Amazon EBS encryption
The following types of data are encrypted:
Data at rest inside the volume
All data moving between the volume and the instance
All snapshots created from the volume
All volumes created from those snapshots
AWS X.509 client certificates
AWS Certificate Manager
Routing policies and BGP communities
Meet the Recovery Time Objective (RTO) & the Recovery Point Objective (RPO)
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:
SOC 1/ISAE 3402, SOC 2, SOC 3
FISMA, DIACAP, and FedRAMP
PCI DSS Level 1
ISO 9001, ISO 27001, ISO 27017, ISO 27018
AWS auto-scaling requests’ signature
AWS IAM access S3 home directory via console
AWS provides unique characteristics among all vendors in the cloud computing landscape, including:
• Flexible • Cost Effective • Scalable and Elastic • Secure • Experienced
Online Exam Library
Your company has an on-premises multi-tier PHP web application, which recently experienced downtime due to a large burst in web traffic due to a company announcement Over the coming days, you are expecting similar announcements to drive similar unpredictable bursts, and are looking to find ways to quickly improve your infrastructures ability to handle unexpected increases in traffic. The application currently consists of 2 tiers a web tier which consists of a load balancer and several Linux Apache web servers as well as a database tier which hosts a Linux server hosting a MySQL database.
Which scenario below will provide full site functionality, while helping to improve the ability of your application in the short timeframe required?
- A. Failover environment: Create an S3 bucket and configure it for website hosting. Migrate your DNS to Route53 using zone file import, and leverage Route53 DNS failover to failover to the S3 hosted website.
- B. Hybrid environment: Create an AMI, which can be used to launch web servers in EC2. Create an Auto Scaling group, which uses the AMI to scale the web tier based on incoming traffic. Leverage Elastic Load Balancing to balance traffic between on-premises web servers and those hosted in AWS.
- C. Offload traffic from on-premises environment: Setup a CIoudFront distribution, and configure CloudFront to cache objects from a custom origin. Choose to customize your object cache behavior, and select a TTL that objects should exist in cache.
- D. Migrate to AWS: Use VM Import/Export to quickly convert an on-premises web server to an AMI. Create an Auto Scaling group, which uses the imported AMI to scale the web tier based on incoming traffic. Create an RDS read replica and setup replication between the RDS instance and on-premises MySQL server to migrate the database.
A customer has written an application that uses Amazon S3 exclusively as a data store. The application works well until the customer increases the rate at which the application is updating information. The customer now reports that outdated data occasionally appears when the application accesses objects in Amazon S3.
What could be the problem, given that the application logic is otherwise correct?
- A. The application is reading parts of objects from Amazon S3 using a range header.
- B. The application is reading objects from Amazon S3 using parallel object requests.
- C. The application is updating records by writing new objects with unique keys.
- D. The application is updating records by overwriting existing objects with the same keys.
A popular e-commerce application runs on AWS. The application encounters performance issues. The database is unable to handle the amount of queries and load during peak times. The database is running on the RDS Aurora engine on the largest instance size available.
What should an administrator do to improve performance?
- A. Convert the database to Amazon Redshift.
- B. Create a CloudFront distribution.
- C. Convert the database to use EBS Provisioned IOPS.
- D. Create one or more read replicas.
A Solution Architect is designing a three-tier web application. The Architect wants to restrict access to the database tier to accept traffic from the application servers only. However, these application servers are in an Auto Scaling group and may vary in quantity.
How should the Architect configure the database servers to meet the requirements?
- A. Configure the database security group to allow database traffic from the application server IP addresses.
- B. Configure the database security group to allow database traffic from the application server security group.
- C. Configure the database subnet network ACL to deny all inbound non-database traffic from the application-tier subnet.
- D. Configure the database subnet network ACL to allow inbound database traffic from the application-tier subnet.
A company is using an Amazon S3 bucket located in us-west-2 to serve videos to their customers. Their customers are located all around the world and the videos are requested a lot during peak hours. Customers in Europe complain about experiencing slow downloaded speeds, and during peak hours, customers in all locations report experiencing HTTP 500 errors.
What can a Solutions Architect do to address these issues?
- A. Place an elastic load balancer in front of the Amazon S3 bucket to distribute the load during peak hours.
- B. Cache the web content with Amazon CloudFront and use all Edge locations for content delivery.
- C. Replicate the bucket in eu-west-1 and use an Amazon Route 53 failover routing policy to determine which bucket it should serve the request to.
- D. Use an Amazon Route 53 weighted routing policy for the CloudFront domain name to distribute the GET request between CloudFront and the Amazon S3 bucket directly.
A Solutions Architect is designing a solution that includes a managed VPN connection.
To monitor whether the VPN connection is up or down, the Architect should use:
- A. an external service to ping the VPN endpoint from outside the VPC.
- B. AWS CloudTrail to monitor the endpoint.
- C. the CloudWatch TunnelState Metric.
- D. an AWS Lambda function that parses the VPN connection logs.
A bank is writing new software that is heavily dependent upon the database transactions for write consistency. The application will also occasionally generate reports on data in the database, and will do joins across multiple tables. The database must automatically scale as the amount of data grows.
Which AWS service should be used to run the database?
- A. Amazon S3
- B. Amazon Aurora
- C. Amazon DynamoDB
- D. Amazon Redshift
A Solutions Architect is designing a mobile application that will capture receipt images to track expenses. The Architect wants to store the images on Amazon S3. However, uploading images through the web server will create too much traffic.
What is the MOST efficient method to store images from a mobile application on Amazon S3?
- A. Upload directly to S3 using a pre-signed URL.
- B. Upload to a second bucket, and have a Lambda event copy the image to the primary bucket.
- C. Upload to a separate Auto Scaling group of servers behind an ELB Classic Load Balancer, and have them write to the Amazon S3 bucket.
- D. Expand the web server fleet with Spot Instances to provide the resources to handle the images.
A Solutions Architect is designing a solution to store a large quantity of event data in Amazon S3. The Architect anticipates that the workload will consistently exceed 100 requests each second.
What should the Architect do in Amazon S3 to optimize performance?
- A. Randomize a key name prefix.
- B. Store the event data in separate buckets.
- C. Randomize the key name suffix.
- D. Use Amazon S3 Transfer Acceleration.
A legacy application running in premises requires a Solutions Architect to be able to open a firewall to allow access to several Amazon S3 buckets. The Architect has a VPN connection to AWS in place.
How should the Architect meet this requirement?
- A. Create an IAM role that allows access from the corporate network to Amazon S3.
