounts on the web servers. The company wants to improve the security of the e-commerce platform by migrating to AWS. The company's Solutions Architects have decided to use the following approach: * Code review the existing application and fix any SQL injection issues. * Migrate the web application to AWS and leverage the latest AWS Linux AMI to address initial security patching. * Install AWS Systems Manager to manage patching and allow the system administrators to run commands on all instances, as needed. What additional steps will address all of other identical attack types while providing high availability and minimizing risk?
A. Enable SSH access to the Amazon EC2 instances using a security groupthat limits access to specific IPs. Migrate on-premises MySQL to AmazonRDS Multi-AZ. Install the third-party load balancer from the AWSMarketplace and migrate the existing rules to the load balancer's AWSinstances. Enable AWS Shield Standard for DDoS protection.
B. Disable SSH access to the Amazon EC2 instances. Migrate on-premisesMySQL to Amazon RDS Multi- AZ. Leverage an Elastic Load Balancer tospread the load and enable AWS Shield Advanced for protection. Add anAmazon CloudFront distribution in front of the website. Enable AWS WAFon the distribution to manage the rules.
C. Enable SSH access to the Amazon EC2 instances through a bastion hostsecured by limiting access to specific IP addresses. Migrate on-premisesMySQL to a self-managed EC2 instance. Leverage an AWS Elastic LoadBalancer to spread the load and enable AWS Shield Standard for DDoSprotection.Add an Amazon CloudFront distribution in front of the website.
D. Disable SSH access to the EC2 instances. Migrate on-premises MySQL toAmazon RDS Single-AZ.Leverage an AWS Elastic Load Balancer to spread the load. Add an AmazonCloudFront distribution in front of the website. Enable AWS WAF on thedistribution to manage the rules.
Answer:B
Analyze:
A.We don't need SSH anymore as system manager can run command and do patches. C.We don't need SSH anymore as system manager can run command and do patches. Also mysql with ec2 is not that good D.RDS Single-AZ is not HA
问题Q80. A company has a High Performance Computing (HPC) cluster in its on-premises data center which runs thousands of jobs in parallel for one week every month, processing petabytes of images. The images are stored on a network file server, which is replicated to a disaster recovery site. The onpremises data center has reached capacity and has started to spread the jobs out over the course of month in order to better utilize the cluster, causing a delay in the job completion. The company has asked its Solutions Architect to design a cost-effective solution on AWS to scale beyond the current capacity of 5,000 cores and 10 petabytes of data. The solution must require the least amount of management overhead and maintain the current level of durability. Which solution will meet the company's requirements?
A. Create a container in the Amazon Elastic Container Registry with theexecutable file for the job. Use Amazon ECS with Spot Fleet in AutoScaling groups. Store the raw data in Amazon EBS SC1 volumes and writethe output to Amazon S3.
B. Create an Amazon EMR cluster with a combination of On Demand andReserved Instance Task Nodes that will use Spark to pull data fromAmazon S3. Use Amazon DynamoDB to maintain a list of jobs that need tobe processed by the Amazon EMR cluster.
C. Store the raw data in Amazon S3, and use AWS Batch with ManagedCompute Environments to create Spot Fleets. Submit jobs to AWS Batch JobQueues to pull down objects from Amazon S3 onto Amazon EBS volumes fortemporary storage to be processed, and then write the results back toAmazon S3.
D. Submit the list of jobs to be processed to an Amazon SQS to queue thejobs that need to be processed.Create a diversified cluster of Amazon EC2 worker instances using SpotFleet that will automatically scale based on the queue depth. Use AmazonEFS to store all the data sharing it across all instances in thecluster.
Answer:C
Analyze:
A.It is hard to do and maintain as EBS has maximum size limit of 16TB and cannot be mounted to multiple instances B.DynamoDb is not the best places to store job item because of its nature of eventual consistency D.S3 could be the better storage option here
问题Q81. A large company has many business units. Each business unit has multiple AWS accounts for different purposes. The CIO of the company sees that each business unit has data that would be useful to share with other parts of the company in total, there are about 10 PB of data that needs to be shared with users in 1,000 AWS accounts. The data is proprietary, so some of it should only be available to users with specific job types. Some of the data is used for throughput of intensive workloads, such as simulations. The number of accounts changes frequently because of new initiatives, acquisitions, and divestitures. A Solutions Architect has been asked to design a system that will allow for sharing data for use in AWS with all of the employees in the company. Which approach will allow for secure data sharing in scalable way?
