4/10 (28-42) Flashcards

1
Q

A company needs to create and manage multiple AWS accounts for a number of departments
from a central location. The security team requires read-only access to all accounts from its own AWS
account. The company is using AWS Organizations and created an account for the security team.
How should a solutions architect meet these requirements?

A

D. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for
the OrganizationAccountAccessRole IAM role in the member account from the security account. Use
the generated temporary credentials to gain access.

2
Q

A video streaming company recently launched a mobile app for video sharing. The app
uploads various files to an Amazon S3 bucket in the us-east-1 Region. The files range in size from 1 GB
to 10 GB.
Users who access the app from Australia have experienced uploads that take long periods of time.
Sometimes the files fail to completely upload for these users. A solutions architect must improve the
app's performance for these uploads.
Which solutions will meet these requirements? (Select TWO.)

A

A. Enable S3 Transfer Acceleration on the S3 bucket. Configure the app to use the Transfer Acceleration endpoint for uploads.

C. Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3 bucket
Region.

3
Q

A company runs an e-commerce platform with front-end and e-commerce tiers. Both tiers
run on LAMP stacks with the front-end instances running behind a load balancing appliance that has
a virtual offering on AWS. Currently, the operations team uses SSH to log in to the instances to
maintain patches and address other concerns. The platform has recently been the target of multiple
attacks, including:
* A DDoS attack.
* An SQL injection attack.
* Several successful dictionary attacks on SSH accounts on the web servers.
The company wants to improve the security of the e-commerce platform by migrating to AWS. The
company’s solutions architects have decided to use the following approach:
* Code review the existing application and fix any SQL injection issues.
* Migrate the web application to AWS and leverage the latest AWS Linux AMI to address initial
security patching.
* Install AWS Systems Manager to manage patching and allow the system administrators to run
commands on all instances, as needed.
What additional steps will address all of the identified attack types while providing high availability
and minimizing risk?

A

B. Disable SSH access to the Amazon EC2 instances. Migrate on-premises MySQL to Amazon RDS
Multi-AZ. Leverage an Elastic Load Balancer to spread the load and enable AWS Shield Advanced for
protection. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the
distribution to manage the rules.

4
Q

A company that develops consumer electronics with offices in Europe and Asia has 60 TB of software images stored on premises in Europe. The company wants to transfer the images to an Amazon S3 bucket in the ap-northeast-1 Region. New software images are created daily and must be
encrypted in transit. The company needs a solution that does not require custom development to automatically transfer all existing and new software images to Amazon S3.
What is the next step in the transfer process?

A

A. Deploy an AWS DataSync agent and configure a task to transfer the images to the S3 bucket.

5
Q

A company recently started hosting new application workloads in the AWS Cloud. The
company is using Amazon EC2 instances, Amazon Elastic File System (Amazon EFS) file systems, and
Amazon RDS DB instances.
To meet regulatory and business requirements, the company must make the following changes for
data backups:
* Backups must be retained based on custom daily, weekly, and monthly requirements.
* Backups must be replicated to at least one other AWS Region immediately after capture.
* The backup solution must provide a single source of backup status across the AWS environment.
* The backup solution must send immediate notifications upon failure of any resource backup.
Which combination of steps will meet these requirements with the LEAST amount of operational
overhead? (Select THREE.)

A

B. Configure an AWS Backup plan to copy backups to another Region.

D. Add an Amazon Simple Notification Service (Amazon SNS) topic to the backup plan to send a
notification for finished jobs that have any status except BACKUP_JOB_COMPLETED.

E. Create an Amazon Data Lifecycle Manager (Amazon DLM) snapshot lifecycle policy for each of the
retention requirements.

6
Q

A retail company needs to provide a series of data files to another company, which is its
business partner.
These files are saved in an Amazon S3 bucket under Account A,
which belongs to the retail company.
The business partner company wants one of its IAM users, User_DataProcessor, to access the files
from its own AWS account (Account B).
Which combination of steps must the companies take so that User_DataProcessor can access the S3
bucket successfully? (Select TWO.)

A

A. Turn on the cross-origin resource sharing (CORS) feature for the S3 bucket in Account A.

D. In Account B, set the permissions of User_DataProcessor to the following:

7
Q

A company wants to deploy an AWS WAF solution to manage AWS WAF rules across multiple
AWS accounts. The accounts are managed under different OUs in AWS Organizations.
Administrators must be able to add or remove accounts or OUs from managed AWS WAF rule sets as
needed. Administrators also must have the ability to automatically update and remediate
noncompliant AWS WAF rules in all accounts.
Which solution meets these requirements with the LEAST amount of operational overhead?

A

B. Deploy an organization-wide AWS Config rule that requires all resources in the selected OUs to
associate the AWS WAF rules. Deploy automated remediation actions by using AWS Lambda to fix
noncompliant resources. Deploy AWS WAF rules by using an AWS CloudFormation stack set to target
the same OUs where the AWS Config rule is applied.