- B. Configure a proxy on Amazon EC2 and use an Amazon S3 VPC endpoint.
- C. Use Amazon API Gateway to do IP whitelisting.
- D. Configure IP whitelisting on the customer’s gateway.
A Solutions Architect is designing solution with AWS Lambda where different environments require different database passwords.
What should the Architect do to accomplish this in a secure and scalable way?
- A. Create a Lambda function for each individual environment.
- B. Use Amazon DynamoDB to store environmental variables.
- C. Use encrypted AWS Lambda environmental variables.
- D. Implement a dedicated Lambda function for distributing variables.
A Solutions Architect is about to deploy an API on multiple EC2 instances in an Auto Scaling group behind an ELB. The support team has the following operational requirements:
- They get an alert when the requests per second go over 50,000
- They get an alert when latency goes over 5 seconds
- They can validate how many times a day users call the API requesting highly-sensitive data
Which combination of steps does the Architect need to take to satisfy these operational requirements? (Select two.)
- A. Ensure that CloudTrail is enabled.
- B. Create a custom CloudWatch metric to monitor the API for data access.
- C. Configure CloudWatch alarms for any metrics the support team requires.
- D. Ensure that detailed monitoring for the EC2 instances is enabled.
- E. Create an application to export and save CloudWatch metrics for longer term trending analysis.
A Solutions Architect is designing a highly-available website that is served by multiple web servers hosted outside of AWS. If an instance becomes unresponsive, the Architect needs to remove it from the rotation.
What is the MOST efficient way to fulfill this requirement?
- A. Use Amazon CloudWatch to monitor utilization.
- B. Use Amazon API Gateway to monitor availability.
- C. Use an Amazon Elastic Load Balancer.
- D. Use Amazon Route 53 health checks.
A Solutions Architect is designing the storage layer for a production relational database. The database will run on Amazon EC2. The database is accessed by an application that performs intensive reads and writes, so the database requires the LOWEST random I/O latency.
Which data storage method fulfills the above requirements?
- A. Store data in a filesystem backed by Amazon Elastic File System (EFS).
- B. Store data in Amazon S3 and use a third-party solution to expose Amazon S3 as a filesystem to the database server.
- C. Store data in Amazon Dynamo DB and emulate relational database semantics.
- D. Stripe data across multiple Amazon EBS volumes using RAID 0.
A Solutions Architect is designing a stateful web application that will run for one year (24/7) and then be decommissioned. Load on this platform will be constant, using a number of r4.8xlarge instances. Key drivers for this system include high availability, but elasticity is not required.
What is the MOST cost-effective way to purchase compute for this platform?
- A. Scheduled Reserved Instances
- B. Convertible Reserved Instances
- C. Standard Reserved Instances
- D. Spot Instances
A media company asked a Solutions Architect to design a highly available storage solution to serve as a centralized document store for their Amazon EC2 instances. The storage solution needs to be POSIX-compliant, scale dynamically, and be able to serve up to 100 concurrent EC2 instances.
Which solution meets these requirements?
- A. Create an Amazon S3 bucket and store all of the documents in this bucket.
- B. Create an Amazon EBS volume and allow multiple users to mount that volume to their EC2 instance(s).
- C. Use Amazon Glacier to store all of the documents.
- D. Create an Amazon Elastic File System (Amazon EFS) to store and share the documents.
A company wants to migrate a highly transactional database to AWS. Requirements state that the database has more than 6 TB of data and will grow exponentially.
Which solution should a Solutions Architect recommend?
- A. Amazon Aurora
- B. Amazon Redshift
- C. Amazon DynamoDB
- D. Amazon RDS MySQL
A company hosts a two-tier application that consists of a publicly accessible web server that communicates with a private database. Only HTTPS port 443 traffic to the web server must be allowed from the Internet.
Which of the following options will achieve these requirements? (Choose two.)
- A. Security group rule that allows inbound Internet traffic for port 443.
- B. Security group rule that denies all inbound Internet traffic except port 443.
- C. Network ACL rule that allows port 443 inbound and all ports outbound for Internet traffic.
- D. Security group rule that allows Internet traffic for port 443 in both inbound and outbound.
- E. Network ACL rule that allows port 443 for both inbound and outbound for all Internet traffic.
An organization runs an online media site, hosted on-premises. An employee posted a product review that contained videos and pictures. The review went viral and the organization needs to handle the resulting spike in website traffic.
What action would provide an immediate solution?
- A. Redesign the website to use Amazon API Gateway, and use AWS Lambda to deliver content.
- B. Add server instances using Amazon EC2 and use Amazon Route 53 with a failover routing policy.
- C. Serve the images and videos via an Amazon CloudFront distribution created using the news site as the origin.
- D. Use Amazon ElasticCache for Redis for caching and reducing the load requests from the origin.
A development team is building an application with front-end and backend application tiers. Each tier consists of Amazon EC2 instances behind an ELB Classic Load Balancer. The instances run in Auto Scaling groups across multiple Availability Zones. The network team has allocated the 10.0.0.0/24 address space for this application. Only the front-end load balancer should be exposed to the Internet. There are concerns about the limited size of the address space and the ability of each tier to scale.
What should the VPC subnet design be in each Availability Zone?
- A. One public subnet for the load balancer tier, one public subnet for the front-end tier, and one private subnet for the backend tier.
- B. One shared public subnet for all tiers of the application.
- C. One public subnet for the load balancer tier and one shared private subnet for the application tiers.
- D. One shared private subnet for all tiers of the application.
An application is running on an Amazon EC2 instance in a private subnet. The application needs to read and write data onto Amazon Kinesis Data Streams, and corporate policy requires that this traffic should not go to the internet.
How can these requirements be met?
- A. Configure a NAT gateway in a public subnet and route all traffic to Amazon Kinesis through the NAT gateway.
- B. Configure a gateway VPC endpoint for Kinesis and route all traffic to Kinesis through the gateway VPC endpoint.
- C. Configure an interface VPC endpoint for Kinesis and route all traffic to Kinesis through the gateway VPC endpoint.
- D. Configure an AWS Direct Connect private virtual interface for Kinesis and route all traffic to Kinesis through the virtual interface.
A Solutions Architect is defining a shared Amazon S3 bucket where corporate applications will save objects.
How can the Architect ensure that when an application uploads an object to the Amazon S3 bucket, the object is encrypted?
- A. Set a CORS configuration.
- B. Set a bucket policy to encrypt all Amazon S3 objects.
- C. Enable default encryption on the bucket.
- D. Set permission for users.
