AWS-Certified-Solutions-Architect-Professional Exam - AWS-Certified-Solutions-Architect-Professional

certleader.com


Online AWS-Certified-Solutions-Architect-Professional free questions and answers of New Version:

NEW QUESTION 1
You have deployed a web application targeting a global audience across multiple AWS Regions under the domain name.example.com. You decide to use Route53 Latency-Based Routing to serve web requests to users from the region closest to the user. To provide business continuity in the event of server downtime you configure weighted record sets associated with two web servers in separate Availability Zones per region. During a DR test you notice that when you disable all web servers in one of the regions Route53 does not automatically direct all users to the other region. What could be happening? (Choose 2 answers)

  • A. Latency resource record sets cannot be used in combination with weighted resource record sets.
  • B. You did not set up an HTTP health check to one or more of the weighted resource record sets associated with the disabled web servers.
  • C. The value of the weight associated with the latency alias resource record set in the region with the disabled servers is higher than the weight for the other region.
  • D. One of the two working web servers in the other region did not pass its HTTP health check.
  • E. You did not set "Evaluate Target Health" to "Yes" on the latency alias resource record set associated with example.com in the region where you disabled the servers.

Answer: BE

NEW QUESTION 2
An organization is planning to use NoSQL DB for its scalable data needs. The organization wants to host an application securely in AWS VPC. What action can be recommended to the organization?

  • A. The organization should setup their own NoSQL cluster on the AWS instance and configure route tables and subnets.
  • B. The organization should only use a DynamoDB because by default it is always a part of the default subnet provided by AWS.
  • C. The organization should use a DynamoDB while creating a table within the public subnet.
  • D. The organization should use a DynamoDB while creating a table within a private subnet.

Answer: A

Explanation: The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Currently VPC does not support DynamoDB. Thus, if the user wants to implement VPC, he has to set up his own NoSQL DB within the VPC.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

NEW QUESTION 3
Mike is appointed as Cloud Consultant in ExamKiller.com. ExamKiller has the following VPCs set up in the US East Region:
A VPC with CIDR block 10.10.0.0/16, a subnet in that VPC with CIDR block 10.10.1.0/24
A VPC with CIDR block 10.40.0.0/16, a subnet in that VPC with CIDR block 10.40.1.0/24
ExamKiller.com is trying to establish a network connection between two subnets, a subnet with CIDR block 10.10.1.0/24 and another subnet with CIDR block 10.40.1.0/24. Which one of the following solutions should Mike recommend to ExamKiller.com?

  • A. Create 2 Virtual Private Gateways and configure one with each VPC.
  • B. Create 2 Internet Gateways, and attach one to each VPC.
  • C. Create a VPC Peering connection between both VPCs.
  • D. Create one EC2 instance in each subnet, assign Elastic IPs to both instances, and set up a Site-to-Site VPN connection between both EC2 instances.

Answer: C

Explanation: A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. EC2 instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

NEW QUESTION 4
An organization has developed an application which provides a smarter shopping experience. They need to show a demonstration to various stakeholders who may not be able to access the on-premises application, so they decide to host a demo version of the application on AWS. Consequently they will need a fixed elastic IP attached automatically to the instance when it is launched.
In this scenario which of the below mentioned options will not help assign the elastic IP automatically?

  • A. Write a script which will fetch the instance metadata on system boot and assign the public IP using that metadata.
  • B. Provide an elastic IP in the user data and setup a bootstrapping script which will fetch that elastic IP and assign it to the instance.
  • C. Create a controlling application which launches the instance and assigns the elastic IP based on the parameter provided when that instance is booted.
  • D. Launch instance with VPC and assign an elastic IP to the primary network interface.

