AWS Solutions Architect Professional Exam Dumps Free

AWS Solutions Architect - Professional Exam Dumps

Domain	Weightage%
Design for organizational complexity	26%
Design for new solutions.	29%
Continuously improve existing solutions.	25%
Accelerate workload migration and modernization.	20%

1 / 75

1. A company deployed an application on AWS in a single AWS Region. It is a Windows application that runs on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances run in an Amazon EC2 Auto Scaling group, and the application uses a Multi-AZ Amazon RDS DB instance to store data. A solutions architect needs to develop a cross-Region disaster-recovery (DR) scenario to help ensure business continuity. The company requires a target RTO of 3 minutes and a RPO of 30 seconds. The company does not want to make any changes to the application.

Which solution will meet these requirements?

Deploy an EC2 Auto Scaling group with a smaller number of instances and a read replica of the RDS DB instance in another AWS Region. Scale up the EC2 instances and promote the read replica to become the primary DB instance when necessary to ensure business continuity. Update the application to reference the new primary DB instance.

Back up the EC2 instances and RDS DB instance by using point-in-time backups in another Region. Restore this data when necessary to ensure business continuity. Update the application to reference the backup DB instance.

Create snapshots of the EC2 instances and a read replica of the RDS DB instance in another AWS Region. Launch the EC2 instances and promote the read replica to become the primary DB instance when necessary to ensure business continuity. Update the application to reference the new primary DB instance.

Deploy an EC2 Auto Scaling group with the same number of instances and an RDS DB instance in another Region. Always distribute the traffic across both the Regions to ensure business continuity. Set up active-active application and DB instances in each Region.

2 / 75

2. A company uses multiple Amazon DynamoDB tables to host data for three different applications. A security administrator would like to provide application administrators with the ability to manage permissions for the tables that are associated with each administrator's specific application only. The application administrators are currently part of an IAM group called DynamoDBAdmins, which has permissions on all tables. The company will create additional administrators and tables for new applications in the future.

Recently, one of the application administrators was able to create an IAM role that had permissions on tables not associated with the administrator's application. The security administrator must create a new solution that prevents application administrators from obtaining permissions on tables that are not associated with their applications.

Which solution meets this requirement with the LEAST amount of ongoing administrative effort?

Create a permission boundary policy with a statement for each administrator that provides access only to their specific tables. Attach the permission boundary to each user.

Create IAM policies to deny access to specific tables for each administrator. Attach the policies to the appropriate administrators.

Create a permission boundary policy with a statement for each administrator that provides access only to their specific tables. Attach the permission boundary to the DynamoDBAdmins group.

Create a resource-based policy that lists the appropriate administrator as the principle for each application. Apply the resource-based policy to the DynamoDB tables as needed.

3 / 75

3. A company has deployed a multi-tier web application in the AWS Cloud. The application consists of the following tiers:
• A Windows-based web tier that is hosted on Amazon EC2 instances with Elastic IP addresses
• A Linux-based application tier that is hosted on EC2 instances that run behind an Application Load Balancer (ALB) that uses path-based routing
• A MySQL database that runs on a Linux EC2 instance
All the EC2 instances are using Intel-based x86 CPUs. A solutions architect needs to modernize the infrastructure to achieve better performance. The solution must minimize the operational overhead of the application. Which combination of actions should the solutions architect take to meet these requirements? (Select TWO.)

Run the MySQL database on multiple EC2 instances.

Place the web tier instances behind an ALB.

Migrate the MySQL database to Amazon Aurora Serverless.

Migrate all EC2 instance types to Graviton2.

Replace the ALB for the application tier instances with a company-managed load balancer.

4 / 75

4. While prioritizing applications for migration to AWS, the focus is on establishing initial criteria to define workloads that are good candidates for pilot applications. Which one of these would define the highest priority application to migrate?

Business Criticality = High, Number of compute instance = 11 or more, Migration Strategy = Refractor/Re-architect

Business Criticality = High, Number of compute instance = 4-10, Migration Strategy = Relocate

Business Criticality = Medium, Number of compute instance = 1-3, Migration Strategy = Replatform

Business Criticality = Low, Number of compute instance = 1-3, Migration Strategy = Rehost

5 / 75

5. A scientific research organization is looking for a data backup solution for their on-premises data. Their hybrid cloud storage solution should include
• Seamless connection between on-premises environments and AWS
• Quick and easy to deploy
• Moving backups to the cloud, using on-premises file shares backed by durable and cost-effective cloud storage
• Providing low-latency access to data in AWS for on-premises applications
• End-to-end data protection
Which of these will be a cost-conscious architecture that satisfies all of the above?

Establish Direct Connect connection between on-premises and AWS and achieve a dedicated line for secure and fast data transfer from on-premises to AWS. All your on- premises applications can access the data in AWS using the same Direct Connect connection.

Use AWS DataSync to achieve online data transfer service that simplifies, automates, and accelerates data migration between storage systems and services.

Use AWS Storage Gateway to achieve hybrid cloud storage services that provide on- premises access to virtually unlimited cloud storage.

Implement AWS Snowball in your local data center and copy all the data to it. Then have Amazon replicate the data to AWS Cloud.

6 / 75

6. You are designing a serverless architecture for a web application on AWS. The application needs to process events from various sources asynchronously and trigger different AWS services based on these events. Which AWS service is suitable for this scenario?

Amazon Kinesis Data Streams

AWS Step Functions

AWS Lambda

AWS DataPipeline

7 / 75

7. A financial company is embarking on a journey to migrate its on-premises applications, database, and servers to AWS. They are looking for a single place to discover their existing servers, plan migrations, and track the status of each application migration.
You are hired as a migration expert. The company expects you to come up with recommendations to analyze their applications and help them determine the optimal strategy and tools to migrate and modernize at scale. Which AWS service will help you serve the company's needs?

Install AWS Application Discovery Agent on the on-premises servers and capture details of the application and their configurations, performance, etc. Use these data to plan your migration.

Use AWS Server Migration Service to perform all the migration-related analysis and then use the same to migrate on-premises applications, databases and servers to AWS.

Configure AWS Service Catalog for on-premises servers, applications and database and collect all the data required to form a migration strategy.

Use AWS Migration Hub to discover or import your on-premises server details, build a migration plan, strategy, follow recommendations, and track migration on the simple and intuitive dashboard

8 / 75

8. A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand. Which solutions meet these requirements? (Choose two.)

Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway's AWS integration type.

Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to Dynamo DB by using API Gateway's AWS integration type.

Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.

Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data from the DynamoDB tables.

Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions

9 / 75

9. A Big Data company stores all its raw data in Amazon S3. Over a few days in every quarter of the calendar year, the petabyte-scale of data needs to be processed to the analytical platform. This processed data gets analyzed during Company's Quarterly Business Review (QBR) meeting and again in the annual review meeting by the year-end. As part of this solution, they plan to run their S3 data through 10 nodes of the Amazon EMR cluster hosted on c5.large EC2 instances and finally load the data to Amazon Redshift. You are a Solution Architect at the company, and the CTO
tasked you to optimize the cost of the overall solution. Which of these will be your pick?

Store the raw data in S3 Standard Infrequent Access, host the EMR cluster on EC2 On- Demand Instances and Reserved instance for Redshift.

Use S3 Intelligent Tier to store the raw data, host the EMR cluster on EC2 On-Demand Instances and Reserved instances for Redshift.

Store the raw data in S3 Standard, host the EMR cluster on EC2 Spot Instances and Reserved instances for Redshift.

Store the raw data in S3 Standard Infrequent Access, host the EMR cluster on EC2 Reserved Instances for EMR and Reserved instances for Redshift.

10 / 75

10. With respect to AWS Lambda permissions model, at the time you create a Lambda function, you specify an IAM role that AWS Lambda can assume to execute your Lambda function on your behalf. This role is also referred to as the role.

configuration

execution

delegation

dependency

11 / 75

11. By default, what is the maximum number of Cache Nodes you can run in Amazon EIastiCache?

100

12 / 75

12. A company has a three-tier application on AWS. The first two tiers consist of an enterprise Java web application and an order-processing application. Both applications run in Amazon EC2 Auto Scaling groups that the company deployed across multiple Availability Zones. The order-processing application is a complex stand-alone program. Typically, the order-processing application finishes within a few minutes. However, for large orders, the processing can take hours. The database tier consists of a MySQL database that runs on EC2 instances. The company wants to reduce the number of servers that it manages.

