Amazon SAP-C02 Exam Dumps

Amazon SAP-C02 Sample Question Answers

Question # 1

A solutions architect needs to improve an application that is hosted in the AWS Cloud. Theapplication uses an Amazon Aurora MySQL DB instance that is experiencing overloadedconnections. Most of the application's operations insert records into the database. Theapplication currently stores credentials in a text-based configuration file.The solutions architect needs to implement a solution so that the application can handle thecurrent connection load. The solution must keep the credentials secure and must providethe ability to rotate the credentials automatically on a regular basis.Which solution will meet these requirements?

A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connectioncredentials as a secret in AWS Secrets Manager.
B. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connectioncredentials in AWS Systems Manager Parameter Store.
C. Create an Aurora Replica. Store the connection credentials as a secret in AWS SecretsManager.
D. Create an Aurora Replica. Store the connection credentials in AWS Systems ManagerParameter Store.

Show Answer

Question # 2

A company is migrating an on-premises application and a MySQL database to AWS. Theapplication processes highly sensitive data, and new data is constantly updated in thedatabase. The data must not be transferred over the internet. The company also mustencrypt the data in transit and at rest.The database is 5 TB in size. The company already has created the database schema inan Amazon RDS for MySQL DB instance. The company has set up a 1 Gbps AWS Direct Connect connection to AWS. The company also has set up a public VIF and a private VIF.A solutions architect needs to design a solution that will migrate the data to AWS with theleast possible downtime.Which solution will meet these requirements?

A. Perform a database backup. Copy the backup files to an AWS Snowball Edge StorageOptimized device. Import the backup to Amazon S3. Use server-side encryption withAmazon S3 managed encryption keys (SSE-S3) for encryption at rest. Use TLS forencryption in transit. Import the data from Amazon S3 to the DB instance.
B. Use AWS Database Migration Service (AWS DMS) to migrate the data to AWS. Createa DMS replication instance in a private subnet. Create VPC endpoints for AWS DMS.Configure a DMS task to copy data from the on-premises database to the DB instance byusing full load plus change data capture (CDC). Use the AWS Key Management Service(AWS KMS) default key for encryption at rest. Use TLS for encryption in transit.
C. Perform a database backup. Use AWS DataSync to transfer the backup files to AmazonS3. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) forencryption at rest. Use TLS for encryption in transit. Import the data from Amazon S3 to theDB instance.
D. Use Amazon S3 File Gateway. Set up a private connection to Amazon S3 by using AWSPrivateLink. Perform a database backup. Copy the backup files to Amazon S3. Use serversideencryption with Amazon S3 managed encryption keys (SSE-S3) for encryption at rest.Use TLS for encryption in transit. Import the data from Amazon S3 to the DB instance.

Show Answer

Question # 3

A company is serving files to its customers through an SFTP server that is accessible overthe internet The SFTP server is running on a single Amazon EC2 instance with an ElasticIP address attached Customers connect to the SFTP server through its Elastic IP addressand use SSH for authentication The EC2 instance also has an attached security group thatallows access from all customer IP addresses.A solutions architect must implement a solution to improve availability minimize thecomplexity of infrastructure management and minimize the disruption to customers whoaccess files. The solution must not change the way customers connectWhich solution will meet these requirements?

A. Disassociate the Elastic IP address from the EC2 instance Create an Amazon S3 bucketto be used for SFTP file hosting Create an AWS Transfer Family server. Configure theTransfer Family server with a publicly accessible endpoint Associate the SFTP Elastic IPaddress with the new endpoint. Point the Transfer Family server to the S3 bucket Sync allfiles from the SFTP server to the S3 bucket.
B. Disassociate the Elastic IP address from the EC2 instance Create an Amazon S3 bucketto be used for SFTP file hosting Create an AWS Transfer Family Server Configure theTransfer Family server with a VPC-hosted, internet-facing endpoint Associate the SFTPElastic IP address with the new endpoint Attach the security group with customer IPaddresses to the new endpoint Point the Transfer Family server to the S3 bucket. Sync allfiles from the SFTP server to the S3 bucket.
C. Disassociate the Elastic IP address from the EC2 instance. Create a new AmazonElastic File System (Amazon EFS) file system to be used for SFTP file hosting. Create anAWS Fargate task definition to run an SFTP server Specify the EFS file system as a mountin the task definition Create a Fargate service by using the task definition, and place aNetwork Load Balancer (NLB) in front of the service. When configuring the service, attachthe security group with customer IP addresses to the tasks that run the SFTP serverAssociate the Elastic IP address with the NLB Sync all files from the SFTP server to the S3bucket.
D. Disassociate the Elastic IP address from the EC2 instance. Create a multi-attachAmazon Elastic Block Store (Amazon EBS) volume to be used for SFTP file hosting.Create a Network Load Balancer (NLB) with the Elastic IP address attached. Create anAuto Scaling group with EC2 instances that run an SFTP server. Define in the Auto Scalinggroup that instances that are launched should attach the new multi-attach EBS volumeConfigure the Auto Scaling group to automatically add instances behind the NLB. configurethe Auto Scaling group to use the security group that allows customer IP addresses for theEC2 instances that the Auto Scaling group launches Sync all files from the SFTP server tothe new multi-attach EBS volume.

Show Answer

Question # 4

An online retail company hosts its stateful web-based application and MySQL database inan on-premises data center on a single server. The company wants to increase itscustomer base by conducting more marketing campaigns and promotions. In preparation,the company wants to migrate its application and database to AWS to increase thereliability of its architecture.Which solution should provide the HIGHEST level of reliability?

A. Migrate the database to an Amazon RDS MySQL Multi-AZ DB instance. Deploy theapplication in an Auto Scaling group on Amazon EC2 instances behind an Application LoadBalancer. Store sessions in Amazon Neptune.
B. Migrate the database to Amazon Aurora MySQL. Deploy the application in an AutoScaling group on Amazon EC2 instances behind an Application Load Balancer. Storesessions in an Amazon ElastiCache for Redis replication group.
C. Migrate the database to Amazon DocumentDB (with MongoDB compatibility). Deploythe application in an Auto Scaling group on Amazon EC2 instances behind a Network LoadBalancer. Store sessions in Amazon Kinesis Data Firehose.
D. Migrate the database to an Amazon RDS MariaDB Multi-AZ DB instance. Deploy theapplication in an Auto Scaling group on Amazon EC2 instances behind an Application LoadBalancer. Store sessions in Amazon ElastiCache for Memcached.