A. Store the data in a single Amazon S3 bucket. Create an IAM role forevery combination of job type and business unit that allows toappropriate read/write access based on object prefixes in the S3 bucket.The roles should have trust policies that allow the business unit's AWSaccounts to assume their roles.Use IAM in each business unit's AWS account to prevent them fromassuming roles for a different job type. Users get credentials to accessthe data by using AssumeRole from their business unit's AWS account.Users can then use those credentials with an S3 client.
B. Store the data in a single Amazon S3 bucket. Write a bucket policythat uses conditions to grant read and write access where appropriate,based on each user's business unit and job type. Determine the businessunit with the AWS account accessing the bucket and the job type with aprefix in the IAM user's name. Users can access data by using IAMcredentials from their business unit's AWS account with an S3 client.
C. Store the data in a series of Amazon S3 buckets. Create anapplication running in Amazon EC2 that is integrated with the company'sidentity provider (IdP) that authenticates users and allows them todownload or upload data through the application. The application usesthe business unit and job type information in the IdP to control whatusers can upload and download through the application. The users canaccess the data through the application's API.
D. Store the data in a series of Amazon S3 buckets. Create an AWS STStoken vending machine that is integrated with the company's identityprovider (IdP). When a user logs in, have the token vending machineattach an IAM policy that assumes the role that limits the user'saccess and/or upload only the data the user is authorized to access.Users can get credentials by authenticating to the token vendingmachine's website or API and then use those credentials with an S3client.
Answer:D
Analyze:
A.For best practice, we should use IAM Role. However, this solution will mean every time an account get added, we will need to create role for all job type in the account, and in the account we need to attach IAM policies to prevent them assume other job type roles. This could be a lot of work. B.his is not the ideal solution, but it requires minimal effort when we add or remove an account. We could use deny rule to achieve this by deny account or job type not in a list. 10PB in a single bucket seems too much and we need to update the policy every time a new company joins. C.Too much overhead. D.token vending machine is majorly used by mobile app and I don't think it is a good solution here. However, in terms of management, I think this is the best solution
问题Q82. A company wants to migrate its website from an on-premises data center onto AWS. At the same time, it wants to migrate the website to a containerized microservice-based architecture to improve the availability and cost efficiency. The company's security policy states that privileges and network permissions must be configured according to best practice, using least privilege. A Solutions Architect must create a containerized architecture that meets the security requirements and has deployed the application to an Amazon ECS cluster. What steps are required after the deployment to meet the requirements? (Choose two.)
A. Create tasks using the bridge network mode.
B. Create tasks using the awsvpc network mode.
C. Apply security groups to Amazon EC2 instances, and use IAM roles forEC2 instances to access other resources.
D. Apply security groups to the tasks, and pass IAM credentials into thecontainer at launch time to access other resources.
E. Apply security groups to the tasks, and use IAM roles for tasks toaccess other resources.
Answer:BE
Analyze:
A.As in bridge mode all containers in the same instance share the same security group of the instance, we could open ports that are not necessary. This is not good for least privilege. B.As each task gets its own ENI and security group, we could do fine grained permission here C.If we don't pick A, this is not necessary D.Pass IAM credential is bad practice E.https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
问题Q83. A company is migrating its marketing website and content management system from an onpremises data center to AWS. The company wants the AWS application to be developed in a VPC with Amazon EC2 instances used for the web servers and an Amazon RDS instance for the database. The company has a runbook document that describes the installation process of the on-premises system. The company would like to base the AWS system on the processes referenced in the runbook document. The runbook document describes the installation and configuration of the operating systems, network settings, the website, and content management system software on the servers. After the migration is complete, the company wants to be able to make changes quickly to take advantage of other AWS features. How can the application and environment be deployed and automated in AWS, while allowing for future changes?
A. Update the runbook to describe how to create the VPC, the EC2instances, and the RDS instance for the application by using the AWSConsole. Make sure that the rest of the steps in the runbook are updatedto reflect any changes that may come from the AWS migration.
B. Write a Python script that uses the AWS API to create the VPC, theEC2 instances, and the RDS instance for the application. Write shellscripts that implement the rest of the steps in the runbook. Have thePython script copy and run the shell scripts on the newly createdinstances to complete the installation.
C. Write an AWS CloudFormation template that creates the VPC, the EC2instances, and the RDS instance for the application. Ensure that therest of the steps in the runbook are updated to reflect any changes thatmay come from the AWS migration.
D. Write an AWS CloudFormation template that creates the VPC, the EC2instances, and the RDS instance for the application. Include EC2 userdata in the AWS CloudFormation template to install and configure thesoftware.
