sthithapragnakk -- SAA Exam Dumps Jan 24 1-100 Flashcards

Question

692 Question #: 676 Topic #: 1 [All AWS Certified Solutions Architect - Associate SAA-C03 Questions] A company's application uses Network Load Balancers, Auto Scaling groups, Amazon EC2 instances, and databases that are deployed in an Amazon VPC. The company wants to capture information about traffic to and from the network interfaces in near real time in its Amazon VPC. The company wants to send the information to Amazon OpenSearch Service for analysis. Which solution will meet these requirements? A. Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to send the log data to the log group. Use Amazon Kinesis Data Streams to stream the logs from the log group to OpenSearch Service. B. Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to send the log data to the log group. Use Amazon Kinesis Data Firehose to stream the logs from the log group to OpenSearch Service. C. Create a trail in AWS CloudTrail. Configure VPC Flow Logs to send the log data to the trail. Use Amazon Kinesis Data Streams to stream the logs from the trail to OpenSearch Service. D. Create a trail in AWS CloudTrail. Configure VPC Flow Logs to send the log data to the trail. Use Amazon Kinesis Data Firehose to stream the logs from the trail to OpenSearch Service.

Answer 1

B. Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to send the log data to the log group. Use Amazon Kinesis Data Firehose to stream the logs from the log group to OpenSearch Service. CloudTrail is for logging administrative actions, we need CloudWatch. We want the data in another AWS service (OpenSearch), not Kinesis, thus we need Firehose, not Streams. VPC Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC. By configuring VPC Flow Logs to send the log data to a log group in Amazon CloudWatch Logs, you can then use Amazon Kinesis Data Firehose to stream the logs from the log group to Amazon OpenSearch Service for analysis. This approach provides near real-time streaming of logs to the analytics service. So, option so most you know you need to remember near real time that is another thing that is what you need and capture information about the traffic to and from the network interfaces. Okay that is another thing that you need to not and we already covered this right whenever you want traffic information about traffic to and from in within the VPC, what should come to your mind server admins, VPC flow logs should come to your mind because that is what provides you detailed information about traffic to and fro from a PC and all the options has it so that is not a big help here at all. But let's go through each option. Option is not the right one because this involves setting up VPC flow logs to capture network traffic information, and then send the logs to an Amazon CloudWatch To log group, and subsequently it suggests using Amazon Kinesis data streams to stream the logs from the log group to Amazon OpenSearch service with Viola, this is feasible, trust me it works. OK, using Kinesis data streams might introduce what might introduce unnecessary complexity for this use case. Okay, so let's this will work. But there are there might be some other options in this options where you don't have to do all this where it maybe there is a feature in one of these or VPC flow logs that you can use to make it possible. So let's go through other wrong options, which will be landed the options see, and this option involves using Cloud trail to capture VPC flow logs and then using Kinesis data streams to stream the logs to the open source service. However, what is cloud trail it is typically used for logging API activity on your account and it may not may not provide the detailed network traffic information captured by VPC flow logs hence, that's gone or similarly, Option D which is same as d where in it is using Cloud trail. So that will leave us with Option B okay, if you are looking at these two and like okay, both look the same. Why not? Why are you crossing out a and b? Well, here you are using data streams. Here we are using data firehose. Well, what is the difference? Well, this option again, similar to Option A, but suggests using Kinesis data firehose, instead of data streams. Firehose is a managed service that simplifies the process of delivering data to destinations, such as open source service, data streams cannot open data Firehose can send data to open source service, it is a more suitable option for near real time log analysis, making it a better solution for this scenario.

Answer 2

B. Create two managed node groups. Provision one node group with On-Demand Instances. Provision the second node group with Spot Instances. The keywords are infrequent and resiliency. This solution allows you to have a mix of On-Demand Instances and Spot Instances within the same EKS cluster. You can use the On-Demand Instances for the development work where you need dedicated resources and then leverage Spot Instances for testing the resiliency of the application. Spot Instances are generally more cost-effective but can be terminated with short notice, so using a combination of On-Demand and Spot Instances provides a balance between cost savings and stability. Option A (Create a managed node group that contains only Spot Instances) might be cost-effective, but it could introduce potential challenges for tasks that require dedicated resources and might not be the best fit for all scenarios. the company needs a dedicated Eks cluster for development work, the company will use the development cluster frequently to test the resiliency of the application, I think we have done similar one, but for a different use case, the Eks cluster must manage all nodes which solution most cost effectively. Okay, here we are seeing cost effectively. Okay. So what is it saying it has managed node groups. And then they want to test the resiliency of the application. And they are also using on demand, which is costly. But we want to choose the most cost effective solution here. So let's go through this option is talking about creating a managed node group that contains only Spot Instances. Well, yeah, this is cheaper, but this might not be the best solution because stability and predictability are required for certain development activities I and we are talking about making it available right needs dedicated Eks cluster for development. If you go with Spot Instances, there will be instances where you won't have any spot instances. So there won't be any development Eks cluster in the development to work with that also having Spot Instances for all of them, no, we are not going to it is not going to work it out okay, then we have option C wherein it is talking about both actually both option C and Option D involves using auto scaling groups and user data scripts. While they could work managing multiple managed node groups, provides a cleaner and more straightforward approach in the context of eks. So here they are talking again, same thing manage node group that contains only on demand this is going to be costly for that reason, we won't use it. And this is talking about auto scaling groups confident users Spot Instances again same thing as this. So instead what we will do is we will use a combination of dedicated on demand instances and Spot Instances. So whenever the Spot Instances are not available, it doesn't mean that complete Eks cluster is down no we will have the on demand instances we will use it so option B allows the company to have a dedicated cluster for development work by creating two managed node instances instance one, one using on demand instances and the other using Spot Instances. The company can manage costs effectively, on demand on demand instances provides stability and reliability, which is suitable for development work that requires consistent and predictable performance. And the Spot Instances offer cost savings but come with the trade off of potential termination with short notice. However, for free infrequent testing and resilience experiments, Spot Instances can be utilized to optimize costs. Therefore, option B is the most cost effective solution that aligns with the specified requirements.

