Transcription

AWS Solutions Architect – Associate (SAA-C01)Sample Exam Questions1) A company is storing an access key (access key ID and secret access key) in a text file on a customAMI. The company uses the access key to access DynamoDB tables from instances created from theAMI. The security team has mandated a more secure solution.Which solution will meet the security team’s mandate?A.B.C.D.Put the access key in an S3 bucket, and retrieve the access key on boot from the instance.Pass the access key to the instances through instance user data.Obtain the access key from a key server launched in a private subnet.Create an IAM role with permissions to access the table, and launch all instances with the new role.2) A company is developing a highly available web application using stateless web servers. Whichservices are suitable for storing session state data? (Select TWO.)A.B.C.D.E.CloudWatchDynamoDBElastic Load BalancingElastiCacheStorage Gateway3) Company salespeople upload their sales figures daily. A Solutions Architect needs a durable storagesolution for these documents that also protects against users accidentally deleting importantdocuments.Which action will protect against unintended user actions?A.B.C.D.Store data in an EBS volume and create snapshots once a week.Store data in an S3 bucket and enable versioning.Store data in two S3 buckets in different AWS regions.Store data on EC2 instance storage.4) An application requires a highly available relational database with an initial storage capacity of 8 TB.The database will grow by 8 GB every day. To support expected traffic, at least eight read replicas willbe required to handle database reads.Which option will meet these requirements?A.B.C.D.DynamoDBAmazon S3Amazon AuroraAmazon Redshift 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved aws.amazon.com1

AWS Solutions Architect – Associate (SAA-C01)Sample Exam Questions5) A Solutions Architect is designing a critical business application with a relational database that runson an EC2 instance. It requires a single EBS volume that can support up to 16,000 IOPS.Which Amazon EBS volume type can meet the performance requirements of this application?A.B.C.D.EBS Provisioned IOPS SSDEBS Throughput Optimized HDDEBS General Purpose SSDEBS Cold HDD6) A web application allows customers to upload orders to an S3 bucket. The resulting Amazon S3events trigger a Lambda function that inserts a message to an SQS queue. A single EC2 instancereads messages from the queue, processes them, and stores them in an DynamoDB table partitionedby unique order ID. Next month traffic is expected to increase by a factor of 10 and a SolutionsArchitect is reviewing the architecture for possible scaling problems.Which component is MOST likely to need re-architecting to be able to scale to accommodate the newtraffic?A.B.C.D.Lambda functionSQS queueEC2 instanceDynamoDB table7) An application saves the logs to an S3 bucket. A user wants to keep the logs for one month fortroubleshooting purposes, and then purge the logs.What feature will enable this?A.B.C.D.Adding a bucket policy on the S3 bucket.Configuring lifecycle configuration rules on the S3 bucket.Creating an IAM policy for the S3 bucket.Enabling CORS on the S3 bucket.8) An application running on EC2 instances processes sensitive information stored on Amazon S3. Theinformation is accessed over the Internet. The security team is concerned that the Internetconnectivity to Amazon S3 is a security risk.Which solution will resolve the security concern?A.B.C.D.Access the data through an Internet Gateway.Access the data through a VPN connection.Access the data through a NAT Gateway.Access the data through a VPC endpoint for Amazon S3. 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved aws.amazon.com2

AWS Solutions Architect – Associate (SAA-C01)Sample Exam Questions9) An organization is building an Amazon Redshift cluster in their shared services VPC. The cluster willhost sensitive data.How can the organization control which networks can access the cluster?A.B.C.D.Run the cluster in a different VPC and connect through VPC peering.Create a database user inside the Amazon Redshift cluster only for users on the network.Define a cluster security group for the cluster that allows access from the allowed networks.Only allow access to networks that connect with the shared services network via VPN.10) A Solutions Architect is designing an online shopping application running in a VPC on EC2 instancesbehind an ELB Application Load Balancer. The instances run in an Auto Scaling group acrossmultiple Availability Zones. The application tier must read and write data to a customer manageddatabase cluster. There should be no access to the database from the Internet, but the cluster mustbe able to obtain software patches from the Internet.Which VPC design meets these requirements?A.B.C.D.Public subnets for both the application tier and the database clusterPublic subnets for the application tier, and private subnets for the database clusterPublic subnets for the application tier and NAT Gateway, and private subnets for the database clusterPublic subnets for the application tier, and private subnets for the database cluster and NAT Gateway 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved aws.amazon.com3

AWS Solutions Architect – Associate (SAA-C01)Sample Exam QuestionsAnswers1) D – IAM roles for EC2 instances allow applications running on the instance to access AWS resourceswithout having to create and store any access keys. Any solution involving the creation of an access keythen introduces the complexity of managing that secret.2) B, D – Both DynamoDB and ElastiCache provide high performance storage of key-value pairs.CloudWatch and ELB are not storage services. Storage Gateway is a storage service, but it is a hybridstorage service that enables on-premises applications to use cloud storage.3) B – If a versioned object is deleted, then it can still be recovered by retrieving the final version. ResponseA would lose any changes committed since the previous snapshot. Storing the data in 2 S3 bucketswould provide slightly more protection, but a user could still delete the object from both buckets. EC2instance storage is ephemeral and should never be used for data requiring durability.4) C – Amazon Aurora is a relational database that will automatically scale to accommodate data growth.Amazon Redshift does not support read replicas and will not automatically scale. DynamoDB is a NoSQLservice, not a relational database. Amazon S3 is object storage, not a relational database.5) A – EBS Provisioned IOPS SSD provides sustained performance for mission-critical low-latencyworkloads. EBS General Purpose SSD can provide bursts of performance up to 3,000 IOPS and have amaximum baseline performance of 10,000 IOPS for volume sizes greater than 3.3 TB. The 2 HDD optionsare lower cost, high throughput volumes.6) C – A single EC2 instance will not scale and is a single point of failure in the architecture. A much bettersolution would be to have EC2 instances in an Auto Scaling group across 2 availability zones readmessages from the queue. The other responses are all managed services that can be configured to scaleor will scale automatically.7) B – Lifecycle configuration allows lifecycle management of objects in a bucket. The configuration is a setof one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects.Bucket policies and IAM define access to objects in an S3 bucket. CORS enables clients in one domainto interact with resources in a different domain.8) D – VPC endpoints for Amazon S3 provide secure connections to S3 buckets that do not require agateway or NAT instances. NAT Gateways and Internet Gateways still route traffic over the Internet to thepublic endpoint for Amazon S3. There is no way to connect to Amazon S3 via VPN.9) C – A security group can grant access to traffic from the allowed networks via the CIDR range for eachnetwork. VPC peering and VPN are connectivity services and cannot control traffic for security. AmazonRedshift user accounts address authentication and authorization at the user level and have no controlover network traffic.10) C – The online application must be in public subnets to allow access from clients' browsers. The databasecluster must be in private subnets to meet the requirement that there be no access from the Internet. A 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved aws.amazon.com4

AWS Solutions Architect – Associate (SAA-C01)Sample Exam QuestionsNAT Gateway is required to give the database cluster the ability to download patches from the Internet.NAT Gateways must be deployed in public subnets. 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved aws.amazon.com5