Answer:D
Analyze:
A.Not the best solution B.Cloudformation is a better choice C.We could automate the rest of the steps D.https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html
问题Q84. A company is adding a new approved external vendor that only supports IPv6 connectivity. The company's backend systems sit in the private subnet of an Amazon VPC. The company uses a NAT gateway to allow these systems to communicate with external vendors over IPv4. Company policy requires systems that communicate with external vendors use a security group that limits access to only approved external vendors. The virtual private cloud (VPC) uses the default network ACL. The Systems Operator successfully assigns IPv6 addresses to each of the backend systems. The Systems Operator also updates the outbound security group to include the IPv6 CIDR of the external vendor (destination). The systems within the VPC are able to ping one another successfully over IPv6. However, these systems are unable to communicate with the external vendor. What changes are required to enable communication with the external vendor?
A. Create an IPv6 NAT instance. Add a route for destination 0.0.0.0/0pointing to the NAT instance.
B. Enable IPv6 on the NAT gateway. Add a route for destination ::/0pointing to the NAT gateway.
C. Enable IPv6 on the internet gateway. Add a route for destination0.0.0/0 pointing to the IGW.
D. Create an egress-only internet gateway. Add a route for destination::/0 pointing to the gateway.
Answer:D
Analyze:
IPv6 is not supported by Nat gateway or Nat instance https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html https://docs.aws.amazon.com/ vpc/latest/userguide/VPC_NAT_Instance.html https://docs.aws.amazon.com/vpc/latest/userguide/egress- only-internet-gateway.html
问题Q85. A finance company is running its business-critical application on current-generation Linux EC2 instances. The application includes a self-managed MySQL database performing heavy I/O operations. The application is working fine to handle a moderate amount of traffic during the month. However, it slows down during the final three days of each month due to month-end reporting, even though the company is using Elastic Load Balancers and Auto Scaling within its infrastructure to meet the increased demand. Which of the following actions would allow the database to handle the month-end load with the LEAST impact on performance?
A. Pre-warming Elastic Load Balancers, using a bigger instance type,changing all Amazon EBS volumes to GP2 volumes.
B. Performing a one-time migration of the database cluster to AmazonRDS, and creating several additional read replicas to handle the loadduring end of month.
C. Using Amazon CloudWatch with AWS Lambda to change the type, size, orIOPS of Amazon EBS volumes in the cluster based on a specific CloudWatchmetric.
D. Replacing all existing Amazon EBS volumes with new PIOPS volumes thathave the maximum available storage size and I/O per second by takingsnapshots before the end of the month and reverting back afterwards.
Answer:B
Analyze:
A\C\D: Would not solve the problem as the bottleneck is on the DB. Amazon ELB is able to handle the vast majority of use cases for our customers without requiring "pre-warming" (configuring the load balancer to have the appropriate level of capacity based on expected traffic). In certain scenarios, such as when flash traffic is expected, or in the case where a load test cannot be configured to gradually increase traffic, we recommend that you contact us to have your load balancer "pre-warmed". We will then configure the load balancer to have the appropriate level of capacity based on the traffic that you expect. We will need to know the start and end dates of your tests or expected flash traffic, the expected request rate per second and the total size of the typical request/response that you will be testing.
A: is not appropriate as the pre-warming ELB requires to contact AWS, and that is recommended if the traffic is expecting to have sudden increase in 5 minutes duration.C: not practical.D: does not add much enhancement. Plus the question never talked about snapshots!
问题Q86. A Solutions Architect is designing the storage layer for a data warehousing application. The data files are large, but they have statically placed metadata at the beginning of each file that describes the size and placement of the file's index. The data files are read in by a fleet of Amazon EC2 instances that store the index size, index location, and other category information about the data file in a database. That database is used by Amazon EMR to group files together for deeper analysis. What would be the MOST cost- effective, high availability storage solution for this workflow?
A. Store the data files in Amazon S3 and use Range GET for each file'smetadata, then index the relevant data.
B. Store the data files in Amazon EFS mounted by the EC2 fleet and EMRnodes.
C. Store the data files on Amazon EBS volumes and allow the EC2 fleetand EMR to mount and unmount the volumes where they are needed.
D. Store the content of the data files in Amazon DynamoDB tables withthe metadata, index, and data as their own keys.
Answer:A
Analyze:
S3 object data will be a good fit here as we do not need to load the file for metadata information as we can do range get. https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
问题Q87. A company uses an Amazon EMR cluster to process data once a day. The raw data comes from Amazon S3, and the resulting processed data is also stored in Amazon S3. The processing must complete within 4 hours; currently, it only takes 3 hours. However, the processing time is taking 5 to 10 minutes. longer each week due to an increasing volume of raw data. The team is also concerned about rising costs as the compute capacity increases. The EMR cluster is currently running on three m3 xlarge instances (one master and two core nodes). Which of the following solutions will reduce costs related to the increasing compute needs?