A Solutions Architect needs to allow developers to have SSH connectivity to web servers. The requirements are as follows:
- Limit access to users origination from the corporate network.
- Web servers cannot have SSH access directly from the Internet.
- Web servers reside in a private subnet.
Which combination of steps must the Architect complete to meet these requirements? (Choose two.)
- A. Create a bastion host that authenticates users against the corporate directory.
- B. Create a bastion host with security group rules that only allow traffic from the corporate network.
- C. Attach an IAM role to the bastion host with relevant permissions.
- D. Configure the web servers’ security group to allow SSH traffic from a bastion host.
- E. Deny all SSH traffic from the corporate network in the inbound network ACL.
A Solutions Architect needs to use AWS to implement pilot light disaster recovery for a three-tier web application hosted in an on-premises datacenter.
Which solution allows rapid provision of working, fully-scaled production environment?
- A. Continuously replicate the production database server to Amazon RDS. Use AWS CloudFormation to deploy the application and any additional servers if necessary.
- B. Continuously replicate the production database server to Amazon RDS. Create one application load balancer and register - [ ] on-premises servers. Configure ELB Application Load Balancer to automatically deploy Amazon EC2 instances for application and additional servers if the on-premises application is down.
- C. Use a scheduled Lambda function to replicate the production database to AWS. Use Amazon Route 53 health checks to deploy the application automatically to Amazon S3 if production is unhealthy.
- D. Use a scheduled Lambda function to replicate the production database to AWS. Register on-premises servers to an Auto Scaling group and deploy the application and additional servers if production is unavailable.
A Solutions Architect is developing a new web application on AWS. The Architect expects the application to become very popular, so the application must scale to support the load. The Architect wants to focus on software development and deploying new features without provisioning or managing instances.
What solution is appropriate?
- A. Amazon API Gateway and AWS Lambda
- B. Elastic Load Balancing with Auto Scaling groups and Amazon EC2
- C. Amazon API Gateway and Amazon EC2
- D. Amazon CloudFront and AWS Lambda
A Solutions Architect is deploying a new production MySQL database on AWS. It is critical that the database is highly available.
What should the Architect do to achieve this goal with Amazon RDS?
- A. Create a read replica of the primary database and deploy it in a different AWS Region.
- B. Enable multi-AZ to create a standby database in a different Availability Zone.
- C. Enable multi-AZ to create a standby database in a different AWS Region.
- D. Create a read replica of the primary database and deploy it in a different Availability Zone.
An organization designs a mobile application for their customers to upload photos to a site. The application needs a secure login with MFA. The organization wants to limit the initial build time and maintenance of the solution.
Which solution should a Solutions Architect recommend to meet the requirements?
- A. Use Amazon Cognito Identity with SMS-based MFA.
- B. Edit AWS IAM policies to require MFA for all users.
- C. Federate IAM against corporate AD that requires MFA.
- D. Use Amazon API Gateway and require SSE for photos.
A Solutions Architect is designing a solution to monitor weather changes by the minute. The frontend application is hosted on Amazon EC2 instances. The backend must be scalable to a virtually unlimited size, and data retrieval must occur with minimal latency.
Which AWS service should the Architect use to store the data and achieve these requirements?
- A. Amazon S3
- B. Amazon DynamoDB
- C. Amazon RDS
- D. Amazon EBS
An application hosted on AWS uses object storage for storing internal reports that are accessed daily by the CFO. Currently, these reports are publicly available.
How should a Solutions Architect re-design this architecture to prevent unauthorized access to these reports?
- A. Encrypt the files on the client side and store the files on Amazon Glacier, then decrypt the reports on the client side.
- B. Move the files to Amazon ElastiCache and provide a username and password for downloading the reports.
- C. Specify the use of AWS KMS server-side encryption at the time of an object creation on Amazon S3.
- D. Store the files on Amazon S3 and use the application to generate S3 pre-signed URLs to users.
A Solutions Architect is designing an application on AWS that will connect to the on-premise data center through a VPN connection. The solution must be able to log network traffic over the VPN.
Which service logs this network traffic?
- A. AWS CloudTrail logs
- B. Amazon VPC flow logs
- C. Amazon S3 bucket logs
- D. Amazon CloudWatch Logs
A team has an application that detects new objects being uploaded into an Amazon S3 bucket. The uploads trigger a Lambda function to write object metadata into an Amazon DynamoDB table and RDS PostgreSQL database.
Which action should the team take to ensure high availability?
- A. Enable cross-region replication in the Amazon S3 bucket.
- B. Create a Lambda function for each Availability Zone the application is deployed in.
- C. Enable multi-AZ on the RDS PostgreSQL database.
- D. Create a DynamoDB stream for the DynamoDB table.
A Solutions Architect is designing a customer order processing application that will likely have high usage spikes.
What should the Architect do to ensure that customer orders are not lost before being written to an Amazon RDS database? (Choose two.)
- A. Use Amazon CloudFront to deliver the application front end.
- B. Use Elastic Load Balancing with a round-robin routing algorithm.
- C. Have the orders written into an Amazon SQS queue.
- D. Scale the number of processing nodes based on pending order volume.
- E. Have a standby Amazon RDS instance in a separate Availability Zone.
Employees from several companies use an application once a year during a specific 30-day period. The periods are different for each company. Traffic to the application spikes during these 30-day periods.
How can the application be designed to handle these traffic spikes?
- A. Use an Amazon Route 53 latency routing policy to route traffic to an Amazon EC2 instance with the least lag time.
- B. Use Amazon S3 to cache static elements of the website requests.
- C. Use an Auto Scaling group to scale the number of EC2 instances to match the site traffic.
- D. Use Amazon Cloud Front to serve static assets to decrease the load on the EC2 instances.
A company has a popular multi-player mobile game hosted in its on-premises datacenter. The current infrastructure can no longer keep up with demand and the company is considering a move to the cloud.
Which solution should a Solutions Architect recommend as the MOST scalable and cost-effective solution to meet these needs?
- A. Amazon EC2 and an Application Load Balancer
- B. Amazon S3 and Amazon CloudFront
- C. Amazon EC2 and Amazon Elastic Transcoder
- D. AWS Lambda and Amazon API Gateway
An organization runs an online voting system for a television program. During broadcasts, hundreds of thousands of votes are submitted within minutes and sent to a front-end fleet of auto-scaled Amazon EC2 instances. The EC2 instances push the votes to an RDBMS database. The database is unable to keep up with the front-end connection requests.
What is the MOST efficient and cost-effective way of ensuring that votes are processed in a timely manner?