Show Answer

Question # 5

A car rental company has built a serverless REST API to provide data to its mobile app.The app consists of an Amazon API Gateway API with a Regional endpoint, AWS Lambdafunctions, and an Amazon Aurora MySQL Serverless DB cluster. The company recentlyopened the API to mobile apps of partners. A significant increase in the number of requestsresulted, causing sporadic database memory errors. Analysis of the API traffic indicatesthat clients are making multiple HTTP GET requests for the same queries in a short periodof time. Traffic is concentrated during business hours, with spikes around holidays andother events.The company needs to improve its ability to support the additional usage while minimizingthe increase in costs associated with the solution.Which strategy meets these requirements?

A. Convert the API Gateway Regional endpoint to an edge-optimized endpoint. Enablecaching in the production stage.
B. Implement an Amazon ElastiCache for Redis cache to store the results of the databasecalls. Modify the Lambda functions to use the cache.
C. Modify the Aurora Serverless DB cluster configuration to increase the maximum amountof available memory.
D. Enable throttling in the API Gateway production stage. Set the rate and burst values tolimit the incoming calls.

Show Answer

Question # 6

A company has a web application that securely uploads pictures and videos to an AmazonS3 bucket. The company requires that only authenticated users are allowed to postcontent. The application generates a presigned URL that is used to upload objects througha browser interface. Most users are reporting slow upload times for objects larger than 100MB.What can a Solutions Architect do to improve the performance of these uploads whileensuring only authenticated users are allowed to post content?

A. Set up an Amazon API Gateway with an edge-optimized API endpoint that has aresource as an S3 service proxy. Configure the PUT method for this resource to exposethe S3 PutObject operation. Secure the API Gateway using a COGNITO_USER_POOLSauthorizer. Have the browser interface use API Gateway instead of the presigned URL toupload objects.
B. Set up an Amazon API Gateway with a regional API endpoint that has a resource as anS3 service proxy. Configure the PUT method for this resource to expose the S3 PutObjectoperation. Secure the API Gateway using an AWS Lambda authorizer. Have the browserinterface use API Gateway instead of the presigned URL to upload API objects.
C. Enable an S3 Transfer Acceleration endpoint on the S3 bucket. Use the endpoint whengenerating the presigned URL. Have the browser interface upload the objects to this URLusing the S3 multipart upload API.
D. Configure an Amazon CloudFront distribution for the destination S3 bucket. Enable PUTand POST methods for the CloudFront cache behavior. Update the CloudFront origin touse an origin access identity (OAI). Give the OAI user s3:PutObject permissions in the bucket policy. Have the browser interface upload objects using the CloudFront distribution.

Show Answer

Question # 7

A company has a website that runs on four Amazon EC2 instances that are behind anApplication Load Balancer (ALB). When the ALB detects that an EC2 instance is no longeravailable, an Amazon CloudWatch alarm enters the ALARM state. A member of thecompany's operations team then manually adds a new EC2 instance behind the ALB.A solutions architect needs to design a highly available solution that automatically handlesthe replacement of EC2 instances. The company needs to minimize downtime during theswitch to the new solution.Which set of steps should the solutions architect take to meet these requirements?

A. Delete the existing ALB. Create an Auto Scaling group that is configured to handle theweb application traffic. Attach a new launch template to the Auto Scaling group. Create anew ALB. Attach the Auto Scaling group to the new ALB. Attach the existing EC2 instancesto the Auto Scaling group.
B. Create an Auto Scaling group that is configured to handle the web application traffic.Attach a new launch template to the Auto Scaling group. Attach the Auto Scaling group tothe existing ALB. Attach the existing EC2 instances to the Auto Scaling group.
C. Delete the existing ALB and the EC2 instances. Create an Auto Scaling group that isconfigured to handle the web application traffic. Attach a new launch template to the AutoScaling group. Create a new ALB. Attach the Auto Scaling group to the new ALB. Wait forthe Auto Scaling group to launch the minimum number of EC2 instances.
D. Create an Auto Scaling group that is configured to handle the web application traffic. Attach a new launch template to the Auto Scaling group. Attach the Auto Scaling group tothe existing ALB. Wait for the existing ALB to register the existing EC2 instances with theAuto Scaling group.

Show Answer

Question # 8

A company is deploying a third-party firewall appliance solution from AWS Marketplace tomonitor and protect traffic that leaves the company's AWS environments. The companywants to deploy this appliance into a shared services VPC and route all outbound internetboundtraffic through the appliances.A solutions architect needs to recommend a deployment method that prioritizes reliabilityand minimizes failover time between firewall appliances within a single AWS Region. Thecompany has set up routing from the shared services VPC to other VPCs.Which steps should the solutions architect recommend to meet these requirements?(Select THREE.)

A. Deploy two firewall appliances into the shared services VPC, each in a separateAvailability Zone.
B. Create a new Network Load Balancer in the shared services VPC. Create a new targetgroup, and attach it to the new Network Load Balancer. Add each of the firewall applianceinstances to the target group.
C. Create a new Gateway Load Balancer in the shared services VPC. Create a new targetgroup, and attach it to the new Gateway Load Balancer. Add each of the firewall applianceinstances to the target group.
D. Create a VPC interface endpoint. Add a route to the route table in the shared servicesVPC. Designate the new endpoint as the next hop for traffic that enters the shared servicesVPC from other VPCs.
E. Deploy two firewall appliances into the shared services VPC. each in the sameAvailability Zone.
F. Create a VPC Gateway Load Balancer endpoint. Add a route to the route table in theshared services VPC. Designate the new endpoint as the next hop for traffic that enters theshared services VPC from other VPCs.

Show Answer

Question # 9

An ecommerce company runs an application on AWS. The application has an Amazon APIGateway API that invokes an AWS Lambda function. The data is stored in an Amazon RDSfor PostgreSQL DB instance.During the company's most recent flash sale, a sudden increase in API calls negativelyaffected the application's performance. A solutions architect reviewed the AmazonCloudWatch metrics during that time and noticed a significant increase in Lambdainvocations and database connections. The CPU utilization also was high on the DBinstance.What should the solutions architect recommend to optimize the application's performance?

A. Increase the memory of the Lambda function. Modify the Lambda function to close thedatabase connections when the data is retrieved.
B. Add an Amazon ElastiCache for Redis cluster to store the frequently accessed datafrom the RDS database.
C. Create an RDS proxy by using the Lambda console. Modify the Lambda function to usethe proxy endpoint.
D. Modify the Lambda function to connect to the database outside of the function's handler.Check for an existing database connection before creating a new connection.

