AWS-Certified-Solutions-Architect-Professional Exam - AWS-Certified-Solutions-Architect-Professional

certleader.com


Free demo questions for Amazon AWS-Certified-Solutions-Architect-Professional Exam Dumps Below:

NEW QUESTION 1
What RAID method is used on the Cloud Block Storage back-end to implement a very high level of reliability and performance?

  • A. RAID 1 (Mirror)
  • B. RAID 5 (Blocks striped, distributed parity)
  • C. RAID 10 (Blocks mirrored and striped)
  • D. RAID 2 (Bit level striping)

Answer: C

Explanation: Cloud Block Storage back-end storage volumes employ the RAID 10 method to provide a very high level of reliability and performance.
Reference: http://www.rackspace.com/knowledge_center/product-faq/cloud-block-storage

NEW QUESTION 2
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

  • A. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
  • B. "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"
  • C. "Effect": "Allow", "Action": ["aws-portal:ViewUsage"], "Resource": "*"
  • D. "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*"

Answer: C

Explanation: AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the CFO wants to allow only AWS usage report page access, the policy for that IAM user will be as given below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewUsage"
      ],
      "Resource": "*"
    }
  ]
}
Reference: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html

NEW QUESTION 3
Can a Direct Connect link be connected directly to the Internet?

  • A. Yes, this can be done if you pay for it.
  • B. Yes, this can be done only for certain regions.
  • C. Yes
  • D. No

Answer: D

Explanation: AWS Direct Connect is a network service that provides an alternative to using the Internet to use AWS cloud services. Hence, a Direct Connect link cannot be connected to the Internet directly.
Reference: http://aws.amazon.com/directconnect/faqs/

NEW QUESTION 4
How does AWS Data Pipeline execute activities on on-premise resources or AWS resources that you manage?

  • A. By supplying a Task Runner package that can be installed on your on-premise hosts
  • B. None of these
  • C. By supplying a Task Runner file that the resources can access for execution
  • D. By supplying a Task Runner json script that can be installed on your on-premise hosts

Answer: A

Explanation: To enable running activities using on-premise resources, AWS Data Pipeline does the following: it supplies a Task Runner package that can be installed on your on-premise hosts.
This package continuously polls the AWS Data Pipeline service for work to perform.
When it’s time to run a particular activity on your on-premise resources, it will issue the appropriate command to the Task Runner.
Reference: https://aws.amazon.com/datapipeline/faqs/

NEW QUESTION 5
In Amazon ElastiCache, the default cache port is:

  • A. for Memcached 11210 and for Redis 6380.
  • B. for Memcached 11211 and for Redis 6380.
  • C. for Memcached 11210 and for Redis 6379.
  • D. for Memcached 11211 and for Redis 6379.

Answer: D

Explanation: In Amazon ElastiCache, you can specify a new port number for your cache cluster, which by default is 11211 for Memcached and 6379 for Redis.
Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/GettingStarted.AuthorizeAccess.html

NEW QUESTION 6
Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed globally, often on the move, and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise and, if required, you may need to pay for a consultant.
How do you implement the most cost-efficient architecture without compromising high availability and quality of video delivery?

  • A. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
  • B. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
  • C. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. S3 to host videos with Lifecycle Management to archive original files to Glacier after a few days. CloudFront to serve HLS transcoded videos from S3.
  • D. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. S3 to host videos with Lifecycle Management to archive all files to Glacier after a few days. CloudFront to serve HLS transcoded videos from Glacier.

Answer: C

NEW QUESTION 7
An organization has 4 people in the IT operations team who are responsible for managing the AWS infrastructure. The organization wants to set things up so that each user has access to launch and manage an instance in a zone which the other users cannot modify. Which of the below mentioned options is the best solution to set this up?

  • A. Create four AWS accounts and give each user access to a separate account.
  • B. Create an IAM user and allow them permission to launch an instance of a different size only.
  • C. Create four IAM users and four VPCs and allow each IAM user to have access to separate VPCs.
  • D. Create a VPC with four subnets and allow access to each subnet for the individual IAM user.

Answer: D

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as per the requirement within a VPC. The VPC also works with IAM, and the organization can create IAM users who have access to various VPC services. The organization can set up access for the IAM user who can modify the security groups of the VPC. The sample policy is given below:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [
      "arn:aws:ec2:region::image/ami-*",
      "arn:aws:ec2:region:account:subnet/subnet-1a2b3c4d",
      "arn:aws:ec2:region:account:network-interface/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/sg-123abc123"
    ]
  }]
}
With this policy the user can create four subnets in separate zones and provide IAM user access to each subnet.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html

NEW QUESTION 8
An organization is hosting a scalable web application using AWS. The organization has configured ELB and Auto Scaling to make the application scalable. Which of the below mentioned statements is not required to be followed for ELB when the application is planning to host a web application on VPC?

  • A. The ELB and all the instances should be in the same subnet.
  • B. Configure the security group rules and network ACLs to allow traffic to be routed between the subnets in the VPC.
  • C. The internet facing ELB should have a route table associated with the internet gateway.
  • D. The internet facing ELB should be only in a public subnet.

