AWS Certified Solutions Architect - Professional SAP-C02 Practice Questions

Reading time: about 165 minutes

AWS Professional Architect certification question bank, 2024-10-25

Amazon Web Services (AWS) practice questions for the full certification series: the latest 2024 question bank, continuously updated and the most complete available. AWS certifications are highly regarded and are a must for self-study and for moving into the cloud industry. Recent versions are updated so that you can keep track of the latest trends.

QUESTION 41

A company has 50 AWS accounts that are members of an organization in AWS Organizations. Each account contains multiple VPCs. The company wants to use AWS Transit Gateway to establish connectivity between the VPCs in each member account. Each time a new member account is created, the company wants to automate the process of creating a new VPC and a transit gateway attachment. Which combination of steps will meet these requirements? (Select TWO.)

A. From the master account, share the transit gateway with member accounts by using AWS Resource Access Manager.

B. From the master account, share the transit gateway with member accounts by using an AWS Organizations SCP.

C. Launch an AWS CloudFormation stack set from the master account that automatically creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the master account by using the transit gateway ID.

D. Launch an AWS CloudFormation stack set from the master account that automatically creates a new VPC and a peering transit gateway attachment in a member account. Share the attachment with the transit gateway in the master account by using a transit gateway service-linked role.

E. From the master account, share the transit gateway with member accounts by using AWS Service Catalog.

 

Correct Answer: AC

Section: (none)

QUESTION 42

A finance company hosts a data lake in Amazon S3. The company receives financial data records over SFTP each night from several third parties. The company runs its own SFTP server on an Amazon EC2 instance in a public subnet of a VPC. After the files are uploaded, they are moved to the data lake by a cron job that runs on the same instance.

The SFTP server is reachable on the DNS name sftp.example.com through Amazon Route 53. What should a solutions architect do to improve the reliability and scalability of the SFTP solution?

A. Move the EC2 instance into an Auto Scaling group. Place the EC2 instance behind an Application Load Balancer (ALB). Update the DNS record sftp.example.com in Route 53 to point to the ALB.

B. Migrate the SFTP server to AWS Transfer for SFTP. Update the DNS record sftp.example.com in Route 53 to point to the server endpoint hostname.

C. Migrate the SFTP server to a file gateway in AWS Storage Gateway. Update the DNS record sftp.example.com in Route 53 to point to the file gateway endpoint.

D. Place the EC2 instance behind a Network Load Balancer (NLB). Update the DNS record sftp.example.com in Route 53 to point to the NLB.

 

Correct Answer: B

Section: (none)

QUESTION 43

A company is planning to host a web application on AWS and wants to load balance the traffic across a group of Amazon EC2 instances.

One of the security requirements is to enable end-to-end encryption in transit between the client and the web server.

Which solution will meet this requirement?

A. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Export the SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.

B. Associate the EC2 instances with a target group. Provision an SSL certificate using AWS Certificate Manager (ACM). Create an Amazon CloudFront distribution and configure it to use the SSL certificate. Set CloudFront to use the target group as the origin server.

C. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Provision a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.

D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.

 

Correct Answer: C

Section: (none)

QUESTION 44

A company is running several workloads in a single AWS account. A new company policy states that engineers can provision only approved resources and that engineers must use AWS CloudFormation to provision these resources. A solutions architect needs to create a solution to enforce the new restriction on the IAM role that the engineers use for access.

What should the solutions architect do to create the solution?

A. Upload AWS CloudFormation templates that contain approved resources to an Amazon S3 bucket. Update the IAM policy for the engineers' IAM role to only allow access to Amazon S3 and AWS CloudFormation. Use AWS CloudFormation templates to provision resources.

B. Update the IAM policy for the engineers' IAM role with permissions to only allow provisioning of approved resources and AWS CloudFormation. Use AWS CloudFormation templates to create stacks with approved resources.

C. Update the IAM policy for the engineers' IAM role with permissions to only allow AWS CloudFormation actions. Create a new IAM policy with permission to provision approved resources, and assign the policy to a new IAM service role. Pass the IAM service role to AWS CloudFormation during stack creation.

D. Provision resources in AWS CloudFormation stacks. Update the IAM policy for the engineers' IAM role to only allow access to their own AWS CloudFormation stack.

 

Correct Answer: C

Section: (none)
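The split in answer C only holds if the engineers' role cannot hand an arbitrary role to CloudFormation: the `iam:PassRole` grant has to be scoped to the one service role and conditioned on `iam:PassedToService`. The following is an added example, not part of the exam page, that writes both policies as Python dictionaries and checks them with a small IAM-style evaluator (explicit Deny wins, otherwise any matching Allow grants, only the `StringEquals` operator is modelled). The account ID, the role names and the approved-resource action list are assumptions.

```python
"""Least-privilege split from Question 44: engineers drive CloudFormation only,
and CloudFormation creates the approved resources under a dedicated service role.
Added example; account ID and role names are made up."""
import fnmatch

ACCOUNT_ID = "123456789012"  # assumed
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CfnServiceRole"  # assumed name

# Attached to the engineers' role: CloudFormation actions, plus permission to pass
# exactly one role, and only to the CloudFormation service.
ENGINEER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": SERVICE_ROLE_ARN,
            "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}},
        },
    ],
}

# Attached to the service role: the approved resources (assumed list) and nothing in IAM.
SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*", "s3:CreateBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    # Only StringEquals is modelled. A key missing from the request context fails
    # the condition, as it does in IAM.
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise any matching Allow grants."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not (_matches(action, statement["Action"])
                and _matches(resource, statement["Resource"])
                and _condition_ok(statement.get("Condition"), context)):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def engineer_split_is_correct():
    """True when engineers can drive CloudFormation and pass the service role to it,
    but can neither create resources directly nor pass the role to another service."""
    cfn = {"iam:PassedToService": "cloudformation.amazonaws.com"}
    ec2 = {"iam:PassedToService": "ec2.amazonaws.com"}
    return (is_allowed(ENGINEER_POLICY, "cloudformation:CreateStack", "*")
            and not is_allowed(ENGINEER_POLICY, "ec2:RunInstances", "*")
            and is_allowed(ENGINEER_POLICY, "iam:PassRole", SERVICE_ROLE_ARN, cfn)
            and not is_allowed(ENGINEER_POLICY, "iam:PassRole", SERVICE_ROLE_ARN, ec2)
            and not is_allowed(ENGINEER_POLICY, "iam:PassRole", SERVICE_ROLE_ARN))


if __name__ == "__main__":
    print("engineer split correct:", engineer_split_is_correct())
```

Without the `iam:PassedToService` condition an engineer could pass the service role to an EC2 instance profile or a Lambda function and run with its permissions outside CloudFormation, which is the privilege escalation the answer is meant to close.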

QUESTION 45

A company with global offices has a single 1 Gbps AWS Direct Connect connection to a single AWS Region. The company's on-premises network uses the connection to communicate with the company's resources in the AWS Cloud. The connection has a single private virtual interface that connects to a single VPC.

A solutions architect must implement a solution that adds a redundant Direct Connect connection in the same Region. The solution also must provide connectivity to other Regions through the same pair of Direct Connect connections as the company expands into other Regions.

Which solution meets these requirements?

A. Provision a Direct Connect gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the Direct Connect gateway. Connect the Direct Connect gateway to the single VPC.

B. Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new private virtual interface on the new connection, and connect the new private virtual interface to the single VPC.

C. Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new public virtual interface on the new connection, and connect the new public virtual interface to the single VPC.

D. Provision a transit gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the transit gateway. Associate the transit gateway with the single VPC.

 

Correct Answer: A

Section: (none)

QUESTION 46

A company has an organization in AWS Organizations that has a large number of AWS accounts. One of the AWS accounts is designated as a transit account and has a transit gateway that is shared with all of the other AWS accounts. AWS Site-to-Site VPN connections are configured between all of the company's global offices and the transit account. The company has AWS Config enabled on all of its accounts. The company's networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices. Developers will reference this list to gain access to their applications securely. Which solution meets these requirements with the LEAST amount of operational overhead?

A. Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure an Amazon Simple Notification Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated. Subscribe an AWS Lambda function to the SNS topic to update all relevant security group rules with the updated IP address ranges.

B. Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant security group that is detected.

C. In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.

D. In the transit account, create a security group with all of the internal IP address ranges. Configure the security groups in the other accounts to reference the transit account's security group by using a nested security group reference of "<transit-account-id>/sg-1a2b3c4d".

 

Correct Answer: C

Section: (none)
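Answer C works because a customer-managed prefix list is a single resource whose entries can be edited in the transit account while every security group rule that references it follows the change. The added example below, which is not from the exam page, prepares the entries for such a list from a constructed set of office ranges: it rejects malformed CIDRs, collapses nested and adjacent ranges so the list stays under its `MaxEntries`, and builds the `IpPermissions` entry that references the list instead of hard-coded CIDRs. The office names, ranges, the `MaxEntries` value and the prefix list ID are assumptions.

```python
"""Managed prefix list hygiene for Question 46. Added example; all sample data is constructed."""
import ipaddress

# Constructed sample: the networking team's source of truth for office ranges.
OFFICE_RANGES = {
    "london": ["10.10.0.0/16", "10.10.5.0/24"],      # second range lies inside the first
    "sydney": ["10.20.0.0/17", "10.20.128.0/17"],    # two halves that merge into one /16
    "new-york": ["10.30.0.0/16"],
    "toronto": ["172.16.0.0/12"],
}

# Assumed MaxEntries chosen when the list was created. It cannot be lowered afterwards,
# and each entry counts against the security group rule quota, so keep it small.
MAX_ENTRIES = 20


def build_prefix_list_entries(ranges):
    """Validate, collapse and sort the CIDRs into [{'Cidr': ..., 'Description': ...}]."""
    networks = {}
    for office, cidrs in ranges.items():
        for cidr in cidrs:
            # strict=True rejects host bits set, e.g. 10.0.0.1/24
            network = ipaddress.ip_network(cidr, strict=True)
            if network.version != 4:
                raise ValueError(f"IPv4 prefix list only: {cidr}")
            networks[network] = office
    # Removes ranges contained in others and merges adjacent siblings.
    collapsed = list(ipaddress.collapse_addresses(networks))
    if len(collapsed) > MAX_ENTRIES:
        raise ValueError(f"{len(collapsed)} entries exceed MaxEntries={MAX_ENTRIES}")
    entries = []
    for network in collapsed:
        offices = sorted({o for n, o in networks.items() if n.subnet_of(network)})
        entries.append({"Cidr": str(network), "Description": ",".join(offices)})
    return entries


def sg_ingress_rule(prefix_list_id, port=443):
    """IpPermissions entry for AuthorizeSecurityGroupIngress that references the
    shared list rather than copying its CIDRs into every account."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id,
                           "Description": "office ranges, shared from transit account via RAM"}],
    }


def is_office_ip(ip, entries):
    """What the security group rule effectively evaluates for a client address."""
    address = ipaddress.ip_address(ip)
    return any(address in ipaddress.ip_network(e["Cidr"]) for e in entries)


if __name__ == "__main__":
    for entry in build_prefix_list_entries(OFFICE_RANGES):
        print(entry)
    print(sg_ingress_rule("pl-0123456789abcdef0"))  # assumed prefix list ID
```

The entries go to `ec2 create-managed-prefix-list` in the transit account, the list is shared through AWS RAM, and consuming accounts pass only the `pl-` ID in their rules; an update to the list is the whole change-management process, which is why it beats the Lambda fan-out in option A.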

QUESTION 47

A company is using multiple AWS accounts and has multiple DevOps teams running production and non-production workloads in these accounts. The company would like to centrally restrict access to some of the AWS services that the DevOps teams do not use. The company decided to use AWS Organizations and successfully invited all AWS accounts into the organization. They would like to allow access to services that are currently in use and deny a few specific services. Also, they would like to administer multiple accounts together as a single unit.

What combination of steps should the Solutions Architect take to satisfy these requirements? (Select THREE)

A. Use a deny list strategy.

B. Review the Access Advisor in AWS IAM to determine services recently used.

C. Review the AWS Trusted Advisor report to determine services recently used.

D. Remove the default FullAWSAccess SCP.

E. Define organizational units (OUs) and place the member accounts in the OUs.

F. Remove the default DenyAWSAccess SCP.

 

Correct Answer: ABE

Section: (none)

QUESTION 48

A company hosts a community forum site using an Application Load Balancer (ALB) and a Docker application hosted in an Amazon ECS cluster. The site data is stored in Amazon RDS for MySQL and the container image is stored in ECR. The company needs to provide their customers with a disaster recovery SLA with an RTO of no more than 24 hours and an RPO of no more than 8 hours. Which of the following solutions is the MOST cost-effective way to meet the requirements?

A. Use AWS CloudFormation to deploy identical ALB, EC2, ECS and RDS resources in two Regions. Schedule RDS snapshots every 8 hours. Use RDS multi-Region replication to update the secondary Region's copy of the database. In the event of a failure, restore from the latest snapshot, and use an Amazon Route 53 DNS failover policy to automatically redirect customers to the ALB in the secondary Region.

B. Store the Docker image in ECR in two Regions. Schedule RDS snapshots every 8 hours with snapshots copied to the secondary Region. In the event of a failure, use AWS CloudFormation to deploy the ALB, EC2, ECS and RDS resources in the secondary Region, restore from the latest snapshot, and update the DNS record to point to the ALB in the secondary Region.

C. Use AWS CloudFormation to deploy identical ALB, EC2, ECS, and RDS resources in a secondary Region. Schedule hourly RDS MySQL backups to Amazon S3 and use cross-Region replication to replicate data to a bucket in the secondary Region. In the event of a failure, import the latest Docker image to Amazon ECR in the secondary Region, deploy to the EC2 instance, restore the latest MySQL backup, and update the DNS record to point to the ALB in the secondary Region.

D. Deploy a pilot light environment in a secondary Region with an ALB and a minimal-resource EC2 deployment for Docker in an AWS Auto Scaling group with a scaling policy to increase instance size and number of nodes. Create a cross-Region read replica of the RDS data. In the event of a failure, promote the replica to primary, and update the DNS record to point to the ALB in the secondary Region.

 

Correct Answer: B

Section: (none)

QUESTION 49

A company wants to migrate its data analytics environment from on premises to AWS. The environment consists of two simple Node.js applications. One of the applications collects sensor data and loads it into a MySQL database. The other application aggregates the data into reports. When the aggregation jobs run, some of the load jobs fail to run correctly.

The company must resolve the data loading issue. The company also needs the migration to occur without interruptions or changes for the company's customers.

What should a solutions architect do to meet these requirements?

A. Set up an Amazon Aurora MySQL database as a replication target for the on-premises database. Create an Aurora Replica for the Aurora MySQL database, and move the aggregation jobs to run against the Aurora Replica. Set up collection endpoints as AWS Lambda functions behind a Network Load Balancer (NLB), and use Amazon RDS Proxy to write to the Aurora MySQL database. When the databases are synced, disable the replication job and restart the Aurora Replica as the primary instance. Point the collector DNS record to the NLB.

B. Set up an Amazon Aurora MySQL database. Use AWS Database Migration Service (AWS DMS) to perform continuous data replication from the on-premises database to Aurora. Move the aggregation jobs to run against the Aurora MySQL database. Set up collection endpoints behind an Application Load Balancer (ALB) as Amazon EC2 instances in an Auto Scaling group. When the databases are synced, point the collector DNS record to the ALB. Disable the AWS DMS sync task after the cutover from on premises to AWS.

C. Set up an Amazon Aurora MySQL database. Use AWS Database Migration Service (AWS DMS) to perform continuous data replication from the on-premises database to Aurora. Create an Aurora Replica for the Aurora MySQL database, and move the aggregation jobs to run against the Aurora Replica. Set up collection endpoints as AWS Lambda functions behind an Application Load Balancer (ALB), and use Amazon RDS Proxy to write to the Aurora MySQL database. When the databases are synced, point the collector DNS record to the ALB. Disable the AWS DMS sync task after the cutover from on premises to AWS.

D. Set up an Amazon Aurora MySQL database. Create an Aurora Replica for the Aurora MySQL database, and move the aggregation jobs to run against the Aurora Replica. Set up collection endpoints as an Amazon Kinesis data stream. Use Amazon Kinesis Data Firehose to replicate the data to the Aurora MySQL database. When the databases are synced, disable the replication job and restart the Aurora Replica as the primary instance. Point the collector DNS record to the Kinesis data stream.

 

Correct Answer: C

Section: (none)

QUESTION 50

A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances.

Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?

A. Create a script to copy log files to Amazon S3, and store the script in a file on the EC2 instance. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to send ABANDON to the Auto Scaling group to prevent termination, run the script to copy the log files, and terminate the instance using the AWS SDK.

B. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance.

C. Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon S3, and add the script to EC2 instance user data. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect EC2 instance termination. Invoke an AWS Lambda function from the EventBridge (CloudWatch Events) rule that uses the AWS CLI to run the user-data script to copy the log files and terminate the instance.

D. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. From the SNS notification, call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send ABANDON to the Auto Scaling group to terminate the instance.

 

Correct Answer: B

Section: (none)
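The detail answer B leaves implicit is ordering: the Lambda function must wait for the SendCommand invocation to finish before it completes the lifecycle action, and it must send heartbeats while waiting or the hook times out and the instance is terminated with the copy half done. The added example below, which is not from the exam page, is the handler written against injected clients so that it runs offline; in Lambda the two clients would be `boto3.client("ssm")` and `boto3.client("autoscaling")`, whose method names and parameters the stand-ins mirror. The event shape follows the EventBridge "EC2 Instance-terminate Lifecycle Action" event; the SSM document name, its `bucket` parameter, the bucket name and the sample event values are assumptions.

```python
"""Lifecycle-hook handler for Question 50, answer B. Added example with fake
clients; real deployments use boto3 ssm and autoscaling clients."""
import time

DOCUMENT_NAME = "CopyLogsToS3"      # assumed SSM Command document
LOG_BUCKET = "central-log-bucket"   # assumed destination bucket
TERMINATE_DETAIL_TYPE = "EC2 Instance-terminate Lifecycle Action"
IN_FLIGHT = {"Pending", "InProgress", "Delayed"}

# Constructed sample event, shaped like the EventBridge terminate lifecycle event.
SAMPLE_EVENT = {
    "detail-type": TERMINATE_DETAIL_TYPE,
    "detail": {
        "LifecycleActionToken": "87654321-4321-4321-4321-210987654321",
        "AutoScalingGroupName": "web-asg",
        "LifecycleHookName": "copy-logs-before-terminate",
        "EC2InstanceId": "i-0123456789abcdef0",
        "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
    },
}


class FakeSsm:
    """Stand-in for the SSM client: records SendCommand calls, reports a fixed status."""
    def __init__(self, final_status="Success"):
        self.final_status = final_status
        self.sent = []

    def send_command(self, **kwargs):
        self.sent.append(kwargs)
        return {"Command": {"CommandId": f"cmd-{len(self.sent)}"}}

    def get_command_invocation(self, **kwargs):
        return {"Status": self.final_status}


class FakeAutoScaling:
    """Stand-in for the Auto Scaling client: counts heartbeats, records completion."""
    def __init__(self):
        self.heartbeats = 0
        self.completed = []

    def record_lifecycle_action_heartbeat(self, **kwargs):
        self.heartbeats += 1
        return {}

    def complete_lifecycle_action(self, **kwargs):
        self.completed.append(kwargs)
        return {}


def handler(event, ssm, autoscaling, poll_seconds=5, max_polls=30):
    """Run the copy document on the terminating instance, keep the hook alive while
    the command runs, then release the instance. Returns the lifecycle result sent."""
    if event.get("detail-type") != TERMINATE_DETAIL_TYPE:
        return "ignored"
    detail = event["detail"]
    instance_id = detail["EC2InstanceId"]
    hook = {
        "LifecycleHookName": detail["LifecycleHookName"],
        "AutoScalingGroupName": detail["AutoScalingGroupName"],
        "LifecycleActionToken": detail["LifecycleActionToken"],
        "InstanceId": instance_id,
    }
    command_id = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName=DOCUMENT_NAME,
        Parameters={"bucket": [LOG_BUCKET]},   # parameter name assumed by the document
    )["Command"]["CommandId"]

    status = "Pending"
    for _ in range(max_polls):
        status = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)["Status"]
        if status not in IN_FLIGHT:
            break
        # Each heartbeat restarts the hook's heartbeat timeout, keeping the
        # instance in Terminating:Wait until the copy has finished.
        autoscaling.record_lifecycle_action_heartbeat(**hook)
        time.sleep(poll_seconds)

    # For a terminate hook both results let the instance go; the wait above is what
    # guarantees the logs were copied first. ABANDON still records the failure.
    result = "CONTINUE" if status == "Success" else "ABANDON"
    autoscaling.complete_lifecycle_action(LifecycleActionResult=result, **hook)
    return result


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, FakeSsm(), FakeAutoScaling(), poll_seconds=0))
```

Two practical caveats: with the real client, `get_command_invocation` can raise `InvocationDoesNotExist` for a few seconds after `send_command`, so catch it and keep polling; and a Lambda function cannot wait longer than its own timeout, so for large log directories the polling belongs in a Step Functions wait loop or in the document itself, with the function only starting the command and completing the hook once the copy reports success.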

QUESTION 51

A company is running a data-intensive application on AWS. The application runs on a cluster of hundreds of Amazon EC2 instances. A shared file system also runs on several EC2 instances that store 200 TB of data. The application reads and modifies the data on the shared file system and generates a report. The job runs once monthly, reads a subset of the files from the shared file system, and takes about 72 hours to complete. The compute instances scale in an Auto Scaling group, but the instances that host the shared file system run continuously. The compute and storage instances are all in the same AWS Region. A solutions architect needs to reduce costs by replacing the shared file system instances. The file system must provide high performance access to the needed data for the duration of the 72-hour run. Which solution will provide the LARGEST overall cost reduction while meeting these requirements?

A. Migrate the data from the existing shared file system to an Amazon S3 bucket that uses the S3 Intelligent-Tiering storage class. Before the job runs each month, use Amazon FSx for Lustre to create a new file system with the data from Amazon S3 by using lazy loading. Use the new file system as the shared storage for the duration of the job. Delete the file system when the job is complete.

B. Migrate the data from the existing shared file system to a large Amazon Elastic Block Store (Amazon EBS) volume with Multi-Attach enabled. Attach the EBS volume to each of the instances by using a user data script in the Auto Scaling group launch template. Use the EBS volume as the shared storage for the duration of the job. Detach the EBS volume when the job is complete.

C. Migrate the data from the existing shared file system to an Amazon S3 bucket that uses the S3 Standard storage class. Before the job runs each month, use Amazon FSx for Lustre to create a new file system with the data from Amazon S3 by using batch loading. Use the new file system as the shared storage for the duration of the job. Delete the file system when the job is complete.

D. Migrate the data from the existing shared file system to an Amazon S3 bucket. Before the job runs each month, use AWS Storage Gateway to create a file gateway with the data from Amazon S3. Use the file gateway as the shared storage for the job. Delete the file gateway when the job is complete.

 

Correct Answer: A

Section: (none)

QUESTION 52

A company has an on-premises website application that provides real estate information for potential renters and buyers. The website uses a Java backend and a NoSQL MongoDB database to store subscriber data. The company needs to migrate the entire application to AWS with a similar structure. The application must be deployed for high availability, and the company cannot make changes to the application.

Which solution will meet these requirements?

A. Use an Amazon Aurora DB cluster as the database for the subscriber data. Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application.

B. Use MongoDB on Amazon EC2 instances as the database for the subscriber data. Deploy EC2 instances in an Auto Scaling group in a single Availability Zone for the Java backend application.

C. Configure Amazon DocumentDB (with MongoDB compatibility) with appropriately sized instances in multiple Availability Zones as the database for the subscriber data. Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application.

D. Configure Amazon DocumentDB (with MongoDB compatibility) in on-demand capacity mode in multiple Availability Zones as the database for the subscriber data. Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application.

 

Correct Answer: C

Section: (none)

QUESTION 53

A team collects and routes behavioral data for an entire company. The company runs a Multi-AZ VPC environment with public subnets, private subnets, and an internet gateway. Each public subnet also contains a NAT gateway. Most of the company's applications read from and write to Amazon Kinesis Data Streams. Most of the workloads run in private subnets.

A solutions architect must review the infrastructure. The solutions architect needs to reduce costs and maintain the function of the applications. The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high. A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.

What should the solutions architect do to meet these requirements?

A. Enable VPC Flow Logs. Use Amazon Athena to analyze the logs for traffic that can be removed. Ensure that security groups are blocking traffic that is responsible for high costs.

B. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that applications have the correct IAM permissions to use the interface VPC endpoint.

C. Enable VPC Flow Logs and Amazon Detective. Review Detective findings for traffic that is not related to Kinesis Data Streams. Configure security groups to block that traffic.

D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC endpoint policy allows traffic from the applications.

 

Correct Answer: D

Section: (none)

QUESTION 54

A company is creating a sequel for a popular online game. A large number of users from all over the world will play the game within the first week after launch. Currently, the game consists of the following components deployed in a single AWS Region:

-- Amazon S3 bucket that stores game assets.

-- Amazon DynamoDB table that stores player scores.

A solutions architect needs to design a multi-Region solution that will reduce latency, improve reliability, and require the least effort to implement.

What should the solutions architect do to meet these requirements?

A. Create an Amazon CloudFront distribution to serve assets from the S3 bucket. Configure S3 Cross-Region Replication. Create a new DynamoDB table in a new Region. Use the new table as a replica target for DynamoDB global tables.

B. Create an Amazon CloudFront distribution to serve assets from the S3 bucket. Configure S3 Same-Region Replication. Create a new DynamoDB table in a new Region. Configure asynchronous replication between the DynamoDB tables by using AWS Database Migration Service (AWS DMS) with change data capture (CDC).

C. Create another S3 bucket in a new Region, and configure S3 Cross-Region Replication between the buckets. Create an Amazon CloudFront distribution and configure origin failover with two origins accessing the S3 buckets in each Region. Configure DynamoDB global tables by enabling Amazon DynamoDB Streams, and add a replica table in a new Region.

D. Create another S3 bucket in the same Region, and configure S3 Same-Region Replication between the buckets. Create an Amazon CloudFront distribution and configure origin failover with two origins accessing the S3 buckets. Create a new DynamoDB table in a new Region. Use the new table as a replica target for DynamoDB global tables.

 

Correct Answer: C

Section: (none)

QUESTION 55

A company has created an OU in AWS Organizations for each of its engineering teams. Each OU owns multiple AWS accounts. The organization has hundreds of AWS accounts. A solutions architect must design a solution so that each OU can view a breakdown of usage costs across its AWS accounts.

Which solution meets these requirements?

A. Create an AWS Cost and Usage Report (CUR) for each OU by using AWS Resource Access Manager. Allow each team to visualize the CUR through an Amazon QuickSight dashboard.

B. Create an AWS Cost and Usage Report (CUR) from the AWS Organizations management account. Allow each team to visualize the CUR through an Amazon QuickSight dashboard.

C. Create an AWS Cost and Usage Report (CUR) in each AWS Organizations member account. Allow each team to visualize the CUR through an Amazon QuickSight dashboard.

D. Create an AWS Cost and Usage Report (CUR) by using AWS Systems Manager. Allow each team to visualize the CUR through Systems Manager OpsCenter dashboards.

 

Correct Answer: B

Section: (none)

QUESTION 56

A company's factory and automation applications are running in a single VPC. More than 20 applications run on a combination of Amazon EC2, Amazon Elastic Container Service (Amazon ECS), and Amazon RDS.

The company has software engineers spread across three teams. One of the three teams owns each application, and each team is responsible for the cost and performance of all of its applications. Team resources have tags that represent their application and team.

The teams use IAM access for daily activities.

The company needs to determine which costs on the monthly AWS bill are attributable to each application or team. The company also must be able to create reports to compare costs from the last 12 months and to help forecast costs for the next 12 months. A solutions architect must recommend an AWS Billing and Cost Management solution that provides these cost reports. Which combination of actions will meet these requirements? (Select THREE)

A. Activate the user-defined cost allocation tags that represent the application and the team.

B. Activate the AWS generated cost allocation tags that represent the application and the team.

C. Create a cost category for each application in Billing and Cost Management.

D. Activate IAM access to Billing and Cost Management.

E. Create a cost budget.

F. Enable Cost Explorer.

 

Correct Answer: ADF

Section: (none)

QUESTION 57

A company wants to deploy an AWS WAF solution to manage AWS WAF rules across multiple AWS accounts. The accounts are managed under different OUs in AWS Organizations. Administrators must be able to add or remove accounts or OUs from managed AWS WAF rule sets as needed. Administrators also must have the ability to automatically update and remediate noncompliant AWS WAF rules in all accounts. Which solution meets these requirements with the LEAST amount of operational overhead?

A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the organization. Use an AWS Systems Manager Parameter Store parameter to store account numbers and OUs to manage. Update the parameter as needed to add or remove accounts or OUs. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account.

B. Deploy an organization-wide AWS Config rule that requires all resources in the selected OUs to associate the AWS WAF rules. Deploy automated remediation actions by using AWS Lambda to fix noncompliant resources. Deploy AWS WAF rules by using an AWS CloudFormation stack set to target the same OUs where the AWS Config rule is applied.

C. Create AWS WAF rules in the management account of the organization. Use AWS Lambda environment variables to store account numbers and OUs to manage. Update environment variables as needed to add or remove accounts or OUs. Create cross-account IAM roles in member accounts. Assume the roles by using AWS Security Token Service (AWS STS) in the Lambda function to create and update AWS WAF rules in the member accounts.

D. Use AWS Control Tower to manage AWS WAF rules across accounts in the organization. Use AWS Key Management Service (AWS KMS) to store account numbers and OUs to manage. Update AWS KMS as needed to add or remove accounts or OUs. Create IAM users in member accounts. Allow AWS Control Tower in the management account to use the access key and secret access key to create and update AWS WAF rules in the member accounts.

 

Correct Answer: A


Section: (none)

QUESTION 58

A solutions architect must analyze a company's Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes to determine whether the company is using resources efficiently. The company is running several large, high-memory EC2 instances to host database clusters that are deployed in active/passive configurations. The utilization of these EC2 instances varies by the applications that use the databases, and the company has not identified a pattern.

The solutions architect must analyze the environment and take action based on the findings. Which solution meets these requirements MOST cost-effectively?

A. Create a dashboard by using AWS Systems Manager OpsCenter. Configure visualizations for Amazon CloudWatch metrics that are associated with the EC2 instances and their EBS volumes. Review the dashboard periodically, and identify usage patterns. Rightsize the EC2 instances based on the peaks in the metrics.

B. Turn on Amazon CloudWatch detailed monitoring for the EC2 instances and their EBS volumes. Create and review a dashboard that is based on the metrics. Identify usage patterns. Rightsize the EC2 instances based on the peaks in the metrics.

C. Install the Amazon CloudWatch agent on each of the EC2 instances. Turn on AWS Compute Optimizer, and let it run for at least 12 hours. Review the recommendations from Compute Optimizer, and rightsize the EC2 instances as directed.

D. Sign up for the AWS Enterprise Support plan. Turn on AWS Trusted Advisor. Wait 12 hours. Review the recommendations from Trusted Advisor, and rightsize the EC2 instances as directed.

 

Correct Answer: C

Section: (none)

QUESTION 59

A company runs a serverless application in a single AWS Region. The application accesses external URLs and extracts metadata from those sites. The company uses an Amazon Simple Notification Service (Amazon SNS) topic to publish URLs to an Amazon Simple Queue Service (Amazon SQS) queue. An AWS Lambda function uses the queue as an event source and processes the URLs from the queue. Results are saved to an Amazon S3 bucket. The company wants to process each URL in other Regions to compare possible differences in site localization. URLs must be published from the existing Region. Results must be written to the existing S3 bucket in the current Region. Which combination of changes will produce a multi-Region deployment that meets these requirements? (Select TWO)

A. Deploy the SQS queue with the Lambda function to other Regions.

B. Subscribe the SNS topic in each Region to the SQS queue.

C. Subscribe the SQS queue in each Region to the SNS topic.

D. Configure the SQS queue to publish URLs to SNS topics in each Region.

E. Deploy the SNS topic and the Lambda function to other Regions.

 

Correct Answer: AC

Section: (none)

QUESTION 60

A video streaming company recently launched a mobile app for video sharing. The app uploads various files to an Amazon S3 bucket in the us-east-1 Region. The files range in size from 1 GB to 10 GB. Users who access the app from Australia have experienced uploads that take long periods of time. Sometimes the files fail to completely upload for these users. A solutions architect must improve the app's performance for these uploads.

Which solutions will meet these requirements? (Select TWO.)

A.       Enable S3 Transfer Acceleration on the S3 bucket. Configure the app to use the Transfer Acceleration endpoint for uploads.

B.       Configure an S3 bucket in each Region to receive the uploads. Use S3 Cross-Region Replication to copy the files to the distribution S3 bucket.

C.      Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3 bucket Region.

D.      Configure the app to break the video files into chunks. Use a multipart upload to transfer files to Amazon S3.

E.       Modify the app to add random prefixes to the files before uploading.


Correct Answer: AD

Section: (none)

QUESTION 61

A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand.

Which solutions meet these requirements? (Select TWO.)

A.       Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway's AWS integration type.

B.       Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to DynamoDB by using API Gateway's AWS integration type.

C.      Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.

D.      Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data from the DynamoDB tables.

E.       Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions.


Correct Answer: AC

Section: (none)

QUESTION 62

A retail company has an on-premises data center in Europe. The company also has a multi-Region AWS presence that includes the eu-west-1 and us-east-1 Regions. The company wants to be able to route network traffic from its on-premises infrastructure into VPCs in either of those Regions. The company also needs to support traffic that is routed directly between VPCs in those Regions.

No single points of failure can exist on the network.

The company already has created two 1 Gbps AWS Direct Connect connections from its on-premises data center. Each connection goes into a separate Direct Connect location in Europe for high availability. These two locations are named DX-A and DX-B, respectively. Each Region has a single AWS Transit Gateway that is configured to route all inter-VPC traffic within that Region.

Which solution will meet these requirements?

A.       Create a private VIF from the DX-A connection into a Direct Connect gateway. Create a private VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with the Direct Connect gateway. Peer the transit gateways with each other to support cross-Region routing.

B.       Create a transit VIF from the DX-A connection into a Direct Connect gateway. Associate the eu-west-1 transit gateway with this Direct Connect gateway. Create a transit VIF from the DX-B connection into a separate Direct Connect gateway. Associate the us-east-1 transit gateway with this separate Direct Connect gateway. Peer the Direct Connect gateways with each other to support high availability and cross-Region routing.

C.      Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a transit VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway. Configure the Direct Connect gateway to route traffic between the transit gateways.

D.      Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a transit VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway. Peer the transit gateways with each other to support cross-Region routing.


Correct Answer: D

Section: (none)

QUESTION 63

A software company has deployed an application that consumes a REST API by using Amazon API Gateway, AWS Lambda functions, and an Amazon DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a small number of clients that are authenticated with specific API keys.

A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API's reputation.

What should the solutions architect recommend to improve the customer experience?

A.       Implement retry logic with exponential backoff and irregular variation in the client application. Ensure that the errors are caught and handled with descriptive error messages.

B.       Implement API throttling through a usage plan at the API Gateway level. Ensure that the client application handles code 429 replies without error.

C.      Turn on API caching to enhance responsiveness for the production stage. Run 10-minute load tests. Verify that the cache capacity is appropriate for the workload.

D.      Implement reserved concurrency at the Lambda function level to provide the resources that are needed during sudden increases in traffic.


Correct Answer: A

Section: (none)

QUESTION 64

A retail company needs to provide a series of data files to another company, which is its business partner. These files are saved in an Amazon S3 bucket under Account A, which belongs to the retail company. The business partner company wants one of its IAM users, User_DataProcessor, to access the files from its own AWS account (Account B).

Which combination of steps must the companies take so that User_DataProcessor can access the S3 bucket successfully? (Select TWO.)

A.       Turn on the cross-origin resource sharing (CORS) feature for the S3 bucket in Account A.

B.       In Account A, set the S3 bucket policy to the following:

{
  "Effect":"Allow",
  "Action":[
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource":"arn:aws:s3:::AccountABucketName/*"
}

C.      In Account A, set the S3 bucket policy to the following:

{
  "Effect":"Allow",
  "Principal":{
    "AWS":"arn:aws:iam::AccountB:user/User_DataProcessor"
  },
  "Action":[
    "s3:GetObject",
    "s3:ListBucket"
  ],

D.      In Account B, set the permissions of User_DataProcessor to the following:

{
  "Effect":"Allow",
  "Action":[
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource":"arn:aws:s3:::AccountABucketName/*"
}

E.       In Account B, set the permissions of User_DataProcessor to the following:

{
  "Effect":"Allow",
  "Principal":{
    "AWS":"arn:aws:iam::AccountB:user/User_DataProcessor"
  },
  "Action":[
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource":[
    "arn:aws:s3:::AccountABucketName/*"
  ]
}


Correct Answer: CD

Section: (none)

QUESTION 65

A company has an organization that has many AWS accounts in AWS Organizations. A solutions architect must improve how the company manages common security group rules for the AWS accounts in the organization.

The company has a common set of IP CIDR ranges in an allow list in each AWS account to allow access to and from the company's on-premises network. Developers within each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own AWS account. Currently, the security team notifies the owners of the other AWS accounts when changes are made to the allow list. The solutions architect must design a solution that distributes the common set of CIDR ranges across all accounts.

Which solution meets these requirements with the LEAST amount of operational overhead?

A.       Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team's AWS account. Deploy an AWS Lambda function in each AWS account. Configure the Lambda function to run every time an SNS topic receives a message. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the account. Instruct the security team to distribute changes by publishing messages to its SNS topic.

B.       Create new customer-managed prefix lists in each AWS account within the organization. Populate the prefix lists in each account with all internal CIDR ranges. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their accounts in their security groups. Instruct the security team to share updates with each AWS account owner.

C.      Create a new customer-managed prefix list in the security team's AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.

D.      Create an IAM role in each account in the organization. Grant permissions to update security groups. Deploy an AWS Lambda function in the security team's AWS account. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each organization account, and add the list of IP addresses to the security groups in each account.


Correct Answer: C

Section: (none)

QUESTION 66

A company has developed a web application. The company is hosting the application on a group of Amazon EC2 instances behind an Application Load Balancer. The company wants to improve the security posture of the application and plans to use AWS WAF web ACLs. The solution must not adversely affect legitimate traffic to the application.

How should a solutions architect configure the web ACLs to meet these requirements?

A.       Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Count to Block.

B.       Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible. Temporarily block all requests that exceed the limit. Define nested rules to narrow the scope of the rate tracking.

C.      Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the web ACLs. Evaluate the rule groups by using Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.

D.      Use only custom rule groups in the web ACLs, and set the action to Allow. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Allow to Block.


Correct Answer: A

Section: (none)

QUESTION 67

A solutions architect needs to implement a client-side encryption mechanism for objects that will be stored in a new Amazon S3 bucket. The solutions architect created a CMK that is stored in AWS Key Management Service (AWS KMS) for this purpose.

The solutions architect created the following IAM policy and attached it to an IAM role:

[image: IAM policy, not reproduced in the text]

During tests, the solutions architect was able to successfully get existing test objects in the S3 bucket. However, attempts to upload a new object resulted in an error message. The error message stated that the action was forbidden.

Which action must the solutions architect add to the IAM policy to meet all the requirements?


A.       kms:GenerateDataKey

B.       kms:GetKeyPolicy

C.      kms:GetPublicKey

D.      kms:Sign


Correct Answer: A

Section: (none)

QUESTION 68

A large mobile gaming company has successfully migrated all of its on-premises infrastructure to the AWS Cloud. A solutions architect is reviewing the environment to ensure that it was built according to the design and that it is running in alignment with the Well-Architected Framework. While reviewing previous monthly costs in Cost Explorer, the solutions architect notices that the creation and subsequent termination of several large instance types account for a high proportion of the costs. The solutions architect finds out that the company's developers are launching new Amazon EC2 instances as part of their testing and that the developers are not using the appropriate instance types.

The solutions architect must implement a control mechanism to limit the instance types that the developers can launch. Which solution will meet these requirements?

A.       Create a desired-instance-type managed rule in AWS Config. Configure the rule with the instance types that are allowed. Attach the rule to an event to run each time a new EC2 instance is launched.

B.       In the EC2 console, create a launch template that specifies the instance types that are allowed. Assign the launch template to the developers' IAM accounts.

C.      Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers.

D.      Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.


Correct Answer: C

Section: (none)

QUESTION 69

A company is building an electronic document management system in which users upload their documents. The application stack is entirely serverless and runs on AWS in the eu-central-1 Region. The system includes a web application that uses an Amazon CloudFront distribution for delivery with Amazon S3 as the origin. The web application communicates with Amazon API Gateway Regional endpoints. The API Gateway APIs call AWS Lambda functions that store metadata in an Amazon Aurora Serverless database and put the documents into an S3 bucket.

The company is growing steadily and has completed a proof of concept with its largest customer. The company must improve latency outside of Europe.

Which combination of actions will meet these requirements? (Select TWO.)

A.       Enable S3 Transfer Acceleration on the S3 bucket. Ensure that the web application uses the Transfer Acceleration signed URLs.

B.       Create an accelerator in AWS Global Accelerator. Attach the accelerator to the CloudFront distribution.

C.      Change the API Gateway Regional endpoints to edge-optimized endpoints.

D.      Provision the entire stack in two other locations that are spread across the world. Use global databases on the Aurora Serverless cluster.

E.       Add an Amazon RDS proxy between the Lambda functions and the Aurora Serverless database.


Correct Answer: AC

Section: (none)

QUESTION 70

A health insurance company stores personally identifiable information (PII) in an Amazon S3 bucket. The company uses server-side encryption with S3 managed encryption keys (SSE-S3) to encrypt the objects.

According to a new requirement, all current and future objects in the S3 bucket must be encrypted by keys that the company's security team manages. The S3 bucket does not have versioning enabled.

Which solution will meet these requirements?

A.       In the S3 bucket properties, change the default encryption to SSE-S3 with a customer managed key. Use the AWS CLI to re-upload all objects in the S3 bucket. Set an S3 bucket policy to deny unencrypted PutObject requests.

B.       In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Set an S3 bucket policy to deny unencrypted PutObject requests. Use the AWS CLI to re-upload all objects in the S3 bucket.

C.      In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Set an S3 bucket policy to automatically encrypt objects on GetObject and PutObject requests.

D.      In the S3 bucket properties, change the default encryption to AES-256 with a customer managed key. Attach a policy to deny unencrypted PutObject requests to any entities that access the S3 bucket. Use the AWS CLI to re-upload all objects in the S3 bucket.


Correct Answer: B

Section: (none)

QUESTION 71

A company is building a software-as-a-service (SaaS) solution on AWS. The company has deployed an Amazon API Gateway REST API with AWS Lambda integration in multiple AWS Regions and in the same production account.

The company offers tiered pricing that gives customers the ability to pay for the capacity to make a certain number of API calls per second. The premium tier offers up to 3,000 calls per second. Customers are identified by a unique API key. Several premium tier customers in various Regions report that they receive error responses of 429 Too Many Requests from multiple API methods during peak usage hours. Logs indicate that the Lambda function is never invoked.

What could be the cause of the error messages for these customers?

A.       The Lambda function reached its concurrency limit.

B.       The Lambda function reached its Region limit for concurrency.

C.      The company reached its API Gateway account limit for calls per second.

D.      The company reached its API Gateway default per-method limit for calls per second.


Correct Answer: C

Section: (none)

QUESTION 72

A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, the company has two OUs: Research and DataOps.

Because of regulatory requirements, all resources that the company deploys in the organization must reside in the ap-northeast-1 Region. Additionally, EC2 instances that the company deploys in the DataOps OU must use a predefined list of instance types.

A solutions architect must implement a solution that applies these restrictions. The solution must maximize operational efficiency and must minimize ongoing maintenance. Which combination of steps will meet these requirements? (Select TWO.)

A.       Create an IAM role in one account under the DataOps OU. Use the ec2:InstanceType condition key in an inline policy on the role to restrict access to specific instance types.

B.       Create an IAM user in all accounts under the root OU. Use the aws:RequestedRegion condition key in an inline policy on each user to restrict access to all AWS Regions except ap-northeast-1.

C.      Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU.

D.      Create an SCP. Use the ec2:Region condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU, the DataOps OU, and the Research OU.

E.       Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU.


Correct Answer: CE

Section: (none)

QUESTION 73

A company is hosting an image-processing service on AWS in a VPC. The VPC extends across two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. The service runs on Amazon EC2 instances in the private subnets. An Application Load Balancer in the public subnets is in front of the service. The service needs to communicate with the internet and does so through two NAT gateways. The service uses Amazon S3 for image storage. The EC2 instances retrieve approximately 1 TB of data from an S3 bucket each day.

The company has promoted the service as highly secure. A solutions architect must reduce cloud expenditures as much as possible without compromising the service's security posture or increasing the time spent on ongoing operations.

Which solution will meet these requirements?

A.       Replace the NAT gateways with NAT instances. In the VPC route table, create a route from the private subnets to the NAT instances.

B.       Move the EC2 instances to the public subnets. Remove the NAT gateways.

C.      Set up an S3 gateway VPC endpoint in the VPC. Attach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.

D.      Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host the images on the EFS volume.


Correct Answer: C

Section: (none)

QUESTION 74

A video processing company wants to build a machine learning (ML) model by using 600 TB of compressed data that is stored as thousands of files in the company's on-premises network attached storage system.

The company does not have the necessary compute resources on premises for ML experiments and wants to use AWS.

The company needs to complete the data transfer to AWS within 3 weeks. The data transfer will be a one-time transfer. The data must be encrypted in transit.

The measured upload speed of the company's internet connection is 100 Mbps, and multiple departments share the connection.

Which solution will meet these requirements MOST cost-effectively?

A.       Order several AWS Snowball Edge Storage Optimized devices by using the AWS Management Console. Configure the devices with a destination S3 bucket. Copy the data to the devices. Ship the devices back to AWS.

B.       Set up a 10 Gbps AWS Direct Connect connection between the company location and the nearest AWS Region. Transfer the data over a VPN connection into the Region to store the data in Amazon S3.

C.      Create a VPN connection between the on-premises network attached storage and the nearest AWS Region. Transfer the data over the VPN connection.

D.      Deploy an AWS Storage Gateway file gateway on premises. Configure the file gateway with a destination S3 bucket. Copy the data to the file gateway.


Correct Answer: A

Section: (none)

QUESTION 75

A company runs a content management application on a single Windows Amazon EC2 instance in a development environment. The application reads and writes static content to a 2 TB Amazon Elastic Block Store (Amazon EBS) volume that is attached to the instance as the root device. The company plans to deploy this application in production as a highly available and fault-tolerant solution that runs on at least three EC2 instances across multiple Availability Zones.

A solutions architect must design a solution that joins all the instances that run the application to an Active Directory domain. The solution also must implement Windows ACLs to control access to file contents. The application always must maintain exactly the same content on all running instances at any given point in time.

Which solution will meet these requirements with the LEAST management overhead?

A.       Create an Amazon Elastic File System (Amazon EFS) file share. Create an Auto Scaling group that extends across three Availability Zones and maintains a minimum size of three instances. Implement a user data script to install the application, join the instance to the AD domain, and mount the EFS file share.

B.       Create a new AMI from the current EC2 instance that is running. Create an Amazon FSx for Lustre file system. Create an Auto Scaling group that extends across three Availability Zones and maintains a minimum size of three instances. Implement a user data script to join the instance to the AD domain and mount the FSx for Lustre file system.

C.      Create an Amazon FSx for Windows File Server file system. Create an Auto Scaling group that extends across three Availability Zones and maintains a minimum size of three instances. Implement a user data script to install the application and mount the FSx for Windows File Server file system. Perform a seamless domain join to join the instance to the AD domain.

D.      Create a new AMI from the current EC2 instance that is running. Create an Amazon Elastic File System (Amazon EFS) file system. Create an Auto Scaling group that extends across three Availability Zones and maintains a minimum size of three instances. Perform a seamless domain join to join the instance to the AD domain.


Correct Answer: C

Section: (none)

QUESTION 76

A digital marketing company has multiple AWS accounts that belong to various teams. The creative team uses an Amazon S3 bucket in its AWS account to securely store images and media files that are used as content for the company's marketing campaigns. The creative team wants to share the S3 bucket with the strategy team so that the strategy team can view the objects. A solutions architect has created an IAM role that is named strategy_reviewer in the Strategy account. The solutions architect also has set up a custom AWS Key Management Service (AWS KMS) key in the Creative account and has associated the key with the S3 bucket. However, when users from the Strategy account assume the IAM role and try to access objects in the S3 bucket, they receive an Access Denied error.

The solutions architect must ensure that users in the Strategy account can access the S3 bucket. The solution must provide these users with only the minimum permissions that they need. Which combination of steps should the solutions architect take to meet these requirements? (Select THREE.)

A.       Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to the account ID of the Strategy account.

B.       Update the strategy_reviewer IAM role to grant full permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.

C.      Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.

D.      Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to an anonymous user.

E.       Update the custom KMS key policy in the Creative account to grant encrypt permissions to the strategy_reviewer IAM role.

F.       Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.


Correct Answer: ACF

Section: (none)

QUESTION 77

A retail company is hosting an ecommerce website on AWS across multiple AWS Regions. The company wants the website to be operational at all times for online purchases. The website stores data in an Amazon RDS for MySQL DB instance.

Which solution will provide the HIGHEST availability for the database?

A.       Configure automated backups on Amazon RDS. In the case of disruption, promote an automated backup to be a standalone DB instance. Direct database traffic to the promoted DB instance. Create a replacement read replica that has the promoted DB instance as its source.

B.       Configure global tables and read replicas on Amazon RDS. Activate the cross-Region scope. In the case of disruption, use AWS Lambda to copy the read replicas from one Region to another Region.

C.      Configure global tables and automated backups on Amazon RDS. In the case of disruption, use AWS Lambda to copy the read replicas from one Region to another Region.

D.      Configure read replicas on Amazon RDS. In the case of disruption, promote a cross-Region read replica to be a standalone DB instance. Direct database traffic to the promoted DB instance. Create a replacement read replica that has the promoted DB instance as its source.


Correct Answer: D


Section: (none)

QUESTION 78

An external audit of a company's serverless application reveals IAM policies that grant too many permissions. These policies are attached to the company's AWS Lambda execution roles. Hundreds of the company's Lambda functions have broad access permissions, such as full access to Amazon S3 buckets and Amazon DynamoDB tables. The company wants each function to have only the minimum permissions that the function needs to complete its task.

A solutions architect must determine which permissions each Lambda function needs. What should the solutions architect do to meet this requirement with the LEAST amount of effort?

A.       Set up Amazon CodeGuru to profile the Lambda functions and search for AWS API calls. Create an inventory of the required API calls and resources for each Lambda function. Create new IAM access policies for each Lambda function. Review the new policies to ensure that they meet the company's business requirements.

B.       Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company's business requirements.

C.      Turn on AWS CloudTrail logging for the AWS account. Create a script to parse the CloudTrail log, search for AWS API calls by Lambda execution role, and create a summary report. Review the report. Create IAM access policies that provide more restrictive permissions for each Lambda function.

D.      Turn on AWS CloudTrail logging for the AWS account. Export the CloudTrail logs to Amazon S3. Use Amazon EMR to process the CloudTrail logs in Amazon S3 and produce a report of API calls and resources used by each execution role. Create a new IAM access policy for each role. Export the generated roles to an S3 bucket. Review the generated policies to ensure that they meet the company's business requirements.


Correct Answer: B

Section: (none)

QUESTION 79

A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN. The company is hosting internal applications with VPCs in multiple AWS accounts. Currently, the applications are accessible from the company's on-premises office network through an AWS Site-to-Site VPN connection. The VPC in the company's main AWS account has peering connections established with VPCs in other AWS accounts.

A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home.

What is the MOST cost-effective solution that meets these requirements?

A.       Create a Client VPN endpoint in each AWS account. Configure required routing that allows access to internal applications.

B.       Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications.

C.      Create a Client VPN endpoint in the main AWS account. Provision a transit gateway that is connected to each AWS account. Configure required routing that allows access to internal applications.

D.      Create a Client VPN endpoint in the main AWS account. Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN.


Correct Answer: B

Section: (none)

QUESTION 80

A company is refactoring its on-premises order-processing platform in the AWS Cloud. The platform includes a web front end that is hosted on a fleet of VMs, RabbitMQ to connect the front end to the backend, and a Kubernetes cluster to run a containerized backend system to process the orders. The company does not want to make any major changes to the application. Which solution will meet these requirements with the LEAST operational overhead?

A.       Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up Amazon MQ to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.

B.       Create a custom AWS Lambda runtime to mimic the web server environment. Create an Amazon API Gateway API to replace the front-end web servers. Set up Amazon MQ to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.

C.      Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up Amazon MQ to replace the on-premises messaging queue. Install Kubernetes on a fleet of different EC2 instances to host the order-processing backend.

D.      Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up an Amazon Simple Queue Service (Amazon SQS) queue to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.


Correct Answer: A

Section: (none)