Show Answer

Question # 10

A company hosts a software as a service (SaaS) solution on AWS. The solution has anAmazon API Gateway API that serves an HTTPS endpoint. The API uses AWS Lambdafunctions for compute. The Lambda functions store data in an Amazon Aurora ServerlessVI database.The company used the AWS Serverless Application Model (AWS SAM) to deploy thesolution. The solution extends across multiple Availability Zones and has no disasterrecovery (DR) plan.A solutions architect must design a DR strategy that can recover the solution in anotherAWS Region. The solution has an R TO of 5 minutes and an RPO of 1 minute.What should the solutions architect do to meet these requirements?

A. Create a read replica of the Aurora Serverless VI database in the target Region. UseAWS SAM to create a runbook to deploy the solution to the target Region. Promote theread replica to primary in case of disaster.
B. Change the Aurora Serverless VI database to a standard Aurora MySQL globaldatabase that extends across the source Region and the target Region. Use AWS SAM tocreate a runbook to deploy the solution to the target Region.
C. Create an Aurora Serverless VI DB cluster that has multiple writer instances in the targetRegion. Launch the solution in the target Region. Configure the two Regional solutions towork in an active-passive configuration.
D. Change the Aurora Serverless VI database to a standard Aurora MySQL globaldatabase that extends across the source Region and the target Region. Launch thesolution in the target Region. Configure the two Regional solutions to work in an activepassiveconfiguration.

Show Answer

Question # 11

A company is deploying a new cluster for big data analytics on AWS. The cluster will runacross many Linux Amazon EC2 instances that are spread across multiple AvailabilityZones.All of the nodes in the cluster must have read and write access to common underlying filestorage. The file storage must be highly available, must be resilient, must be compatiblewith the Portable Operating System Interface (POSIX). and must accommodate high levelsof throughput.Which storage solution will meet these requirements?

A. Provision an AWS Storage Gateway file gateway NFS file share that is attached to anAmazon S3 bucket. Mount the NFS file share on each EC2 instance in the duster.
B. Provision a new Amazon Elastic File System (Amazon EFS) file system that usesGeneral Purpose performance mode. Mount the EFS file system on each EC2 instance inthe cluster.
C. Provision a new Amazon Elastic Block Store (Amazon EBS) volume that uses the io2volume type. Attach the EBS volume to all of the EC2 instances in the cluster.
D. Provision a new Amazon Elastic File System (Amazon EFS) file system that uses MaxI/O performance mode. Mount the EFS file system on each EC2 instance in the cluster.

Show Answer

Question # 12

A company deploys a new web application. As pari of the setup, the company configuresAWS WAF to log to Amazon S3 through Amazon Kinesis Data Firehose. The companydevelops an Amazon Athena query that runs once daily to return AWS WAF log data fromthe previous 24 hours. The volume of daily logs is constant. However, over time, the samequery is taking more time to run.A solutions architect needs to design a solution to prevent the query time from continuing toincrease. The solution must minimize operational overhead.Which solution will meet these requirements?

A. Create an AWS Lambda function that consolidates each day's AWS WAF logs into onelog file.
B. Reduce the amount of data scanned by configuring AWS WAF to send logs to adifferent S3 bucket each day.
C. Update the Kinesis Data Firehose configuration to partition the data in Amazon S3 bydate and time. Create external tables for Amazon Redshift. Configure Amazon RedshiftSpectrum to query the data source.
D. Modify the Kinesis Data Firehose configuration and Athena table definition to partitionthe data by date and time. Change the Athena query to view the relevant partitions.

Show Answer

Question # 13

A solutions architect has an operational workload deployed on Amazon EC2 instances inan Auto Scaling Group The VPC architecture spans two Availability Zones (AZ) with asubnet in each that the Auto Scaling group is targeting. The VPC is connected to an onpremisesenvironment and connectivity cannot be interrupted The maximum size of theAuto Scaling group is 20 instances in service. The VPC IPv4 addressing is as follows:VPCCIDR 10 0 0 0/23AZ1 subnet CIDR: 10 0 0 0724AZ2 subnet CIDR: 10.0.1 0724Since deployment, a third AZ has become available in the Region The solutions architectwants to adopt the new AZ without adding additional IPv4 address space and withoutservice downtime. Which solution will meet these requirements?

A. Update the Auto Scaling group to use the AZ2 subnet only Delete and re-create the AZ1subnet using half the previous address space Adjust the Auto Scaling group to also use the new AZI subnet When the instances are healthy, adjust the Auto Scaling group to use theAZ1 subnet only Remove the current AZ2 subnet Create a new AZ2 subnet using thesecond half of the address space from the original AZ1 subnet Create a new AZ3 subnetusing half the original AZ2 subnet address space, then update the Auto Scaling group totarget all three new subnets.
B. Terminate the EC2 instances in the AZ1 subnet Delete and re-create the AZ1 subnetusing hall the address space. Update the Auto Scaling group to use this new subnet.Repeat this for the second AZ. Define a new subnet in AZ3: then update the Auto Scalinggroup to target all three new subnets
C. Create a new VPC with the same IPv4 address space and define three subnets, withone for each AZ Update the existing Auto Scaling group to target the new subnets in thenew VPC
D. Update the Auto Scaling group to use the AZ2 subnet only Update the AZ1 subnet tohave halt the previous address space Adjust the Auto Scaling group to also use the AZ1subnet again. When the instances are healthy, adjust the Auto Seating group to use theAZ1 subnet only. Update the current AZ2 subnet and assign the second half of the addressspace from the original AZ1 subnet Create a new AZ3 subnet using half the original AZ2subnet address space, then update the Auto Scaling group to target all three new subnets

Show Answer

Question # 14

A data analytics company has an Amazon Redshift cluster that consists of several reservednodes. The cluster is experiencing unexpected bursts of usage because a team ofemployees is compiling a deep audit analysis report. The queries to generate the report arecomplex read queries and are CPU intensive.Business requirements dictate that the cluster must be able to service read and writequeries at all times. A solutions architect must devise a solution that accommodates thebursts of usage.Which solution meets these requirements MOST cost-effectively?

A. Provision an Amazon EMR cluster. Offload the complex data processing tasks.
B. Deploy an AWS Lambda function to add capacity to the Amazon Redshift cluster byusing a classic resize operation when the cluster's CPU metrics in Amazon CloudWatchreach 80%.
C. Deploy an AWS Lambda function to add capacity to the Amazon Redshift cluster byusing an elastic resize operation when the cluster's CPU metrics in Amazon CloudWatchreach 80%.
D. Turn on the Concurrency Scaling feature for the Amazon Redshift cluster.