Answer: A

Explanation: Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an ELB, and EC2 instances. There are two ELBs available with VPC: internet facing and internal (private) ELB. For the internet facing ELB it is required that the ELB should be in a public subnet. After the user creates the public subnet, he should make sure to associate the route table of the public subnet with the internet gateway to enable the load balancer in the subnet to connect with the internet. The ELB and instances can be in a separate subnet. However, to allow communication between the instance and the ELB the user must configure the security group rules and network ACLs to allow traffic to be routed between the subnets in his VPC.
Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/CreateVPCForELB.html

NEW QUESTION 9
An organization is setting up a highly scalable application using Elastic Beanstalk. They are using Elastic Load Balancing (ELB) as well as a Virtual Private Cloud (VPC) with public and private subnets. They have the following requirements:
  • All the EC2 instances should have a private IP
  • All the EC2 instances should receive data via the ELB's.
Which of these will not be needed in this setup?

  • A. Launch the EC2 instances with only the public subnet.
  • B. Create routing rules which will route all inbound traffic from ELB to the EC2 instances.
  • C. Configure ELB and NAT as a part of the public subnet only.
  • D. Create routing rules which will route all outbound traffic from the EC2 instances through NAT.

Answer: A

Explanation: The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. If the organization wants the Amazon EC2 instances to have a private IP address, it should create a public and private subnet for VPC in each Availability Zone (this is an AWS Elastic Beanstalk requirement). The organization should add their public resources, such as ELB and NAT to the public subnet, and AWS Elastic Beanstalk will assign them unique elastic IP addresses (a static, public IP address). The organization should launch Amazon EC2 instances in a private subnet so that AWS Elastic Beanstalk assigns them non-routable private IP addresses. Now the organization should configure route tables with the following rules:
  • route all inbound traffic from ELB to EC2 instances
  • route all outbound traffic from EC2 instances through NAT
Reference: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc.html

NEW QUESTION 10
Auto Scaling requests are signed with a signature calculated from the request and the user’s private key.

  • A. SSL
  • B. AES-256
  • C. HMAC-SHA1
  • D. X.509

Answer: C

NEW QUESTION 11
An organization is planning to host a web application in the AWS VPC. The organization does not want to host a database in the public cloud due to statutory requirements. How can the organization set up in this scenario?

  • A. The organization should plan the app server on the public subnet and database in the organization’s data center and connect them with the VPN gateway.
  • B. The organization should plan the app server on the public subnet and use RDS with the private subnet for a secure data operation.
  • C. The organization should use the public subnet for the app server and use RDS with a storage gateway to access as well as sync the data securely from the local data center.
  • D. The organization should plan the app server on the public subnet and database in a private subnet so it will not be in the public cloud.

Answer: A

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account.
The user can create subnets as per the requirement within a VPC. If the user wants to connect VPC from his own data centre, he can set up a public and VPN only subnet which uses hardware VPN access to connect with his data centre. When the user has configured this setup with Wizard, it will create a virtual private gateway to route all the traffic of the VPN subnet.
If the virtual private gateway is attached with VPC and the user deletes the VPC from the console it will first automatically detach the gateway and only then delete the VPC.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

NEW QUESTION 12
You have recently joined a startup company building sensors to measure street noise and air quality in urban areas. The company has been running a pilot deployment of around 100 sensors for 3 months. Each sensor uploads 1KB of sensor data every minute to a backend hosted on AWS.
During the pilot, you measured a peak of 10 IOPS on the database, and you stored an average of 3GB of sensor data per month in the database.
The current deployment consists of a load-balanced auto scaled ingestion layer using EC2 instances and a PostgreSQL RDS database with 500GB standard storage.
The pilot is considered a success and your CEO has managed to get the attention of some potential investors. The business plan requires a deployment of at least 100K sensors which needs to be supported by the backend. You also need to store sensor data for at least two years to be able to compare year over year improvements.
To secure funding, you have to make sure that the platform meets these requirements and leaves room for further scaling. Which setup will meet the requirements?

  • A. Add an SQS queue to the ingestion layer to buffer writes to the RDS instance
  • B. Ingest data into a DynamoDB table and move old data to a Redshift cluster
  • C. Replace the RDS instance with a 6 node Redshift cluster with 96TB of storage
  • D. Keep the current architecture but upgrade RDS storage to 3TB and 10K provisioned IOPS

Answer: C

NEW QUESTION 13
Your startup wants to implement an order fulfillment process for selling a personalized gadget that needs an average of 3-4 days to produce, with some orders taking up to 6 months. You expect 10 orders per day on your first day, 1000 orders per day after 6 months and 10,000 orders after 12 months.
Orders coming in are checked for consistency, then dispatched to your manufacturing plant for production, quality control, packaging, shipment and payment processing. If the product does not meet the quality standards at any stage of the process, employees may force the process to repeat a step. Customers are notified via email about order status and any critical issues with their orders, such as payment failure.
Your base architecture includes AWS Elastic Beanstalk for your website with an RDS MySQL instance for customer data and orders.
How can you implement the order fulfillment process while making sure that the emails are delivered reliably?