A. Add additional task nodes, but have the team purchase an all-upfrontconvertible Reserved Instance for each additional node to offset thecosts.
B. Add additional task nodes, but use instance fleets with the masternode in on-Demand mode and a mix of On-Demand and Spot Instances for thecore and task nodes. Purchase a scheduled Reserved Instances for themaster node.
C. Add additional task nodes, but use instance fleets with the masternode in Spot mode and a mix of On- Demand and Spot Instances for thecore and task nodes. Purchase enough scheduled Reserved Instances tooffset the cost of running any On-Demand instances.
D. Add additional task nodes, but use instance fleets with the masternode in On-Demand mode and a mix of On-Demand and Spot Instances for thecore and task nodes. Purchase a standard allupfront Reserved Instancefor the master node.
Answer:B
Analyze:
A.Spot instance will be cheaper C.Master node should not be spot instance D.All upfront should be more expensive than scheduled reserved instnace
问题Q88. A company is building an AWS landing zone and has asked a Solutions Architect to design a multi-account access strategy that will allow hundreds of users to use corporate credentials to access the AWS Console. The company is running a Microsoft Active Directory and users will use an AWS Direct Connect connection to connect to AWS. The company also wants to be able to federate to third-party services and providers, including custom applications. Which solution meets the requirements by using the LEAST amount of management overhead?
A. Connect the Active Directory to AWS by using single sign-on and anActive Directory Federation Services (AD FS) with SAML 2.0, and thenconfigure the identity Provider (IdP) system to use formbasedauthentication. Build the AD FS portal page with corporate branding, andintegrate third- party applications that support SAML 2.0 as required.
B. Create a two-way Forest trust relationship between the on-premisesActive Directory and the AWS Directory Service. Set up AWS SingleSign-On with AWS Organizations. Use single sign-on integrations forconnections with third-party applications.
C. Configure single sign-on by connecting the on-premises ActiveDirectory using the AWS Directory Service AD Connector. Enablefederation to the AWS services and accounts by using the IAMapplications and services linking function. Leverage third-party singlesign-on as needed.
D. Connect the company's Active Directory to AWS by using AD FS andSAML 2.0. Configure the AD FS claim rule to leverage Regex third-partysingle sign-on as needed, and add it to the AD FS server.
Answer:B
Analyze:
A.This will work but you will need to build login page in your on-prem environment and AD FS portal page and the AD FS server C.I don't think service linking function is used in this way. We should use AWS SSO for federations so that we could leverage third-party SSO. https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service- linked-roles.html https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/ D.Will need to maintain the AD FS server
问题Q89. A Solutions Architect is designing a network solution for a company that has applications running in a data center in Northern Virginia. The applications in the company's data center require predictable performance to applications running in a virtual private cloud (VPC) located in us-east-1, and a secondary VPC in us- west-2 within the same account. The company data center is collocated in an AWS Direct Connect facility that serves the us-est-1 region. The company has already ordered an AWS Direct Connect connection and a cross-connect has been established. Which solution will meet the requirements at the LOWEST cost?
A. Provision a Direct Connect gateway and attach the virtual private(VGW) for the VPC in us-east-1 and the VGW for the VPC in us-west-2.Create a private VIF on the Direct Connect connection and associate itto the Direct Connect gateway.
B. Create private VIFs on the Direct Connect connection for each of thecompany's VPCs in the us-east-1 and us-west-2 regions. Configure thecompany's data center router to connect directly with the VPCs in thoseregions via the private VIFs.
C. Deploy a transit VPC solution using Amazon EC2-based router instancesin the us-east-1 region.Establish IPsec VPN tunnels between the transit routers and virtualprivate gateways (VGWs) located in the us-east-1 and us-west-2 regions,which are attached to the company's VPCs in those regions.Create a public VIF on the Direct Connect connection and establish IPsecVPN tunnels over the public VIF between the transit routers and thecompany's data center router.
D. Order a second Direct Connect connection to a Direct Connect facilitywith connectivity to the us-west-2 region. Work with partner toestablish a network extension link over dark fiber from the DirectConnect facility to the company's data center. Establish private VIFson the Direct Connect connections for each of the company's VPCs in therespective regions.Configure the company's data center router to connect directly with theVPCs in those regions via the private VIFs.
