AWS-Certified-Solutions-Architect-Professional Exam - AWS-Certified-Solutions-Architect-Professional


NEW QUESTION 1
After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet you modify your route tables to have the NAT device be the target of internet bound traffic of your private subnet. When you try and make an outbound connection to the internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue?

  • A. Disabling the Source/Destination Check attribute on the NAT instance
  • B. Attaching an Elastic IP address to the instance in the private subnet
  • C. Attaching a second Elastic Network Interface (ENI) to the NAT instance, and placing it in the private subnet
  • D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet

Answer: A

NEW QUESTION 2
You deployed your company website using Elastic Beanstalk and you enabled log file rotation to S3. An Elastic Map Reduce job is periodically analyzing the logs on S3 to build a usage dashboard that you share with your CIO.
You recently improved overall performance of the website using Cloud Front for dynamic content delivery and your website as the origin.
After this architectural change, the usage dashboard shows that the traffic on your website dropped by an order of magnitude. How do you fix your usage dashboard?

  • A. Enable Cloud Front to deliver access logs to S3 and use them as input of the Elastic Map Reduce job.
  • B. Turn on Cloud Trail and use trail log files on S3 as input of the Elastic Map Reduce job.
  • C. Change your log collection process to use Cloud Watch ELB metrics as input of the Elastic MapReduce job
  • D. Use Elastic Beanstalk "Rebuild Environment" option to update log delivery to the Elastic Map Reduce job.
  • E. Use Elastic Beanstalk "Restart App server(s)" option to update log delivery to the Elastic Map Reduce job.

Answer: D

NEW QUESTION 3
A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. The NAT instance ID is i-a12345. Which of the below mentioned entries are required in the main route table attached with the private subnet to allow instances to connect with the internet?

  • A. Destination: 20.0.0.0/0 and Target: 80
  • B. Destination: 20.0.0.0/0 and Target: i-a12345
  • C. Destination: 20.0.0.0/24 and Target: i-a12345
  • D. Destination: 0.0.0.0/0 and Target: i-a12345

Answer: D

Explanation: A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created public and private subnets, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with the wizard, AWS will create two route tables and attach them to the subnets. The main route table will have the entry "Destination: 0.0.0.0/0 and Target: i-a12345", which allows all the instances in the private subnet to connect to the internet using NAT.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

NEW QUESTION 4
Your application provides data transformation services. Files containing data to be transformed are first uploaded to Amazon S3 and then transformed by a fleet of spot EC2 instances. Files submitted by your premium customers must be transformed with the highest priority. How should you implement such a system?

  • A. Use a DynamoDB table with an attribute defining the priority level. Transformation instances will scan the table for tasks, sorting the results by priority level.
  • B. Use Route 53 latency based-routing to send high priority tasks to the closest transformation instances.
  • C. Use two SQS queues, one for high priority messages, the other for default priority. Transformation instances first poll the high priority queue; if there is no message, they poll the default priority queue.
  • D. Use a single SQS queue. Each message contains the priority level. Transformation instances poll high-priority messages first.

Answer: C

NEW QUESTION 5
Which of the following is true while using an IAM role to grant permissions to applications running on Amazon EC2 instances?

  • A. All applications on the instance share the same role, but different permissions.
  • B. All applications on the instance share multiple roles and permissions.
  • C. Multiple roles are assigned to an EC2 instance at a time.
  • D. Only one role can be assigned to an EC2 instance at a time.

Answer: D

Explanation: Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/role-usecase-ec2app.html

NEW QUESTION 6
You want to define permissions for a role in an IAM policy. Which of the following configuration formats should you use?

  • A. An XML document written in the IAM Policy Language
  • B. An XML document written in a language of your choice
  • C. A JSON document written in the IAM Policy Language
  • D. A JSON document written in a language of your choice

Answer: C

Explanation: You define the permissions for a role in an IAM policy. An IAM policy is a JSON document written in the IAM Policy Language.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

NEW QUESTION 7
An organization has a VPC for the HR department, and another VPC for the Admin department. The HR department requires access to all the instances running in the Admin VPC while the Admin department requires access to all the resources in the HR department. How can the organization set up this scenario?

  • A. Setup VPC peering between the VPCs of Admin and HR.
  • B. Setup ACL with both VPCs which will allow traffic from the CIDR of the other VPC.
  • C. Setup the security group with each VPC which allows traffic from the CIDR of another VPC.
  • D. It is not possible to connect resources of one VPC from another VPC.

Answer: A

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. A VPC peering connection allows the user to route traffic between the peer VPCs using private IP addresses as if they are a part of the same network.
This is helpful when one VPC from the same or different AWS account wants to connect with resources of the other VPC.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

NEW QUESTION 8
Which of the following IAM policy elements lets you specify an exception to a list of actions?