Which solution will meet these requirements?

Rehost the web application to run as an AWS App Runner service based on source code. Use the existing web application code as the source. Convert the order-processing application to use AWS Lambda functions. Convert the database to an Amazon Aurora database.

Retain the web application on the existing EC2 Auto Scaling Group. Convert the order-processing application to a container and run it on AWS Fargate. Convert the database to an Amazon Aurora database.

Rehost the web application to run as an AWS App Runner service based on source code. Use the existing web application code as the source. Convert the order-processing application to a container and run it on AWS Fargate. Convert the database to an Amazon RDS MySQL database.

Retain the web application on the existing EC2 Auto Scaling Group. Convert the order-processing application to use AWS Lambda functions. Convert the database to an Amazon RDS MySQL database.

13 / 75

13. A web design company builds and maintains customer products in separate AWS accounts. The company has its own AWS account and has full access to manage AWS accounts on behalf of its customers. As the number of the company's customers grows, the company's security team becomes overwhelmed with incident reports. The security team needs an efficient way to determine two things: the access to resources that is granted to external IAM identities and what sensitive information that is stored in Amazon S3 is publicly accessible.

Which solution meet these requirements with the LEAST operational overhead?

Configure AWS Organizations in the company account. Invite all customer accounts into a single Organizational Unit (OU). Configure all customer accounts as member accounts in AWS Security Hub. Turn on Amazon Macie, AWS Identity and Access Management Access Analyzer, and AWS CloudTrail in the company account and all the customer accounts. Use Security Hub to review all findings.

In each customer account, create a cross-account role that will publish findings from AWS Identity and Access Management Access Analyzer, Amazon GuardDuty, and Amazon Macie into an S3 bucket in the company account. Invoke an AWS Lambda function on new data that arrives in the S3 bucket to initiate the various inspections and to build Amazon CloudWatch dashboards in the company account by using CloudWatch metrics.

In each customer account, create a cross-account role that will publish findings from Amazon Detective, AWS Audit Manager, and Amazon Macie into an S3 bucket in the company account. Invoke an AWS Lambda function on new data that arrives in the S3 bucket to initiate the various inspections. Build Amazon CloudWatch dashboards in the company account by using CloudWatch metrics.

Configure AWS Organizations in the company account. Invite all customer accounts into a single Organizational Unit (OU). Turn on AWS Identity and Access Management Access Analyzer and Amazon Macie in all accounts. Create an AWS Lambda function that generates Amazon CloudWatch dashboards. Deploy this function based on Amazon EventBridge event rules from IAM Access Analyzer and Macie findings.

14 / 75

14. A company hosts multiple public web applications in the AWS Cloud. The company wants to give its employees the ability to work from home. Employees should have access to the company's applications. The employees also need access to a variety of Microsoft Windows desktop applications from the home computers that they regularly use for work.

Which solution will meet these requirements with the LEAST operational overhead?

Launch Amazon EC2 instances that run Windows with the required desktop software for each user. Require users to access the desktops from home by using Remote Desktop Protocol (RDP).

Implement AWS Outposts to host Amazon EC2 instances that run Windows with the required desktop software for each user. Require users to access the desktops from home by using Remote Desktop Protocol (RDP).

Deploy Windows Docker containers with an image for each user to an Amazon Elastic Container Service (Amazon ECS) cluster. Stream the desktops to each user's browser by using Amazon AppStream 2.0.

Implement Amazon WorkSpaces to host a Windows desktop for each user. Install the required desktop software. Require users to access the desktop from the Amazon Workspaces client on their home devices.

15 / 75

15. A global weather company wants to migrate its main analytics application to AWS. The analytics application receives billions of events every day from multiple sensors in various locations. The company processes data by using a long-running process that the company implements in Java to build hourly, daily, and weekly trend forecasts. Some parts of the data processing can take more than 30 minutes.

When the data processing finishes, the company stores the data in a MySQL database, where the company can retrieve it for further analysis. As the amount of weather data grows, the existing analytics application that creates the trend forecasts experiences longer data retrieval times. Interaction with the database must be significantly faster to meet a new service level agreement.

Which migration strategy will meet these requirements with the FASTEST data retrieval time?

Refactor the application layer to AWS Lambda. Replatform the database layer to Amazon Aurora Serverless.

Replatform the application layer by containerizing to Amazon Elastic Kubernetes Service (Amazon EKS). Replatform the database layer to Amazon Aurora Serverless.

Refactor the application layer to AWS Lambda. Refactor the database layer to Amazon Timestream.

Replatform the application layer by containerizing to Amazon Elastic Container Service (Amazon ECS). Refactor the database layer to Amazon Timestream.

16 / 75

16. Doug has created a VPC with CIDR 10.201.0.0/16 in his AWS account. In this VPC he has created a public subnet with CIDR block 10.201.31.0/24. While launching a new EC2 from the console, he is not able to assign the private IP address 10.201.31.6 to this instance. Which is the most likely reason for this issue?

Private IP address 10.201.31.6 is reserved by Amazon for IP networking purposes.

Private address IP 10.201.31.6 is currently assigned to another interface.

Private IP address 10.201.31.6 is blocked via ACLs in Amazon infrastructure as a part of platform security

Private IP address 10.201.31.6 is not part of the associated subnet's IP address range

17 / 75

17. An international media company uses an on-premises data center, which comprises over 300 servers to store and process its large amount of data for its clients spread across 100 countries. To achieve Disaster Recovery (DR), the company relies on a second nearby data center and replicates its full stack of physical tapes. The DR process is manual, requires a significant number of resources, and staff has to travel to the secondary data center to retrieve the correct tapes if a DR event occurs.
The company wants to improve and automate its business unit's DR to replicate and recover its workloads to achieve faster recovery and minimize data loss during a service interruption.
The company hired you as a Solution Architect to guide them in this journey. What would you recommend here?

Set up AWS Elastic Disaster Recovery on your source servers to initiate secure data replication. Your data is replicated to a staging area subnet in your AWS account, in the AWS Region you select.

Use AWS Server Migration Service and replicate your on-premises services to AWS. Run your on-premises AWS services in Active/Passive mode so that during DR, AWS can be up and running to avoid any interruption.

Configure AWS DataSync to automate and accelerate moving data between on-premises and AWS storage services. This will back up your data to AWS Cloud and enable a smooth and quick DR.

Replicate your on-premise data using AWS Storage Gateway and achieve hybrid cloud storage services that provide on-premises access to virtually unlimited cloud storage.

18 / 75

18. You help a team to create various AMls and Docker images through EC2 Image Builder pipelines. Other teams want to use the same EC2 Image Builder resources, including components, recipes and images in their image pipelines. You need to find a proper approach to share resources with other organizational units inside the AWS Organization or other specific AWS accounts. Which of the following methods is suitable?

In AWS Resource Access Manager (RAM), create shared pipelines by selecting the shared components, images, or recipes in EC2 Image Builder and select the target organizational units or AWS accounts

In the EC2 Image Builder, select the shared resources such as components, recipes or images and distribute the resources to other organizational units or AWS accounts

In the EC2 Image Builder image pipelines, share the resources to other organizational units or AWS accounts after the pipelines are finished successfully

In AWS Resource Access Manager (RAM), add the shared components, images, or recipes in resource shares and configure the principals which are allowed to access the shared resources

19 / 75

19. A solutions architect is designing an application for a research company. The application will perform several complex mathematical calculations on a nightly basis. Each calculation is independent of all other calculations. Each calculation can take several hours to finish running.
The application design must minimize costs and interdependencies. Calculations must be run in parallel.

What should the solutions architect do to meet these requirements?