Answer:A
Analyze:
A.Direct Connect Gateway is global resource, which makes connect to other region fast as well https:// docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html B.A is better as less latency https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/ C.I don't we think we need public VIF here. Also, maintaining a EC2 server is overhead. D.This will work, but A is much cheaper
问题Q90. A company has a web service deployed in the following two AWS Regions: us-west-2 and us-east-1. Each AWS region runs an identical version of the web service. Amazon Route 53 is used to route customers to the AWS Region that has the lowest latency. The company wants to improve the availability of the web service in case an outage occurs in one of the two AWS Regions. A Solutions Architect has recommended that a Route 53 health check be performed. The health check must detect a specific text on an endpoint. What combination of conditions should the endpoint meet to pass the Route 53 health check? (Choose two.)
A. The endpoint must establish a TCP connection within 10 seconds.
B. The endpoint must return an HTTP 200 status code.
C. The endpoint must return an HTTP 2xx or 3xx status code.
D. The specific text string must appear within the first 5,120 bytes ofthe response.
E. The endpoint must respond to the request within the number of secondsspecified when creating the health check.
Answer:CD
Analyze:
A.The limit is 4 seconds B.2xx or 3xx is good. E.Must response within 2 seconds https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-determining-health-of- endpoints.html#dns-failover-determining-health-of-endpoints-monitor-endpoint
问题Q91. A company operating a website on AWS requires high levels of scalability, availability and performance. The company is running a Ruby on Rails application on Amazon EC2. It has a data tier on MySQL 5.6 on Amazon EC2 using 16 TB of Amazon EBS storage Amazon CloudFront is used to cache application content. The Operations team is reporting continuous and unexpected growth of EBS volumes assigned to the MySQL database. The Solutions Architect has been asked to design a highly scalable, highly available, and high-performing solution. Which solution is the MOST cost-effective at scale?
A. Implement Multi-AZ and Auto Scaling for all EC2 instances in thecurrent configuration.Ensure that all EC2 instances are purchased as reserved instances.Implement new elastic Amazon EBS volumes for the data tier.
B. Design and implement the Docker-based containerized solution for theapplication using Amazon ECS.Migrate to an Amazon Aurora MySQL Multi-AZ cluster. Implement storagechecks for Aurora MySQL storage utilization and an AWS Lambda functionto grow the Aurora MySQL storage, as necessary.Ensure that Multi-AZ architectures are implemented.
C. Ensure that EC2 instances are right-sized and behind an Elastic LoadBalancing load balancer.Implement Auto Scaling with EC2 instances. Ensure that the reservedinstances are purchased for fixed capacity and that Auto Scalinginstances run on demand. Migrate to an Amazon Aurora MySQL Multi-AZcluster. Ensure that Multi-AZ architectures are implemented.
D. Ensure that EC2 instances are right-sized and behind an Elastic LoadBalancer. Implement Auto Scaling with EC2 instances. Ensure thatReserved instances are purchased for fixed capacity and that AutoScaling instances run on demand. Migrate to an Amazon Aurora MySQLMulti-AZ cluster.Implement storage checks for Aurora MySQL storage utilization and an AWSLambda function to grow Aurora MySQL storage, as necessary. EnsureMulti-AZ architectures are implemented.
Answer:C
Analyze:
A.Database with EC2 is expensive, and EBS has maximum size of 16TB B.Aurora storage can sacale automatically https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/ Aurora.Managing.Performance.html#Aurora.Managing.Performance.StorageScaling D.Aurora storage can sacale automatically
问题Q92. The Security team needs to provide a team of interns with an AWS environment so they can build the serverless video transcoding application. The project will use Amazon S3, AWS Lambda, Amazon API Gateway, Amazon Cognito, Amazon DynamoDB, and Amazon Elastic Transcoder. The interns should be able to create and configure the necessary resources, but they may not have access to create or modify AWS IAM roles. The Solutions Architect creates a policy and attaches it to the interns' group. How should the Security team configure the environment to ensure that the interns are selfsufficient?
A. Create a policy that allows creation of project-related resourcesonly. Create roles with required service permissions, which areassumable by the services.
B. Create a policy that allows creation of all project-relatedresources, including roles that allow access only to specifiedresources.
C. Create roles with the required service permissions, which areassumable by the services.Have the interns create and use a bastion host to create the projectresources in the project subnet only.
D. Create a policy that allows creation of project-related resourcesonly. Require the interns to raise a request for roles to be createdwith the Security team. The interns will provide the requirements forthe permissions to be set in the role.