Show Answer

Question # 15

An online survey company runs its application in the AWS Cloud. The application isdistributed and consists of microservices that run in an automatically scaled AmazonElastic Container Service (Amazon ECS) cluster. The ECS cluster is a target for anApplication Load Balancer (ALB). The ALB is a custom origin for an Amazon CloudFrontdistribution.The company has a survey that contains sensitive data. The sensitive data must beencrypted when it moves through the application. The application's data-handlingmicroservice is the only microservice that should be able to decrypt the data.Which solution will meet these requirements?

A. Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated tothe data-handling microservice. Create a field-level encryption profile and a configuration.Associate the KMS key and the configuration with the CloudFront cache behavior.
B. Create an RSA key pair that is dedicated to the data-handling microservice. Upload thepublic key to the CloudFront distribution. Create a field-level encryption profile and aconfiguration. Add the configuration to the CloudFront cache behavior.
C. Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated tothe data-handling microservice. Create a Lambda@Edge function. Program the function touse the KMS key to encrypt the sensitive data.
D. Create an RSA key pair that is dedicated to the data-handling microservice. Create aLambda@Edge function. Program the function to use the private key of the RSA key pair toencrypt the sensitive data.

Show Answer

Question # 16

A company uses an organization in AWS Organizations to manage the company's AWSaccounts. The company uses AWS CloudFormation to deploy all infrastructure. A financeteam wants to buikJ a chargeback model The finance team asked each business unit to tagresources by using a predefined list of project values.When the finance team used the AWS Cost and Usage Report in AWS Cost Explorer andfiltered based on project, the team noticed noncompliant project values. The companywants to enforce the use of project tags for new resources.Which solution will meet these requirements with the LEAST effort?

A. Create a tag policy that contains the allowed project tag values in the organization'smanagement account. Create an SCP that denies the cloudformation:CreateStack APIoperation unless a project tag is added. Attach the SCP to each OU.
B. Create a tag policy that contains the allowed project tag values in each OU. Create anSCP that denies the cloudformation:CreateStack API operation unless a project tag isadded. Attach the SCP to each OU.
C. Create a tag policy that contains the allowed project tag values in the AWS managementaccount. Create an 1AM policy that denies the cloudformation:CreateStack API operationunless a project tag is added. Assign the policy to each user.
D. Use AWS Service Catalog to manage the CloudFoanation stacks as products. Use aTagOptions library to control project tag values. Share the portfolio with all OUs that are inthe organization.

Show Answer

Question # 17

A company is running a serverless application that consists of several AWS Lambdafunctions and Amazon DynamoDB tables. The company has created new functionality thatrequires the Lambda functions to access an Amazon Neptune DB cluster. The Neptune DBcluster is located in three subnets in a VPC.Which of the possible solutions will allow the Lambda functions to access the Neptune DBcluster and DynamoDB tables? (Select TWO.)

A. Create three public subnets in the Neptune VPC, and route traffic through an internetgateway. Host the Lambda functions in the three new public subnets.
B. Create three private subnets in the Neptune VPC, and route internet traffic through aNAT gateway. Host the Lambda functions in the three new private subnets.
C. Host the Lambda functions outside the VPC. Update the Neptune security group to allowaccess from the IP ranges of the Lambda functions.
D. Host the Lambda functions outside the VPC. Create a VPC endpoint for the Neptunedatabase, and have the Lambda functions access Neptune over the VPC endpoint.
E. Create three private subnets in the Neptune VPC. Host the Lambda functions in thethree new isolated subnets. Create a VPC endpoint for DynamoDB, and route DynamoDBtraffic to the VPC endpoint.

Show Answer

Question # 18

A company is running multiple workloads in the AWS Cloud. The company has separateunits for software development. The company uses AWS Organizations and federation withSAML to give permissions to developers to manage resources in their AWS accounts. Thedevelopment units each deploy their production workloads into a common productionaccount.Recently, an incident occurred in the production account in which members of adevelopment unit terminated an EC2 instance that belonged to a different developmentunit. A solutions architect must create a solution that prevents a similar incident fromhappening in the future. The solution also must allow developers the possibility to managethe instances used for their workloads.Which strategy will meet these requirements?

A. Create separate OUs in AWS Organizations for each development unit. Assign thecreated OUs to the company AWS accounts. Create separate SCPs with a deny action anda StringNotEquals condition for the DevelopmentUnit resource tag that matches thedevelopment unit name. Assign the SCP to the corresponding OU.
B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS)session tag during SAML federation. Update the IAM policy for the developers' assumedIAM role with a deny action and a StringNotEquals condition for the DevelopmentUnitresource tag and aws:PrincipalTag/ DevelopmentUnit.
C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS)session tag during SAML federation. Create an SCP with an allow action and aStringEquals condition for the DevelopmentUnit resource tag andaws:PrincipalTag/DevelopmentUnit. Assign the SCP to the root OU.
D. Create separate IAM policies for each development unit. For every IAM policy, add anallow action and a StringEquals condition for the DevelopmentUnit resource tag and thedevelopment unit name. During SAML federation, use AWS Security Token Service (AWSSTS) to assign the IAM policy and match the development unit name to the assumed IAMrole.

Show Answer

Question # 19

A company has an organization in AWS Organizations that includes a separate AWSaccount for each of the company's departments. Application teams from differentdepartments develop and deploy solutions independently.The company wants to reduce compute costs and manage costs appropriately acrossdepartments. The company also wants to improve visibility into billing for individual departments. The company does not want to lose operational flexibility when the companyselects compute resources.Which solution will meet these requirements?

A. Use AWS Budgets for each department. Use Tag Editor to apply tags to appropriateresources. Purchase EC2 Instance Savings Plans.
B. Configure AWS Organizations to use consolidated billing. Implement a tagging strategythat identifies departments. Use SCPs to apply tags to appropriate resources. PurchaseEC2 Instance Savings Plans.
C. Configure AWS Organizations to use consolidated billing. Implement a tagging strategythat identifies departments. Use Tag Editor to apply tags to appropriate resources.Purchase Compute Savings Plans.
D. Use AWS Budgets for each department. Use SCPs to apply tags to appropriateresources. Purchase Compute Savings Plans.

Show Answer

Question # 20

A company is developing a web application that runs on Amazon EC2 instances in an AutoScaling group behind a public-facing Application Load Balancer (ALB). Only users from aspecific country are allowed to access the application. The company needs the ability to logthe access requests that have been blocked. The solution should require the least possiblemaintenance.Which solution meets these requirements?

A. Create an IPSet containing a list of IP ranges that belong to the specified country.Create an AWS WAF web ACL. Configure a rule to block any requests that do not originatefrom an IP range in the IPSet. Associate the rule with the web ACL. Associate the web ACLwith the ALB.
B. Create an AWS WAF web ACL. Configure a rule to block any requests that do notoriginate from the specified country. Associate the rule with the web ACL. Associate theweb ACL with the ALB.
C. Configure AWS Shield to block any requests that do not originate from the specifiedcountry. Associate AWS Shield with the ALB.
D. Create a security group rule that allows ports 80 and 443 from IP ranges that belong tothe specified country. Associate the security group with the ALB.