Answer 3

B. Create a customer managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS). This option allows you to create a customer managed key using AWS KMS. With a customer managed key, you have full control over key lifecycle management, including the ability to create, rotate, and disable keys with minimal effort. SSE-KMS also integrates with AWS Identity and Access Management (IAM) for fine-grained access control. as you see encryption, we have to you have to think about kms. But there are other encryptions that are available as well. For example like SSE s3, but here we are talking about create rotate and disabled keys SSE s3, you cannot rotate them because it is managed by actually s3. So since it's managed is SSE s3 is my s3 managed encryption grace. It does provide encryption but it does not give you the same level of control or what key management as done by kms. So let's forget about that. So option C even though it is using AWS kms. It probably is important to note that AWS managed keys do not provide the same level of control over key creation, rotation and disabling as customer manage key because these are managed by kms itself. Okay, okay, and Option D involves manually downloading encrypting uploading s3 objects, which is a less efficient and more error prone process competitor leveraging AWS kms server side encryption for that reason we are going to go with option B. wherein we are going to create and manage customer managed keys. giving you full control over the lifecycle of the keys. This includes the ability to create rotate, disable keys as needed, and using server side encryption with AWS kms keys ensures that the s3 objects are encrypted with the specified customer man is the key. This provides a secure and managed approach to encrypting sensitive data in Amazon s3.

Answer 4

A. Create an S3 bucket that has S3 Object Lock enabled. C. Configure a default retention period of 30 days for the objects. E. Configure an S3 Lifecycle policy to expire the objects after 30 days. In theory, E alone would be enough because the objects are "retained for 30 days" without any configuration as long as no one deletes them. But let's assume that they want us to prevent deletion. A: Yes, required to prevent deletion. Object Lock requires Versioning, so if we 'create an S3 bucket that has S3 Object Lock enabled' that this also has object versioning enabled, otherwise we would not be able to create it. C: Yes, "default retention period" specifies how long object lock will be applied to new objects by default, we need this to protect objects from deletion. https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html A. Create an S3 bucket that has S3 Object Lock enabled. Enable the S3 Object Lock feature on S3. C. Configure a default retention period of 30 days for the objects. To lock the objects for 30 days. E. Configure an S3 Lifecycle policy to expire the objects after 30 days. -> to delete the objects after 30 days. First of all, they should be retained for 30 days, they should be automatically deleted after 30 days. Okay, so those are our requirements looks like so let's go through these options. Let's eliminate what you know the wrong answers obviously, it is talking about create s3 bucket that has object versioning enabled. Okay, so why do we need this? This is not necessarily for meeting the specific requirements mentioned in the question at all. Object versioning is more relevant when managing different versions of objects, but it does not directly address the retention and deletion policies. So forget about that. Then we have option D configure in lifecycle policy to protect the objects for 30 days. Well, this is obviously not applicable here as well because the goal is to retain the object for 30 days then automatically delete them not to protect them nowhere in the question they're talking about protecting so forget about that. And then option f is not explicitly needed for implementing the retention and deletion policy using s3 object locking lifecycle policies. I mean, we can do that using that but here it is saying tagging while tagging can be useful for organizational purposes it is not a primary requirement, if you want to delete or retain them. So for that purpose, what are we going to do we are going to use s3 object or lock enable. What does this do it will ensure that the objects in the bucket cannot be deleted or modified fire a specified retention period. This helps in meeting the requirement of retaining backups for 30 days. Then, Option C configure a default retention period of 30 days for the objects Yes. By specifying the objects within the bucket are locked for a duration of 30 days when you do this. This enforces the retention policy on the objects. Finally we have option E which will make sure to delete a data medically after that it is.

Answer 5

A. Create an AWS DataSync location for both the destination S3 bucket and the EFS file system. Create a task for the destination S3 bucket and the EFS file system. Set the transfer mode to transfer only data that has changed. A fulfils the requirement of "copied files should be overwritten only if the source file changes" so A is correct. Transfer only data that has changed – DataSync copies only the data and metadata that differs between the source and destination location. Transfer all data – DataSync copies everything in the source to the destination without comparing differences between the locations. https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html

Answer 6

B. Invite the AWS R&D account to be part of the new organization after the R&D AWS account has left the old organization.

Answer 7

C. Configure an Amazon API Gateway endpoint in front of an Amazon Kinesis Data Firehose that stores the information the business receives in an Amazon S3 bucket. Use an API Gateway Lambda authorizer to resolve authorization. Amazon API Gateway: Acts as a managed service to create, publish, and secure APIs at scale. Allows the creation of API endpoints that can be integrated with other web applications. Amazon Kinesis Data Firehose: Used to capture and upload streaming data to other AWS services. In this case, you can store the information in an Amazon S3 bucket. API Gateway Lambda Authorizer: Provides a way to control access to your APIs using Lambda functions. Allows you to implement custom authorization logic. This solution offers scalability, the ability to handle unpredictable surges in activity, and integration capabilities. Using a Lambda API Gateway authorizer ensures that the authorization step is performed securely. The other options have some limitations or are less aligned with the specified requirements: A. GWLB vs. Amazon ECS: This option involves a load balancer vs. ECS, which might be better suited for scenarios requiring container orchestration, but could introduce an unnecessary complexity for the given requirements. B. Amazon API Gateway vs. Amazon Kinesis Data Flow: This option lacks the Lambda authorizer to resolve authorization and may not be as easy to integrate with other web applications. D. GWLB vs. Amazon ECS with Lambda function for authorization: Similar to option A, this introduces a load balancer and ECS, which might be more complex than necessary for the given requirements. In summary, Option C offers a streamlined solution with the necessary scalability, integration capabilities, and authorization control.

Answer 8

D. Copy automatic snapshots to another region every 24 hours Amazon RDS creates and saves automated backups of your DB instance or Multi-AZ DB cluster during your DB instance backup window. RDS creates a storage volume snapshot of your database instance, backing up the entire database instance and not just individual databases. RDS saves automated backups of your DB instance according to the backup retention period that you specify. If necessary, you can recover your DB instance at any time during the backup retention period.

Answer 9

B. Use Amazon ElastiCache for Redis to store session state. Update the application to use ElastiCache for Redis to store session state. In summary, option B (Amazon ElastiCache for Redis) is a common and effective solution for maintaining user session state in a web application, providing high availability and preventing loss of session state during server outages. Web. Amazon ElastiCache for Redis: Redis is an in-memory data store that can be used to store session data. It offers high availability and persistence options, making it suitable for maintaining session state. Sticky sessions and auto-scaling group: Using ElastiCache for Redis enables centralized storage of session state, ensuring that sticky sessions can still be maintained even if an EC2 instance is unavailable or replaced due to scaling automatic.