Answer:A
Analyze:
B.Intern should not have access to IAM C.This just won't work. Some of the mentioned resources are global resources and they do not belong to a subnet or a VPC, and you will need IAM to do this, not just a bastion server. D.Raise request is not self sufficient
问题Q93. A company is running a commercial Apache Hadoop cluster on Amazon EC2. This cluster is being used daily to query large files on Amazon S3. The data on Amazon S3 has been curated and does not require any additional transformations steps. The company is using a commercial business intelligence (BI) tool on Amazon EC2 to run queries against the Hadoop cluster and visualize the data. The company wants to reduce or eliminate the overhead costs associated with managing the Hadoop cluster and the BI tool. The company would like to remove to a more cost-effective solution with minimal effort. The visualization is simple and requires performing some basic aggregation steps only. Which option will meet the company's requirements?
A. Launch a transient Amazon EMR cluster daily and develop an ApacheHive script to analyze the files on Amazon S3. Shut down the Amazon EMRcluster when the job is complete. The use the Amazon QuickSight toconnect to Amazon EMR and perform the visualization.
B. Develop a stored procedure invoked from a MySQL database running onAmazon EC2 to analyze EC2 to analyze the files in Amazon S3. Then use afast in-memory BL tool running on Amazon EC2 to visualize the data.
C. Develop a script that uses Amazon Athena to query and analyze thefiles on Amazon S3.Then use Amazon QuickSight to connect to Athena and perform thevisualization.
D. Use a commercial extract, transform, load (ETL) tool that runs onAmazon EC2 to prepare the data for processing. Then switch to a fasterand cheaper Bl tool that runs on Amazon EC2 to visualize the data fromAmazon S3.
Answer:C
Analyze:
A.This could work but EMR spin up daily still expensive. Also, to connect quicksight to EMR you will need presto running in the cluster... B.this is just bad...and I do not think you can access s3 from a stored proc... D.Bad practice...ETL could take very long time...
问题Q94. A large multinational company runs a timesheet application on AWS that is used by staff across the world. The application runs on Amazon EC2 instances in an Auto Scaling group behind an Elastic Load Balancing (ELB) load balancer, and stores in an Amazon RDS MySQL Multi-AZ database instance. The CFO is concerned about the impact on the business if the application is not available. The application must not be down for more than two hours, but he solution must be as cost-effective as possible. How should the Solutions Architect meet the CFO's requirements while minimizing data loss?
A. In another region, configure a read replica and create a copy of theinfrastructure. When an issue occurs, promote the read replica andconfigure as an Amazon RDS Multi-AZ database instance.Update the DNS to point to the other region's ELB.
B. Configure a 1-day window of 60-minute snapshots of the Amazon RDSMulti-AZ database instance.Create an AWS CloudFormation template of the application infrastructurethat uses the latest snapshot.When an issue occurs, use the AWS CloudFormation template to create theenvironment in another region. Update the DNS record to point to theother region's ELB.
C. Configure a 1-day window of 60-minute snapshots of the Amazon RDSMulti-AZ database instance which is copied to another region. Create anAWS CloudFormation template of the application infrastructure that usesthe latest copied snapshot. When an issue occurs, use the AWSCloudFormation template to create the environment in another region.Update the DNS record to point to the other region's ELB.
D. Configure a read replica in another region. Create an AWSCloudFormation template of the application infrastructure. When an issueoccurs, promote the read replica and configure as an Amazon RDS Multi-AZ database instance and use the AWS CloudFormation template to createthe environment in another region using the promoted Amazon RDSinstance.Update the DNS record to point to the other region's ELB.
Answer:D
Analyze:
A.Multi site is expensive and we probably do not need it for 2 hour RTO B.Under the hood, snapshot is regional resource, you will need to copy to other region to use it. C.Compare to D, there could be 1 hour data lost. D.This is a typical pilot light structure and almost had no data lost
问题Q95. A development team has created a series of AWS CloudFormation templates to help deploy services. They created a template for a network/virtual private (VPC) stack, a database stack, a bastion host stack, and a web application-specific stack. Each service requires the deployment of at least: * A network/VPC stack * A bastion host stack * A web application stack Each template has multiple input parameters that make it difficult to deploy the services individually from the AWS CloudFormation console. The input parameters from one stack are typically outputs from other stacks. For example, the VPC ID, subnet IDs, and security groups from the network stack may need to be used in the application stack or database stack. Which actions will help reduce the operational burden and the number of parameters passed into a service deployment? (Choose two.)
A. Create a new AWS CloudFormation template for each service. After theexisting templates to use cross- stack references to eliminate passingmany parameters to each template. Call each required stack for theapplication as a nested stack from the new stack. Call the newly createdservice stack from the AWS CloudFormation console to deploy the specificservice with a subset of the parameters previously required.