Submit the calculations to AWS Batch as jobs. Run the jobs in separate containers within Amazon Elastic Container Service (Amazon ECS).

Submit each calculation to an Amazon API Gateway API. Use AWS Lambda functions to perform the calculations.

Submit each calculation to a primary Amazon EC2 instance. Configure the EC2 instance to forward the calculations to an appropriate EC2 node.

Submit each calculation to an Application Load Balancer (ALB). Configure the ALB to use path-based routing to forward the request to an appropriate EC2 node.

20 / 75

20. A company has a large AWS infrastructure footprint. The company needs to create some new Amazon EC2 instances and an Amazon S3 bucket. The company needs sub-second latency communications between the EC2 instances and the S3 bucket. The data and applications must reside on hardware under the company's physical control because of the sensitive nature of the information the company stores. The company wants to manage all the resources by using the AWS Management Console and the AWS CLI.

Which configuration will meet these requirements?

Enable AWS Local Zones for the account. Add new private subnets in the Local Zone as required. Launch the required EC2 instances in the new private subnet. Create the S3 bucket. Configure VPC endpoints to facilitate secure communications between the EC2 instances and the S3 bucket.

Order and install an AWS Outposts rack. Create a private subnet on the Outpost rack. Launch the required EC2 instances in the new private subnet. Create the S3 bucket in Outposts. Configure secure communications between the EC2 instances and the S3 bucket by using a private endpoint connection.

Enable AWS Wavelength Zones for the account. Create a carrier gateway and subnet as required. Launch the required EC2 instances in the new subnet. Create the S3 bucket. Configure VPC endpoints to facilitate secure communications between the EC2 instances and the S3 bucket.

Order and install an AWS Outposts server. Create a private subnet on the Outpost server. Launch the required EC2 instances in the new private subnet. Create the S3 bucket in Outposts. Configure secure communications between the EC2 instances and the S3 bucket by using a customer-owned IP endpoint connection.

21 / 75

21. Your team uses Elastic Beanstalk to manage a legacy JAVA application for a financial system. The Elastic Beanstalk
environment is based on Amazon Linux. Now you need to update the operating system to Amazon Linux 2 in order to
take advantage of the latest Elastic Beanstalk functionality. During the update, there should be minimal service impact
to the application. Which of the following options describes the correct order to perform the operating system update?
1. Turn the new environment into the production environment by swapping its CNAME with the existing environment's
CNAME.
2. In the Elastic Beanstalk console, select the environment and update the platform to Amazon Linux 2.
3. Create a new environment in Elastic Beanstalk and deploy the application code to it.
4. Find and fix any application compatibility issues in the Amazon Linux 2 environment.
5. Terminate the old Elastic Beanstalk environment.

5→2→1→4

2→3→1→5

3→4→1→5

4→2→3→1

22 / 75

22. A company has two AWS accounts: one account for production workloads and one account for development workloads. A development team and an operations team create and manage these workloads. The company needs a security strategy that meets the following requirements:
• Developers need to create and delete development application infrastructure.
• Operators need to create and delete development and production application infrastructure.
• Developers must have no access to production infrastructure.
• All users must have a single set of AWS credentials.
Which strategy will meet these requirements?

→ In the production account: • Create an operations IAM group that can create and delete application infrastructure. • Create an IAM user for each operator. Assign these users to the operations group. → In the development account: • Create a development IAM group that can create and delete application infrastructure. • Create an IAM user for each operator and developer. Assign these users to the development group.

→ In the production account: • Create an operations IAM group that can create and delete application infrastructure. → In the development account: • Create a development IAM group that can create and delete application infrastructure. • Create an IAM user for each developer. Assign these users to the development group. • Create an IAM user for each operator. Assign these users to the development group and to the operations group in the production account.

→ In the development account: • Create a shared IAM role that can create and delete application infrastructure in the production account. • Create a development IAM group that can create and delete application infrastructure. • Create an operations IAM group that can assume the shared role. • Create an IAM user for each developer. Assign these users to the development group. • Create an IAM user for each operator. Assign these users to the development group and to the operations group.

→ In the production account: • Create a shared IAM role that can create and delete application infrastructure. • Add the development account to the trust policy for the shared role. → In the development account: • Create a development IAM group that can create and delete application infrastructure. • Create an operations IAM group that can assume the shared role in the production account. • Create an IAM user for each developer. Assign these users to the development group. • Create an IAM user for each operator. Assign these users to the development group and to the operations group.

23 / 75

23. You are working in a company as an AWS engineer. Your company uses a lot of Elastic Beanstalk applications on different platforms. Most of the Elastic Beanstalk environments do not enable platform updates. So, your team has to update the platforms during scheduled maintenance windows manually. You would like to enable managed platform updates through the Elastic Beanstalk console. Which of the following options do you need to configure for the managed platform updates? (Select TWO.)

The update level

The operating system

The weekly update period

Instance reboot

Patch baseline from Systems Manager

24 / 75

24. A company uses AWS Organizations. The company recently acquired a new business unit and invited the new unit’s existing account to the company’s organization. The organization uses a deny list SCP in the root of the organization and all accounts are members of a single OU named Production. The administrators of the new business unit discovered that they are unable to access AWS Database Migration Service (DMS) to complete an in-progress migration. Which option will temporarily allow administrators to access AWS DMS and complete the migration project?

Remove the organization's root SCPs that limit access to AWS DMS. Create an SCP that allows AWS DMS actions and apply the SCP to the Production OU.

Create a temporary OU named Staging for the new account. Apply an SCP to the Staging OU to allow AWS DMS actions. Move the new account to the Production OU when the migration project is complete.

Convert the organization's root SCPs from deny list SCPs to allow list SCPs to allow the required services only. Temporarily apply an SCP to the organization's root that allows AWS DMS actions for principals only in the new account.

Create a temporary OU named Staging for the new account. Apply an SCP to the Staging OU to allow AWS DMS actions. Move the organization's deny list SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS DMS are complete.

25 / 75

25. As a Solution Architect of a startup company, to reduce costs and improve performance, you want to identify workload patterns based on the usage and cost for diverse workloads in AWS compute resources like Amazon EC2 instance types, Amazon Elastic Block Store (EBS) volumes, Auto Scaling Group, AWS Lambda functions, etc. and avoid overprovisioning and underprovisioning of those resources.

You are expecting some kind of dashboard view in AWS that shows the savings and performance improvement opportunities at the account level, the estimated monthly savings and the possible savings for over-provisioned resources, and the bottleneck risk with the current configuration for under-provisioned resources. Which of the below services in AWS can serve your purpose?

There is no Dashboard available to capture these metrics. You need to create one in CloudWatch Dashboards manually. Based on the CloudWatch metrics, you optimize your services and resources.

Use AWS Budgets to track AWS cost and usage, receive recommendations on resources based on the utilization and follow the recommendations to optimize your services and resources.

Configure AWS Service Catalog with the AWS resources that you want to track based on their utilization and use the recommendation to optimize.

Use AWS Compute Optimizer to avoid overprovisioning or underprovisioning the above- mentioned AWS resources based on the utilization and evaluate estimated savings and performance improvement opportunities at the account level.

26 / 75

26. A company is in the process of implementing AWS Organizations to constrain its developers to use only Amazon EC2. Amazon S3 and Amazon DynamoDB. The developers account resides In a dedicated organizational unit (OU). The solutions architect has implemented the following SCP on the developers account:

When this policy is deployed, IAM users in the developers account are still able to use AWS services that are not listed in the policy.
What should the solutions architect do to eliminate the developers' ability to use services outside the scope of this policy?

Create an explicit deny statement for each AWS service that should be constrained

Remove the Full AWS Access SCP from the developer account's OU

Modify the Full AWS Access SCP to explicitly deny all services

Add an explicit deny statement using a wildcard to the end of the SCP

27 / 75

27. A company has many AWS accounts that individual business groups own. One of the accounts was recently compromised. The attacker launched a large number of instances, resulting in a high bill for that account. The company addressed the security breach, but a solutions architect needs to develop a solution to prevent excessive spending in all accounts. Each business group wants to retain full control of its AWS account. Which solution should the solutions architect recommend to meet these requirements?

