Updated 2024/11/12. Reading time: about 162 minutes

AWS Certified Solutions Architect - Professional SAP-C02 Past Exam Questions

AWS Professional Architect Certification Past Exam Question Collection 20241120



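Past exam questions for the full Amazon Web Services (AWS) series: the latest 2024 question bank, continuously updated, the most complete on the web. AWS certifications carry high value and are essential for self-study and for moving into the cloud industry. Recent versions are updated to keep track of the latest trends.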

QUESTION 81

A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously. A solutions architect needs to enforce the new process in the most secure way possible. Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)

 

A.       Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.

B.       Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.

C.      In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.

D.      Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization.

E.       Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.

 

Correct Answer: AD

Section: (none)

QUESTION 82

A company wants to migrate to AWS. The company wants to use a multi-account structure with centrally managed access to all accounts and applications. The company also wants to keep the traffic on a private network. Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups.

The company must create separate accounts for development, staging, production, and shared network. The production account and the shared network account must have connectivity to all accounts. The development account and the staging account must have access only to each other. Which combination of steps should a solutions architect take to meet these requirements? (Select THREE.)

 

A.       Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations.

B.       Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings through AWS CloudTrail to force MFA login.

C.      Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables.

D.      Set up and enable AWS Single Sign-On. Create appropriate permission sets with required MFA for existing accounts.

E.       Enable AWS Control Tower in all accounts to manage routing between accounts. Collect findings through AWS CloudTrail to force MFA login.

F.       Create IAM users and groups. Configure MFA for all users. Set up Amazon Cognito user pools and identity pools to manage access to accounts and between accounts.

 

Correct Answer: ACE

Section: (none)

QUESTION 83

A solutions architect has developed a web application that uses an Amazon API Gateway Regional endpoint and an AWS Lambda function. The consumers of the web application are all close to the AWS Region where the application will be deployed. The Lambda function only queries an Amazon Aurora MySQL database. The solutions architect has configured the database to have three read replicas. During testing, the application does not meet performance requirements. Under high load, the application opens a large number of database connections. The solutions architect must improve the application's performance. Which actions should the solutions architect take to meet these requirements? (Select TWO.)

 

A.       Use the cluster endpoint of the Aurora database.

B.       Use RDS Proxy to set up a connection pool to the reader endpoint of the Aurora database.

C.      Use the Lambda Provisioned Concurrency feature.

D.      Move the code for opening the database connection in the Lambda function outside of the event handler.

E.       Change the API Gateway endpoint to an edge-optimized endpoint.

 

Correct Answer: BD

Section: (none)

QUESTION 84

A company recently deployed an application on AWS. The application uses Amazon DynamoDB. The company measured the application load and configured the RCUs and WCUs on the DynamoDB table to match the expected peak load. The peak load occurs once a week for a 4-hour period and is double the average load. The application load is close to the average load for the rest of the week. The access pattern includes many more writes to the table than reads of the table. A solutions architect needs to implement a solution to minimize the cost of the table.

Which solution will meet these requirements?

 

A.       Use AWS Application Auto Scaling to increase capacity during the peak period. Purchase reserved RCUs and WCUs to match the average load.

B.       Configure on-demand capacity mode for the table.

C.      Configure DynamoDB Accelerator (DAX) in front of the table. Reduce the provisioned read capacity to match the new peak load on the table.

D.      Configure DynamoDB Accelerator (DAX) in front of the table. Configure on-demand capacity mode for the table.

 

Correct Answer: A

Section: (none)

QUESTION 85

A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC.

The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company's VPC. All permissions must conform to the principles of least privilege.

Which solution meets these requirements?

 

A.       Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.

B.       Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.

C.      Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.

D.      Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.

 

Correct Answer: A

Section: (none)

QUESTION 86

A company is running a web application in the AWS Cloud. The application consists of dynamic content that is created on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group that is configured as a target group for an Application Load Balancer (ALB). The company is using an Amazon CloudFront distribution to distribute the application globally. The CloudFront distribution uses the ALB as an origin. The company uses Amazon Route 53 for DNS and has created an A record of www.example.com for the CloudFront distribution. A solutions architect must configure the application so that it is highly available and fault tolerant.

Which solution meets these requirements?

 

A.       Provision a full, secondary application deployment in a different AWS Region. Update the Route 53 A record to be a failover record. Add both of the CloudFront distributions as values. Create Route 53 health checks.

B.       Provision an ALB, an Auto Scaling group, and EC2 instances in a different AWS Region. Update the CloudFront distribution, and create a second origin for the new ALB. Create an origin group for the two origins. Configure one origin as primary and one origin as secondary.

C.      Provision an Auto Scaling group and EC2 instances in a different AWS Region. Create a second target for the new Auto Scaling group in the ALB. Set up the failover routing algorithm on the ALB.

D.      Provision a full, secondary application deployment in a different AWS Region. Create a second CloudFront distribution, and add the new application setup as an origin. Create an AWS Global Accelerator accelerator. Add both of the CloudFront distributions as endpoints.

 

Correct Answer: B

Section: (none)

QUESTION 87

A company is migrating some of its applications to AWS. The company wants to migrate and modernize the applications quickly after it finalizes networking and security strategies. The company has set up an AWS Direct Connect connection in a central network account. The company expects to have hundreds of AWS accounts and VPCs in the near future. The corporate network must be able to access the resources on AWS seamlessly and also must be able to communicate with all the VPCs. The company also wants to route its cloud resources to the internet through its on-premises data center.

Which combination of steps will meet these requirements? (Select THREE.)

 

A.       Create a Direct Connect gateway in the central account. In each of the accounts, create an association proposal by using the Direct Connect gateway and the account ID for every virtual private gateway.

B.       Create a Direct Connect gateway and a transit gateway in the central network account. Attach the transit gateway to the Direct Connect gateway by using a transit VIF.

C.      Provision an internet gateway. Attach the internet gateway to subnets. Allow internet traffic through the gateway.

D.      Share the transit gateway with other accounts. Attach VPCs to the transit gateway.

E.       Provision VPC peering as necessary.

F.       Provision only private subnets. Open the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center.

 

Correct Answer: BDF

Section: (none)


QUESTION 88

An application is using an Amazon RDS for MySQL Multi-AZ DB instance in the us-east-1 Region. After a failover test, the application lost the connections to the database and could not re-establish the connections. After a restart of the application, the application re-established the connections. A solutions architect must implement a solution so that the application can re-establish connections to the database without requiring a restart.

Which solution will meet these requirements?

 

A.       Create an Amazon Aurora MySQL Serverless v1 DB instance. Migrate the RDS DB instance to the Aurora Serverless v1 DB instance. Update the connection settings in the application to point to the Aurora reader endpoint.

B.       Create an RDS proxy. Configure the existing RDS endpoint as a target. Update the connection settings in the application to point to the RDS proxy endpoint.

C.      Create a two-node Amazon Aurora MySQL DB cluster. Migrate the RDS DB instance to the Aurora DB cluster. Create an RDS proxy. Configure the existing RDS endpoint as a target. Update the connection settings in the application to point to the RDS proxy endpoint.

D.      Create an Amazon S3 bucket. Export the database to Amazon S3 by using AWS Database Migration Service (AWS DMS). Configure Amazon Athena to use the S3 bucket as a data store. Install the latest Open Database Connectivity (ODBC) driver for the application. Update the connection settings in the application to point to the Athena endpoint.

 

Correct Answer: B

Section: (none)

QUESTION 89

A company has several AWS accounts. A development team is building an automation framework for cloud governance and remediation processes. The automation framework uses AWS Lambda functions in a centralized account. A solutions architect must implement a least privilege permissions policy that allows the Lambda functions to run in each of the company's AWS accounts. Which combination of steps will meet these requirements? (Select TWO.)

 

A.       In the centralized account, create an IAM role that has the Lambda service as a trusted entity. Add an inline policy to assume the roles of the other AWS accounts.

B.       In the other AWS accounts, create an IAM role that has minimal permissions. Add the centralized account's Lambda IAM role as a trusted entity.

C.      In the centralized account, create an IAM role that has roles of the other accounts as trusted entities. Provide minimal permissions.

D.      In the other AWS accounts, create an IAM role that has permissions to assume the role of the centralized account. Add the Lambda service as a trusted entity.

E.       In the other AWS accounts, create an IAM role that has minimal permissions. Add the Lambda service as a trusted entity.

 

Correct Answer: AB

Section: (none)

QUESTION 90

A company is planning to store a large number of archived documents and make the documents available to employees through the corporate intranet. Employees will access the system by connecting through a client VPN service that is attached to a VPC. The data must not be accessible to the public. The documents that the company is storing are copies of data that is held on physical media elsewhere. The number of requests will be low. Availability and speed of retrieval are not concerns of the company. Which solution will meet these requirements at the LOWEST cost?

 

A.       Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class as default. Configure the S3 bucket for website hosting. Create an S3 interface endpoint. Configure the S3 bucket to allow access only through that endpoint.

B.       Launch an Amazon EC2 instance that runs a web server. Attach an Amazon Elastic File System (Amazon EFS) file system to store the archived data in the EFS One Zone-Infrequent Access (EFS One Zone-IA) storage class. Configure the instance security groups to allow access only from private networks.

C.      Launch an Amazon EC2 instance that runs a web server. Attach an Amazon Elastic Block Store (Amazon EBS) volume to store the archived data. Use the Cold HDD (sc1) volume type. Configure the instance security groups to allow access only from private networks.

D.      Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 Glacier Deep Archive storage class as default. Configure the S3 bucket for website hosting. Create an S3 interface endpoint. Configure the S3 bucket to allow access only through that endpoint.

 

Correct Answer: A

Section: (none)

QUESTION 91

A company has migrated its forms-processing application to AWS. When users interact with the application, they upload scanned forms as files through a web application. A database stores user metadata and references to files that are stored in Amazon S3. The web application runs on Amazon EC2 instances and an Amazon RDS for PostgreSQL database.

When forms are uploaded, the application sends notifications to a team through Amazon Simple Notification Service (Amazon SNS). A team member then logs in and processes each form. The team member performs data validation on the form and extracts relevant data before entering the information into another system that uses an API.

A solutions architect needs to automate the manual processing of the forms. The solution must provide accurate form extraction, minimize time to market, and minimize long-term operational overhead.

Which solution will meet these requirements?

 

A.       Develop custom libraries to perform optical character recognition (OCR) on the forms. Deploy the libraries to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster as an application tier. Use this tier to process the forms when forms are uploaded. Store the output in Amazon S3. Parse this output by extracting the data into an Amazon DynamoDB table. Submit the data to the target system's API. Host the new application tier on EC2 instances.

B.       Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use artificial intelligence and machine learning (AI/ML) models that are trained and hosted on an EC2 instance to perform optical character recognition (OCR) on the forms when forms are uploaded. Store the output in Amazon S3. Parse this output by extracting the data that is required within the application tier. Submit the data to the target system's API.

C.      Host a new application tier on EC2 instances. Use this tier to call endpoints that host artificial intelligence and machine learning (AI/ML) models that are trained and hosted in Amazon SageMaker to perform optical character recognition (OCR) on the forms. Store the output in Amazon ElastiCache. Parse this output by extracting the data that is required within the application tier. Submit the data to the target system's API.

D.      Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use Amazon Textract and Amazon Comprehend to perform optical character recognition (OCR) on the forms when forms are uploaded. Store the output in Amazon S3. Parse this output by extracting the data that is required within the application tier. Submit the data to the target system's API.

 

Correct Answer: D

Section: (none)

QUESTION 92

An adventure company has launched a new feature on its mobile app. Users can use the feature to upload their hiking and rafting photos and videos anytime. The photos and videos are stored in Amazon S3 Standard storage in an S3 bucket and are served through Amazon CloudFront. The company needs to optimize the cost of the storage. A solutions architect discovers that most of the uploaded photos and videos are accessed infrequently after 30 days. However, some of the uploaded photos and videos are accessed frequently after 30 days. The solutions architect needs to implement a solution that maintains millisecond retrieval availability of the photos and videos at the lowest possible cost.

Which solution will meet these requirements?

 

A.       Configure S3 Intelligent-Tiering on the S3 bucket.

B.       Configure an S3 Lifecycle policy to transition image objects and video objects from S3 Standard to S3 Glacier Deep Archive after 30 days.

C.      Replace Amazon S3 with an Amazon Elastic File System (Amazon EFS) file system that is mounted on Amazon EC2 instances.

D.      Add a Cache-Control: max-age header to the S3 image objects and S3 video objects. Set the header to 30 days.


Correct Answer: A

Section: (none)

QUESTION 93

A company has an asynchronous HTTP application that is hosted as an AWS Lambda function. A public Amazon API Gateway endpoint invokes the Lambda function. The Lambda function and the API Gateway endpoint reside in the us-east-1 Region. A solutions architect needs to redesign the application to support failover to another AWS Region.

Which solution will meet these requirements?

 

A.       Create an API Gateway endpoint in the us-west-2 Region to direct traffic to the Lambda function in us-east-1. Configure Amazon Route 53 to use a failover routing policy to route traffic for the two API Gateway endpoints.

B.       Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure API Gateway to direct traffic to the SQS queue instead of to the Lambda function. Configure the Lambda function to pull messages from the queue for processing.

C.      Deploy the Lambda function to the us-west-2 Region. Create an API Gateway endpoint in us-west-2 to direct traffic to the Lambda function in us-west-2. Configure AWS Global Accelerator and an Application Load Balancer to manage traffic across the two API Gateway endpoints.

D.      Deploy the Lambda function and an API Gateway endpoint to the us-west-2 Region. Configure Amazon Route 53 to use a failover routing policy to route traffic for the two API Gateway endpoints.

 

Correct Answer: D

Section: (none)

QUESTION 94

A company is hosting a critical application on a single Amazon EC2 instance. The application uses an Amazon ElastiCache for Redis single-node cluster for an in-memory data store. The application uses an Amazon RDS for MariaDB DB instance for a relational database. For the application to function, each piece of the infrastructure must be healthy and must be in an active state. A solutions architect needs to improve the application's architecture so that the infrastructure can automatically recover from failure with the least possible downtime. Which combination of steps will meet these requirements? (Select THREE.)

 

A.       Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are part of an Auto Scaling group that has a minimum capacity of two instances.

B.       Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are configured in unlimited mode.

C.      Modify the DB instance to create a read replica in the same Availability Zone. Promote the read replica to be the primary DB instance in failure scenarios.

D.      Modify the DB instance to create a Multi-AZ deployment that extends across two Availability Zones.

E.       Create a replication group for the ElastiCache for Redis cluster. Configure the cluster to use an Auto Scaling group that has a minimum capacity of two instances.

F.       Create a replication group for the ElastiCache for Redis cluster. Enable Multi-AZ on the cluster.

 

Correct Answer: ADF

Section: (none)

QUESTION 95

A company is hosting a monolithic REST-based API for a mobile app on five Amazon EC2 instances in public subnets of a VPC. Mobile clients connect to the API by using a domain name that is hosted on Amazon Route 53. The company has created a Route 53 multivalue answer routing policy with the IP addresses of all the EC2 instances. Recently, the app has been overwhelmed by large and sudden increases to traffic. The app has not been able to keep up with the traffic. A solutions architect needs to implement a solution so that the app can handle the new and varying load. Which solution will meet these requirements with the LEAST operational overhead?

 

A.       Separate the API into individual AWS Lambda functions. Configure an Amazon API Gateway REST API with Lambda integration for the backend. Update the Route 53 record to point to the API Gateway API.

B.       Containerize the API logic. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Run the containers in the cluster by using Amazon EC2. Create a Kubernetes ingress. Update the Route 53 record to point to the Kubernetes ingress.

C.      Create an Auto Scaling group. Place all the EC2 instances in the Auto Scaling group. Configure the Auto Scaling group to perform scaling actions that are based on CPU utilization. Create an AWS Lambda function that reacts to Auto Scaling group changes and updates the Route 53 record.

D.      Create an Application Load Balancer (ALB) in front of the API. Move the EC2 instances to private subnets in the VPC. Add the EC2 instances as targets for the ALB. Update the Route 53 record to point to the ALB.

 

Correct Answer: A

Section: (none)

QUESTION 96

A company is running an application in the AWS Cloud. The application collects and stores a large amount of unstructured data in an Amazon S3 bucket. The S3 bucket contains several terabytes of data and uses the S3 Standard storage class. The data increases in size by several gigabytes every day. The company needs to query and analyze the data. The company does not access data that is more than 1 year old.

However, the company must retain all the data indefinitely for compliance reasons. Which solution will meet these requirements MOST cost-effectively?

 

A.       Use S3 Select to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Glacier Deep Archive.

B.       Use Amazon Redshift Spectrum to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Glacier Deep Archive.

C.      Use an AWS Glue Data Catalog and Amazon Athena to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Glacier Deep Archive.

D.      Use Amazon Redshift Spectrum to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Intelligent-Tiering.

 

Correct Answer: C

Section: (none)

QUESTION 97

A video processing company has an application that downloads images from an Amazon S3 bucket, processes the images, stores a transformed image in a second S3 bucket, and updates metadata about the image in an Amazon DynamoDB table. The application is written in Node.js and runs by using an AWS Lambda function. The Lambda function is invoked when a new image is uploaded to Amazon S3. The application ran without incident for a while. However, the size of the images has grown significantly. The Lambda function is now failing frequently with timeout errors. The function timeout is set to its maximum value. A solutions architect needs to refactor the application's architecture to prevent invocation failures. The company does not want to manage the underlying infrastructure. Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)

 

A.       Modify the application deployment by building a Docker image that contains the application code. Publish the image to Amazon Elastic Container Registry (Amazon ECR).

B.       Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of AWS Fargate. Configure the task definition to use the new image in Amazon Elastic Container Registry (Amazon ECR). Adjust the Lambda function to invoke an ECS task by using the ECS task definition when a new file arrives in Amazon S3.

C.      Create an AWS Step Functions state machine with a Parallel state to invoke the Lambda function. Increase the provisioned concurrency of the Lambda function.

D.      Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of Amazon EC2. Configure the task definition to use the new image in Amazon Elastic Container Registry (Amazon ECR). Adjust the Lambda function to invoke an ECS task by using the ECS task definition when a new file arrives in Amazon S3.

E.       Modify the application to store images on Amazon Elastic File System (Amazon EFS) and to store metadata on an Amazon RDS DB instance. Adjust the Lambda function to mount the EFS file share.

 

Correct Answer: AB

Section: (none)

QUESTION 98


A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables are providing the database credentials to the Lambda function.

The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). The data must not travel across the internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise.

What should the solutions architect recommend to meet these requirements?

 

A.       Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.

B.       Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Enforce HTTPS on the connection to Amazon S3 during data transfers.

C.      Save the database credentials in AWS Systems Manager Parameter Store. Set up password rotation on the credentials in Parameter Store. Change the IAM role for the Lambda function to allow the function to access Parameter Store. Modify the Lambda function to retrieve the credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.

D.      Save the database credentials in AWS Secrets Manager. Set up password rotation on the credentials in Secrets Manager. Change the IAM role for the Lambda function to allow the function to access Secrets Manager. Modify the Lambda function to retrieve the credentials from Secrets Manager. Enforce HTTPS on the connection to Amazon S3 during data transfers.

 

Correct Answer: A

Section: (none)

QUESTION 99

A company is running a traditional web application on Amazon EC2 instances. The company needs to refactor the application as microservices that run on containers. Separate versions of the application exist in two distinct environments: production and testing. Load for the application is variable, but the minimum load and the maximum load are known. A solutions architect needs to design the updated application with a serverless architecture that minimizes operational complexity. Which solution will meet these requirements MOST cost-effectively?

 

A.       Upload the container images to AWS Lambda as functions. Configure a concurrency limit for the associated Lambda functions to handle the expected peak load. Configure two separate Lambda integrations within Amazon API Gateway: one for production and one for testing.

B.       Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Container Service (Amazon ECS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the ECS clusters.

C.      Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Kubernetes Service (Amazon EKS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the EKS clusters.

D.      Upload the container images to AWS Elastic Beanstalk. In Elastic Beanstalk, create separate environments and deployments for production and testing. Configure two separate Application Load Balancers to direct traffic to the Elastic Beanstalk deployments.

 

Correct Answer: B

Section: (none)

QUESTION 100

A company that uses AWS Organizations allows developers to experiment on AWS. As part of the landing zone that the company has deployed, developers use their company email address to request an account. The company wants to ensure that developers are not launching costly services or running services unnecessarily. The company must give developers a fixed monthly budget to limit their AWS costs. Which combination of steps will meet these requirements? (Select THREE.)


A.       Create an SCP to set a fixed monthly account usage limit. Apply the SCP to the developer accounts.

B.       Use AWS Budgets to create a fixed monthly budget for each developer's account as part of the account creation process.

C.      Create an SCP to deny access to costly services and components. Apply the SCP to the developer accounts.

D.      Create an IAM policy to deny access to costly services and components. Apply the IAM policy to the developer accounts.

E.       Create an AWS Budgets alert action to terminate services when the budgeted amount is reached. Configure the action to terminate all services.

F.       Create an AWS Budgets alert action to send an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount is reached. Invoke an AWS Lambda function to terminate all services.

 

Correct Answer: BCF

Section: (none)

QUESTION 101

A company wants to migrate its workloads from on premises to AWS. The workloads run on Linux and Windows. The company has a large on-premises infrastructure that consists of physical machines and VMs that host numerous applications.

The company must capture details about the system configuration, system performance, running processes, and network connections of its on-premises workloads. The company also must divide the on-premises applications into groups for AWS migrations. The company needs recommendations for Amazon EC2 instance types so that the company can run its workloads on AWS in the most cost-effective manner. Which combination of steps should a solutions architect take to meet these requirements? (Select THREE.)

 

A.       Assess the existing applications by installing AWS Application Discovery Agent on the physical machines and VMs.

B.       Assess the existing applications by installing AWS Systems Manager Agent on the physical machines and VMs

C.      Group servers into applications for migration by using AWS Systems Manager Application Manager.

D.      Group servers into applications for migration by using AWS Migration Hub

E.       Generate recommended instance types and associated costs by using AWS Migration Hub.

F.       Import data about server sizes into AWS Trusted Advisor. Follow the recommendations for cost optimization.

 

Correct Answer: ADE

Section: (none)

QUESTION 102

A publishing company's design team updates the icons and other static assets that an ecommerce web application uses. The company serves the icons and assets from an Amazon S3 bucket that is hosted in the company's production account. The company also uses a development account that members of the design team can access.

After the design team tests the static assets in the development account, the design team needs to load the assets into the S3 bucket in the production account. A solutions architect must provide the design team with access to the production account without exposing other parts of the web application to the risk of unwanted changes.

Which combination of steps will meet these requirements? (Select THREE.)

 

A.       In the production account, create a new IAM policy that allows read and write access to the S3 bucket

B.       In the development account, create a new IAM policy that allows read and write access to the S3 bucket.

C.      In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity

D.      In the development account, create a role. Attach the new policy to the role. Define the production account as a trusted entity.

E.       In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the production account.

F.       In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the development account.

 

Correct Answer: ACE

Section: (none)

QUESTION 103

A company has a multi-tier web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB and the Auto Scaling group are replicated in a backup AWS Region. The minimum value and the maximum value for the Auto Scaling group are set to zero. An Amazon RDS Multi-AZ DB instance stores the application's data. The DB instance has a read replica in the backup Region. The application presents an endpoint to end users by using an Amazon Route 53 record.

The company needs to reduce its RTO to less than 15 minutes by giving the application the ability to automatically fail over to the backup Region. The company does not have a large enough budget for an active-active strategy.

What should a solutions architect recommend to meet these requirements?

 

A.       Reconfigure the application's Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.

B.       Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Configure Route 53 with a health check that monitors the web application and sends an Amazon Simple Notification Service (Amazon SNS) notification to the Lambda function when the health check status is unhealthy. Update the application's Route 53 record with a failover policy that routes traffic to the ALB in the backup Region when a health check failure occurs.

C.      Configure the Auto Scaling group in the backup Region to have the same values as the Auto Scaling group in the primary Region. Reconfigure the application's Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Remove the read replica. Replace the read replica with a standalone RDS DB instance. Configure Cross-Region Replication between the RDS DB instances by using snapshots and Amazon S3.

D.      Configure an endpoint in AWS Global Accelerator with the two ALBs as equal weighted targets. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.

 

Correct Answer: B

Section: (none)

QUESTION 104

A company uses an on-premises data analytics platform. The system is highly available in a fully redundant configuration across 12 servers in the company's data center. The system runs scheduled jobs, both hourly and daily, in addition to one-time requests from users. Scheduled jobs can take between 20 minutes and 2 hours to finish running and have tight SLAs. The scheduled jobs account for 65% of the system usage.

User jobs typically finish running in less than 5 minutes and have no SLA. The user jobs account for 35% of system usage. During system failures, scheduled jobs must continue to meet SLAs. However, user jobs can be delayed. A solutions architect needs to move the system to Amazon EC2 instances and adopt a consumption-based model to reduce costs with no long-term commitments. The solution must maintain high availability and must not affect the SLAs.

Which solution will meet these requirements MOST cost-effectively?

 

A.       Split the 12 instances across two Availability Zones in the chosen AWS Region. Run two instances in each Availability Zone as On-Demand Instances with Capacity Reservations. Run four instances in each Availability Zone as Spot Instances.

B.       Split the 12 instances across three Availability Zones in the chosen AWS Region. In one of the Availability Zones, run all four instances as On-Demand Instances with Capacity Reservations. Run the remaining instances as Spot Instances.

C.      Split the 12 instances across three Availability Zones in the chosen AWS Region. Run two instances in each Availability Zone as On-Demand Instances with a Savings Plan. Run two instances in each Availability Zone as Spot Instances.

D.      Split the 12 instances across three Availability Zones in the chosen AWS Region. Run three instances in each Availability Zone as On-Demand Instances with Capacity Reservations. Run one instance in each Availability Zone as a Spot Instance.

 

Correct Answer: D

Section: (none)

QUESTION 105

A company that has multiple AWS accounts is using AWS Organizations. The company's AWS accounts host VPCs, Amazon EC2 instances, and containers.

The company's compliance team has deployed a security tool in each VPC where the company has deployments. The security tools run on EC2 instances and send information to the AWS account that is dedicated for the compliance team. The company has tagged all the compliance-related resources with a key of "costCenter" and a value of "compliance".

The company wants to identify the cost of the security tools that are running on the EC2 instances so that the company can charge the compliance team's AWS account. The cost calculation must be as accurate as possible.

What should a solutions architect do to meet these requirements?

 

A.       In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources.

B.       In the member accounts of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Schedule a monthly AWS Lambda function to retrieve the reports and calculate the total cost for the costCenter tagged resources.

C.      In the member accounts of the organization, activate the costCenter user-defined tag. From the management account, schedule a monthly AWS Cost and Usage Report. Use the tag breakdown in the report to calculate the total cost for the costCenter tagged resources.

D.      Create a custom report in the organization view in AWS Trusted Advisor. Configure the report to generate a monthly billing summary for the costCenter tagged resources in the compliance team's AWS account.

 

Correct Answer: A

Section: (none)

QUESTION 106

A company's solutions architect is reviewing a web application that runs on AWS. The application references static assets in an Amazon S3 bucket in the us-east-1 Region. The company needs resiliency across multiple AWS Regions. The company already has created an S3 bucket in a second Region. Which solution will meet these requirements with the LEAST operational overhead?

 

A.       Configure the application to write each object to both S3 buckets. Set up an Amazon Route 53 public hosted zone with a record set by using a weighted routing policy for each S3 bucket. Configure the application to reference the objects by using the Route 53 DNS name.

B.       Create an AWS Lambda function to copy objects from the S3 bucket in us-east-1 to the S3 bucket in the second Region. Invoke the Lambda function each time an object is written to the S3 bucket in us-east-1. Set up an Amazon CloudFront distribution with an origin group that contains the two S3 buckets as origins.

C.      Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region. Set up an Amazon CloudFront distribution with an origin group that contains the two S3 buckets as origins.

D.      Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region. If failover is required, update the application code to load S3 objects from the S3 bucket in the second Region.

 

Correct Answer: C

Section: (none)

QUESTION 107

A government solution runs on a fleet of more than 2,000 Amazon EC2 instances. Each EC2 instance runs highly secure software on Windows Server OS with an AWS Systems Manager Agent (SSM Agent) installed. The TCP/443 inbound port is open to the fleet of instances. All the other inbound ports are closed. Currently, any changes to the port configuration require a lengthy multi-level review process. Which solution will provide secure access to run scripts on the fleet of instances with the LEAST amount of administrative overhead?

 

A.       Configure AWS OpsWorks for Puppet Enterprise with a connection to the SSM Agent on the instances. Manage the scripts by using Puppet stacks.

B.       Open the required ports. Manage the fleet of instances by using Session Manager, a capability of AWS Systems Manager

C.      Add interface endpoints and an IAM role. Manage the fleet of instances by using Run Command, a capability of AWS Systems Manager.

D.      Open Port TCP/22 and copy scripts onto each instance. Manage instances at scale by using scripts

 

Correct Answer: B

Section: (none)

QUESTION 108

A company recently migrated a web application from an on-premises data center to the AWS Cloud. The web application infrastructure consists of an Amazon CloudFront distribution that routes to an Application Load Balancer (ALB), with Amazon Elastic Container Service (Amazon ECS) to process requests. A recent security audit revealed that the web application is accessible by using both CloudFront and ALB endpoints. However, the company requires that the web application must be accessible only by using the CloudFront endpoint.

Which solution will meet this requirement with the LEAST amount of effort?

 

A.       Create a new security group and attach it to the CloudFront distribution. Update the ALB security group ingress to allow access only from the CloudFront security group

B.       Update ALB security group ingress to allow access only from the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list

C.      Create a com.amazonaws.region.elasticloadbalancing VPC interface endpoint for Elastic Load Balancing. Update the ALB scheme from internet-facing to internal

D.      Extract CloudFront IPs from the AWS provided ip-ranges.json document. Update ALB security group ingress to allow access only from CloudFront IPs.

 

Correct Answer: C

Section: (none)

QUESTION 109

A company has developed APIs that use Amazon API Gateway with Regional endpoints. The APIs call AWS Lambda functions that use API Gateway authentication mechanisms. After a design review, a solutions architect identifies a set of APIs that do not require public access. The solutions architect must design a solution to make the set of APIs accessible only from a VPC. All APIs need to be called with an authenticated user.

Which solution will meet these requirements with the LEAST amount of effort?

 

A.       Create an internal Application Load Balancer (ALB). Create a target group. Select the Lambda function to call. Use the ALB DNS name to call the API from the VPC

B.       Remove the DNS entry that is associated with the API in API Gateway. Create a hosted zone in Amazon Route 53. Create a CNAME record in the hosted zone. Update the API in API Gateway with the CNAME record. Use the CNAME record to call the API from the VPC.

C.      Update the API endpoint from Regional to private in API Gateway. Create an interface VPC endpoint in the VPC. Create a resource policy, and attach it to the API. Use the VPC endpoint to call the API from the VPC


D.      Deploy the Lambda functions inside the VPC. Provision an EC2 instance, and install an Apache server. From the Apache server, call the Lambda functions. Use the internal CNAME record of the EC2 instance to call the API from the VPC.

 

Correct Answer: C

Section: (none)

QUESTION 110

A company has its cloud infrastructure on AWS. A solutions architect needs to define the infrastructure as code. The infrastructure is currently deployed in one AWS Region. The company's business expansion plan includes deployments in multiple Regions across multiple AWS accounts. What should the solutions architect do to meet these requirements?

 

A.       Use AWS CloudFormation templates. Add IAM policies to control the various accounts. Deploy the templates across the multiple Regions

B.       Use AWS Organizations. Deploy AWS CloudFormation templates from the management account. Use AWS Control Tower to manage deployments across accounts

C.      Use AWS Organizations and AWS CloudFormation StackSets. Deploy a CloudFormation template from an account that has the necessary IAM permissions

D.      Use nested stacks with AWS CloudFormation templates. Change the Region by using nested stacks

 

Correct Answer: C

Section: (none)

QUESTION 111

A retail company has structured its AWS accounts to be part of an organization in AWS Organizations. The company has set up consolidated billing and has mapped its departments to the following OUs: Finance, Sales, Human Resources (HR), Marketing, and Operations. Each OU has multiple AWS accounts, one for each environment within a department. These environments are development, test, pre-production, and production.

The HR department is releasing a new system that will launch in 3 months. In preparation, the HR department has purchased several Reserved Instances (RIs) in its production AWS account. The HR department will install the new application on this account. The HR department wants to make sure that other departments cannot share the RI discounts.

Which solution will meet these requirements?

 

A.       In the AWS Billing and Cost Management console for the HR department's production account, turn off RI sharing

B.       Remove the HR department's production AWS account from the organization. Add the account to the consolidating billing configuration only

C.      In the AWS Billing and Cost Management console, use the organization's management account to turn off RI sharing for the HR department's production AWS account

D.      Create an SCP in the organization to restrict access to the RIs. Apply the SCP to the OUs of the other departments

 

Correct Answer: C

Section: (none)

QUESTION 112

A company has an organization in AWS Organizations that includes multiple AWS accounts. Each account has a single VPC. In an account named Shared Services, there is a transit gateway that is connected to a Direct Connect gateway that provides access to the company's on-premises network. The company configured AWS Resource Access Manager (AWS RAM) to share the transit gateway to all the accounts that are in the organization. The company has attached all the VPCs to the transit gateway to facilitate routing between each other.

The company uses a DNS server for on-premises servers. There are a pair of DNS servers on premises and in the Shared Services account VPC. The company discovers that Amazon EC2 instances that the company starts within the VPCs are not able to resolve addresses in the private on-premises domain.

Which solution will allow EC2 instances in all VPCs to resolve on-premises addresses?

 

A.       Define an Amazon Route 53 Resolver outbound endpoint for the on-premises domain in the Shared Services account VPC. Configure the outbound endpoint to use the IP addresses of the DNS servers for the on-premises domain. Configure a forwarder on the DNS servers to point to the internal DNS resolver of the VPC.

B.       Create an Amazon Route 53 private hosted zone for the on-premises domain in the Shared Services account VPC. Configure AWS Resource Access Manager (AWS RAM) to share the hosted zone to all accounts in the organization. Associate the Route 53 private hosted zone with each VPC.

C.      Define an Amazon Route 53 Resolver outbound endpoint for the on-premises domain in the Shared Services account VPC. Configure the outbound endpoint to use the IP addresses of the DNS servers for the on-premises domain. Configure AWS Resource Access Manager (AWS RAM) to share the Route 53 Resolver rule to all accounts in the organization. Associate the Route 53 Resolver rule with each VPC.

D.      Define an Amazon Route 53 Resolver inbound endpoint for the on-premises domain in the Shared Services account VPC. Configure the inbound endpoint to use the IP addresses of the DNS servers for the on-premises domain. Configure AWS Resource Access Manager (AWS RAM) to share the Route 53 Resolver rule to all accounts in the organization. Associate the Route 53 Resolver rule with each VPC.

 

Correct Answer: C

Section: (none)

QUESTION 113

A company is running an application in the AWS Cloud. The company's security team must approve the creation of all new IAM users. When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-Region AWS CloudTrail trail in the AWS account.

Which combination of steps will meet these requirements? (Select THREE.)

 

A.       Create an Amazon EventBridge rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser

B.       Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic

C.      Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS Fargate technology to remove access

D.      Invoke an AWS Step Functions state machine to remove access

E.       Use Amazon Simple Notification Service (Amazon SNS) to notify the security team

F.       Use Amazon Pinpoint to notify the security team

 

Correct Answer: ADE

Section: (none)

QUESTION 114

An international delivery company hosts a delivery management system on AWS. Drivers use the system to upload confirmation of delivery. Confirmation includes the recipient's signature or a photo of the package with the recipient. The driver's handheld device uploads signatures and photos through FTP to a single Amazon EC2 instance. Each handheld device saves a file in a directory based on the signed-in user, and the file name matches the delivery number. The EC2 instance then adds metadata to the file after querying a central database to pull delivery information. The file is then placed in Amazon S3 for archiving. As the company expands, drivers report that the system is rejecting connections. The FTP server is having problems because of dropped connections and memory issues. In response to these problems, a system engineer schedules a cron task to reboot the EC2 instance every 30 minutes. The billing team reports that files are not always in the archive and that the central system is not always updated. A solutions architect needs to design a solution that maximizes scalability to ensure that the archive always receives the files and that systems are always updated. The handheld devices cannot be modified, so the company cannot deploy a new application.

Which solution will meet these requirements?

 

A.       Create an AMI of the existing EC2 instance. Create an Auto Scaling group of EC2 instances behind an Application Load Balancer. Configure the Auto Scaling group to have a minimum of three instances

B.       Use AWS Transfer Family to create an FTP server that places the files in Amazon Elastic File System (Amazon EFS). Mount the EFS volume to the existing EC2 instance. Point the EC2 instance to the new path for file processing.

C.      Use AWS Transfer Family to create an FTP server that places the files in Amazon S3. Use an S3 event notification through Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function. Configure the Lambda function to add the metadata and update the delivery system.

D.      Update the handheld devices to place the files directly in Amazon S3. Use an S3 event notification through Amazon Simple Queue Service (Amazon SQS) to invoke an AWS Lambda function. Configure the Lambda function to add the metadata and update the delivery system.

 

Correct Answer: C

Section: (none)

QUESTION 115

A company is running a critical application that uses an Amazon RDS for MySQL database to store data. The RDS DB instance is deployed in Multi-AZ mode.

A recent RDS database failover test caused a 40-second outage to the application. A solutions architect needs to design a solution to reduce the outage time to less than 20 seconds. Which combination of steps should the solutions architect take to meet these requirements? (Select THREE.)

 

A.       Use Amazon ElastiCache for Memcached in front of the database

B.       Use Amazon ElastiCache for Redis in front of the database

C.      Use RDS Proxy in front of the database

D.      Migrate the database to Amazon Aurora MySQL

E.       Create an Amazon Aurora Replica

F.       Create an RDS for MySQL read replica

 

Correct Answer: CDE

Section: (none)

QUESTION 116

A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts. In an AWS application account, the company's application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company's database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed in the application account.

The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets.

Which solution will meet these requirements?

 

A.       Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA account. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the shared secrets. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.

B.       In the application account, create an IAM role that is named DBA-Secret. Grant the role the required permissions to access the secrets. In the DBA account, create an IAM role that is named DBA-Admin. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.

C.      In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets and the default AWS managed key in the application account. In the application account, attach resource-based policies to the key to allow access from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.

D.      In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets in the application account. Attach an SCP to the application account to allow access to the secrets from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.

 

Correct Answer: D

Section: (none)


QUESTION 117

A company is planning to migrate its business-critical applications from an on-premises data center to AWS. The company has an on-premises installation of a Microsoft SQL Server Always On cluster. The company wants to migrate to an AWS managed database service. A solutions architect must design a heterogeneous database migration on AWS.

Which solution will meet these requirements?

 

A.       Migrate the SQL Server databases to Amazon RDS for MySQL by using backup and restore utilities

B.       Use an AWS Snowball Edge Storage Optimized device to transfer data to Amazon S3. Set up Amazon RDS for MySQL. Use S3 integration with SQL Server features, such as BULK INSERT.

C.      Use the AWS Schema Conversion Tool to translate the database schema to Amazon RDS for MySQL. Then use AWS Database Migration Service (AWS DMS) to migrate the data from on-premises databases to Amazon RDS.

D.      Use AWS DataSync to migrate data over the network between on-premises storage and Amazon S3. Set up Amazon RDS for MySQL. Use S3 integration with SQL Server features, such as BULK INSERT.

 

Correct Answer: C

Section: (none)

QUESTION 118

A company is running an application in the AWS Cloud. The application runs on containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The ECS tasks use the Fargate launch type. The application's data is relational and is stored in Amazon Aurora MySQL. To meet regulatory requirements, the application must be able to recover to a separate AWS Region in the event of an application failure. In case of a failure, no data can be lost.

Which solution will meet these requirements with the LEAST amount of operational overhead?

 

A.       Provision an Aurora Replica in a different Region

B.       Set up AWS DataSync for continuous replication of the data to a different Region

C.      Set up AWS Database Migration Service (AWS DMS) to perform a continuous replication of the data to a different Region

D.      Use Amazon Data Lifecycle Manager (Amazon DLM) to schedule a snapshot every 5 minutes

 

Correct Answer: A

Section: (none)

QUESTION 119

A company has deployed an Amazon Connect contact center. Contact center agents are reporting large numbers of computer-generated calls. The company is concerned about the cost and productivity effects of these calls. The company wants a solution that will allow agents to flag the call as spam and automatically block the numbers from going to an agent in the future.

What is the MOST operationally efficient solution to meet these requirements?

 

A.       Customize the Contact Control Panel (CCP) by adding a flag call button that will invoke an AWS Lambda function that calls the UpdateContactAttributes API. Use an Amazon DynamoDB table to store the spam numbers. Modify the contact flows to look for the updated attribute and to use a Lambda function to read and write to the DynamoDB table.

B.       Use a Contact Lens for Amazon Connect rule that will look for spam calls. Use an Amazon DynamoDB table to store the spam numbers. Modify the contact flows to look for the rule and to invoke an AWS Lambda function to read and write to the DynamoDB table.

C.      Use an Amazon DynamoDB table to store the spam numbers. Create a quick connect that the agents can transfer the spam call to from the Contact Control Panel (CCP). Modify the quick connect contact flow to invoke an AWS Lambda function to write to the DynamoDB table.

D.      Modify the initial contact flow to ask for caller input. If the agent does not receive input, the agent should mark the caller as spam. Use an Amazon DynamoDB table to store the spam numbers. Use an AWS Lambda function to read and write to the DynamoDB table.

 

Correct Answer: A

Section: (none)


QUESTION 120

A company consists of two separate business units. Each business unit has its own AWS account within a single organization in AWS Organizations. The business units regularly share sensitive documents with each other. To facilitate sharing, the company created an Amazon S3 bucket in each account and configured two-way replication between the S3 buckets. The S3 buckets have millions of objects. Recently, a security audit identified that neither S3 bucket has encryption at rest enabled. Company policy requires that all documents must be stored with encryption at rest. The company wants to implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3). What is the MOST operationally efficient solution that meets these requirements?

 

A.       Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the objects in the same location.

B.       Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on each S3 bucket by using the corresponding KMS key in that AWS account. Encrypt the existing objects by using an S3 copy command in the AWS CLI.

C.      Turn on SSE-S3 on both S3 buckets. Encrypt the existing objects by using an S3 copy command in the AWS CLI.

D.      Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on each S3 bucket by using the corresponding KMS key in that AWS account. Use S3 Batch Operations to copy the objects into the same location.

 

Correct Answer: A

Section: (none)