Answer 10

A. Create a read replica of the database. Directs queries to the read replica. This is the most cost-effective solution because it does not require any additional AWS services. A read replica is a copy of a database that is synchronized with the primary database. You can route report queries to the read replica, which will not impact performance for daily workloads

Answer 11

D. Use Amazon API Gateway to connect requests to Amazon EKS. You are charged for each hour or partial hour that an application load balancer is running, and the number of load balancer capacity units (LCUs) used per hour. With Amazon API Gateway, you only pay when your APIs are in use. https://aws.amazon.com/blogs/containers/integrate-amazon-api-gateway-with-amazon-eks/

Answer 12

D. Use Amazon S3 to store images. Use Amazon CloudFront to distribute geo-restricted images. Provide a signed URL for each client to access data in CloudFront. In summary, option D (Use Amazon S3 to store the images. Use Amazon CloudFront to distribute the geo-restricted images. Provide a signed URL for each client to access the data in CloudFront) is the most appropriate solution to meet the requirements. specified. Amazon S3 for Storage: Amazon S3 is used to store the images. Provides scalable, durable, low-latency storage for images. Amazon CloudFront for content delivery: CloudFront is used as a content delivery network (CDN) to distribute images globally. This reduces latency and ensures fast access for customers around the world. Geo Restrictions in CloudFront: CloudFront supports geo restrictions, allowing the company to deny access to users from specific countries. This satisfies the requirement of controlling access based on the user's location. Signed URLs for secure access: Signed URLs are provided to clients for secure access to images. This ensures that only authorized customers can access the content. Cost Minimization: CloudFront is a cost-effective solution for content delivery, and can significantly reduce data transfer costs by serving content from edge locations close to end users.

Answer 13

A. Use Multi-AZ Redis replication groups with shards containing multiple nodes. In summary, option A (Use Multi-AZ Redis Replication Groups with shards containing multiple nodes) is the most appropriate option to achieve high availability at both the node level and the AWS Region level in Amazon ElastiCache for Redis. Multi-AZ Redis Replication Groups: Amazon ElastiCache provides Multi-AZ support for Redis, allowing the creation of replication groups that span multiple availability zones (AZs) within a region. This guarantees high availability at a regional level. Shards with Multi-node: Shards within the replication group can contain multiple nodes, providing scalability and redundancy at the node level. This contributes to high availability and performance.

Answer 14

C. Start the EC2 on-demand instances with hibernation enabled. Configure EC2 Auto Scaling hot pools during the next testing phase. In summary, option C (Start EC2 on-demand instances with hibernation enabled. Configure EC2 Auto Scaling hot pools during the next testing phase) addresses the problem of reducing launch time by utilizing hibernation and maintenance. from hot pools for faster response. EC2 On-Demand Instances with Hibernation: Hibernation allows EC2 instances to persist their in-memory state to Amazon EBS. When an instance is hibernated, it can quickly resume with its previous memory state intact. This is particularly useful for reducing startup time and loading memory quickly. EC2 Auto Scaling Warm Pools: Auto Scaling warm pools allow you to keep a specific number of instances running even when demand is low. Warm pools keep instances in a state where they can respond quickly to increased demand. This helps reduce the time it takes for an instance to become fully productive.

Answer 15

C. Use dynamic scaling to change the size of the Auto Scaling group. Dynamic Scaling: Dynamic scaling adjusts the size of the Auto Scaling group in response to changing demand. Allows the Auto Scaling group to automatically increase or decrease the number of instances based on defined policies. This is well suited for handling surges in traffic as the group enters or exits as needed.

Answer 16

A. Migrate the PostgreSQL database to Amazon Aurora Serverless v2. Amazon Aurora Serverless v2: Aurora Serverless v2 is designed for variable and unpredictable workloads. Automatically adjusts database capacity based on actual usage, allowing you to scale down during low demand periods and scale up during peak periods. This ensures that the application can handle increased traffic without manual intervention.

Answer 17

B. Configure scheduled scaling to increase Lambda-provisioned concurrency before employees start using the application each day. Scheduled scaling for provisioned concurrency: Provisioned concurrency ensures that a specified number of function instances are available and hot to handle requests. By configuring scheduled scaling to increase provisioned concurrency ahead of anticipated maximum usage each day, you ensure that there are enough warm instances to handle incoming requests, reducing cold starts and latency.

Answer 18

MORE FOLLOW UP NEEDED! A. Deploy an on-premises AWS Storage Gateway in Amazon S3 File Gateway mode. C. Configure an AWS Glue crawler to create a table based on the data that is in Amazon S3. F. Configure Amazon Athena to query data that is in Amazon S3. Provide access to analysts. Deploy an on-premises AWS Storage Gateway in Amazon S3 File Gateway mode (Option A): This allows on-premises devices to write data to an SMB file share, and the data is stored in Amazon S3. This option provides a scalable and cost-effective way to ingest data into the cloud. Configure an AWS Glue crawler to create a table based on data in Amazon S3 (Option C): AWS Glue can automatically discover the schema of the data in Amazon S3 and create a table in the AWS Glue data catalog. This makes it easier for analysts to query data using SQL commands. Set up Amazon Athena to Query Data in Amazon S3 (Option F): Amazon Athena is a serverless query service that allows analysts to run SQL queries directly on data stored in Amazon S3. It's cost-effective because you charge per query, and there's no need to provision or manage infrastructure.

Answer 19

A. Provide resilient power and network connectivity to the Outposts racks C. Physical security and access controls of the Outposts data center environment F. Plan additional capacity for clusters Amazon ECS to mitigate server failures and maintenance events From https://docs.aws.amazon.com/whitepapers/latest/aws-outposts-high-availability-design/aws-outposts-high-availability-design.html With Outposts, you are responsible for providing resilient power and network connectivity to the Outpost racks to meet your availability requirements for workloads running on Outposts. You are responsible for the physical security and access controls of the data center environment. You must provide sufficient power, space, and cooling to keep the Outpost operational and network connections to connect the Outpost back to the Region. Since Outpost capacity is finite and determined by the size and number of racks AWS installs at your site, you must decide how much EC2, EBS, and S3 on Outposts capacity you need to run your initial workloads, accommodate future growth, and to provide extra capacity to mitigate server failures and maintenance events.