- A. Each front-end node should send votes to an Amazon SQS queue. Provision worker instances to read the SQS queue and process the message information into RDBMS database.
- B. As the load on the database increases, horizontally-scale the RDBMS database with additional memory-optimized instances. When voting has ended, scale down the additional instances.
- C. Re-provision the RDBMS database with larger, memory-optimized instances. When voting ends, re-provision the back-end database with smaller instances.
- D. Send votes from each front-end node to Amazon DynamoDB. Provision worker instances to process the votes in DynamoDB into the RDBMS database.
An application publishes Amazon SNS messages in response to several events. An AWS Lambda function subscribes to these messages. Occasionally the function will fail while processing a message, so the original event message must be preserved for root cause analysis.
What architecture will meet these requirements without changing the workflow?
- A. Subscribe an Amazon SQS queue to the Amazon SNS topic and trigger the Lambda function from the queue.
- B. Configure Lambda to write failures to an SQS Dead Letter Queue.
- C. Configure a Dead Letter Queue for the Amazon SNS topic.
- D. Configure the Amazon SNS topic to invoke the Lambda function synchronously.
A company is using Amazon S3 as its local repository for weekly analysis reports. One of the company-wide requirements is to secure data at rest using encryption. The company chose Amazon S3 server-side encryption. The company wants to know how the object is decrypted when a GET request is issued.
Which of the following answers this question?
- A. The user needs to place a PUT request to decrypt the object.
- B. The user needs to decrypt the object using a private key.
- C. Amazon S3 manages encryption and decryption automatically.
- D. Amazon S3 provides a server-side key for decrypting the object.
One company wants to share the contents of their Amazon S3 bucket with another company. Security requirements mandate that only the other company’s AWS accounts have access to the contents of the Amazon S3 bucket.
Which Amazon S3 feature will allow secure access to the Amazon S3 bucket?
- A. Bucket policy
- B. Object tagging
- C. CORS configuration
- D. Lifecycle policy
A company plans to use an Amazon VPC to deploy a web application consisting of an elastic load balancer, a fleet of web and application servers, and an Amazon RDS MySQL database that should not be accessible from the Internet. The proposed design must be highly available and distributed over two Availability Zones.
What would be the MOST appropriate VPC design for this specific use case?
- A. Two public subnets for the elastic load balancer, two public subnets for the web servers, and two public subnets for Amazon RDS.
- B. One public subnet for the elastic load balancer, two private subnets for the web servers, and two private subnets for Amazon RDS.
- C. One public subnet for the elastic load balancer, one public subnet for the web servers, and one private subnet for the database.
- D. Two public subnets for the elastic load balancer, two private subnets for the web servers, and two private subnets for RDS.
A Solutions Architect is designing a microservice to process records from Amazon Kinesis Streams. The metadata must be stored in Amazon DynamoDB. The microservice must be capable of concurrently processing 10,000 records daily as they arrive in the Kinesis stream.
The MOST scalable way to design the microservice is:
- A. As an AWS Lambda function.
- B. As a process on an Amazon EC2 instance.
- C. As a Docker container running on Amazon ECS.
- D. As a Docker container on an EC2 instance.
An application runs on EC2 instances behind an Elastic Load Balancing Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. The application provides a RESTful interface with both synchronous and asynchronous operations. The asynchronous operations require up to 5 minutes to complete. Although the application must remain available at all times, after business hours, the traffic going to the application is greatly reduced and often results in the Auto Scaling group running the minimum number of On-Demand Instances.
What should the Solutions Architect recommend to optimize the cost of the environment after business hours?
- A. Change the Availability Zones in which the instances were created to another Availability Zone in the same region with a lower cost.
- B. Replace all On-Demand Instances with Spot Instances in the Auto Scaling group.
- C. Purchase Reserved Instances for the minimum number of Auto Scaling instances.
- D. Reduce the number of minimum instances to 0. New requests to the Application Load Balancer create new instances.
A company is building a critical ingestion service on AWS that will receive 1,000 incoming events per second. The events must be processed in order, and no events may be lost. Multiple applications will need to process each event. The company will expose the service as RESTful calls through an API Gateway.
What should a Solutions Architect use to receive the events based on these requirements?
- A. Amazon Kinesis Data Stream
- B. Amazon DynamoDB
- C. Amazon SQS
- D. Amazon SNS
An AWS Lambda function requires access to an Amazon RDS for SQL Server instance. It is against company policy to store passwords in Lambda functions.
How can a Solutions Architect enable the Lambda function to retrieve the database password without violating company policy?
- A. Add an IAM policy for IAM database access to the Lambda execution role.
- B. Store a one-way hash of the password in the Lambda function.
- C. Have the Lambda function use the AWS Systems Manager Parameter Store.
- D. Connect to the Amazon RDS for SQL Server instance by using a role assigned to the Lambda function.
A company has two different types of reporting needs on their 200-GB data warehouse:
Data scientists run a small number of concurrent ad hoc SQL queries that can take several minutes each to run.
Display screens throughout the company run many fast SQL queries to populate dashboards.
Which design would meet these requirements with the LEAST cost?
- A. Replicate relevant data between Amazon Redshift and Amazon DynamoDB. Data scientists use Redshift. Dashboards use DynamoDB.
- B. Configure auto-replication between Amazon Redshift and Amazon RDS. Data scientists use Redshift. Dashboards use RDS.
- C. Use Amazon Redshift for both requirements, with separate query queues configured in workload management.
- D. Use Amazon Redshift for Data Scientists. Run automated dashboard queries against Redshift and store the results in Amazon ElastiCache. Dashboards query ElastiCache.
A company is rolling out a new web service, but is unsure how many customers the service will attract. However, the company is unwilling to accept any downtime.
What could a Solutions Architect recommend to the company in order to keep track of customers’ current session data?
- A. Amazon EC2
- B. Amazon RDS
- C. AWS CloudTrail
- D. Amazon DynamoDB
A company has asked the Solutions Architect to modify its AWS-hosted internal application to allow for load balancing. The customer requests always come from the company domain (example.net). The company requires that incoming HTTP and HTTPS traffic is routed based on the path element of the URL in the request.
Which implementation can satisfy all requirements?
- A. Configure a Network Load Balancer with listeners for appropriate path patterns for the target groups.
- B. Configure an Application Load Balancer with host-based routing based on the domain field in the HTTP header.
- C. Configure a Network Load Balancer and enable cross-zone load balancing to ensure that all EC2 instances are used.
- D. Configure an Application Load Balancer with listeners for appropriate path patterns for the target group.