Show Answer

Question # 21

A company is migrating to the cloud. It wants to evaluate the configurations of virtualmachines in its existing data center environment to ensure that it can size new AmazonEC2 instances accurately. The company wants to collect metrics, such as CPU. memory,and disk utilization, and it needs an inventory of what processes are running on eachinstance. The company would also like to monitor network connections to mapcommunications between servers.Which would enable the collection of this data MOST cost effectively?

A. Use AWS Application Discovery Service and deploy the data collection agent to eachvirtual machine in the data center.
B. Configure the Amazon CloudWatch agent on all servers within the local environmentand publish metrics to Amazon CloudWatch Logs.
C. Use AWS Application Discovery Service and enable agentless discovery in the existingvisualization environment.
D. Enable AWS Application Discovery Service in the AWS Management Console andconfigure the corporate firewall to allow scans over a VPN.

Show Answer

Question # 22

A company uses AWS Organizations to manage a multi-account structure. The companyhas hundreds of AWS accounts and expects the number of accounts to increase. Thecompany is building a new application that uses Docker images. The company will pushthe Docker images to Amazon Elastic Container Registry (Amazon ECR). Only accountsthat are within the company's organization should haveaccess to the images.The company has a CI/CD process that runs frequently. The company wants to retain allthe tagged images. However, the company wants to retain only the five most recent untagged images.Which solution will meet these requirements with the LEAST operational overhead?

A. Create a private repository in Amazon ECR. Create a permissions policy for therepository that allows only required ECR operations. Include a condition to allow the ECRoperations if the value of the aws:PrincipalOrglD condition key is equal to the ID of thecompany's organization. Add a lifecycle rule to the ECR repository that deletes alluntagged images over the count of five.
B. Create a public repository in Amazon ECR. Create an IAM role in the ECR account. Setpermissions so that any account can assume the role if the value of the aws:PrincipalOrglDcondition key is equal to the ID of the company's organization. Add a lifecycle rule to theECR repository that deletes all untagged images over the count of five.
C. Create a private repository in Amazon ECR. Create a permissions policy for therepository that includes only required ECR operations. Include a condition to allow the ECRoperations for all account IDs in the organization. Schedule a daily Amazon EventBridgerule to invoke an AWS Lambda function that deletes all untagged images over the count offive.
D. Create a public repository in Amazon ECR. Configure Amazon ECR to use an interfaceVPC endpoint with an endpoint policy that includes the required permissions for imagesthat the company needs to pull. Include a condition to allow the ECR operations for allaccount IDs in the company's organization. Schedule a daily Amazon EventBridge rule toinvoke an AWS Lambda function that deletes all untagged images over the count of five.

Show Answer

Question # 23

A company wants to send data from its on-premises systems to Amazon S3 buckets. Thecompany created the S3 buckets in three different accounts. The company must send thedata privately without the data traveling across the internet The company has no existingdedicated connectivity to AWSWhich combination of steps should a solutions architect take to meet these requirements?(Select TWO.)

A. Establish a networking account in the AWS Cloud Create a private VPC in thenetworking account. Set up an AWS Direct Connect connection with a private VIF betweenthe on-premises environment and the private VPC.
B. Establish a networking account in the AWS Cloud Create a private VPC in thenetworking account. Set up an AWS Direct Connect connection with a public VlF betweenthe on-premises environment and the private VPC.
C. Create an Amazon S3 interface endpoint in the networking account.
D. Create an Amazon S3 gateway endpoint in the networking account.
E. Establish a networking account in the AWS Cloud Create a private VPC in thenetworking account. Peer VPCs from the accounts that host the S3 buckets with the VPCin the network account.

Show Answer

Question # 24

A company runs an unauthenticated static website (www.example.com) that includes aregistration form for users. The website uses Amazon S3 for hosting and uses AmazonCloudFront as the content delivery network with AWS WAF configured. When theregistration form is submitted, the website calls an Amazon API Gateway API endpoint thatinvokes an AWS Lambda function to process the payload and forward the payload to anexternal API call.During testing, a solutions architect encounters a cross-origin resource sharing (CORS)error. The solutions architect confirms that the CloudFront distribution origin has theAccess-Control-Allow-Origin header set to www.example.com.What should the solutions architect do to resolve the error?

A. Change the CORS configuration on the S3 bucket. Add rules for CORS to the AllowedOrigin element for www.example.com.
B. Enable the CORS setting in AWS WAF. Create a web ACL rule in which the Access-Control-Allow-Origin header is set to www.example.com.
C. Enable the CORS setting on the API Gateway API endpoint. Ensure that the APIendpoint is configured to return all responses that have the Access-Control -Allow-Originheader set to www.example.com.
D. Enable the CORS setting on the Lambda function. Ensure that the return code of thefunction has the Access-Control-Allow-Origin header set to www.example.com.

Show Answer

Question # 25

A company migrated an application to the AWS Cloud. The application runs on twoAmazon EC2 instances behind an Application Load Balancer (ALB). Application data isstored in a MySQL database that runs on an additional EC2 instance. The application's useof the database is read-heavy.The loads static content from Amazon Elastic Block Store (Amazon EBS) volumes that are attached to each EC2 instance. The static content is updated frequently and must becopied to each EBS volume.The load on the application changes throughout the day. During peak hours, the applicationcannot handle all the incoming requests. Trace data shows that the database cannothandle the read load during peak hours.Which solution will improve the reliability of the application?

A. Migrate the application to a set of AWS Lambda functions. Set the Lambda functions astargets for the ALB. Create a new single EBS volume for the static content. Configure theLambda functions to read from the new EBS volume. Migrate the database to an AmazonRDS for MySQL Multi-AZ DB cluster.
B. Migrate the application to a set of AWS Step Functions state machines. Set the statemachines as targets for the ALB. Create an Amazon Elastic File System (Amazon EFS) filesystem for the static content. Configure the state machines to read from the EFS filesystem. Migrate the database to Amazon Aurora MySQL Serverless v2 with a reader DBinstance.
C. Containerize the application. Migrate the application to an Amazon Elastic ContainerService (Amazon ECS) Cluster. Use the AWS Fargate launch type for the tasks that hostthe application. Create a new single EBS volume the static content. Mount the new EBSvolume on the ECS duster. Configure AWS Application Auto Scaling on ECS cluster. Setthe ECS service as a target for the ALB. Migrate the database to an Amazon RDS forMySOL Multi-AZ DB cluster.
D. Containerize the application. Migrate the application to an Amazon Elastic ContainerService (Amazon ECS) cluster. Use the AWS Fargate launch type for the tasks that hostthe application. Create an Amazon Elastic File System (Amazon EFS) file system for thestatic content. Mount the EFS file system to each container. Configure AWS ApplicationAuto Scaling on the ECS cluster Set the ECS service as a target for the ALB. Migrate thedatabase to Amazon Aurora MySQL Serverless v2 with a reader DB instance.