Answer 20

A. Implement a network load balancer (NLB). Configure the NLB to be publicly accessible over the TCP port that the application requires. Network Load Balancer (NLB): NLB is designed to handle TCP traffic with extremely low latency. It is a Layer 4 (TCP/UDP) load balancer that provides high performance and scales horizontally. NLB is suitable for scenarios where low latency and high throughput are critical, making it a good choice for TCP-based applications with strict performance requirements. Publicly Accessible: NLB can be configured to be publicly accessible, allowing it to accept incoming requests from the Internet. TCP Port Configuration: NLB allows you to configure it to listen on the specific non-standard TCP port required by the application. Options B, C, and D are less suitable for the given requirements: Application Load Balancer (ALB) (Option B): ALB is designed for HTTP/HTTPS traffic and operates at the application layer (layer 7). It may introduce additional overhead and may not be as suitable for non-TCP HTTP based applications. Amazon CloudFront (Option C): CloudFront is a content delivery network service designed primarily for content delivery, and is typically used for HTTP/HTTPS traffic. It may not be the best option for handling arbitrary TCP traffic. Amazon API Gateway (Option D): API Gateway is designed to create RESTful APIs and is not optimized for arbitrary TCP traffic. It may not provide the low latency performance required for the described scenario. Therefore, NLB is the recommended option to maintain high throughput and low latency for a TCP-based application on a non-standard port. NLB is able to handle up to tens of millions of requests per second, while providing high performance and low latency. https://aws.amazon.com/blogs/aws/new-network-load-balancer-effortless-scaling-to-millions-of-requests-per-second/ https://aws.amazon.com/elasticloadbalancing/network-load-balancer Network Load Balancer operates at the connection level (Layer 4), routing connections to targets (Amazon EC2 instances, microservices, and containers) within Amazon VPC, based on IP protocol data. Ideal for load balancing of both TCP and UDP traffic, Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies. Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. It is integrated with other popular AWS services such as Auto Scaling, Amazon EC2 Container Service (ECS), Amazon CloudFormation, and AWS Certificate Manager (ACM).

Answer 21

B. Creates an Aurora read replica of the RDS instance for the PostgreSQL database. Promote the Aurora read replica to a new Aurora PostgreSQL DB cluster. Aurora Read Replica: Creates an Aurora Read Replica of the existing RDS instance for the PostgreSQL database. This read replica is continually updated with changes to the source database. Promotion: Promote the Aurora read replica to become the primary instance of the new Aurora PostgreSQL database cluster. This process involves minimal downtime as it does not affect the source RDS for the PostgreSQL database instance. Advantages of Option B: Low Downtime: Read replica can be promoted with minimal downtime, allowing for a smooth transition. Continuous Replication: Read replication ensures continuous replication of changes from the source database to the Aurora PostgreSQL database cluster. Operating Overhead: This approach minimizes operating overhead compared to other options. Take advantage of Aurora's replication capabilities for seamless migration.

Answer 22

C. Use AWS Backup to configure a backup plan for the entire EC2 instance group. Use the AWS Backup API or AWS CLI to speed up the process of restoring multiple EC2 instances. AWS Backup: AWS Backup is a fully managed backup service that centralizes and automates data backup across all AWS services. Supports backup of Amazon EBS volumes and enables efficient backup management. Backup plan: Create a backup plan in AWS Backup that includes the entire EC2 instance group. This ensures a centralized and consistent backup strategy for all instances. API or CLI: AWS Backup provides an API and CLI that can be used to automate and speed up the process of restoring multiple EC2 instances. This allows for a simplified disaster recovery process. Advantages of Option C: Centralized Management: AWS Backup provides a centralized management interface for backup plans, making it easy to manage and track backups of a large number of resources. Automation: Using the AWS Backup API or CLI allows automation of backup and restore processes, reducing manual effort. Consistent backups: AWS Backup ensures consistent and reliable backups of EBS volumes associated with EC2 instances.

Answer 23

B. Use AWS passing function map state in distributed mode to process data in parallel. AWS Step Functions allow you to orchestrate and scale distributed processing using map state. Map state can process elements in a large data set in parallel by distributing work across multiple resources. Using map state in distributed mode will automatically take care of parallel processing and scaling. Step Functions will add more workers to process the data as needed. Step Functions is serverless, so there are no servers to manage. It will automatically scale based on demand. https://docs.aws.amazon.com/step-functions/latest/dg/use-dist-map-orchestrate-large-scale-parallel-workloads.html

Answer 24

D. Order multiple AWS Snowball devices. Copy data to devices. Send the devices to AWS to copy the data to Amazon S3. 1 Gbps will make about 7 TB in 24 hours. This means that 400 Mbps will only do 2.8 TB in 24 hours. Or, 510 weeks to transmit.

Answer 25

D. Deploy an AWS Storage Gateway volume gateway that is configured with cached volumes. AWS Storage Gateway: AWS Storage Gateway is a hybrid cloud storage service that provides seamless, secure integration between on-premises IT environments and AWS storage services. Supports different gateway configurations, including volume gateways. Cached volumes provide low latency access to frequently used data because frequently accessed data is stored locally on premises. The entire dataset is backed up on Amazon S3, ensuring durability and accessibility. Minimal Changes to Infrastructure: Using a cached volume gateway minimizes the need for significant changes to existing infrastructure. It allows the company to keep frequently accessed data on-premises while taking advantage of the scalability and durability of Amazon S3. Incorrect Option C (AWS Storage Gateway volume gateway with stored volumes): Stored volumes keep the entire data set on-premises, and may not be best suited for low-latency access to frequently used data. Therefore, option D, which uses an AWS Storage Gateway volume gateway with cached volumes, is the most appropriate option for the given requirements.