B. Create a new portfolio in AWS Service Catalog for each service.Create a product for each existing AWS CloudFormation template requiredto build the service. Add the products to the portfolio that representsthat service in AWS Service Catalog. To deploy the service, select thespecific service portfolio and launch the portfolio with the necessaryparameters to deploy all templates
C. Set up an AWS CodePipeline workflow for each service. For eachexisting template, choose AWS CloudFormation as a deployment action. Addthe AWS CloudFormation template to the deployment action. Ensure thatthe deployment actions are processed to make sure that dependences areobeyed.Use configuration files and scripts to share parameters between thestacks. To launch the service, execute the specific template by choosingthe name of the service and releasing a change.
D. Use AWS Step Functions to define a new service. Create a new AWSCloudFormation template for each service. After the existing templatesto use cross-stack references to eliminate passing many parameters toeach template. Call each required stack for the application as a nestedstack from the new service template. Configure AWS Step Functions tocall the service template directly. In the AWS Step Functions console,execute the step.
E. Create a new portfolio for the Services in AWS Service Catalog.Create a new AWS CloudFormation template for each service. After theexisting templates to use cross-stack references to eliminate passingmany parameters to each template. Call each required stack for theapplication as a nested stack from the new stack. Create a product foreach application. Add the service template to the product. Add each newproduct to the portfolio.Deploy the product from the portfolio to deploy the service with thenecessary parameters only to start the deployment.
Answer:CE
Analyze:
A.Cloudformation console is not very good to handle multiple services B.A service should not be a portfolio, it is more like a product. Also, I don't think it is possible to launch a portfolio C.Use CodePipeline is good, but I am not comfortable to share parameter with config files and scripts. We still could use cross-stack reference for this, but this is one of the best two D.You can't deploy a cloudformation template directly from Step Function https://docs.aws.amazon.com/step-functions/latest/dg/ concepts-service-integrations.html E.A nested stack with cross stack reference example https://cloudacademy.com/blog/understanding-nested-cloudformation-stacks/
问题Q96. A company has an application behind a load balancer with enough Amazon EC2 instances to satisfy peak demand. Scripts and third-party deployment solutions are used to configure EC2 instances when demand increases or an instance fails. The team must periodically evaluate the utilization of the instance types to ensure that the correct sizes are deployed. How can this workload be optimized to meet these requirements?
A. Use CloudFormer` to create AWS CloudFormation stacks from thecurrent resources.Deploy that stack by using AWS CloudFormation in the same region. UseAmazon CloudWatch alarms to send notifications about underutilizedresources to provide cost-savings suggestions.
B. Create an Auto Scaling group to scale the instances, and use AWSCodeDeploy to perform the configuration. Change from a load balancer toan Application Load Balancer. Purchase a third-party product thatprovides suggestions for cost savings on AWS resources.
C. Deploy the application by using AWS Elastic Beanstalk with defaultoptions. Register for an AWS Support Developer plan. Review the instanceusage for the application by using Amazon CloudWatch, and identify lessexpensive instances that can handle the load. Hold monthly meetings toreview new instance types and determine whether Reserved instancesshould be purchased.
D. Deploy the application as a Docker image by using Amazon ECS. Set upAmazon EC2 Auto Scaling and Amazon ECS scaling. Register for AWSBusiness Support and use Trusted Advisor checks to provide suggestionson cost savings.
Answer:D
Analyze:
A.We don't need cloudformation here B.CodeDeploy is not really used to config infrastructures (config auto scale group) C.This answer solve nothing.....
问题Q97. A large global financial services company has multiple business units. The company wants to allow Developers to try new services, but there are multiple compliance requirements for different workloads. The Security team is concerned about the access strategy for on-premises and AWS implementations. They would like to enforce governance for AWS services used by business team for regulatory workloads, including Payment Card Industry (PCI) requirements. Which solution will address the Security team's concerns and allow the Developers to try new services?
A. Implement a strong identity and access management model that includesusers, groups, and roles in various AWS accounts. Ensure thatcentralized AWS CloudTrail logging is enabled to detect anomalies.Build automation with AWS Lambda to tear down unapproved AWS resourcesfor governance.
B. Build a multi-account strategy based on business units, environments,and specific regulatory requirements. Implement SAML-based federationacross all AWS accounts with an on-premises identity store. Use AWSOrganizations and build organizational units (OUs) structure based onregulations and service governance. Implement service control policiesacross OUs.
C. Implement a multi-account strategy based on business units,environments, and specific regulatory requirements. Ensure that onlyPCI-compliant services are approved for use in the accounts. Build IAMpolicies to give access to only PCI-compliant services for governance.
D. Build one AWS account for the company for the strong securitycontrols. Ensure that all the service limits are raised to meet companyscalability requirements. Implement SAML federation with an on- premisesidentity store, and ensure that only approved services are used in theaccount.