Show Answer

Question # 26

A company is using Amazon API Gateway to deploy a private REST API that will provideaccess to sensitive data. The API must be accessible only from an application that is deployed in a VPC. The company deploys the API successfully. However, the API is notaccessible from an Amazon EC2 instance that is deployed in the VPC.Which solution will provide connectivity between the EC2 instance and the API?

A. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy thatallows apigateway:* actions. Disable private DNS naming for the VPC endpoint. Configurean API resource policy that allows access from the VPC. Use the VPC endpoint's DNSname to access the API.
B. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy thatallows the execute-api:lnvoke action. Enable private DNS naming for the VPC endpoint.Configure an API resource policy that allows access from the VPC endpoint. Use the APIendpoint's DNS names to access the API. Most Voted
C. Create a Network Load Balancer (NLB) and a VPC link. Configure private integrationbetween API Gateway and the NLB. Use the API endpoint's DNS names to access theAPI.
D. Create an Application Load Balancer (ALB) and a VPC Link. Configure privateintegration between API Gateway and the ALB. Use the ALB endpoint's DNS name toaccess the API.

Show Answer

Question # 27

A solutions architect is creating an application that stores objects in an Amazon S3 bucket The solutions architect must deploy the application in two AWS Regions that will be used simultaneously The objects in the two S3 buckets must remain synchronized with each other. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE)

A. Use AWS Lambda functions to connect to the loT devices
B. Configure the loT devices to publish to AWS loT Core
C. Write the metadata to a self-managed MongoDB database on an Amazon EC2 instance
D. Write the metadata to Amazon DocumentDB (with MongoDB compatibility)
E. Use AWS Step Functions state machines with AWS Lambda tasks to prepare thereports and to write the reports to Amazon S3 Use Amazon CloudFront with an S3 origin toserve the reports
F. Use an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with Amazon EC2instances to prepare the reports Use an ingress controller in the EKS cluster to serve the reports

Show Answer

Question # 28

A solutions architect is creating an application that stores objects in an Amazon S3 bucketThe solutions architect must deploy the application in two AWS Regions that will be usedsimultaneously The objects in the two S3 buckets must remain synchronized with eachother.Which combination of steps will meet these requirements with the LEAST operationaloverhead? (Select THREE)

A. Create an S3 Multi-Region Access Point. Change the application to refer to the Multi-Region Access Point
B. Configure two-way S3 Cross-Region Replication (CRR) between the two S3 buckets
C. Modify the application to store objects in each S3 bucket.
D. Create an S3 Lifecycle rule for each S3 bucket to copy objects from one S3 bucket tothe other S3 bucket.
E. Enable S3 Versioning for each S3 bucket
F. Configure an event notification for each S3 bucket to invoke an AVVS Lambda functionto copy objects from one S3 bucket to the other S3 bucket.

Show Answer

Question # 29

A North American company with headquarters on the East Coast is deploying a new web application running on Amazon EC2 in the us-east-1 Region. The application shoulddynamically scale to meet user demand and maintain resiliency. Additionally, theapplication must have disaster recover capabilities in an active-passive configuration withthe us-west-1 Region.Which steps should a solutions architect take after creating a VPC in the us-east-1 Region?

A. Create a VPC in the us-west-1 Region. Use inter-Region VPC peering to connect bothVPCs. Deploy an Application Load Balancer (ALB) spanning multiple Availability Zones(AZs) to the VPC in the us-east-1 Region. Deploy EC2 instances across multiple AZs ineach Region as part of an Auto Scaling group spanning both VPCs and served by the ALB.
B. Deploy an Application Load Balancer (ALB) spanning multiple Availability Zones (AZs)to the VPC in the us-east-1 Region. Deploy EC2 instances across multiple AZs as part ofan Auto Scaling group served by the ALB. Deploy the same solution to the us-west-1Region. Create an Amazon Route 53 record set with a failover routing policy and healthchecks enabled to provide high availability across both Regions.
C. Create a VPC in the us-west-1 Region. Use inter-Region VPC peering to connect bothVPCs. Deploy an Application Load Balancer (ALB) that spans both VPCs. Deploy EC2instances across multiple Availability Zones as part of an Auto Scaling group in each VPCserved by the ALB. Create an Amazon Route 53 record that points to the ALB.
D. Deploy an Application Load Balancer (ALB) spanning multiple Availability Zones (AZs)to the VPC in the us-east-1 Region. Deploy EC2 instances across multiple AZs as part ofan Auto Scaling group served by the ALB. Deploy the same solution to the us-west-1Region. Create separate Amazon Route 53 records in each Region that point to the ALB inthe Region. Use Route 53 health checks to provide high availability across both Regions.

Show Answer

Question # 30

A company needs to monitor a growing number of Amazon S3 buckets across two AWSRegions. The company also needs to track the percentage of objects that areencrypted in Amazon S3. The company needs a dashboard to display this information forinternal compliance teams.Which solution will meet these requirements with the LEAST operational overhead?

A. Create a new S3 Storage Lens dashboard in each Region to track bucket andencryption metrics. Aggregate data from both Region dashboards into a single dashboardin Amazon QuickSight for the compliance teams.
B. Deploy an AWS Lambda function in each Region to list the number of buckets and theencryption status of objects. Store this data in Amazon S3. Use Amazon Athena queries todisplay the data on a custom dashboard in Amazon QuickSight for the compliance teams.
C. Use the S3 Storage Lens default dashboard to track bucket and encryption metrics.Give the compliance teams access to the dashboard directly in the S3 console.
D. Create an Amazon EventBridge rule to detect AWS Cloud Trail events for S3 objectcreation. Configure the rule to invoke an AWS Lambda function to record encryptionmetrics in Amazon DynamoDB. Use Amazon QuickSight to display the metrics in adashboard for the compliance teams.