A Solutions Architect has been asked to deliver video content stored on Amazon S3 to specific users from Amazon CloudFront while restricting access by unauthorized users.
How can the Architect implement a solution to meet these requirements?
- A. Configure CloudFront to use signed-URLs to access Amazon S3.
- B. Store the videos as private objects in Amazon S3, and let CloudFront serve the objects by using only Origin Access Identity (OAI).
- C. Use Amazon S3 static website as the origin of CloudFront, and configure CloudFront to deliver the videos by generating a signed URL for users.
- D. Use OAI for CloudFront to access private S3 objects and select the Restrict Viewer Access option in CloudFront cache behavior to use signed URLs.
A company has a website running on Amazon EC2. The application DNS name points to an Elastic IP address associated with the EC2 instance. In the event of an attack on the website coming from a specific IP address, the company wants a way to block the offending IP address.
Which tool or service should a Solutions Architect recommend to block the IP address?
- A. Security groups
- B. Network ACL
- C. AWS WAF
- D. AWS Shield
A Solution Architect is designing a two-tier application for maximum security, with a web tier running on EC2 instances and the data stored in an RDS DB instance. The web tier should accept user access only through HTTPS connections (port 443) from the Internet, and the data must be encrypted in transit to and from the database.
What combination of steps will MOST securely meet the stated requirements? (Choose two.)
- A. Create a security group for the web tier instances that allows inbound traffic only over port 443.
- B. Enforce Transparent Data Encryption (TDE) on the RDS database.
- C. Create a network ACL that allows inbound traffic only over port 443.
- D. Configure the web servers to communicate with RDS by using SSL, and issue certificates to the web tier EC2 instances.
- E. Create a customer master key in AWS KMS and apply it to encrypt the RDS instance.
A Solutions Architect is trying to bring a data warehouse workload to an Amazon EC2 instance. The data will reside in Amazon EBS volumes and full table scans will be executed frequently.
What type of Amazon EBS volume would be most suitable in this scenario?
- A. Throughput Optimized HDD (st1)
- B. Provisioned IOPS SSD (io1)
- C. General Purpose SSD (gp2)
- D. Cold HDD (sc1)
A client has set up an Auto Scaling group associated with a load balancer. The client has noticed that instances launched by the Auto Scaling group are reported unhealthy as the result of an Elastic Load Balancing (ELB) health check, but these unhealthy instances are not being terminated.
What can a Solutions Architect do to ensure that the instances marked unhealthy will be terminated and replaced?
- A. Increase the value for the health check interval set on the ELB load balancer.
- B. Change the thresholds set on the Auto Scaling group health check.
- C. Change the health check type to ELB for the Auto Scaling group.
- D. Change the health check set on the ELB load balancer to use TCP rather than HTTP checks.
A Solutions Architect is designing a solution to send Amazon CloudWatch Alarm notifications to a group of users on a smartphone mobile application.
What are the key steps to this solution? (Choose two.)
- A. Configure the CloudWatch Alarm to send the notification to an Amazon SNS topic whenever there is an alarm.
- B. Configure the CloudWatch Alarm to send the notification to a mobile phone number whenever there is an alarm.
- C. Configure the CloudWatch Alarm to send the notification to the email addresses whenever there is an alarm.
- D. Create the platform endpoints for mobile devices and subscribe the SNS topic with platform endpoints.
- E. Subscribe the SNS topic with an Amazon SQS queue, and poll the messages continuously from the queue. Use each mobile platform’s libraries to send the message to the mobile application.
A company uses Amazon S3 for storing a variety of files. A Solutions Architect needs to design a feature that will allow users to instantly restore any deleted files within 30 days of deletion.
Which is the MOST cost-efficient solution?
- A. Create lifecycle policies that move the objects to Amazon Glacier and delete them after 30 days.
- B. Enable cross-region replication. Empty the replica bucket every 30 days using an AWS Lambda function.
- C. Enable versioning and create a lifecycle policy to remove expired versions after 30 days.
- D. Enable versioning and MFA Delete. Using a Lambda function, remove MFA delete from objects more than 30 days old.
A Solutions Architect must design an Amazon DynamoDB table to store data about customer activities. The data is used to analyze recent customer behavior, so data that is less than a week old is heavily accessed and older data is accessed infrequently. Data that is more than one month old never needs to be referenced by the application, but needs to be archived for year-end analytics.
What is the MOST cost-efficient way to meet these requirements? (Choose two.)
- A. Use DynamoDB time-to-live settings to expire items after a certain time period.
- B. Provision a higher write capacity unit to minimize the number of partitions.
- C. Create separate tables for each week’s data with higher throughput for the current week.
- D. Pre-process data to consolidate multiple records to minimize write operations.
- E. Export the old table data from DynamoDB to Amazon S3 using AWS Data Pipeline, and delete the old table.
An application uses an Amazon SQS queue as a transport mechanism to deliver data to a group of EC2 instances for processing. The application owner wants to add a mechanism to archive the incoming data without modifying application code on the EC2 instances.
How can this application be re-architected to archive the data without modifying the processing instances?
- A. Trigger a Lambda function by using Amazon CloudWatch Events to retrieve messages from the SQS queue and archive to Amazon S3.
- B. Use an Amazon SNS topic to fan out the data to the SQS queue in addition to a Lambda function that records the data to an S3 bucket.
- C. Set up an Amazon Kinesis Data Stream so that multiple instances can receive data. Add a separate EC2 instance that is configured to archive all data it receives.
- D. Write the data to an S3 bucket, and use an SQS queue for S3 event notifications to tell the instances where to retrieve the data.
A Solutions Architect must select the most cost-efficient architecture for a service that responds to web requests. These web requests are small and query a DynamoDB table. The request rate ranges from zero to several hundred each second, without any predictable patterns.
What is the MOST cost-efficient architecture for this service?
- A. Network Load Balancer/Amazon EC2
- B. Application Load Balancer/Amazon ECS
- C. API Gateway/AWS Lambda
- D. AWS Elastic Beanstalk/AWS Lambda
A company has a web application running in a Docker container that connects to a MySQL server in an on-premises data center. The deployment and maintenance of this application are becoming time-consuming and slowing down new feature releases. The company wants to migrate the application to AWS and use services that helps facilitate infrastructure management and deployment.
Which architectures should the company consider on AWS? (Choose two.)
- A. Amazon ECS for the web application, and an Amazon RDS for MySQL for the database.
- B. AWS Elastic Beanstalk Docker Multi-container either for the web application or database.
- C. AWS Elastic Beanstalk Docker Single Container for the web application, and an Amazon RDS for MySQL for the database.