Answer:B
Analyze:
B.Should try to stop service get created at the first place C.SCP is better fit here? D.Not the best practice
A: stop developers from trying new services.C: does not show the enforcement tool.D: one account contradict with the requirement.
B is correct !!!
问题Q98. A company had a tight deadline to migrate its on-premises environment to AWS. It moved over Microsoft SQL Servers and Microsoft Windows Servers using the virtual machine import/export service and rebuild other applications native to the cloud. The team created both Amazon EC2 databases and used Amazon RDS. Each team in the company was responsible for migrating their applications, and they have created individual accounts for isolation of resources. The company did not have much time to consider costs, but now it would like suggestions on reducing its AWS spend. Which steps should a Solutions Architect take to reduce costs?
A. Enable AWS Business Support and review AWS Trusted Advisor's costchecks. Create Amazon EC2 Auto Scaling groups for applications thatexperience fluctuating demand. Save AWS Simple Monthly Calculatorreports in Amazon S3 for trend analysis. Create a master account underOrganizations and have teams join for consolidating billing.
B. Enable Cost Explorer and AWS Business Support Reserve Amazon EC2 andAmazon RDS DB instances. Use Amazon CloudWatch and AWS Trusted Advisorfor monitoring and to receive costsavings suggestions. Create a masteraccount under Organizations and have teams join for consolidatedbilling.
C. Create an AWS Lambda function that changes the instance size based onAmazon CloudWatch alarms.Reserve instances based on AWS Simple Monthly Calculator suggestions.Have an AWS Well- Architected framework review and applyrecommendations.Create a master account under Organizations and have teams join forconsolidated billing.
D. Create a budget and monitor for costs exceeding the budget. CreateAmazon EC2 Auto Scaling groups for applications that experiencefluctuating demand. Create an AWS Lambda function that changes instancesizes based on Amazon CloudWatch alarms. Have each team upload theirbill to an Amazon S3 bucket for analysis of team spending. Use Spotinstances on nightly batch processing jobs.
Answer:B
Analyze:
A.Simple monthly aculator report is not really a report for analysis trends . C.Resize instance may require stop the instance first, which is not ideal for production environments.... D.Consolidate billing is a must, this is out
问题Q99. A company wants to replace its call system with a solution built using AWS managed services. The company call center would like the solution to receive calls, create contact flows, and scale to handle growth projections. The call center would also like the solution to use deep learning capabilities to recognize the intent of the callers and handle basic tasks, reducing the need to speak an agent. The solution should also be able to query business applications and provide relevant information back to calls as requested. Which services should the Solution Architect use to build this solution? (Choose three.)
A. Amazon Rekognition to identity who is calling.
B. Amazon Connect to create a cloud-based contact center.
C. Amazon Alexa for Business to build conversational interface.
D. AWS Lambda to integrate with internal systems.
E. Amazon Lex to recognize the intent of the caller.
F. Amazon SQS to add incoming callers to a queue.
Answer:BDE
Analyze:
A.Recognition is for image and video B.Amazon connect is a call centre service C.Alexa is for devices E.Lex is used to build conversational interface F.Caller queue is manage by Amazon connect as well, and SQS is not designed for this.
问题Q100. A large company is migrating its entire IT portfolio to AWS. Each business unit in the company has a standalone AWS account that supports both development and test environments. New accounts to support production workloads will be needed soon. The Finance department requires a centralized method for payment but must maintain visibility into each group's spending to allocate costs. The Security team requires a centralized mechanism to control IAM usage in all the company's accounts. What combination of the following options meet the company's needs with LEAST effort? (Choose two.)
A. Use a collection of parameterized AWS CloudFormation templatesdefining common IAM permissions that are launched into each account.Require all new and existing accounts to launch the appropriate stacksto enforce the least privilege model.
B. Use AWS Organizations to create a new organization from a chosenpayer account and define an organizational unit hierarchy. Invite theexisting accounts to join the organization and create new accounts usingOrganizations.
C. Require each business unit to use its own AWS accounts. Tag each AWSaccount appropriately and enable Cost Explorer to administerchargebacks.
D. Enable all features of AWS Organizations and establish appropriateservice control policies that filter IAM permissions for sub-accounts.
E. Consolidate all of the company's AWS accounts into a single AWSaccount. Use tags for billing purposes and IAM's Access Advice featureto enforce the least privilege model.
Answer:BD
Analyze:
A.This will work, but the process will have a bit effort. C.We will like consolidate billing as well... D.https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails- across-accounts-in-your-aws-organization/ E.Single account is not a good option
如要更多,可以私我啊!还有中文版
文章来自于网络,如果侵犯了您的权益,请联系站长删除!