Use AWS Organizations. Add each AWS account to the management account. Create an SCP that uses the ec2:instanceType condition key to prevent the launch of high-cost instance types in each account.

Attach a new customer-managed IAM policy to an IAM group in each account. Configure the policy to use the ec2:instanceType condition key to prevent the launch of high-cost instance types. Place all the existing IAM users in each group.

Turn on billing alerts for each AWS account. Create Amazon CloudWatch alarms that send an Amazon Simple Notification Service (Amazon SNS) notification to the account administrator whenever the account exceeds a designated spending threshold.

Turn on AWS Cost Explorer in each account. Review the Cost Explorer reports for each account on a regular basis to ensure that spending does not exceed the desired amount.

28 / 75

28. You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IOS IPS protection for traffic coming from the Internet.
Which of the following options would you consider? (Choose two.)

Implement IDS/IPS agents on each Instance running in VPC

Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.

Implement Elastic Load Balancing with SSL listeners in front of the web applications

Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

29 / 75

29. A company operates an ecommerce application on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. After an order is successfully processed, the application immediately posts order data to a third-party affiliate’s external tracking system that pays sales commissions for order referrals.

During a successful marketing promotion, the number of EC2 instances increased from 2 to 20. The application continued to work correctly during this time. However, the increased request rate overwhelmed the third-party affiliate and resulted in failed requests. Which combination of architectural changes should a solutions architect make to ensure that the entire process functions correctly under load? (Select TWO.)

Move the code that calls the affiliate to a new AWS Lambda function. Modify the application to invoke the Lambda function asynchronously.

Move the code that calls the affiliate to a new AWS Lambda function. Modify the application to place the order data in an Amazon Simple Queue Service (Amazon SQS) queue. Invoke the Lambda function from the queue.

Increase the timeout of the new AWS Lambda function.

Increase the memory of the new AWS Lambda function.

Decrease the reserved concurrency of the new AWS Lambda function.

30 / 75

30. A company is hosting a three-tier web application in an on-premises environment. Due to a recent surge in traffic that resulted in downtime and a significant financial impact, company management has ordered that the application be moved to AWS. The application is written in .NET and has a dependency on a MySQL database A solutions architect must design a scalable and highly available solution to meet the demand of 200000 daily users.
Which steps should the solutions architect take to design an appropriate solution?

Use AWS Elastic Beanstalk to create a new application with a web server environment and an Amazon RDS MySQL Multi-AZ DB instance The environment should launch a Network Load Balancer (NLB) in front of an Amazon EC2 Auto Scaling group in multiple Availability Zones Use an Amazon Route 53 alias record to route traffic from the company's domain to the NLB.

Use AWS CloudFormation to launch a stack containing an Application Load Balancer (ALB) in front of an Amazon EC2 Auto Scaling group spanning three Availability Zones. The stack should launch a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster with a Retain deletion policy. Use an Amazon Route 53 alias record to route traffic from the company's domain to the ALB

Use AWS Elastic Beanstalk to create an automatically scaling web server environment that spans two separate Regions with an Application Load Balancer (ALB) in each Region. Create a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster with a cross-Region read replica Use Amazon Route 53 with a geoproximity routing policy to route traffic between the two Regions.

Use AWS CloudFormation to launch a stack containing an Application Load Balancer (ALB) in front of an Amazon ECS cluster of Spot Instances spanning three Availability Zones The stack should launch an Amazon RDS MySQL DB instance with a Snapshot deletion policy Use an Amazon Route 53 alias record to route traffic from the company's domain to the ALB

31 / 75

31. A company runs a sensitive application on Amazon EC2 instances in a VPC. The company wants to monitor and analyze network traffic for possible threats. The solution must scale to accommodate large amounts of network traffic. Additionally, the solution must offer the ability to query and visualize the data.

Which solution will meet these requirements with the LEAST operational overhead?

Create a VPC flow log. Publish the flow log to an Amazon DynamoDB table. Use an AWS Lambda function to read the data from the DynamoDB stream and write the log data to a table in Amazon Aurora. Connect the database to Amazon QuickSight to visualize the data.

Use Amazon Kinesis Data Streams to capture log files from Amazon CloudWatch. Use Amazon Kinesis Data Firehose to push the log files to Amazon S3. Create an external table in Amazon Athena to query the log files. Connect to Amazon Athena from Amazon QuickSight to visualize the data.

Create a VPC flow log. Publish the flow log into an in-memory Apache Spark application that runs on an Amazon EMR cluster. Connect to the cluster from Amazon QuickSight to visualize the data by using Spark SQL.

Create a VPC flow log. Publish the flow log to an Amazon S3 bucket. Create an external table in Amazon Athena to query the log files. Connect to Amazon Athena from Amazon QuickSight to visualize the data.

32 / 75

32. A company runs a serverless mobile app that uses Amazon API Gateway, AWS Lambda functions, Amazon Cognito, and Amazon DynamoDB. During large surges in traffic, users report intermittent system failures. The API Gateway API endpoint is returning HTTP status code 502 (Bad Gateway) errors to valid requests. Which solution will resolve this issue?

Increase the concurrency quota for the Lambda functions. Configure Amazon CloudWatch to send notification alerts when the ConcurrentExecutions metric approaches the quota.

Configure notification alerts for the quota of transactions per second on the API Gateway API endpoint. Create a Lambda function that will increase the quota when the quota is reached.

Shard users to Amazon Cognito user pools in multiple AWS Regions to reduce user authentication latency.

Use DynamoDB strongly consistent reads to ensure that the client application always receives the most recent data.

33 / 75

33. A retail company stores sales data for millions of products in a MySQL database that runs on Amazon EC2 instances. As the number of products increases, the company observes performance degradation in the database. Because of poor demand forecasts, the company frequently runs out of products. To prevent lost sales that result from product shortages, the company wants to automate the creation of demand forecasts by using analytics. The company is evaluating other AWS managed database options. The company has the following requirements:

Perform analytics on incoming data every minute.
Recognize consumer behavior trends such as daily page views, cart abandonment rate, and weekly orders based on aggregate, derivative, and correlation functions.
Efficiently store hundreds of terabytes of data, including current and historical data, to optimize performance.
Which solution will meet these requirements with the LEAST operational overhead?

Create multiple Amazon DynamoDB Standard tables to separate current and historical data.

Create a single Amazon DocumentDB collection for both current and historical data.

Create a single Amazon Timestream table for both current and historical data.

Create an Amazon Timestream table for current data and an Amazon DocumentDB collection for historical data.

34 / 75

34. XYZ Inc. is a global financial institution that manages sensitive customer data. They recently migrated their infrastructure to AWS for improved security and scalability. To continuously improve their existing solution, XYZ Inc. wants to enhance their data protection measures and implement advanced security controls. Which of the following approaches would be most effective for XYZ Inc to encrypt sensitive data at rest and in transit, which AWS service should XYZ Inc. use?

AWS Key Management Service (KMS)

AWS Key Vault

AWS Secrets Manager

AWS CloudHSM

35 / 75

35. A company has a long-running analytics process that it runs on premises. The current infrastructure consists of a cluster of high-performance servers that are connected through a low-latency fiber network. The current infrastructure is due for a major hardware upgrade that will require a large budget increase. The company is considering migrating the analytics process to AWS. A solutions architect must recommend a solution to replicate the on-premises architecture on AWS.

Which solution would meet these requirements MOST cost-effectively?

Create an Amazon EC2 fleet in a cluster placement group with reserved instances.

Create an Amazon EC2 fleet in a cluster placement group with spot instances.

Create an Amazon EC2 fleet in a partition placement group with reserved instances.

Create an Amazon EC2 fleet in a partition placement group with spot instances.

36 / 75

36. A company has built an online ticketing web application on AWS. The application is hosted on AWS App Runner and uses images that are stored in an Amazon Elastic Container Registry (Amazon ECR) repository. The application stores data in an Amazon Aurora MySQL DB cluster.
The company has set up a domain name in Amazon Route 53. The company needs to deploy the application across two AWS Regions in an active-active configuration. Which combination of steps will meet these requirements with the LEAST change to the architecture? (Select THREE.)