8
Q

A data analytics company has an Amazon Redshift cluster that consists of several reserved
nodes. The cluster is experiencing unexpected bursts of usage because a team of employees is compiling a deep audit analysis report. The queries to generate the report are complex read queries
and are CPU intensive.
Business requirements dictate that the cluster must be able to service read and write queries at all
times. A solutions architect must devise a solution that accommodates the bursts of usage.
Which solution meets these requirements MOST cost-effectively?

A

D. Turn on the Concurrency Scaling feature for the Amazon Redshift cluster.

9
Q

A solutions architect is designing an application to accept timesheet entries from employees
on their mobile devices. Timesheets will be submitted weekly, with most of the submissions
occurring on Friday. The data must be stored in a format that allows payroll administrators to run
monthly reports. The infrastructure must be highly available and scale to match the rate of incoming
data and reporting requests.
Which combination of steps meets these requirements while minimizing operational overhead?
(Select TWO.)

A

A. Deploy the application to Amazon EC2 On-Demand Instances with load balancing across multiple
Availability Zones. Use scheduled Amazon EC2 Auto Scaling to add capacity before the high volume of
submissions on Fridays.

E. Store the timesheet submission data in Amazon S3. Use Amazon Athena and Amazon QuickSight to
generate the reports using Amazon S3 as the data source.

10
Q

A company that uses AWS Organizations is creating several new AWS accounts. The company
is setting up controls to properly allocate AWS costs to business units. The company must implement
a solution to ensure that all resources include a tag that has a key of costcenter and a value from a
predefined list of business units. The solution must send a notification each time a resource tag does
not meet these criteria. The solution must not prevent the creation of resources.
Which solution will meet these requirements with the LEAST operational overhead?

A

B. Create an IAM policy for all actions that create AWS resources. Add a condition to the policy that
awsResourceTag/costcenter must exist and must contain a
valid business unit value. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that
monitors IAM service events and Amazon EC2 service events for noncompliant tag policies.
Configure the rule to send notifications through Amazon Simple Notification Service (Amazon SNS).

11
Q

A company is using multiple AWS accounts. The company has a shared services account and
several other accounts for different projects.
A team has a VPC in a project account. The team wants to connect this VPC to a corporate network
through an AWS Direct Connect gateway that exists in the shared services account. The team wants
to automatically perform a virtual private gateway association with the Direct Connect gateway by
using an already-tested AWS Lambda function while deploying its VPC networking stack. The Lambda
function code can assume a role by using AWS Security Token Service (AWS STS). The team is using
AWS CloudFormation to deploy its infrastructure.
Which combination of steps will meet these requirements? (Select THREE.)

A

B. Create a cross-account IAM role in the shared services account that grants the Lambda function
the directconnect:* permission. Add the sts:AssumeRole

C. Add a custom resource to the CloudFormation networking stack that references the Lambda
function in the project account.

E. Create a cross-account IAM role in the shared services account that grants the sts:AssumeRole
permission to the Lambda function with the directconnect:*
permission acting as a resource. Add the sts:AssumeRole permission with this cross-account IAM role
as a resource to the IAM role that belongs to the Lambda function in the project account.

12
Q

A company processes environmental data.
The company has set up sensors to provide a continuous stream of data from different areas in a
city. The data is available in JSON format.
The company wants to use an AWS solution to send the data to a database that does not require
fixed schemas for storage. The data must be sent in real time.
Which solution will meet these requirements?

A

B. Use Amazon Kinesis Data Streams to send the data to Amazon DynamoDB.

13
Q

A company is developing and hosting several projects in the AWS Cloud. The projects are
developed across multiple AWS accounts under the same organization in AWS Organizations. The
company requires the cost for cloud infrastructure to be allocated to the owning project. The team
responsible for all of the AWS accounts has discovered that several Amazon EC2 instances are lacking
the Project tag used for cost allocation.
Which actions should a solutions architect take to resolve the problem and prevent it from happening
in the future? (Select THREE.)

A

B. Create an SCP in the organization with a deny action for ec2:RunInstances if the Project tag is
missing.

D. Create an IAM policy in each account with a deny action for ec2:RunInstances if the Project tag is
missing.

E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the
missing Project tag.

14
Q

An e-commerce company is revamping its IT infrastructure and is planning to use AWS
services. The company’s CIO has asked a solutions architect to design a simple, highly available, and
loosely coupled order processing application. The application is responsible for receiving and
processing orders before storing them in an Amazon DynamoDB table. The application has a sporadic
traffic pattern and should be able to scale during marketing campaigns to process the orders with
minimal delays.
Which of the following is the MOST reliable approach to meet the requirements?

A

B. Receive the orders in an Amazon SQS queue and trigger an AWS Lambda function to process them.

15
Q

A company is using AWS Organizations to manage multiple accounts. Due to regulatory
requirements, the company wants to restrict specific member accounts to certain AWS Regions,
where they are permitted to deploy resources. The resources in the accounts must be tagged,
enforced based on a group standard, and centrally managed with minimal configuration.
What should a solutions architect do to meet these requirements?

A

D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using
conditions to limit Regions.