- D. AWS CloudFormation with Lambda Custom Resources without VPC for the web application, and an Amazon RDS for MySQL database.
- E. AWS CloudFormation with Lambda Custom Resources running in a VPC for the web application, and an Amazon RDS for MySQL database.
A company is moving to AWS. Management has identified a set of approved AWS services that meet all deployment requirements. The company would like to restrict access to all other unapproved services to which employees would have access.
Which solution meets these requirements with the LEAST amount of operational overhead?
- A. Configure the AWS Trusted Advisor service utilization compliance report. Subscribe to Amazon SNS notifications from Trusted Advisor. Create a custom AWS Lambda function that can automatically remediate the use of unauthorized services.
- B. Use AWS Config to evaluate the configuration settings of AWS resources. Subscribe to Amazon SNS notifications from AWS Config. Create a custom AWS Lambda function that can automatically remediate the use of unauthorized services.
- C. Configure AWS Organizations. Create an organizational unit (OU) and place all AWS accounts into the OU. Apply a service control policy (SCP) to the OU that denies the use of certain services.
- D. Create a custom AWS IAM policy. Deploy the policy to each account using AWS CloudFormation StackSets. Include deny statements in the policy to restrict the use of certain services. Attach the policies to all IAM users in each account.
A customer is running a critical payroll system in a production environment in one data center and a disaster recovery (DR) environment in another. The application includes load-balanced web servers and failover for the MySQL database. The customer’s DR process is manual and error-phone. For this reason, management has asked IT to migrate the application to AWS and make it highly available so that IT no longer has to manually fail over the environment.
How should a Solutions Architect migrate the system to AWS?
- A. Migrate the production and DR environments to different Availability Zones within the same region. Let AWS manage failover between the environments.
- B. Migrate the production and DR environments to different regions. Let AWS manage failover between the environments.
- C. Migrate the production environment to a single Availability Zone, and set up instance recovery for Amazon EC2. Decommission the DR environment because it is no longer needed.
- D. Migrate the production environment to span multiple Availability Zones, using Elastic Load Balancing and Multi-AZ Amazon RDS. Decommission the DR environment because it is no longer needed.
A Solutions Architect is designing a highly available web application on AWS. The data served on the website is dynamic and is pulled from Amazon DynamoDB. All users are geographically close to one another.
How can the Solutions Architect make the application highly available?
- A. Host the website data on Amazon S3 and set permissions to enable public read-only access for users.
- B. Host the web server data on Amazon CloudFront and update the objects in the Cloudfront distribution when they change.
- C. Host the application on EC2 instances across multiple Availability Zones. Use an Auto Scaling group coupled with an Application Load Balancer.
- D. Host the application on EC2 instances in a single Availability Zone. Replicate the EC2 instances to a separate region, and use an Application Load Balancer for high availability.
A company is migrating on-premises databases to AWS. The company’s backend application produces a large amount of database queries for reporting purposes, and the company wants to offload some of those reads to Read Replica, allowing the primary database to continue performing efficiently.
Which AWS database platforms will accomplish this? (Select TWO.)
- A. Amazon RDS for Oracle
- B. Amazon RDS for PostgreSQL
- C. Amazon RDS for MariaDB
- D. Amazon DynamoDB
- E. Amazon RDS for Microsoft SQL Server
A data-processing application runs on an i3.large EC2 instance with a single 100 GB EBS gp2 volume. The application stores temporary data in a small database (less than 30 GB) located on the EBS root volume. The application is struggling to process the data fast enough, and a Solutions Architect has determined that the I/O speed of the temporary database is the bottleneck.
What is the MOST cost-efficient way to improve the database response times?
- A. Enable EBS optimization on the instance and keep the temporary files on the existing volume.
- B. Put the temporary database on a new 50-GB EBS gp2 volume.
- C. Move the temporary database onto instance storage.
- D. Put the temporary database on a new 50-GB EBS io1 volume with a 3-K IOPS provision.
A Solutions Architect is designing a system that will store Personally Identifiable Information (PII) in an Amazon S3 bucket. Due to compliance and regulatory requirements, both the master keys and unencrypted data should never be sent to AWS.
What Amazon S3 encryption technique should the Architect choose?
- A. Amazon S3 client-side encryption with an AWS KMS-managed customer master key (CMK)
- B. Amazon S3 server-side encryption with an AWS KMS-managed key
- C. Amazon S3 client-side encryption with a client-side master key
- D. Amazon S3 server-side encryption with a customer-provided key
An application is scanning an Amazon DynamoDB table that was created with default settings. The application occasionally reads stale data when it queries the table.
How can this issue be corrected?
- A. Increase the provisioned read capacity of the table.
- B. Enable AutoScaling on the DynamoDB table.
- C. Update the application to use strongly consistent reads.
- D. Re-create the DynamoDB table with eventual consistency disabled.
A Solution Architect is designing a web application that runs on Amazon EC2 instances behind a load balancer. All data in transit must be encrypted.
Which solutions will meet the encryption requirement? (Select TWO.)
- A. Use an Application Load Balancer (ALB) in passthrough mode, then terminate SSL on EC2 instances.
- B. Use an Application Load Balancer (ALB) with a TCP listener, then terminate SSL on EC2 instances.
- C. Use a Network Load Balancer (NLB) with a TCP listener, then terminate SSL on EC2 instances.
- D. Use an Application Load Balancer (ALB) with an HTTPS listener, then install SSL certificates on the ALB and EC2 instances.
- E. Use a Network Load Balancer (NLB) with an HTTPS listener, then install SSL certificates on the NLB and EC2 instances.
A user is designing a new service that receives location updates from 3,600 rental cars every hour. The cars upload their location to an Amazon S3 bucket. Each location must be checked for distance from the original rental location.
Which services will process the updates and automatically scale?
- A. Amazon EC2 and Amazon EBS
- B. Amazon Kinesis Firehouse and Amazon S3
- C. Amazon ECS and Amazon RDS
- D. Amazon S3 events and AWS Lambda
A company is writing a new service running on Amazon EC2 that must create thumbnail images of thousands of images in a large archive. The system will write scratch data to storage during the process.
Which storage service is best suited for this scenario?
- A. EC2 instance store
- B. Amazon EFS
- C. Amazon CloudSearch
- D. Amazon EBS Throughput Optimized HDD (st1)
A Solutions Architect is designing a new architecture that will use an Amazon EC2 Auto Scaling group.
Which of the following factors determine the health check grace period? (Select TWO.)