Set up Cross-Region Replication to the second Region for the ECR images.

Create a VPC endpoint from the ECR repository in the second Region.

Edit the App Runner configuration by adding a second deployment target to the second Region.

Deploy App Runner to the second Region. Set up Route 53 latency-based routing.

Change the database by using Amazon DynamoDB global tables in the two desired Regions.

Use an Aurora global database with write forwarding enabled in the second Region.

37 / 75

37. A company is performing a full migration of its systems from an on-premises data center to the AWS Cloud. The company needs to move all the data that is stored on premises to Amazon S3 within 4 weeks. Currently, the on-premises storage holds 900 TB of data and is connected to the internet with a 100 Mbps connection. Existing systems use up to 20% of the connection's throughput in real time.

Which solution will complete the migration in the required time frame?

Use a multipart upload to transfer the data over the existing connection.

Order a sufficient number of AWS Snowball Edge Storage Optimized devices to ship the data.

Set up two 1 Gbps AWS Direct Connect connections in a link aggregation group (LAG).

Configure a VPN tunnel for the AWS environment to upload the data.

38 / 75

38. You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IOS IPS protection for traffic coming from the Internet. Which of the following options would you consider? (Choose 2 answers)

Implement IDS/IPS agents on each Instance running In VPC

Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.

Implement Elastic Load Balancing with SSL listeners In front of the web applications

Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

39 / 75

39. An e-commerce company wants to continuously improve its recommendation engine by analyzing customer behavior and preferences in real-time. Which AWS service can help them collect and analyze this data?

Amazon RDS

Amazon DynamoDB

Amazon Redshift

Amazon Kinesis

40 / 75

40. A company has multiple AWS accounts in an organization in AWS Organizations. The company has integrated its on-premises Active Directory with AWS Single Sign-On (AWS SSO) to grant Active Directory users least privilege permissions to manage infrastructure across all the accounts. A solutions architect must integrate a third-party monitoring solution that requires read-only access across all AWS accounts. The monitoring solution will run in its own AWS account. What should the solutions architect do to provide the monitoring solution with the required permissions?

Create a user in an AWS SSO directory. Assign a read-only permissions set to the user. Assign all AWS accounts that need monitoring to the user. Provide the third-party monitoring solution with the user name and password.

Create an IAM role in the organization's management account. Allow the AWS account of the third-party monitoring solution to assume the role.

Invite the AWS account of the third-party monitoring solution to join the organization. Enable all features.

Create an AWS CloudFormation template that defines a new IAM role for the third-party monitoring solution. Specify the AWS account of the third-party monitoring solution in the trust policy. Create the IAM role across all linked AWS accounts by using a stack set.

41 / 75

41. A company's processing team has an AWS account with a production application. The application runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are hosted in private subnets in a VPC in the eu-west-1 Region. The VPC was assigned the CIDR block of 10.0.0.0/16. The company's billing team recently created a new AWS account and deployed an application on EC2 instances that are hosted in private subnets in a VPC in the eu-central-1 Region. The new VPC is assigned the CIDR block of 10.0.0.0/16.

The processing application needs to communicate securely with the billing application over a proprietary TCP port.

What should a solutions architect do to meet this requirement with the LEAST operational effort?

In the billing team's account, create a new VPC and subnets in eu-central-1 that use the CIDR block of 192.168.0.0/16. Redeploy the application to the new subnets. Configure a VPC peering connection between the two VPCs.

In the processing team's account, add an additional CIDR block of 192.168.0.0/16 to the VPC in eu-west-1. Restart each of the EC2 instances so that they obtain a new IP address. Configure an inter-Region VPC peering connection between the two VPCs.

In the billing team's account, create a new VPC and subnets in eu-west-1 that use the CIDR block of 192.168.0.0/16. In the processing team's account, create a VPC endpoint service that is powered by AWS PrivateLink. Create an interface VPC endpoint in the new VPC. Configure an inter-Region VPC peering connection in the billing team's account between the two VPCs.

In each account, create a new VPC with the CIDR blocks of 192.168.0.0/16 and 172.16.0.0/16. Create inter-Region VPC peering connections between the billing team's VPCs and the processing team's VPCs. Create gateway VPC endpoints to allow traffic to route between the VPCs.

42 / 75

42. A user is hosting a public website on AWS. The user wants to have the database and the app server on the AWS VPC. The user wants to setup a database that can connect to the Internet for any patch upgrade but cannot receive any request from the internet. How can the user set this up?

Setup DB in a private subnet with the security group allowing only outbound traffic.

Setup DB in a public subnet with the security group allowing only inbound data.

Setup DB in a local data center and use a private gateway to connect the application with DB.

Setup DB in a private subnet which is connected to the internet via NAT for outbound.

43 / 75

43. A company has created an OU in AWS Organizations for each of its engineering teams Each OU owns multiple AWS accounts. The organization has hundreds of AWS accounts A solutions architect must design a solution so that each OU can view a breakdown of usage costs across its AWS accounts.
Which solution meets these requirements?

Create an AWS Cost and Usage Report (CUR) from the AWS Organizations management account- Allow each team to visualize the CUR through an Amazon QuickSight dashboard

Create an AWS Cost and Usage Report (CUR) for each OU by using AWS Resource Access Manager Allow each team to visualize the CUR through an Amazon QuickSight dashboard.

Create an AWS Cost and Usage Report (CUR) in each AWS Organizations member account Allow each team to visualize the CUR through an Amazon QuickSight dashboard.

Create an AWS Cost and Usage Report (CUR) by using AWS Systems Manager Allow each team to visualize the CUR through Systems Manager OpsCenter dashboards

44 / 75

44. A company has a series of AWS Lambda functions that perform a complex series of processing activities. The functions need to run in a specific order. The entire workflow typically finishes in a few seconds, and the workflow always finishes in less than 20 seconds. A single Amazon API Gateway REST API call handles the processing requests. The REST API requires a response when the request is finished. It is possible to process multiple requests at the same time. The API Gateway code reuses the same execution name each time the workflow is called. The company is considering AWS Step Functions as a solution to create and manage the workflow.

Which solution will meet these requirements?

Create a Step Functions Standard Workflow state machine. Invoke the state machine by using asynchronous execution.

Create a Step Functions Express Workflow state machine. Invoke the state machine by using asynchronous execution.

Create a Step Functions Standard Workflow state machine. Invoke the state machine by using synchronous execution.

Create a Step Functions Express Workflow state machine. Invoke the state machine by using synchronous execution.

45 / 75

45. You are tasked with moving a legacy application from a virtual machine running Inside your datacenter to an Amazon VPC Unfortunately this app requires access to a number of on-premises services and no one who configured the app still works for your company. Even worse there's no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured? (Choose 3 answers)

An AWS Direct Connect link between the VPC and the network housing the internal services.

An Internet Gateway to allow a VPN connection.

An Elastic IP address on the VPC instance

An IP address space that does not conflict with the one on-premises

Entries in Amazon Route 53 that allow the Instance to resolve its dependencies' IP addresses

A VM Import of the current virtual machine

46 / 75

46. Your company uses a hybrid environment to host its infrastructure and services. Applications are mainly deployed in AWS. As a part of the company strategy, certain Amazon EC2 instances need to be exported through the VM Import/Export tool as OVA files and deployed in the on-premises VMware vSphere environment. How would you use the VM Import/ Export tool in the right way?

Use the VM Import/Export tool to install the Server Migration Connector, generate ova files and migrate the EC2 instances to VMware Sphere

Use the VM Import/Export tool to deploy the AWS discovery tools in EC2 instances and trigger migration jobs to VMware Sphere

Use the "aws ec2 create-instance-export-task" command to export EC2 instances and store the exported ova files in an S3 bucket

Use the "aws ec2 export-image" command to export EC2 instances and download the exported ova files in a local disk

47 / 75

47. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 in this VPC. The user is trying to create another subnet with the same VPC for CIDR 20.0.0.1/24. What will happen in this scenario?