  • A. Add a business process management application to your Elastic Beanstalk app servers and re-use the RDS database for tracking order status. Use one of the Elastic Beanstalk instances to send emails to customers.
  • B. Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1. Use the decider instance to send emails to customers.
  • C. Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1. Use SES to send emails to customers.
  • D. Use an SQS queue to manage all process tasks. Use an Auto Scaling group of EC2 instances that poll the tasks and execute them. Use SES to send emails to customers.

Answer: C

NEW QUESTION 14
Which of the following statements is correct about the number of security groups and rules applicable for an EC2-Classic instance and an EC2-VPC network interface?

  • A. In EC2-Classic, you can associate an instance with up to 5 security groups and add up to 50 rules to a security group. In EC2-VPC, you can associate a network interface with up to 500 security groups and add up to 100 rules to a security group.
  • B. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 50 rules to a security group. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 100 rules to a security group.
  • C. In EC2-Classic, you can associate an instance with up to 5 security groups and add up to 100 rules to a security group. In EC2-VPC, you can associate a network interface with up to 500 security groups and add up to 50 rules to a security group.
  • D. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group.

Answer: D

Explanation: A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. If you're using EC2-Classic, you must use security groups created specifically for EC2-Classic. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group. If you're using EC2-VPC, you must use security groups created specifically for your VPC. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

NEW QUESTION 15
You would like to create a mirror image of your production environment in another region for disaster recovery purposes. Which of the following AWS resources do not need to be recreated in the second region? (Choose 2 answers)

  • A. Route 53 Record Sets
  • B. IAM Roles
  • C. Elastic IP Addresses (EIP)
  • D. EC2 Key Pairs
  • E. Launch configurations
  • F. Security Groups

Answer: AC

NEW QUESTION 16
True or False: "In the context of Amazon ElastiCache, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node."

  • A. True, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node since each has a unique node identifier.
  • B. True, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node.
  • C. False, you can connect to a cache node, but not to a cluster configuration endpoint.
  • D. False, you can connect to a cluster configuration endpoint, but not to a cache node.

Answer: B

Explanation: This is true. From the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node. In the process of connecting to cache nodes, the application resolves the configuration endpoint's DNS name. Because the configuration endpoint maintains CNAME entries for all of the cache nodes, the DNS name resolves to one of the nodes; the client can then connect to that node.
Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/AutoDiscovery.HowAutoDiscoveryWorks.html

NEW QUESTION 17
A customer is deploying an SSL enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators that are entitled to login to instances as well as making API calls and the security officers who will maintain and have exclusive access to the application’s X.509 certificate that contains the private key.

  • A. Upload the certificate on an S3 bucket owned by the security officers and accessible only by EC2 Role of the web servers.
  • B. Configure the web servers to retrieve the certificate upon boot from a CloudHSM that is managed by the security officers.
  • C. Configure system permissions on the web servers to restrict access to the certificate only to the authorized security officers.
  • D. Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.

Answer: D

NEW QUESTION 18
In IAM, which of the following is true of temporary security credentials?

  • A. Once you issue temporary security credentials, they cannot be revoked.
  • B. None of these are correct.
  • C. Once you issue temporary security credentials, they can be revoked only when the virtual MFA device is used.
  • D. Once you issue temporary security credentials, they can be revoked.

Answer: A

Explanation: Temporary credentials in IAM are valid throughout their defined duration of time and hence can't be revoked. However, because permissions are evaluated each time an AWS request is made using the credentials, you can achieve the effect of revoking the credentials by changing the permissions for the credentials even after they have been issued.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html

NEW QUESTION 19
One of your AWS Data Pipeline activities has failed consequently and has entered a hard failure state after retrying thrice. You want to try it again. Is it possible to increase the number of automatic retries to more than thrice?

  • A. Yes, you can increase the number of automatic retries to 6.
  • B. Yes, you can increase the number of automatic retries to an indefinite number.
  • C. No, you cannot increase the number of automatic retries.
  • D. Yes, you can increase the number of automatic retries to 10.

Answer: D

Explanation: In AWS Data Pipeline, an activity fails if all of its activity attempts return with a failed state. By default, an activity retries three times before entering a hard failure state. You can increase the number of automatic retries to 10. However, the system does not allow indefinite retries.
Reference: https://aws.amazon.com/datapipeline/faqs/

NEW QUESTION 20
The IT infrastructure that AWS provides complies with the following IT security standards, including:

  • A. SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2 and SOC 3
  • B. FISMA, DIACAP, and FedRAMP
  • C. PCI DSS Level 1, ISO 27001, ITAR and FIPS 140-2
  • D. HIPAA, Cloud Security Alliance (CSA) and Motion Picture Association of America (MPAA)
  • E. All of the above

Answer: ABC