Answer 26

B. Store all objects in S3 Standard with an S3 lifecycle rule to transition the objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days. Before you transition objects to S3 Standard-IA or S3 One Zone-IA, you must store them for at least 30 days in Amazon S3. For example, you cannot create a Lifecycle rule to transition objects to the S3 Standard-IA storage class one day after you create them. Amazon S3 doesn't support this transition within the first 30 days because newer objects are often accessed more frequently or deleted sooner than is suitable for S3 Standard-IA or S3 One Zone-IA storage. Similarly, if you are transitioning noncurrent objects (in versioned buckets), you can transition only objects that are at least 30 days noncurrent to S3 Standard-IA or S3 One Zone-IA storage. https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-general-considerations.html

Answer 27

C. Create an Amazon S3 bucket. Update the app to store documents in S3 bucket. Store the object metadata in the existing database. Storing the blobs in the db is more expensive than s3 with references in the db. DynamoDB's limit on the size of each record is 400 KB, so D is wrong. Considerations: Storing large objects (blobs) in Amazon S3 is a scalable and cost-effective solution. Storing metadata in the existing database allows you to maintain the necessary information for each document. The load on the RDS instance has been reduced as large objects are stored in S3. Conclusion: This option is recommended as it leverages the strengths of Amazon S3 and RDS, providing scalability, cost-effectiveness, and maintaining metadata. Option C stands out as the most suitable to address the requirements while taking into account factors such as performance, scalability and cost-effectiveness.

Answer 28

A. Associate an AWS WAF web ACL with the ALB. Use IP rule sets in the ALB to filter traffic. Update the IP addresses in the rule to include the registered IP addresses. AWS Web Application Firewall (WAF) is designed to protect web applications from common web exploits. By associating a WAF web ACL with the ALB, you can configure IP rule sets to filter incoming traffic based on source IP addresses. Updating the IP addresses in the rule to include registered IP addresses allows you to control and restrict access to only authorized locations. Conclusion: This option provides a secure and scalable solution to restrict web application access based on registered IP addresses.

Answer 29

B. Create data filters to implement row-level security and cell-level security. Data filters in AWS Lake Formation are designed to implement row-level and cell-level security. This option aligns with the requirement to control access at the data level and is an appropriate approach for this scenario.

Answer 30

B. Deploy a gateway VPC endpoint for Amazon S3. Set up an AWS Direct Connect connection between your on-premises network and the VPC. Deploy a gateway VPC endpoint for Amazon S3: This allows EC2 instances in the VPC to access Amazon S3 directly without traversing the public Internet. Ensures that data is transmitted securely over the AWS network. Set up an AWS Direct Connect connection: Direct Connect provides a dedicated network connection between the on-premises network and the VPC, ensuring a private, trusted link.

Answer 31

A. Use Amazon Kinesis Data Streams to ingest the data. Process data using AWS Lambda functions. Amazon Kinesis Data Streams can handle large volumes of streaming data, providing a scalable and resilient solution. AWS Lambda functions can be triggered by Kinesis Data Streams, allowing the application to process data in near real time. Lambda automatically scales based on the rate of incoming events, ensuring the system can handle spikes in data volume. Amazon Kinesis Data Streams, for ingesting data and processing it with AWS Lambda functions, is the recommended design for handling near real-time streaming data at scale. Provides the scalability and resilience needed to process large volumes of data. The keyword is "real time". Kinesis data streams are meant for real time data processing. https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-kinesis-data-streams-on-demand/

Answer 32

D. Configure a VPC endpoint. Update the S3 bucket policy to allow access from the VPC endpoint. Update the application to use the new VPC endpoint. A VPC endpoint allows your EC2 instances to connect to services like Amazon S3 directly within the AWS network without traversing the Internet. An Internet gateway or NAT gateway is not required for this solution, ensuring that the application does not use the Internet to connect to the S3 bucket. Improves security by keeping traffic within the AWS network and avoiding exposure to the public Internet.

Answer 33

B. Enable secret encryption on the EKS cluster using the AWS Key Management Service (AWS KMS). Amazon EKS offers the option to encrypt Kubernetes secrets at rest using AWS Key Management Service (AWS KMS). This is a native and managed solution within the EKS service, reducing operational overhead. Kubernetes secrets are automatically encrypted using the default AWS KMS key for the EKS cluster. This ensures that sensitive information stored in Kubernetes secrets is encrypted, providing security.

Answer 34

D. Deploy an application load balancer with a target group that contains the auto-scaling group of application servers. Configure the security group to allow only web servers to access application servers. An application load balancer (ALB) can be used to distribute incoming web traffic across multiple Amazon EC2 instances. The ALB can be configured with a target group that contains the Auto Scaling group of application servers. Security groups can be used to control incoming and outgoing traffic to instances. By configuring the security group associated with the application servers to only allow security group traffic from the web servers, you limit access to only the web servers.

Answer 35

D. Configure Amazon CloudWatch Container Insights on the existing EKS cluster. View metrics and logs in the CloudWatch console. Amazon CloudWatch Container Insights provides a comprehensive solution for monitoring and analyzing containerized applications, including those running on Amazon Elastic Kubernetes Service (Amazon EKS). Collects performance metrics, logs, and events from EKS clusters and containerized applications, allowing you to gain insight into their performance and health. CloudWatch Container Insights integrates with CloudWatch Logs, allowing you to view logs and metrics in the CloudWatch console for analysis. Provides a centralized location to collect, aggregate, and summarize metrics and logs for your customer-facing application's microservices architecture.

Answer 36

C. Configure Amazon GuardDuty to monitor and report findings to AWS Security Hub. Amazon GuardDuty is a threat detection service that continuously monitors malicious activity and unauthorized behavior in AWS accounts. Analyzes VPC flow logs, AWS CloudTrail event logs, and DNS logs for potential threats. GuardDuty findings can be sent to AWS Security Hub, which acts as a central hub for monitoring security alerts and compliance status across all AWS accounts. AWS Security Hub consolidates and prioritizes findings from multiple AWS services, including GuardDuty, and provides a unified view of security alerts. Security Hub can integrate with third-party security tools and allows the creation of custom actions to remediate security findings. This solution provides continuous monitoring, detection, and reporting of malicious activities in your AWS account, including S3 bucket access patterns.

Answer 37

B. Create an Amazon Elastic File System (Amazon EFS) file system. E. Install an AWS DataSync agent in the on-premises data center. Use a data synchronization task between on-premises and AWS. Option B: Amazon EFS provides a fully managed, scalable NFS file system that can be mounted by multiple Amazon EC2 instances simultaneously. You can create an Amazon EFS file system and then mount it to the necessary AWS resources. Option E: AWS DataSync is a data transfer service that simplifies and accelerates data migration between on-premises storage systems and AWS. By installing a DataSync agent in your on-premises data center, you can use DataSync tasks to efficiently transfer data to Amazon EFS. This approach helps minimize downtime and ensure a smooth migration.