Show Answer

Question # 31

A financial services company runs a complex, multi-tier application on Amazon EC2instances and AWS Lambda functions. The application stores temporary data in AmazonS3. The S3 objects are valid for only 45 minutes and are deleted after 24 hours.The company deploys each version of the application by launching an AWSCloudFormation stack. The stack creates all resources that are required to run theapplication. When the company deploys and validates a new application version, thecompany deletes the CloudFormation stack of the old version.The company recently tried to delete the CloudFormation stack of an old applicationversion, but the operation failed. An analysis shows that CloudFormation failed to delete anexisting S3 bucket. A solutions architect needs to resolve this issue without making majorchanges to the application's architecture.Which solution meets these requirements?

A. Implement a Lambda function that deletes all files from a given S3 bucket. Integrate thisLambda function as a custom resource into the CloudFormation stack. Ensure that thecustom resource has a DependsOn attribute that points to the S3 bucket's resource.
B. Modify the CloudFormation template to provision an Amazon Elastic File System(Amazon EFS) file system to store the temporary files there instead of in Amazon S3.Configure the Lambda functions to run in the same VPC as the file system. Mount the filesystem to the EC2 instances and Lambda functions.
C. Modify the CloudFormation stack to create an S3 Lifecycle rule that expires all objects45 minutes after creation. Add a DependsOn attribute that points to the S3 bucket'sresource.
D. Modify the CloudFormation stack to attach a DeletionPolicy attribute with a value ofDelete to the S3 bucket.

Show Answer

Question # 32

A company is currently in the design phase of an application that will need an RPO of lessthan 5 minutes and an RTO of less than 10 minutes. The solutions architecture team isforecasting that the database will store approximately 10 TB of data. As part of the design,they are looking for a database solution that will provide the company with the ability to failover to a secondary Region.Which solution will meet these business requirements at the LOWEST cost?

A. Deploy an Amazon Aurora DB cluster and take snapshots of the cluster every 5minutes. Once a snapshot is complete, copy the snapshot to a secondary Region to serveas a backup in the event of a failure.
B. Deploy an Amazon RDS instance with a cross-Region read replica in a secondaryRegion. In the event of a failure, promote the read replica to become the primary.
C. Deploy an Amazon Aurora DB cluster in the primary Region and another in a secondaryRegion. Use AWS DMS to keep the secondary Region in sync.
D. Deploy an Amazon RDS instance with a read replica in the same Region. In the event ofa failure, promote the read replica to become the primary.

Show Answer

Question # 33

A financial company needs to create a separate AWS account for a new digital walletapplication. The company uses AWS Organizations to manage its accounts. A solutionsarchitect uses the 1AM user Supportl from the management account to create a newmember account with finance1@example.com as the email address.What should the solutions architect do to create IAM users in the new member account?

A. Sign in to the AWS Management Console with AWS account root user credentials byusing the 64-character password from the initial AWS Organizations emailsenttofinance1@example.com. Set up the IAM users as required.
B. From the management account, switch roles to assume theOrganizationAccountAccessRole role with the account ID of the new member account. Setup the IAM users as required.
C. Go to the AWS Management Console sign-in page. Choose "Sign in using root accountcredentials." Sign in in by using the email address finance1@example.com and themanagement account's root password. Set up the IAM users as required.
D. Go to the AWS Management Console sign-in page. Sign in by using the account ID ofthe new member account and the Supportl IAM credentials. Set up the IAM users as required.

Show Answer

Question # 34

A company has a solution that analyzes weather data from thousands of weather stations.The weather stations send the data over an Amazon API Gateway REST API that has anAWS Lambda function integration. The Lambda function calls a third-party service for datapre-processing. The third-party service gets overloaded and fails the pre-processing,causing a loss of data.A solutions architect must improve the resiliency of the solution. The solutions architectmust ensure that no data is lost and that data can be processed later if failures occur.What should the solutions architect do to meet these requirements?

A. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the queueas the dead-letter queue for the API.
B. Create two Amazon Simple Queue Service (Amazon SQS) queues: a primary queueand a secondary queue. Configure the secondary queue as the dead-letter queue for theprimary queue. Update the API to use a new integration to the primary queue. Configurethe Lambda function as the invocation target for the primary queue.
C. Create two Amazon EventBridge event buses: a primary event bus and a secondaryevent bus. Update the API to use a new integration to the primary event bus. Configure anEventBridge rule to react to all events on the primary event bus. Specify the Lambdafunction as the target of the rule. Configure the secondary event bus as the failuredestination for the Lambda function.
D. Create a custom Amazon EventBridge event bus. Configure the event bus as the failuredestination for the Lambda function.

Show Answer

Question # 35

A research center is migrating to the AWS Cloud and has moved its on-premises 1 PBobject storage to an Amazon S3 bucket. One hundred scientists are using this objectstorage to store their work-related documents. Each scientist has a personal folder on theobject store. All the scientists are members of a single IAM user group.The research center's compliance officer is worried that scientists will be able to accesseach other's work. The research center has a strict obligation to report on which scientistaccesses which documents. The team that is responsible for these reports has little AWS experience and wants aready-to-use solution that minimizes operational overhead.Which combination of actions should a solutions architect take to meet theserequirements? (Select TWO.)

A. Create an identity policy that grants the user read and write access. Add a condition thatspecifies that the S3 paths must be prefixed with ${aws:username}. Apply the policy on thescientists' IAM user group.
B. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket.Store the trail output in another S3 bucket. Use Amazon Athena to query the logs andgenerate reports.
C. Enable S3 server access logging. Configure another S3 bucket as the target for logdelivery. Use Amazon Athena to query the logs and generate reports.
D. Create an S3 bucket policy that grants read and write access to users in the scientists'IAM user group.
E. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucketand write the events to Amazon CloudWatch. Use the Amazon Athena CloudWatchconnector to query the logs and generate reports.

Show Answer

Question # 36

A company is using AWS Organizations with a multi-account architecture. The company'scurrent security configuration for the account architecture includes SCPs, resource-basedpolicies, identity-based policies, trust policies, and session policies.A solutions architect needs to allow an IAM user in Account A to assume a role in AccountB.Which combination of steps must the solutions architect take to meet this requirement?(Select THREE.)

A. Configure the SCP for Account A to allow the action.
B. Configure the resource-based policies to allow the action.
C. Configure the identity-based policy on the user in Account A to allow the action.
D. Configure the identity-based policy on the user in Account B to allow the action.
E. Configure the trust policy on the target role in Account B to allow the action.
F. Configure the session policy to allow the action and to be passed programmatically bythe GetSessionToken API operation.

Show Answer

Question # 37

A company is migrating its infrastructure to the AWS Cloud. The company must complywith a variety of regulatory standards for different projects. The company needs a multiaccountenvironment.A solutions architect needs to prepare the baseline infrastructure. The solution mustprovide a consistent baseline of management and security, but it must allow flexibility fordifferent compliance requirements within various AWS accounts. The solution also needsto integrate with the existing on-premises Active Directory Federation Services (AD FS)server.Which solution meets these requirements with the LEAST amount of operationaloverhead?