- A. How frequently the Auto Scaling group scales up or down.
- B. How many Amazon CloudWatch alarms are configured for status checks.
- C. How much of the application code is embedded in the AMI.
- D. How long it takes for the Auto Scaling group to detect a failure.
- E. How long the bootstrap script takes to run.
A company plans to deploy a new application in AWS that reads and writes information to a database. The company wants to deploy the application in two different AWS Regions in an active-active configuration. The databases need to replicate to keep information in sync.
What should be used to meet these requirements?
- A. Amazon Athena with Amazon S3 cross-region replication
- B. AWS Database Migration Service with change data capture
- C. Amazon DynamoDB with global tables
- D. Amazon RDS for P
A company hosts a website using Amazon API Gateway on the front end. Recently, there has been heavy traffic on the website and the company wants to control access by allowing authenticated traffic only.
How should the company limit access to authenticated users only? (Select TWO.)
- A. Allow users that are authenticated through Amazon Cognito.
- B. Limit traffic through API Gateway.
- C. Allow X.509 certificates to authenticate traffic.
- D. Deploy AWS KMS to identify users.
- E. Assign permissions in AWS IAM to allow users.
When designing an Amazon SQS message-processing solution, messages in the queue must be processed before the maximum retention time has elapsed.
Which actions will meet this requirement? (Choose two.)
- A. Use AWS STS to process the messages
- B. Use Amazon EBS-optimized Amazon EC2 instances to process the messages
- C. Use Amazon EC2 instances in an Auto Scaling group with scaling triggered based on the queue length
- D. Increase the SQS queue attribute for the message retention period
- E. Convert the SQS queue to a first-in first-out (FIFO) queue
A Solutions Architect is building an online shopping application where users will be able to browse items, add items to a cart, and purchase the items. Images of items will be stored in Amazon S3 buckets organized by item category. When an item is no longer available for purchase, the item image will be deleted from the S3 bucket. Occasionally, during testing, item images deleted from the S3 bucket are still visible to some users.
What is a flaw in this design approach?
- A. Defining S3 buckets by item may cause partition distribution errors, which will impact performance.
- B. Amazon S3 DELETE requests are eventually consistent, which may cause other users to view items that have already been purchased
- C. Amazon S3 DELETE requests apply a lock to the S3 bucket during the operation, causing other users to be blocked
- D. Using Amazon S3 for persistence exposes the application to a single point of failure
A company is developing a new stateless web service with low memory requirements. The service needs to scale based on demand.
What is the MOST cost-effective solution?
- A. Deploy the application onto AWS Elastic Beanstalk
- B. Deploy the application onto AWS Lambda with access through Amazon API Gateway
- C. Deploy the application onto an Amazon EC2 Spot Fleet
- D. Deploy the application onto a container with an Amazon ECS EC2 launch type
A Solutions Architect plans to migrate a load balancer tier from a data center to AWS. Several websites have multiple domains that require secure load balancing. The Architect decides to use Elastic Load Balancing Application Load Balancers.
What is the MOST efficient method for achieving secure communication?
- A. Create a wildcard certificate and upload it to the Application Load Balancer
- B. Create an SNI certificate and upload it to the Application Load Balancer
- C. Create a secondary proxy server to terminate SSL traffic before the traffic reaches the Application Load Balancer
- D. Let a third-party Certificate Manager manage certificates required to all domains and upload them to the Application Load Balancer
An application stores data in an Amazon RDS MySQL DB instance. The database traffic primarily consists of read queries, which are overwhelming the current database. A Solutions Architect wants to scale the database.
What combination of steps will achieve the goal? (Choose two.)
- A. Add the MySQL database instances to an Auto Scaling group
- B. Migrate the MySQL database to Amazon Aurora
- C. Migrate the MySQL database to a PostgreSQL database
- D. Create read replicas in different Availability Zones
- E. Create an ELB Application Load Balancer
A Solutions Architect is designing an application that is expected to have millions of users. The Architect needs options to store session data.
Which option is the MOST performant?
- A. Amazon ElastiCache
- B. Amazon RDS
- C. Amazon S3
- D. Amazon EFS
A customer has an application that is used by enterprise customers outside of AWS. Some of these customers use legacy firewalls that cannot whitelist by DNS name, but whitelist based only on IP address. The application is currently deployed in two Availability Zones, with one EC2 instance in each that has Elastic IP addresses. The customer wants to whitelist only two IP addresses, but the two existing EC2 instances cannot sustain the amount of traffic.
What can a Solutions Architect do to support the customer and allow for more capacity? (Choose two.)
- A. Create a Network Load Balancer with an interface in each subnet, and assign a static IP address to each subnet.
- B. Create additional EC2 instances and put them on standby. Remap an Elastic IP address to a standby instance in the event of a failure.
- C. Use Amazon Route 53 with a weighted, round-robin routing policy across the Elastic IP addresses to resolve one at a time.
- D. Add additional EC2 instances with Elastic IP addresses, and register them with Amazon Route 53
- E. Switch the two existing EC2 instances for an Auto Scaling group, and register them with the Network Load Balancer.
A Solutions Architect designed a system based on Amazon Kinesis Data Streams. After the workflow was put into production, the company noticed it performed slowly and identified Kinesis Data Streams as the problem. One of the streams has a total of 10 Mb/s throughput.
What should the Solutions Architect recommend to improve performance?
- A. Use AWS Lambda to preprocess the data and transform the records into a simpler format, such as CSV.
- B. Run the MergeShard command to reduce the number of shards that the consumer can more easily process.
- C. Change the workflow to use Amazon Kinesis Data Firehose to gain a higher throughput.
- D. Run the UpdateShardCount command to increase the number of shards in the stream
A Solutions Architect is designing a three-tier web application that will allow customers to upload pictures from a mobile application. The application will then generate a thumbnail of the picture and return a message to the user confirming that the image was successfully uploaded. Generation of the thumbnail may take up to 5 seconds. To provide a sub second response time to the customers uploading the images, the Solutions Architect wants to separate the web tier from the application tier.
Which service would allow the presentation tier to asynchronously dispatch the request to the application tier?
- A. AWS Step Functions
- B. AWS Lambda
- C. Amazon SNS
- D. Amazon SQS
An organization uses Amazon S3 to store video content served via its website. It only has rights to deliver this content to users within its own country and needs to restrict access.
How can the organization ensure that these files are only accessible from within its country?