Answer 38

C. Create an FSx file system for Windows File Server on us-east-1 that has a Multi-AZ deployment type. Use AWS Backup to create a daily backup plan that includes a backup rule that copies the backup to us-west-2. Configure AWS Backup Vault Lock in compliance mode for a target vault on us-west-2. Set a minimum duration of 5 years. A Multi-AZ deployment type in us-east-1 provides high availability within the region. AWS Backup can be used to automate the backup process and create a backup copy on us-west-2. Using AWS Backup Vault Lock in compliance mode ensures that data is retained for the specified duration (5 years) and cannot be deleted by any user. In summary, Option C with Multi-AZ deployment and compliance mode for Vault Lock is considered the most robust solution to ensure high availability and long-term data retention with strict controls.

Answer 39

C. Create a service control policy (SCP) that prohibits changes to CloudTrail and attach it to the developer accounts. Service control policies (SCPs) are applied at the root level of an AWS organization to set fine-grained permissions for all accounts in the organization. By creating an SCP that explicitly prohibits changes to CloudTrail, you can enforce this policy across all developer accounts. This approach ensures that even if individual developers have root access to their AWS accounts, they will not be able to modify CloudTrail settings due to SCP restrictions.

Answer 40

C. SSD IOPS provisioned Amazon Elastic Block Store (Amazon EBS) volume Provisioned IOPS SSD volumes are designed for applications that require predictable and consistent I/O performance. You can provision a specific number of IOPS when creating the volume to ensure consistent low-latency performance. These volumes provide durability and are suitable for business-critical applications.

Answer 41

A. Create a second S3 bucket on us-east-1. Use S3 cross-region replication to copy photos from the existing S3 bucket to the second S3 bucket. This is a simple and fully managed solution. To automatically replicate new objects as they are written to the bucket, use live replication, such as Cross-Region Replication (CRR).

Answer 42

C. Implement Amazon DynamoDB as a database solution. Make sure DynamoDB auto-scaling is enabled. D. Deploy the static content to an Amazon S3 bucket. Provision an Amazon CloudFront distribution with the S3 bucket as the origin. C. DynamoDB auto-scaling dynamically adjusts provisioned capacity based on actual traffic. This is a good option to handle different workloads and ensure optimal performance. D. This is a valid approach to serving static content with low latency globally using Amazon CloudFront. It helps in scalability and improves performance by distributing content to edge locations. Based on scalability and ease of management, the recommended options are C (DynamoDB with auto-scaling) and D (S3 with CloudFront). These options take advantage of fully managed services and provide scalability without the need for manual intervention. With provisioned capacity you can also use auto scaling to automatically adjust your table’s capacity based on the specified utilization rate to ensure application performance, and also to potentially reduce costs. To configure auto scaling in DynamoDB, set the minimum and maximum levels of read and write capacity in addition to the target utilization percentage. It is important to note that DynamoDB auto scaling modifies provisioned throughput settings only when the actual workload stays elevated or depressed for a sustained period of several minutes. This means that provisioned capacity (with on-demand) is probably best for you if you have relatively predictable application traffic, run applications whose traffic is consistent, and ramps up or down gradually. Whereas on-demand capacity mode is probably best when you have new tables with unknown workloads, unpredictable application traffic and also if you only want to pay exactly for what you use. The on-demand pricing model is ideal for bursty, new, or unpredictable workloads whose traffic can spike in seconds or minutes, and when under-provisioned capacity would impact the user experience.

Answer 43

B. Configure AWS WAF.

Answer 44

D. Configure Security Assertion Markup Language (SAML)-based federation 2 0. Create roles with the appropriate policies attached. Assign roles to Active Directory groups. SAML enables single sign-on (SSO) between the company's Active Directory and AWS. Users can use their existing corporate credentials to access AWS resources without having to manage a separate set of credentials for AWS. Roles and policies: With SAML-based federation, roles are created in AWS that define the permissions that users will have. Policies are attached to these roles to specify what actions users can take. Assignment to Active Directory Groups: Roles in AWS can be assigned to Active Directory groups. This allows you to centrally manage permissions across Active Directory groups, and users inherit these permissions when they assume the associated roles in AWS. In summary, SAML-based federation provides a standardized way to enable single sign-on between AWS and the enterprise Active Directory, ensuring a seamless experience for users while maintaining centralized access control across Active Directory groups.

Answer 45

C. Configure Amazon Route 53 with a geolocation policy With Amazon Route 53, you can create a geolocation routing policy that routes traffic based on the user's geographic location. This allows you to serve different content or direct users to different application load balancers based on their geographic location. By setting geolocation policies on Amazon Route 53, you can achieve the desired content distribution while complying with distribution rights. In summary, for the specific requirement of serving different content based on the geographic location of users, the most appropriate option is to use geolocation routing policies with Amazon Route 53.

Answer 46

B. Deploy an AWS DataSync agent on-premises. Configure the DataSync agent to perform online data transfer to an S3 bucket. AWS DataSync is a service designed for online data transfer to and from AWS. Deploying a DataSync agent on-premises enables efficient and secure transfers over the network. DataSync automatically verifies data integrity, ensuring that Amazon S3 data matches the source

Answer 47

A. Create 200 new hosted zones in the Amazon Route 53 console Import zone files. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html

Answer 48

C. Configure the S3 storage lens to report the incomplete multipart upload object count. S3 Storage Lens is a fully managed analytics solution that provides organization-wide visibility into object storage usage, activity trends, and helps identify cost-saving opportunities. It is designed to minimize operational overhead and provides comprehensive information about your S3 usage. Incompleteness Reporting: S3 Storage Lens allows you to configure metrics, including multi-part incomplete uploads, without the need for complex configuration. It provides a holistic view of your storage usage, including the status of loads from various parties, making it suitable for compliance and cost monitoring purposes. S3 storage lens is specifically designed to obtain information about S3 usage.