Answer: A

Explanation: EC2 allows the user to launch On-Demand instances. If the organization is using an application temporarily only for demo purposes, the best way to assign an elastic IP would be:
  • Launch an instance with a VPC and assign an EIP to the primary network interface. This way on every instance start it will have the same IP.
  • Create a bootstrapping script and provide it some metadata, such as user data, which can be used to assign an EIP.
  • Create a controller instance which can schedule the start and stop of the instance and provide an EIP as a parameter so that the controller instance can check the instance boot and assign an EIP.
The instance metadata gives the current instance data, such as the public/private IP. It can be of no use for assigning an EIP.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html

NEW QUESTION 5
An organization is planning to set up a management network on the AWS VPC. The organization is trying to secure the webserver on a single VPC instance such that it allows the internet traffic as well as the back-end management traffic. The organization wants to make it so that the back-end management network interface can receive the SSH traffic only from a selected IP range, while the internet-facing webserver will have an IP address which can receive traffic from all the internet IPs.
How can the organization achieve this by running web server on a single instance?

  • A. It is not possible to have two IP addresses for a single instance.
  • B. The organization should create two network interfaces with the same subnet and security group to assign separate IPs to each network interface.
  • C. The organization should create two network interfaces with separate subnets so one instance can have two subnets and the respective security groups for controlled access.
  • D. The organization should launch an instance with two separate subnets using the same network interface, which allows it to have a separate CIDR as well as security groups.

Answer: C

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC.
The user can create a management network using two separate network interfaces. For the present scenario it is required that the secondary network interface on the instance handles the public facing traffic and the primary network interface handles the back-end management traffic and it is connected to a separate subnet in the VPC that has more restrictive access controls. The public facing interface, which may or may not be behind a load balancer, has an associated security group to allow access to the server from the internet while the private facing interface has an associated security group allowing SSH access only from an allowed range of IP addresses either within the VPC or from the internet, a private subnet within the VPC or a virtual private gateway.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

NEW QUESTION 6
How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another?

  • A. Detach the volume and attach it to another EC2 instance in the other AZ.
  • B. Simply create a new volume in the other AZ and specify the original volume as the source.
  • C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ.
  • D. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ.

Answer: C

NEW QUESTION 7
Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed. Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don't want to create new IAM users for each NOC member and make those users sign in again to the AWS Management Console. Which option below will meet the needs for your NOC members?

  • A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.
  • B. Use web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.
  • C. Use your on-premises SAML 2.0-compliant identity provider (IDP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
  • D. Use your on-premises SAML 2.0-compliant identity provider (IDP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.

Answer: D

NEW QUESTION 8
A 3-tier e-commerce web application is currently deployed on-premises and will be migrated to AWS for greater scalability and elasticity. The web server currently shares read-only data using a network distributed file system. The app server tier uses a clustering mechanism for discovery and shared session state that depends on IP multicast. The database tier uses shared-storage clustering to provide database failover capability, and uses several read slaves for scaling. Data on all servers and the distributed file system directory is backed up weekly to off-site tapes.
Which AWS storage and database architecture meets the requirements of the application?

  • A. Web servers: store read-only data in S3, and copy from S3 to root volume at boot time. App servers: share state using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment and one or more read replicas. Backup: web servers, app servers, and database backed up weekly to Glacier using snapshots.
  • B. Web servers: store read-only data in an EC2 NFS server; mount to each web server at boot time. App servers: share state using a combination of DynamoDB and IP multicast. Database: use RDS with multi-AZ deployment and one or more Read Replicas. Backup: web and app servers backed up weekly via AMIs, database backed up via DB snapshots.
  • C. Web servers: store read-only data in S3, and copy from S3 to root volume at boot time. App servers: share state using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment and one or more Read Replicas. Backup: web and app servers backed up weekly via AMIs, database backed up via DB snapshots.
  • D. Web servers: store read-only data in S3, and copy from S3 to root volume at boot time. App servers: share state using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment. Backup: web and app servers backed up weekly via AMIs, database backed up via DB snapshots.

Answer: C

NEW QUESTION 9
How can a user list the IAM Role configured as a part of the launch config?