  • A. NotException
  • B. ExceptionAction
  • C. Exception
  • D. NotAction

Answer: D

Explanation: The NotAction element lets you specify an exception to a list of actions.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html

NEW QUESTION 9
Your company is in the process of developing a next generation pet collar that collects biometric information to assist families with promoting healthy lifestyles for their pets. Each collar will push 30kb of biometric data in JSON format every 2 seconds to a collection platform that will process and analyze the data, providing health trending information back to the pet owners and veterinarians via a web portal. Management has tasked you to architect the collection platform, ensuring the following requirements are met.
Provide the ability for real-time analytics of the inbound biometric data. Ensure processing of the biometric data is highly durable, elastic and parallel. The results of the analytic processing should be persisted for data mining.
Which architecture outlined below will meet the initial requirements for the collection platform?

  • A. Utilize S3 to collect the inbound sensor data analyze the data from S3 with a daily scheduled Data Pipeline and save the results to a Redshift Cluster.
  • B. Utilize Amazon Kinesis to collect the inbound sensor data, analyze the data with Kinesis clients and save the results to a Redshift cluster using EMR.
  • C. Utilize SQS to collect the inbound sensor data analyze the data from SQS with Amazon Kinesis and save the results to a Microsoft SQL Server RDS instance.
  • D. Utilize EMR to collect the inbound sensor data, analyze the data from EMR with Amazon Kinesis and save the results to DynamoDB.

Answer: B

NEW QUESTION 10
You are developing a new mobile application and are considering storing user preferences in AWS. This would provide a more uniform cross-device experience to users using multiple mobile devices to access the application. The preference data for each user is estimated to be 50KB in size. Additionally, 5 million customers are expected to use the application on a regular basis. The solution needs to be cost-effective, highly available, scalable and secure. How would you design a solution to meet the above requirements?

  • A. Setup an RDS MySQL instance in 2 availability zones to store the user preference data. Deploy a public facing application on a server in front of the database to manage security and access credentials.
  • B. Setup a DynamoDB table with an item for each user having the necessary attributes to hold the user preferences. The mobile application will query the user preferences directly from the DynamoDB table. Utilize STS, Web Identity Federation, and DynamoDB Fine Grained Access Control to authenticate and authorize access.
  • C. Setup an RDS MySQL instance with multiple read replicas in 2 availability zones to store the user preference data. The mobile application will query the user preferences from the read replicas. Leverage the MySQL user management and access privilege system to manage security and access credentials.
  • D. Store the user preference data in S3. Setup a DynamoDB table with an item for each user and an item attribute pointing to the user's S3 object. The mobile application will retrieve the S3 URL from DynamoDB and then access the S3 object directly. Utilize STS, Web Identity Federation, and S3 ACLs to authenticate and authorize access.

Answer: B

NEW QUESTION 11
What is the maximum length for an instance profile name in AWS IAM?

  • A. 512 characters
  • B. 128 characters
  • C. 1024 characters
  • D. 64 characters

Answer: B

Explanation: The maximum length for an instance profile name is 128 characters.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

NEW QUESTION 12
Select the correct set of options. These are the initial settings for the default security group:

  • A. Allow no inbound traffic, Allow all outbound traffic and Allow instances associated with this security group to talk to each other
  • B. Allow all inbound traffic, Allow no outbound traffic and Allow instances associated with this security group to talk to each other
  • C. Allow no inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other
  • D. Allow all inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other

Answer: A

NEW QUESTION 13
Your department creates regular analytics reports from your company's log files. All log data is collected in Amazon S3 and processed by daily Amazon Elastic MapReduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse.
Your CFO requests that you optimize the cost structure for this system.
Which of the following alternatives will lower costs without compromising average performance of the system or data integrity for the raw data?

  • A. Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot Instances and Reserved Instances for Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
  • B. Use reduced redundancy storage (RRS) for PDF and .csv data in S3. Add Spot Instances to EMR jobs. Use Spot Instances for Amazon Redshift.
  • C. Use reduced redundancy storage (RRS) for PDF and .csv data in Amazon S3. Add Spot Instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
  • D. Use reduced redundancy storage (RRS) for all data in Amazon S3. Add Spot Instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.

Answer: C

NEW QUESTION 14
How many g2.2xlarge on-demand instances can a user run in one region without taking any limit increase approval from AWS?

  • A. 20
  • B. 2
  • C. 5
  • D. 10

Answer: C

Explanation: Generally AWS EC2 allows running 20 on-demand instances and 100 spot instances at a time. This limit can be increased by requesting at https://aws.amazon.com/contact-us/ec2-request. For certain instance types, the limit is lower than mentioned above. For g2.2xlarge, the user can run only 5 on-demand instances at a time.
Reference: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_ec2

NEW QUESTION 15
An organization is setting up an application on AWS to have both High Availability (HA) and Disaster Recovery (DR). The organization wants to have both Recovery point objective (RPO) and Recovery time objective (RTO) of 10 minutes. Which of the below mentioned service configurations does not help the organization achieve the said RPO and RTO?