The VPC will modify the first subnet CIDR automatically to allow the second subnet IP range

The second subnet will be created

It will throw a CIDR overlaps error

It is not possible to create a subnet with the same CIDR as VPC

48 / 75

48. A company is hosting an image-processing service on AWS in a VPC. The VPC extends across two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. The service runs on Amazon EC2 instances in the private subnets. An Application Load Balancer in the public subnets is in front of the service. The service needs to communicate with the internet and does so through two NAT gateways. The service uses Amazon S3 for image storage. The EC2 instances retrieve approximately 1 ¢ ' of data from an S3 bucket each day. The company has promoted the service as highly secure. A solutions architect must reduce cloud expenditures as much as possible without compromising the service's security posture or increasing the time spent on ongoing operations.
Which solution will meet these requirements?

Replace the NAT gateways with NAT instances. In the VPC route table, create a route from the private subnets to the NAT instances.

Move the EC2 instances to the public subnets. Remove the NAT gateways.

Set up an S3 gateway VPC endpoint in the VP Attach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.

Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host the image on the EFS volume.

49 / 75

49. A company uses an on-premises data analytics platform. The system is highly available in a fully redundant configuration across 12 servers in the company's data center.
The system runs scheduled jobs, both hourly and daily, in addition to one-time requests from users. Scheduled jobs can take between 20 minutes and 2 hours to finish running and have tight SLAs. The scheduled jobs account for 65% of the system usage. User jobs typically finish running in less than 5 minutes and have no SL

Split the 12 instances across two Availability Zones in the chosen AWS Region. Run two instances in each Availability Zone as On-Demand Instances with Capacity Reservations. Run four instances in each Availability Zone as Spot Instances.

Split the 12 instances across three Availability Zones in the chosen AWS Region. In one of the Availability Zones, run all four instances as On-Demand Instances with Capacity Reservations. Run the remaining instances as Spot Instances.

Split the 12 instances across three Availability Zones in the chosen AWS Region. Run two instances in each Availability Zone as On-Demand Instances with a Savings Plan. Run two instances in each Availability Zone as Spot Instances.

Split the 12 instances across three Availability Zones in the chosen AWS Region. Run three instances in each Availability Zone as On-Demand Instances with Capacity Reservations. Run one instance in each Availability Zone as a Spot Instance.

50 / 75

50. Each development team at a company has its own nonproduction AWS accounts in AWS Organizations. In each of these accounts, developers have IAM users in developer IAM groups who grant administrative and cost permissions to their users. Each development team routinely exceeds its monthly budget. The company wants to place constraints on the development teams to reduce spending.

Which solution will prevent the development teams from launching new resources if they exceed the monthly budget?

In the management account, create a budget by using AWS Budgets for each linked development account. When a forecasted budget reaches 100% of the monthly budget, publish to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe to the topic an AWS Lambda function that adds a policy to the developer IAM group to deny the launch of any new infrastructure. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule a Lambda function that removes those policies at the beginning of each new month.

In the management account, create a budget by using AWS Budgets for each linked development account. When the forecasted budget reaches 100% of the monthly budget, publish to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe to the topic an AWS Lambda function that creates a new SCP for the account to deny the launch of any new infrastructure. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule a Lambda function that removes those SCPs at the beginning of each new month.

In Each development account, create a budget by using AWS Budgets. When the forecasted budget reaches 100% of the monthly budget, publish to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe to the topic an AWS Lambda function that adds a policy to the developer IAM group to deny the launch of any new infrastructure. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule a Lambda function that removes those policies at the beginning of each new month.

In Each development account, create a budget by using AWS Budgets. When the forecasted budget reaches 100% of the monthly budget, publish to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe to the topic an AWS Lambda function that creates a new SCP for the account to deny the launch of any new infrastructure. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule a Lambda function that removes those SCPs at the beginning of each new month.

51 / 75

51. The two policies that you attach to an IAM role are the access policy and the trust policy. The trust policy identifies who can assume the role and grants the permission in the AWS Lambda account principal by adding the action.

aws:AssumeAdmin

Iambda:InvokeAsync

sts:|nvokeAsync

sts:AssumeRoIe

52 / 75

52. You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment.
You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts.
Identify which option will allow you to achieve this goal.

Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.

Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.

Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.

Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts

53 / 75

53. Your team is developing a new Lambda function for a microservice component. You need to package and deploy the Lambda function as a container image. The container image should be built based on the python:buster image with other dependencies and libraries installed. In order to use the container image properly for the Lambda function, which of the following actions is required?

In the Dockerfile, assume the IAM role through the "aws sts assume-role" CLI for the Lambda function during runtime

Install the runtime interface client in the container image to make it compatible with Lambda

Install the CloudWatch Log agent in the container image for the Lambda function to forward its logs to a CloudWatch Log group

Install the Amazon Elastic Container Registry (Amazon ECR) agent for the Lambda function to interact with ECR to fetch the Docker image

54 / 75

54. A company is launching a new web service on an Amazon Elastic Container Service (Amazon ECS) cluster. The cluster consists of 100 Amazon EC2 instances. Company policy requires the security group on the cluster instances to block all inbound traffic except HTTPS (port 443). Which solution will meet these requirements?

Change the SSH port to 2222 on the cluster instances by using a user data script. Log in to each instance by using SSH over port 2222.

Change the SSH port to 2222 on the cluster instances by using a user data script. Use AWS Trusted Advisor to remotely manage the cluster instances over port 2222.

Launch the cluster instances with no SSH key pairs. Use AWS Systems Manager Run Command to remotely manage the cluster instances.

Launch the cluster instances with no SSH key pairs. Use AWS Trusted Advisor to remotely manage the cluster instances.

55 / 75

55. A company has a three-tier web application that runs on Amazon EC2 instances behind an Application Load Balancer. The web and application tier instances run in Amazon EC2 Auto Scaling groups. The company has implemented the data tier on a single EC2 instance that runs a PostgreSQL database. The company has already replicated the web and application tiers to a second Region by using CloudFormation Stacksets. The company manages DNS requests by using Amazon Route 53 with configured weighted record sets. A solutions architect needs to design a multi-Region failover strategy for the data tier.

Which solution will meet these requirements with the FASTEST recovery time?

Create a second PostgreSQL database on an EC2 instance in a second Region. Implement active-standby high availability.

Migrate the database to an Amazon RDS for PostgreSQL DB instance. Create a read replica in a second Region.

Migrate the database to an Amazon RDS for PostgreSQL DB instance with a Multi-AZ deployment.

Migrate the database to an Amazon Aurora global database. Create a secondary DB cluster in a second Region.

56 / 75

56. You are a Solution Architect in a Government research company. Recently in an audit by the Cloud Security Office team, most of your resources spread across multiple accounts become non-compliant. The CTO of the company has instructed you to come up with a framework to build and deploy compliance packages for all your AWS resources across multiple accounts and regions, which includes rules and remediation actions that are authored by the Cloud Security Officer. Also, the framework should have a reporting aspect and reduce the time for a resource left in a non-
compliant state. Which of the following will help you achieve this?

Include all the compliance rules from Cloud Security Officers to AWS Elastic Beanstalk while provisioning your resources.

Automate all your compliance checks and patching using AWS Systems Manager Run Command.

Suggest the Cloud Security Officers to write their rules in AWS Systems Manager Compliance service.

Define all the rules and remediation actions in AWS Config. Then use AWS Config Conformance Packs to deploy the AWS Config rules and remediation action as a single entity.

57 / 75

57. You've been brought in as solutions architect to assist an enterprise customer with their migration of an e-commerce platform to Amazon Virtual Private Cloud (VPC) The previous architect has already deployed a 3-tier VPC. The configuration is as follows:

VPC: vpc-2f8bc447
IGW: igw-2d8bc445 NACL: ad-208bc448
Subnets and Route Tables: Web sewers: subnet-258bc44d
Application servers: subnet-248bc44c Database sewers: subnet-9189c6f9
Route Tables: rrb-218bc449 rtb-238bc44b Associations: subnet-258bc44d : rtb-218bc449 subnet-248bc44c : rtb-238bc44b subnet-9189c6f9 : rtb-238bc44b
You are now ready to begin deploying EC2 instances into the VPC Web servers must have direct access to the internet Application and database servers cannot have direct access to the internet. Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these sewers to retrieve updates from the Internet?