- A. Use a custom Amazon S3 bucket policy to allow access only to users inside the organization’s country
- B. Use Amazon CloudFront and Geo Restriction to allow access only to users inside the organization’s country
- C. Use an Amazon S3 bucket ACL to allow access only to users inside the organization’s country
- D. Use file-based ACL permissions on each video file to allow access only to users inside the organization’s country
A company is storing data in an Amazon DynamoDB table and needs to take daily backups and retain them for 6 months.
How should the Solutions Architect meet these requirements without impacting the production workload?
- A. Use DynamoDB replication and restore the table from the replica
- B. Use AWS Data Pipeline and create a scheduled job to back up the DynamoDB table daily
- C. Use Amazon CloudWatch Events to trigger an AWS Lambda function that makes an on-demand backup of the table
- D. Use AWS Batch to create a scheduled backup with the default template, then back up to Amazon S3 daily.
During a review of business applications, a Solutions Architect identifies a critical application with a relational database that was built by a business user and is running on the user’s desktop. To reduce the risk of a business interruption, the Solutions Architect wants to migrate the application to a highly available, multi- tiered solution in AWS.
What should the Solutions Architect do to accomplish this with the LEAST amount of disruption to the business?
- A. Create an import package of the application code for upload to AWS Lambda, and include a function to create another Lambda function to migrate data into an Amazon RDS database
- B. Create an image of the user’s desktop, migrate it to Amazon EC2 using VM Import, and place the EC2 instance in an Auto Scaling group
- C. Pre-stage new Amazon EC2 instances running the application code on AWS behind an Application Load Balancer and an Amazon RDS Multi-AZ DB instance
- D. Use AWS DMS to migrate the backend database to an Amazon RDS Multi-AZ DB instance. Migrate the application code to AWS Elastic Beanstalk
A photo-sharing website running on AWS allows users to generate thumbnail images of photos stored in Amazon S3. An Amazon DynamoDB table maintains the locations of photos, and thumbnails are easily re-created from the originals if they are accidentally deleted.
How should the thumbnail images be stored to ensure the LOWEST cost?
- A. Amazon S3 Standard-Infrequent Access (S3 Standard-IA) with cross-region replication
- B. Amazon S3
- C. Amazon Glacier
- D. Amazon S3 with cross-region replication
A company is implementing a data lake solution on Amazon S3. Its security policy mandates that the data stored in Amazon S3 should be encrypted at rest.
Which options can achieve this? (Select TWO.)
- A. Use S3 server-side encryption with an Amazon EC2 key pair.
- B. Use S3 server-side encryption with customer-provided keys (SSE-C).
- C. Use S3 bucket policies to restrict access to the data at rest.
- D. Use client-side encryption before ingesting the data to Amazon S3 using encryption keys.
- E. Use SSL to encrypt the data while in transit to Amazon S3.
An organization hosts 10 microservices, each in an Auto Scaling group behind individual Classic Load Balancers. Each EC2 instance is running at optimal load.
Which of the following actions would allow the organization to reduce costs without impacting performance?
- A. Reduce the number of EC2 instances behind each Classic Load Balancer.
- B. Change instance types in the Auto Scaling group launch configuration.
- C. Change the maximum size but leave the desired capacity of the Auto Scaling groups.
- D. Replace the Classic Load Balancers with a single Application Load Balancer.
A company plans to use Amazon GuardDuty to detect unexpected and potentially malicious activity. The company wants to use Amazon CloudWatch to ensure that when findings occur, remediation takes place automatically.
Which CloudWatch feature should be used to trigger an AWS Lambda function to perform the remediation?
- A. Events
- B. Dashboards
- C. Metrics
- D. Alarms
A Solutions Architect must create a solution whereby user access to multiple Amazon Aurora MySQL databases is securely managed with short-lived connection credentials.
How can the Solutions Architect meet these requirements?
- A. Create a database user to run the GRANT statement with a short-lived token.
- B. Create the user account to use the AWS-provided AWSAuthenticationPlugin with IAM.
- C. Use AWS Systems Manager to securely save the connection secrets, and use the secrets while connecting.
- D. Use AWS KMS to securely save the connection secrets, and use the secrets while connecting.
A customer has a legacy application with a large amount of data. The files accessed by the application are approximately 10 GB each, but are rarely accessed. However, when files are accessed, they are retrieved sequentially. The customer is migrating the application to AWS and would like to use Amazon EC2 and Amazon EBS.
What is the Least expensive EBS volume type for this use case?
- A. Cold HDD (sc1)
- B. Provisioned IOPS SSD (io1)
- C. General Purpose SSD (gp2)
- D. Throughput Optimized HDD (st1)
A Solutions Architect is designing a disaster recovery (DR) environment in a separate AWS region from an application’s primary workload. The application uses a multi-tier architecture, and only the RDS instance will have frequent changes. The application installation process takes 60 minutes on average. The disaster recovery plan must have an RPO of less than 90 minutes and an RTO of less than 30 minutes.
Which of the following would enable the Solutions Architect to meet these requirements? (Choose two.)
- A. An Aurora instance as the primary database with a read replica in the DR region.
- B. Inter-region VPC peering between the primary workload VPC and the DR VPC
- C. A cross-region Amazon EC2 Amazon Machine Image (AMI) copy
- D. Amazon S3 cross-region replication of application-tier installers
- E. Amazon CloudWatch Events in the primary region that trigger the failover to the DR region
A Solutions Architect is creating a multi-tiered architecture for an application that includes a public-facing web tier. Security requirements state that the Amazon EC2 instances running in the application tier must not be accessible directly from the internet.
What should be done to accomplish this?
- A. Create a multi-VPC peering mesh with network access rules limiting communications to specific ports. Implement an internet gateway on each VPC for external connectivity.
- B. Place all instances in a single Amazon VPC with AWS WAF as the web front-end communication conduit. Configure a NAT gateway for external communications.
- C. Use VPC peering to peer with on-premises hardware. Direct enterprise traffic through the VPC peer connection to the instances hosted in the private VPC.
- D. Deploy the web and application instances in a private subnet. Provision an Application Load Balancer in the public subnet. Install an internet gateway and use security groups to control communications between the layers.
A Lambda function must execute a query against an Amazon RDS database in a private subnet.
Which steps are required to allow the Lambda function to access the Amazon RDS database? (Select two.)
- A. Create a VPC Endpoint for Amazon RDS.
- B. Create the Lambda function within the Amazon RDS VPC.
- C. Change the ingress rules of Lambda security group, allowing the Amazon RDS security group.
- D. Change the ingress rules of the Amazon RDS security group, allowing the Lambda security group.
- E. Add an Internet Gateway (IGW) to the VPC, route the private subnet to the IGW.