Answer 49

D. Use Amazon RDS blue/green deployments to deploy and test production changes. You can make changes to RDS database instances in the green environment without affecting production workloads. For example, you can upgrade the major or minor version of the database engine, update the underlying file system configuration, or change database parameters in the staging environment. You can thoroughly test the changes in the green environment. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments-overview.html

Answer 50

C. Use an Amazon Elastic Container Service (Amazon ECS) Fargate task triggered by an Amazon EventBridge scheduled event. Serverless, suitable for long-running tasks. Automatically scale and manage the underlying infrastructure. EC2 instances from option D would cost more.

Answer 51

B. Use Amazon Neptune to store the information. Use Neptune Streams to process changes to the database. Amazon Neptune is a fully managed graph database, and Neptune Streams allows you to capture changes to the database. This option provides a fully managed solution for storing and monitoring database changes, minimizing operational overhead. Both storage and change monitoring are handled by Amazon Neptune.

Answer 52

C. Store the data in an Amazon Elastic File System (Amazon EFS) file system. Mount the file system on the application instances. Amazon EFS is a scalable, elastic file storage service that can be mounted on multiple EC2 instances simultaneously. It is suitable for applications that require shared access to data across multiple instances. This option is a good option for the scenario described.

Answer 53

C. Create a read replica from the source database instance. Serves read traffic from the read replica.

Answer 54

C. Configure cross-account access for S3 bucket to accounts owned by agencies. This is a suitable option. You can configure cross-account access by creating AWS Identity and Access Management (IAM) roles in the source data account and allowing consulting agency AWS accounts to assume these roles. This way you can grant temporary and secure access to the S3 bucket.

Answer 55

C. Create an SNS subscription that sends the event to Amazon Simple Queue Service (Amazon SQS). Configure the SOS queue to trigger a Lambda function. It follows the pattern of using an SQS queue as an intermediary for event handling, providing scalable and decoupled event processing. SQS can handle bursts of events, and the Lambda function can be triggered from the SQS queue. This solution is the recommended scalable approach to handle Amazon S3 events in a decoupled manner. Primary advantage of having a SQS in between SNS and Lambda is Reprocessing. Assume that the Lambda fails to process certain event for some reason (e.g. timeout or lack of memory footprint), you can increase the timeout (to max 5 minutes) or memory (to max of 1.5GB) and restart your polling and you can reprocess the older events. This would not be possible in case of SNS to Lambda, wherein if Lambda fails the event is lost. And even if you configure DLQ you would still have to make provisions for reading that separately and processing the message

Answer 56

B. AWS Lambda C. Amazon DynamoDB B. AWS Lambda is a serverless computing service that automatically scales in response to incoming request traffic. It is suitable for handling unpredictable request patterns, and you only pay for the calculation time consumed. Lambda can integrate with other AWS services, including API Gateway, to handle the backend logic of your service. C. DynamoDB is a fully managed NoSQL database that provides fast, predictable performance with seamless scalability. It is well suited for simple key-value queries and can handle different workloads. DynamoDB automatically scales based on demand, making it suitable for unpredictable request patterns. It also supports automatic scaling of read and write capacity.

Answer 57

A. Use an AWS Lambda function to create a URL pre-signed by S3. Instruct employees to use the URL. A. By using an AWS Lambda function, you can generate S3 pre-signed URLs on the fly. These URLs grant temporary access to specific S3 resources. Employees can use these URLs to securely upload or download data without requiring direct access to AWS credentials. This approach minimizes operational overhead, as you only need to manage the Lambda function, and there is no need for complex user management. Minimizing operational overhead: AWS Lambda is a serverless computing service, meaning there is no need to manage the underlying infrastructure. The Lambda function can be triggered by specific events (for example, an S3 upload trigger), and can be designed to handle the generation of pre-signed URLs automatically. This solution simplifies the process of securely sharing data without the need for extensive user management or additional infrastructure management.

Answer 58

A. Disable session affinity (sticky sessions) on the ALB Session affinity (sticky sessions): When session affinity (sticky sessions) is enabled, the load balancer routes requests from a particular client to the same backend EC2 instance. While this It can be beneficial in certain scenarios, it can lead to uneven traffic distribution and higher latency if one instance receives more requests than others. Disabling sticky sessions: By disabling session affinity, ALB distributes incoming requests more evenly across all healthy instances, helping to balance load and reduce latency.

Answer 59

B. Grant decryption permission for the Lambda IAM role in the KMS key's policy * This action ensures that the IAM role associated with the Lambda function has the necessary permission to decrypt files using the specified KMS key. E. Create a new IAM role with the kms:decrypt permission and attach the execute role to the Lambda function. * If the existing IAM role lacks the required kms:decrypt permission, you may need to create a new IAM role with this permission and attach it to the Lambda function.

Answer 60

B. Enable cost and usage reporting in the management account. Deliver reports to Amazon S3. Use Amazon Athena for analysis. Directly stores reports in S3 and leverages Athena for SQL-based analysis.

Answer 61

A. Connect a network load balancer to the Auto Scaling group. Network Load Balancers (NLBs) are designed to handle TCP, UDP, and TLS traffic.

Answer 62

A. Store logs in Amazon S3. Use Amazon Athena for analytics. Amazon S3 is a highly scalable object storage service, and Amazon Athena allows you to run SQL queries directly on data stored in S3. This option is cost-effective as you only pay for the queries you run. It is suitable for on-demand analysis with standard SQL queries. Given the requirement for cost-effectiveness, scalability, and on-demand analysis with standard SQL queries, option A (Amazon S3 with Amazon Athena) is probably the most suitable option. It enables efficient storage, scalable queries, and cost-effective on-demand analysis for large amounts of web traffic logs.

Answer 63

A. Use the AWS Certificate Manager (ACM) console to request a public certificate for the apex top com domain example and a wildcard certificate for *.example.com. E. Validate domain ownership by adding the necessary DNS records to the DNS provider. A. This option is valid to protect both the apex domain and its subdomains with a single wildcard certificate. E. This is part of the domain validation process. DNS validation is commonly used for issuing SSL/TLS certificates. https://docs.aws.amazon.com/acm/latest/userguide/domain-ownership-validation.html

Answer 64

B. Use an AWS Key Management Service (AWS KMS) external keystore backed by an external key manager. With the AWS KMS Foreign Key Vault, AWS KMS can use an external key manager for key storage. This allows the company to use its own key management infrastructure outside of the AWS cloud. This option provides flexibility and allows integration with multiple external key managers while minimizing operational overhead on the AWS side. https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html

Answer 65

C. Use Amazon FSx for Luster as a shared file system. Link the file system to an Amazon S3 bucket for further processing. Amazon FSx for Luster is well suited for HPC workloads, providing parallel access with low latency. Linking the file system to an S3 bucket allows for seamless integration for post-processing, leveraging the strengths of both services.