A. Create an organization in AWS Organizations. Create a single SCP for least privilegeaccess across all accounts. Create a single OU for all accounts. Configure an IAM identityprovider for federation with the on-premises AD FS server. Configure a central loggingaccount with a defined process for log generating services to send log events to the centralaccount. Enable AWS Config in the central account with conformance packs for allaccounts.
B. Create an organization in AWS Organizations. Enable AWS Control Tower on theorganization. Review included controls (guardrails) for SCPs. Check AWS Config for areas that require additions. Add OUS as necessary. Connect AWS IAM Identity Center (AWSSingle Sign-On) to the on-premises AD FS server.
C. Create an organization in AWS Organizations. Create SCPs for least privilege access.Create an OU structure, and use it to group AWS accounts. Connect AWS IAM IdentityCenter (AWS Single Sign-On) to the on-premises AD FS server. Configure a centrallogging account with a defined process for log generating services to send log events to thecentral account. Enable AWS Config in the central account with aggregators andconformance packs.
D. Create an organization in AWS Organizations. Enable AWS Control Tower on theorganization. Review included controls (guardrails) for SCPs. Check AWS Config for areasthat require additions. Configure an IAM identity provider for federation with the onpremisesAD FS server.

Show Answer

Question # 38

A company needs to store and process image data that will be uploaded from mobiledevices using a custom mobile app. Usage peaks between 8 AM and 5 PM on weekdays,with thousands of uploads per minute. The app is rarely used at any other time. A user isnotified when image processing is complete.Which combination of actions should a solutions architect take to ensure image processingcan scale to handle the load? (Select THREE.)

A. Upload files from the mobile software directly to Amazon S3. Use S3 event notificationsto create a message in an Amazon MQ queue.
B. Upload files from the mobile software directly to Amazon S3. Use S3 event notificationsto create a message in an Amazon Simple Queue Service (Amazon SOS) standard queue.
C. Invoke an AWS Lambda function to perform image processing when a message isavailable in the queue.
D. Invoke an S3 Batch Operations job to perform image processing when a message isavailable in the queue
E. Send a push notification to the mobile app by using Amazon Simple Notification Service(Amazon SNS) when processing is complete.
F. Send a push notification to the mobile app by using Amazon Simple Email Service(Amazon SES) when processing is complete.

Show Answer

Question # 39

A company has mounted sensors to collect information about environmental parameterssuch as humidity and light throughout all the company's factories. The company needs tostream and analyze the data in the AWS Cloud in real time. If any of the parameters fall outof acceptable ranges, the factory operations team must receive a notification immediately.Which solution will meet these requirements?

A. Stream the data to an Amazon Kinesis Data Firehose delivery stream. Use AWS StepFunctions to consume and analyze the data in the Kinesis Data Firehose delivery stream.use Amazon Simple Notification Service (Amazon SNS) to notify the operations team.
B. Stream the data to an Amazon Managed Streaming for Apache Kafka (Amazon MSK)cluster. Set up a trigger in Amazon MSK to invoke an AWS Fargate task to analyze thedata. Use Amazon Simple Email Service (Amazon SES) to notify the operations team.
C. Stream the data to an Amazon Kinesis data stream. Create an AWS Lambda function toconsume the Kinesis data stream and to analyze the data. Use Amazon Simple NotificationService (Amazon SNS) to notify the operations team.
D. Stream the data to an Amazon Kinesis Data Analytics application. I-Jse an automaticallyscaled and containerized service in Amazon Elastic Container Service (Amazon ECS) toconsume and analyze the data. use Amazon Simple Email Service (Amazon SES) to notifythe operations team.

Show Answer

Question # 40

A software company needs to create short-lived test environments to test pull requests aspart of its development process. Each test environment consists of a single Amazon EC2 instance that is in an Auto Scaling group.The test environments must be able to communicate with a central server to report testresults. The central server is located in an on-premises data center. A solutions architectmust implement a solution so that the company can create and delete test environmentswithout any manual intervention. The company has created a transit gateway with a VPNattachment to the on-premises network.Which solution will meet these requirements with the LEAST operational overhead?

A. Create an AWS CloudFormation template that contains a transit gateway attachmentand related routing configurations. Create a CloudFormation stack set that includes thistemplate. Use CloudFormation StackSets to deploy a new stack for each VPC in theaccount. Deploy a new VPC for each test environment.
B. Create a single VPC for the test environments. Include a transit gateway attachment andrelated routing configurations. Use AWS CloudFormation to deploy all test environmentsinto the VPC.
C. Create a new OU in AWS Organizations for testing. Create an AWS CloudFormationtemplate that contains a VPC, necessary networking resources, a transit gatewayattachment, and related routing configurations. Create a CloudFormation stack set thatincludes this template. Use CloudFormation StackSets for deployments into each accountunder the testing 01.1. Create a new account for each test environment.
D. Convert the test environment EC2 instances into Docker images. Use AWSCloudFormation to configure an Amazon Elastic Kubernetes Service (Amazon EKS) clusterin a new VPC, create a transit gateway attachment, and create related routingconfigurations. Use Kubernetes to manage the deployment and lifecycle of the testenvironments.

Show Answer

Question # 41

A company is deploying AWS Lambda functions that access an Amazon RDS forPostgreSQL database. The company needs to launch the Lambda functions in a QAenvironment and in a production environment.The company must not expose credentials within application code and must rotatepasswords automatically.Which solution will meet these requirements?

A. Store the database credentials for both environments in AWS Systems ManagerParameter Store. Encrypt the credentials by using an AWS Key Management Service(AWS KMS) key. Within the application code of the Lambda functions, pull the credentialsfrom the Parameter Store parameter by using the AWS SDK for Python (Bot03). Add a roleto the Lambda functions to provide access to the Parameter Store parameter.
B. Store the database credentials for both environments in AWS Secrets Manager withdistinct key entry for the QA environment and the production environment. Turn on rotation.Provide a reference to the Secrets Manager key as an environment variable for theLambda functions.
C. Store the database credentials for both environments in AWS Key Management Service(AWS KMS). Turn on rotation. Provide a reference to the credentials that are stored inAWS KMS as an environment variable for the Lambda functions.
D. Create separate S3 buckets for the QA environment and the production environment.Turn on server-side encryption with AWS KMS keys (SSE-KMS) for the S3 buckets. Usean object naming pattern that gives each Lambda function's application code the ability topull the correct credentials for the function's corresponding environment. Grant eachLambda function's execution role access to Amazon S3.

Show Answer