  • A. Take a snapshot of the data every 10 minutes and copy it to the other region.
  • B. Use an elastic IP to assign to a running instance and use Route 53 to map the user’s domain with that IP.
  • C. Create ELB with multi-region routing to allow automated failover when required.
  • D. Use an AMI copy to keep the AMI available in other region

Answer: C

Explanation: AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch On-Demand instances and the organization should create an AMI of the running instance. Copy the AMI to another region to enable Disaster Recovery (DR) in case of region failure. The organization should also use EBS for persistent storage and take a snapshot every 10 minutes to meet Recovery time objective (RTO). They should also setup an elastic IP and use it with Route 53 to route requests to the same IP.
When one of the instances fails the organization can launch new instances and assign the same EIP to a new instance to achieve High Availability (HA). The ELB works only for a particular region and does not route requests across regions.
Reference: http://d36cz9buwru1tt.cloudfront.net/AWS_Disaster_Recovery.pdf

NEW QUESTION 16
A customer has a 10 GB AWS Direct Connect connection to an AWS region where they have a web application hosted on Amazon Elastic Compute Cloud (EC2). The application has dependencies on an on-premises mainframe database that uses a BASE (Basically Available, Soft state, Eventual consistency) rather than an ACID (Atomicity, Consistency, Isolation, Durability) consistency model. The application is exhibiting undesirable behavior because the database is not able to handle the volume of writes. How can you reduce the load on your on-premises database resources in the most cost-effective way?

  • A. Use an Amazon Elastic Map Reduce (EMR) S3DistCp as a synchronization mechanism between the on-premises database and a Hadoop cluster on AWS.
  • B. Modify the application to write to an Amazon SQS queue and develop a worker process to flush the queue to the on-premises database.
  • C. Modify the application to use DynamoDB to feed an EMR cluster which uses a map function to write to the on-premises database.
  • D. Provision an RDS read-replica database on AWS to handle the writes and synchronize the two databases using Data Pipeline.

Answer: A

NEW QUESTION 17
You require the ability to analyze a large amount of data, which is stored on Amazon S3 using Amazon Elastic Map Reduce. You are using the cc2 8x large Instance type, whose CPUs are mostly idle during processing. Which of the below would be the most cost efficient way to reduce the runtime of the job?

  • A. Create more smaller files on Amazon S3.
  • B. Add additional cc2 8x large instances by introducing a task group.
  • C. Use smaller instances that have higher aggregate I/O performance.
  • D. Create fewer, larger files on Amazon S3.

Answer: C

NEW QUESTION 18
An organization is hosting a scalable web application using AWS. The organization has configured internet facing ELB and Auto Scaling to make the application scalable. Which of the below mentioned statements is required to be followed when the organization is planning to host a web application on VPC?

  • A. The ELB can be in a public or a private subnet but should have the ENI which is attached to an elastic IP.
  • B. The ELB must not be in any subnet; instead it should face the internet directly.
  • C. The ELB must be in a public subnet of the VPC to face the internet traffic.
  • D. The ELB can be in a public or a private subnet but must have routing tables attached to divert the internet traffic to it.

Answer: C

Explanation: The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an ELB, and EC2 instances. There are two ELBs available with VPC: internet facing and internal (private) ELB. For internet facing ELB it is required that ELB should be in a public subnet.
After creating the public subnet, the user should associate the route table of the public subnet with the internet gateway so that the load balancer in the subnet can connect with the internet.
Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/CreateVPCForELB.html

NEW QUESTION 19
A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an IPSec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Space (S3) keyspace specific to that user.
Which two approaches can satisfy these objectives? (Choose 2 answers)

  • A. Develop an identity broker that authenticates against IAM Security Token Service to assume an IAM role in order to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.
  • B. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket.
  • C. Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
  • D. The application authenticates against LDAP. The application then calls the AWS Identity and Access Management (IAM) Security service to log in to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.
  • E. The application authenticates against IAM Security Token Service using the LDAP credentials. The application uses those temporary AWS security credentials to access the appropriate S3 bucket.

Answer: BC

NEW QUESTION 20
A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that AWS CloudHSM is the best service for this. However, there seem to be a few prerequisites before this can happen, one of those being a security group that has certain ports open. Which of the following is correct in regards to those security groups?

  • A. A security group that has no ports open to your network.
  • B. A security group that has only port 3389 (for RDP) open to your network.
  • C. A security group that has only port 22 (for SSH) open to your network.
  • D. A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.

Answer: D

Explanation: AWS CloudHSM provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud.
AWS CloudHSM requires the following environment before an HSM appliance can be provisioned:
A virtual private cloud (VPC) in the region where you want the AWS CloudHSM service.
One private subnet (a subnet with no Internet gateway) in the VPC. The HSM appliance is provisioned into this subnet.
One public subnet (a subnet with an Internet gateway attached). The control instances are attached to this subnet.
An AWS Identity and Access Management (IAM) role that delegates access to your AWS resources to AWS CloudHSM.
An EC2 instance, in the same VPC as the HSM appliance, that has the SafeNet client software installed. This instance is referred to as the control instance and is used to connect to and manage the HSM appliance.
A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network. This security group is attached to your control instances so you can access them remotely.