Create a bastion and NAT instance in subnet-258bc44d, add a route from rtb-238bc44b toIgw-2d8bc445, and a new NACL that allows access between subnet-258bc44d and subnet-248bc44

Create a bastion and NAT instance in subnet-248bc44c, and add a route from rtb- 238bc44b to subneb258bc44d.

Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within subnet-248bc44c.

Create a bastion and NAT instance in subnet-258bc44d, and add a route from rtb- 238bc44b to the NAT instance.

58 / 75

58. An organization is setting up a backup and restore system in AWS of their in premise system. The organization needs High AvaiIabiIity(HA) and Disaster Recovery(DR) but is okay to have a longer recovery time to save costs. Which of the below mentioned setup options helps achieve the objective of cost saving as well as DR in the most effective way?

Setup pre- configured sewers and create AMIs.. Use EIP and Route 53 to quickly switch over to AWS from in premise.

Setup the backup data on S3 and transfer data to S3 regularly using the storage gateway.

Setup a small instance with AutoScaIing; in case of DR start diverting all the load to AWS from on premise.

Replicate on premise DB to EC2 at regular intervals and setup a scenario similar to the pilot ligh

59 / 75

59. A video-sharing mobile app uploads files that are larger than 10 GB to an Amazon S3 bucket. However, when users access the application in locations that are far away from the AWS Region where the S3 bucket resides, uploads take extended periods of time. In some cases, the uploads fail before they are complete.

Which combination of steps should a solutions architect take to improve the upload performance of the application? (Select TWO.)

Configure an S3 bucket in each Region to receive the uploads. Use S3 Cross-Region Replication to copy the objects to the replica bucket.

Modify the application to add random prefixes to the files before uploads occur.

Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3 bucket.

Enable S3 Transfer Acceleration on the S3 bucket. Configure the application to use the S3 Transfer Acceleration endpoint for uploads.

Configure the application to break the video files into chunks. Use a multipart upload to transfer files to Amazon S3.

60 / 75

60. You are a Solution Architect in an airline company. They want your advice as they embark on their on-premises to AWS Cloud migration journey. You are guiding the customer to perform their pre-migration assessment. At the moment, you are in the application portfolio assessment phase. Due to lack of time, you must ensure that the team does not pick up
something that is irrelevant to the assessment.
Which of the below activities are Not part of the Application Portfolio Assessment phase for AWS Cloud migration? (Select Two)

Portfolio discovery and initial planning

Prioritized applications assessment

Portfolio analysis and migration planning

Establish cutover runbooks

Creating Landing Zone

61 / 75

61. A financial company is embarking on a journey to migrate its on-premises legacy applications to AWS. The company's purpose of migration is to boost agility and improve business continuity; hence, they are talking about the decomposition of the monoliths to microservices. You are hired as a solution architect to help the company guide in the process of migration. After a few meetings with the business and tech team, you plan to use AWS serverless services to build the microservices.
Which migration strategy best suits this case?

Refactor

Relocate

Replatform

Rehost

62 / 75

62. A company has deployed a trading application in several AWS Regions. The application uses third-party REST services that are also deployed on AWS in the same Regions as the trading application. For security reasons, the application uses AWS PrivateLink VPC endpoints to connect to the third-party services. Recently, one of the third-party services began sending internal error responses. The error responses caused instability in the trading application in that Region. The result was a heavy financial loss for the company. The company wants a solution to failover to a secondary Region if a third-party service does not respond properly in one of the Regions.

Which solution will meet these requirements?

Stream logs from the trading application to Amazon CloudWatch. Create a CloudWatch alarm from the logs based on response time to determine whether the third-party service is unresponsive. Configure Amazon Route 53 DNS with health checks to track the CloudWatch alarm status and to failover to the secondary Region.

Create an Amazon CloudWatch Synthetics canary that uses a heartbeat monitor blueprint to reach the third-party application. Create a CloudWatch alarm on the canary based on the number of failed attempts each minute. Configure Amazon Route 53 DNS with health checks to track the alarm status and to failover to a secondary Region.

Create an Amazon CloudWatch Synthetics canary that uses an API canary blueprint to reach the third-party application. Create a CloudWatch alarm on the canary based on the number of failed attempts each minute. Configure Amazon Route 53 DNS with health checks to track the alarm status and to failover to a secondary Region.

Activate VPC Flow Logs and configure the logs to publish to Amazon CloudWatch logs. Create a CloudWatch alarm on the CloudWatch logs based on rejected requests from the VPC endpoint. Configure Amazon Route 53 DNS with health checks to track the alarm status and to failover to a secondary Region.

63 / 75

63. A read only news reporting site with a combined web and application tier and a database tier that receives large and unpredictable traffic demands must be able to respond to these traffic fluctuations automatically.
What AWS services should be used meet these requirements?

Stateless instances for the web and application tier synchronized using ElastiCache Memcached in an autoscaimg group monitored with CloudWatch and RDS with read replicas.

Stateful instances for the web and application tier in an autoscaling group monitored with CloudWatch and RDS with read replicas.

Stateful instances for the web and application tier in an autoscaling group monitored with CloudWatch and multi-AZ RDS.

Stateless instances for the web and application tier synchronized using ElastiCache Memcached in an autoscaling group monitored with CloudWatch and multi-AZ RDS.

64 / 75

64. Your company plans to host a large donation website on Amazon Web Services (AWS). You anticipate a large and undetermined amount of traffic that will create many database writes. To be certain that you do not drop any writes to a database hosted on AWS.
Which service should you use?

Amazon RDS with provisioned IOPS up to the anticipated peak write throughput.

Amazon Simple Queue Service (SQS) for capturing the writes and draining the queue to write to the database.

Amazon ElastiCache to store the writes until the writes are committed to the database.

Amazon DynamoDB with provisioned write throughput up to the anticipated peak write throughput.

65 / 75

65. A team is building an HTML form that is hosted in a public Amazon S3 bucket. The form uses JavaScript to post data to an Amazon API Gateway API endpoint. The API endpoint is integrated with AWS Lambda functions. The team has tested each method in the API Gateway console and has received valid responses. Which combination of steps must the team complete so that the form can successfully post to the API endpoint and receive a valid response? (Select TWO.)

Configure the S3 bucket to allow cross-origin resource sharing (CORS).

Host the form on Amazon EC2 rather than on Amazon S3.

Request a quota increase for API Gateway.

Enable cross-origin resource sharing (CORS) in API Gateway.

Configure the S3 bucket for web hosting.

66 / 75

66. You are migrating a legacy client-server application to AWS. The application responds to a specific DNS domain (e.g. www.examp|e.com) and has a 2-tier architecture, with multiple application sewers and a database sewer. Remote clients use TCP to connect to the application servers. The application servers need to know the IP address of the clients in order to function properly and are currently taking that information from the TCP socket. A MuIti-AZ RDS MySQL instance will be used for the database. During the migration you can change the application code, but you have to file a change request. How would you implement the architecture on AWS in order to maximize scalability and high availability?

Use Route 53 with Latency Based Routing enabled to distribute load on two application servers in different Azs.

Use Route 53 Alias Resource Record to distribute load on two application servers in different Azs.

File a change request to implement Latency Based Routing support in the application

. Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs.

67 / 75

67. A company uses AWS Organizations to manage its accounts. The company wants to prohibit the use of unapproved services in production AWS accounts. The company also wants to minimize additional management overhead as the number of accounts increases.

Which approach will meet these requirements?

Create a new organization with only consolidated billing enabled. Create two new OUs. One OU is for production accounts, and one OU is for nonproduction accounts. In the new organization, create an IAM role that is applied to each subaccount in production to deny access to services that are not approved.