  • A. as-describe-launch-configs --iam-profile
  • B. as-describe-launch-configs --show-long
  • C. as-describe-launch-configs --iam-role
  • D. as-describe-launch-configs --role

Answer: B

Explanation: as-describe-launch-configs describes all the launch config parameters created by the AWS account in the specified region. Generally it returns values such as Launch Config name, Instance Type and AMI ID. If the user wants additional parameters, such as the IAM Profile used in the config, he has to run the command: as-describe-launch-configs --show-long

NEW QUESTION 10
You are running a news website in the eu-west-1 region that updates every 15 minutes. The website has a world-wide audience. It uses an Auto Scaling group behind an Elastic Load Balancer and an Amazon RDS database. Static content resides on Amazon S3, and is distributed through Amazon CloudFront. Your Auto Scaling group is set to trigger a scale up event at 60% CPU utilization. You use an Amazon RDS extra large DB instance with 10.000 Provisioned IOPS; its CPU utilization is around 80%, while freeable memory is in the 2 GB range.
Web analytics reports show that the average load time of your web pages is around 1.5 to 2 seconds, but your SEO consultant wants to bring down the average load time to under 0.5 seconds.
How would you improve page load times for your users? (Choose 3 answers)

  • A. Lower the scale up trigger of your Auto Scaling group to 30% so it scales more aggressively.
  • B. Add an Amazon ElastiCache caching layer to your application for storing sessions and frequent DB queries
  • C. Configure Amazon CloudFront dynamic content support to enable caching of re-usable content from your site
  • D. Switch the Amazon RDS database to the high memory extra large Instance type
  • E. Set up a second installation in another region, and use the Amazon Route 53 latency-based routing feature to select the right region.

Answer: ABD

NEW QUESTION 11
What does elasticity mean to AWS?

  • A. The ability to scale computing resources up easily, with minimal friction and down with latency.
  • B. The ability to scale computing resources up and down easily, with minimal friction.
  • C. The ability to provision cloud computing resources in expectation of future demand.
  • D. The ability to recover from business continuity events with minimal friction.

Answer: B

NEW QUESTION 12
In Amazon ElastiCache, which of the following statements is correct?

  • A. When you launch an ElastiCache cluster into an Amazon VPC private subnet, every cache node is assigned a public IP address within that subnet.
  • B. You cannot use ElastiCache in a VPC that is configured for dedicated instance tenancy.
  • C. If your AWS account supports only the EC2-VPC platform, ElastiCache will never launch your cluster in a VPC.
  • D. ElastiCache is not fully integrated with Amazon Virtual Private Cloud (VPC).

Answer: B

Explanation: The VPC must allow non-dedicated EC2 instances. You cannot use ElastiCache in a VPC that is configured for dedicated instance tenancy.
Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/AmazonVPC.EC.html

NEW QUESTION 13
IAM Secure And Scalable is an organization which provides scalable and secure SAAS to its clients. They are planning to host a web server and App server on AWS VPC as separate tiers. The organization wants to implement the scalability by configuring Auto Scaling and load balancer with their app servers (middle tier) too. Which of the below mentioned options suits their requirements?

  • A. Since ELB is internet facing, it is recommended to setup HAProxy as the Load balancer within the VPC.
  • B. Create an Internet facing ELB with VPC and configure all the App servers with it.
  • C. The user should make ELB with EC2-CLASSIC and enable SSH with it for security.
  • D. Create an Internal Load balancer with VPC and register all the App servers with it.

Answer: D

Explanation: The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an ELB, and EC2 instances.
There are two ELBs available with VPC: internet facing and internal (private) ELB. For internal servers, such as App servers, the organization can create an internal load balancer in their VPC and then place back-end application instances behind the internal load balancer. The internal load balancer will route requests to the back-end application instances, which are also using private IP addresses and only accept requests from the internal load balancer.
Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/vpc-loadbalancer-types.html

NEW QUESTION 14
A bucket owner has allowed another account’s IAM users to upload or access objects in his bucket. The IAM user of Account A is trying to access an object created by the IAM user of account B. What will happen in this scenario?

  • A. It is not possible to give permission to multiple IAM users
  • B. AWS S3 will verify proper rights given by the owner of Account A, the bucket owner as well as by the IAM user B to the object
  • C. The bucket policy may not be created as S3 will give error due to conflict of Access Rights
  • D. It is not possible that the IAM user of one account accesses objects of the other IAM user

Answer: B

Explanation: If an IAM user is trying to perform some action on an object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.
Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html

NEW QUESTION 15
Once the user has set up ElastiCache for an application and it is up and running, which service does Amazon not provide for the user?

  • A. The ability for client programs to automatically identify all of the nodes in a cache cluster, and to initiate and maintain connections to all of these nodes
  • B. Automating common administrative tasks such as failure detection and recovery, and software patching
  • C. Providing default Time To Live (TTL) in the AWS Elasticache Redis Implementation for different type of data.
  • D. Providing detailed monitoring metrics associated with your Cache Nodes, enabling you to diagnose and react to issues very quickly

Answer: C

Explanation: Amazon provides failure detection and recovery, software patching, and monitoring tools, the latter through CloudWatch. In addition it also provides Auto Discovery to automatically identify and initialize all nodes of a cache cluster for Amazon ElastiCache.
Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/WhatIs.html

NEW QUESTION 16
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each account's bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.

  • A. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
  • B. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
  • C. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
  • D. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts.

Answer: C

NEW QUESTION 17
The two policies that you attach to an IAM role are the access policy and the trust policy. The trust policy identifies who can assume the role and grants the permission in the AWS Lambda account principal by adding the action.

  • A. aws:AssumeAdmin
  • B. lambda:InvokeAsync
  • C. sts:InvokeAsync
  • D. sts:AssumeRole

Answer: D

Explanation: The two policies that you attach to an IAM role are the access policy and the trust policy.
Remember that adding an account to the trust policy of a role is only half of establishing the trust relationship. By default, no users in the trusted accounts can assume the role until the administrator for that account grants the users the permission to assume the role by adding the Amazon Resource Name (ARN) of the role to an Allow element for the sts:AssumeRole action.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html

NEW QUESTION 18
In the context of AWS IAM, identify a true statement about user passwords (login profiles).

  • A. They must contain Unicode characters.
  • B. They can contain any Basic Latin (ASCII) characters.
  • C. They must begin and end with a forward slash (/).
  • D. They cannot contain Basic Latin (ASCII) characters.

Answer: B

Explanation: The user passwords (login profiles) of IAM users can contain any Basic Latin (ASCII) characters. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

NEW QUESTION 19
Which is a valid Amazon Resource name (ARN) for IAM?

  • A. aws:iam::123456789012:instance-profile/Webserver
  • B. arn:aws:iam::123456789012:instance-profile/Webserver
  • C. 123456789012:aws:iam::instance-profile/Webserver
  • D. arn:aws:iam::123456789012::instance-profile/Webserver

Answer: B

NEW QUESTION 20
An organization is undergoing a security audit. The auditor wants to view the AWS VPC configurations as the organization has hosted all the applications in the AWS VPC. The auditor is from a remote place and wants to have access to AWS to view all the VPC records.
How can the organization meet the expectations of the auditor without compromising on the security of their AWS infrastructure?

  • A. The organization should not accept the request as sharing the credentials means compromising on security.
  • B. Create an IAM role which will have read only access to all EC2 services including VPC and assign that role to the auditor.
  • C. Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.
  • D. The organization should create an IAM user with VPC full access but set a condition that will not allow to modify anything if the request is from any IP other than the organization’s data center.

Answer: C

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as per the requirement within a VPC. The VPC also works with IAM and the organization can create IAM users who have access to various VPC services.
If an auditor wants to have access to the AWS VPC to verify the rules, the organization should be careful before sharing any data which can allow making updates to the AWS infrastructure. In this scenario it is recommended that the organization creates an IAM user who will have read only access to the VPC. Share the above mentioned credentials with the auditor as it cannot harm the organization. The sample policy is given below:
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeVpcs", "ec2:DescribeSubnets",
    "ec2:DescribeInternetGateways", "ec2:DescribeCustomerGateways",
    "ec2:DescribeVpnGateways", "ec2:DescribeVpnConnections",
    "ec2:DescribeRouteTables", "ec2:DescribeAddresses",
    "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkAcls",
    "ec2:DescribeDhcpOptions", "ec2:DescribeTags", "ec2:DescribeInstances"
  ],
  "Resource": "*"
}
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