Create a new organization with all features enabled. Create two new OUs. One OU is for production accounts, and one OU is for nonproduction accounts. In the new organization, create an IAM role that is applied to each subaccount in production to deny access to services that are not approved.

Create a new organization with all features enabled. Create two new OUs. One OU is for production accounts, and one OU is for nonproduction accounts. In the new organization, create an SCP that will deny access to services that are not approved. Apply the SCP to the production OU.

Create a new organization with only consolidated billing enabled. Create two new OUs. One OU is for production accounts, and one OU is for nonproduction accounts. In the new organization, create an SCP that will deny access to services that are not approved. Apply the SCP to the production OU.

68 / 75

68. An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party.
Which of the following would meet all of these conditions?

From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.

Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application create a new access and secret key for the user and provide these credentials to the SaaS provider.

Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.

Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the SaaS application to work, provide the role ARN to the SaaS provider to use when launching their application instances.

69 / 75

69. A company has a requirement to store documents that will be accessed by a serverless application. The documents will be accessed frequently for the first 3 months, and rarely after that. The documents must be retained for 7 years. What is the MOST cost-effective solution to meet these requirements?

Store the documents in an encrypted EBS volume and create a cron job to delete the documents after 7 years.

Store the documents in Amazon EFS. Create a cron job to move the documents that are older than 3 months to Amazon S3 Glacier. Create an AWS Lambda function to delete the documents in S3 Glacier that are older than 7 years.

Store the documents in a secured Amazon S3 bucket with a lifecycle policy to move the documents that are older than 3 months to Amazon S3 Glacier, then expire the documents from Amazon S3 Glacier that are more than 7 years old.

Store the documents in a secured Amazon S3 bucket with a lifecycle policy to move the documents that are older than 3 months to Amazon S3 Glacier. Create an AWS Lambda function to delete the documents in S3 Glacier that are older than 7 years.

70 / 75

70. A company is storing data on premises on a Windows file server. The company produces 5 GB of new data daily.
The company migrated part of its Windows-based workload to AWS and needs the data to be available on a file system in the cloud. The company already has established an AWS Direct Connect connection between the on-premises network and AWS.
Which data migration strategy should the company use?

Use the file gateway option in AWS Storage Gateway to replace the existing Windows file server, and point the existing file share to the new file gateway.

Use AWS Data Pipeline to schedule a daily task to replicate data between the on-premises Windows file server and Amazon Elastic File System (Amazon EFS).

Use AWS DataSync to schedule a daily task lo replicate data between the on-premises Windows file server and Amazon Elastic File System (Amazon EFS)

Use AWS DataSync to schedule a daily task to replicate data between the on-premises Windows file server and Amazon FSx.

71 / 75

71. An international travel-booking service company that sees 100 million unique users monthly for their web app, has built and deployed its applications in Amazon EC2 behind Elastic Load Balancer (ELB). To manage the surge in traffic, EC2 instances are configured with Auto Scaling Groups.
To improve the user experience and resolve latency, downtime related issues for global customers, the company is looking for a cross-region traffic management solution to route user traffic to the optimal endpoint based on performance, user's location, and instant reaction to the changes in application health.
You have been hired as a Solution Architect to implement this solution. Which is the best option in your opinion?

Place Amazon CloudFront in front of the ELB to enable edge location cache for low latency and better user experience

Use AWS Global Accelerator in front of ELB to improve the availability, performance, and user experience.

Use AWS NetworkLoadBalancer to handle a high volume of traffic and achieve low latency. This will also improve user experience.

Modify the application from its existing platform to AWS Serverless (API Gateway, Lambda, DynamoDB, etc.) to handle the dynamic load, solve latency issues and improve user experience.

72 / 75

72. A solutions architect needs to reduce costs for a big data application. The application environment consists of hundreds of devices that send events to Amazon Kinesis Data Streams. The device ID is used as the partition key, so each device gets a separate shard. Each device sends between 50 KB and 450 KB of data each second. An AWS Lambda function polls the shards, processes the data, and stores the result in Amazon S3.
Every hour, another Lambda function runs an Amazon Athena query against the result data to identify outliers. This Lambda function places the outliers in an Amazon Simple Queue Service (Amazon SQS) queue. An Amazon EC2 Auto Scaling group of two EC2 instances monitors the queue and runs a 30- second process to address the outliers. The devices submit an average of 10 outlying values every hour. Which combination of changes to the application will MOST reduce costs? (Select TWO.)

Change the Auto Scaling group launch configuration to use smaller instance types in the same instance family

Replace the Auto Scaling group with a Lambda function that is invoked when messages arrive in the queue.

Reconfigure the devices and data stream to set a ratio of 10 devices to 1 data stream shard.

Reconfigure the devices and data stream to set a ratio of 2 devices to 1 data stream shard.

Change the desired capacity of the Auto Scaling group to a single EC2 instance.

73 / 75

73. A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company's AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company's AWS accounts.
The company's security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location.
Which solution will meet these requirements?

Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross- domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).

Configure AWS Single Sign-On (AWS SSO) by using AWS SSO as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using AWS SSO permission sets.

In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.

In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users.

74 / 75

74. A company uses a service to collect metadata from applications that the company hosts on premises. Consumer devices such as TVs and internet radios access the applications. Many older devices do not support certain HTTP headers and exhibit errors when these headers are present in responses. The company has configured an on-premises load balancer to remove the unsupported headers from responses sent to older devices, which the company identified by the User-Agent headers. The company wants to migrate the service to AWS, adopt serverless technologies, and retain the ability to support the older devices. The company has already migrated the applications into a set of AWS Lambda functions.
Which solution will meet these requirements?

Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a CloudFront function to remove the problematic headers based on the value of the User-Agent header.

Create an Amazon API Gateway REST API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Modify the default gateway responses to remove the problematic headers based on the value of the User-Agent header.

Create an Amazon API Gateway HTTP API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Create a response mapping template to remove the problematic headers based on the value of the User-Agent. Associate the response data mapping with the HTTP API.

Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a Lambda@Edge function that will remove the problematic headers in response to viewer requests based on the value of the User-Agent header.

75 / 75

75. A company is migrating an application from its data center to the AWS Cloud. The application currently stores an API key that is used to access a third-party service in a local file. When the application is deployed on AWS, the application will run on Amazon EC2 instances. As part of the migration, the application must make the API key more secure. Specifically, the application has these requirements:

Each environment (such as development, test, and production) must have its own API key.
All API key access requests must be logged for auditing purposes.
The API keys must be encrypted at rest with a customer managed key.
Access permissions must be granular. For example, the development environment cannot access the production API key.
What is the MOST secure way to meet these requirements?

Create an AWS Systems Manager Parameter Store secure string for each API key. Encrypt the secure strings by using a customer managed AWS Key Management Service (AWS KMS) CMK. Create an IAM role for each environment with permissions to the kms:Decrypt action for the CMK and the ssm:GetParameter action for the proper API key. Launch each EC2 instance with the proper IAM role.

Create an AWS Systems Manager Parameter Store secure string for each API key. Encrypt the secure strings by using a customer managed AWS Key Management Service (AWS KMS) CMK. Create an IAM user with permissions to the kms:Decrypt action for the CMK and the ssm:GetParameter action for the API key for the environment. Store an access key for that user in a credential store on each EC2 instance.

Create an Amazon Elastic File System (Amazon EFS) standard volume in the correct AWS Region and VPC. Mount the EFS volume on the EC2 instances. Store each API key in a unique file on the EFS volume encrypted with an AWS Key Management Service (AWS KMS) CMK. Create an IAM role for each environment with permissions to the kms:Decrypt action for the CMK. Launch each EC2 instance with the proper IAM role.

Pass the proper API key to each EC2 instance upon launch by using user data. Assign an IAM role to each EC2 instance with permissions to the kms:Encrypt and the kms:Decrypt actions for a customer managed AWS Key Management Service (AWS KMS) CMK. In the user data script, encrypt the API key by using the CMK. Store the encrypted API key on each EC2 instance.

Your score is

The average score is 20%

Exit