Answer 66

A. Use AWS Global Accelerator with health checks. A. AWS Global Accelerator provides static IP addresses that act as a fixed entry point to your applications. Supports health checks, which helps route traffic only to healthy endpoints. This can provide high availability and low latency access. B. Amazon Route 53 can route traffic based on users' geographic location. While it supports failover, failover may not be as automated or fast as using AWS Global Accelerator. C. Amazon CloudFront is a content delivery network that can distribute content globally. While it can handle multiple sources, it may not provide the same level of control over failover and latency as AWS Global Accelerator.

Answer 67

B. Use Amazon FSx for Luster persistent file systems. Amazon FSx persistent file systems for Luster are durable and can maintain data. It provides high performance and is designed for HPC and other high-performance workloads. A. Amazon FSx for Luster provides high-performance file systems optimized for HPC workloads. Scratch filesystems are temporary and do not persist data after the filesystem is deleted. For large-scale HPC workloads with sub-millisecond latency requirements and the need for sustained performance, Amazon FSx for Luster Persistent File Systems (Option B) is best suited. It is designed to deliver high performance for compute-intensive workloads, making it a good choice for weather forecasting enterprise requirements.

Answer 68

C. Configure the General Purpose SSD (gp3) EBS volume storage type and provision 15,000 IOPS. Gp3 is more cost effective than io1 and is designed for higher performance. Considering cost effectiveness, gp3 may be a suitable option, providing the necessary IOPS.

Answer 69

C. Transition the objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 180 days, S3 Glacier Instant Retrieval after 360 days, and S3 Glacier Deep Archive after 5 years. glacier instant retrieval actually going to retrieve the data instantly within milliseconds, whereas glacial flexible retrieval, this will take at least five to 12 hour. So obviously, we cannot use this for our use case, because after 360 days, we need it immediately, which is only going to be achieved by glacier retrieval.

Answer 70

A. Migrate to Amazon RDS for Microsoft SOL Server. Use read replicas for reporting purposes

Answer 71

D. Configure canary settings for the production stage API. Change the percentage of traffic directed to the canary deployment to 20%. Make planned updates to the production stage. Implement the changes Canary release is a software development strategy in which a new version of an API (as well as other software) is deployed for testing purposes, and the base version remains deployed as a production release for normal operations on the same stage. For purposes of discussion, we refer to the base version as a production release in this documentation. Although this is reasonable, you are free to apply canary release on any non-production version for testing. In a canary release deployment, total API traffic is separated at random into a production release and a canary release with a pre-configured ratio. Typically, the canary release receives a small percentage of API traffic and the production release takes up the rest. The updated API features are only visible to API traffic through the canary. You can adjust the canary traffic percentage to optimize test coverage or performance. https://docs.aws.amazon.com/apigateway/latest/developerguide/canary-release.html

Answer 72

B. Configure a transient cluster that runs the primary node and core nodes on on-demand instances and task nodes on spot instances In this option, the cluster is configured as transient, indicating that it is intended for short-lived workloads. The master node and core nodes are instantiated on-demand for stability and reliability. Task nodes are in one-time instances, which can be more profitable, but have the risk of outages. From the documentation: When you configure termination after step execution, the cluster starts, runs bootstrap actions, and then runs the steps that you specify. As soon as the last step completes, Amazon EMR terminates the cluster's Amazon EC2 instances. Clusters that you launch with the Amazon EMR API have step execution enabled by default. Termination after step execution is effective for clusters that perform a periodic processing task, such as a daily data processing run. Step execution also helps you ensure that you are billed only for the time required to process your data. https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-longrunning-transient.html

Answer 73

B. Create an AWS Lambda function to tag the resources after the Lambda function looks up the appropriate cost center from the RDS database. Configure an Amazon EventBridge rule that reacts to AWS CloudTrail events to invoke the Lambda function. In option B, an AWS Lambda function is used to tag the resources. This Lambda function is configured to look up the appropriate cost center from the RDS database. This ensures that each resource is tagged with the correct cost center ID. Using Amazon EventBridge in conjunction with AWS CloudTrail events allows you to trigger the Lambda function when resources are created. This ensures that the tagging process is automatically started whenever a relevant event occurs.

Answer 74

D. Configure an Amazon CloudFront distribution with an Amazon S3 endpoint to an S3 bucket that is configured to host the static content. Configure an application load balancer that targets an Amazon Elastic Container Service (Amazon ECS) service that runs AWS Fargate tasks for the PHP application. Configure the PHP application to use an Amazon ElastiCache for Redis cluster that runs in multiple availability zones. This option leverages Amazon CloudFront for global content delivery, providing low-latency access to static resources. Separating static content (hosted on S3) and dynamic content (running on ECS with Fargate) is a good practice for scalability and manageability. Using an application load balancer with AWS Fargate tasks for your PHP application provides a highly available and scalable environment. The Amazon ElastiCache for Redis cluster with Multi-AZ is used for session management, ensuring high availability. Option D is a well-designed solution that leverages multiple AWS managed services to achieve high availability, scalability, and separation of concerns. It aligns with best practices for hosting web applications on AWS.

Answer 75

C. Create a public application load balancer. Specify the application target group. E. Create a web ACL in AWS WAF. Associate the web ACL with the endpoint An application load balancer (ALB) is designed for HTTP/HTTPS traffic and supports session affinity (sticky sessions). By creating a public ALB, you can expose your web application to the Internet with the necessary routing and load balancing capabilities. AWS WAF (Web Application Firewall) provides protection against common web exploits and attacks. By creating a web ACL, you can define rules to filter and control web traffic. Associating the web ACL with the endpoint ensures that the web application is protected by the specified security policies.

Answer 76

D. Store images in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Use S3 Standard-IA to deliver images directly using a static website.

sthithapragnakk -- SAA Exam Dumps Jan 24 1-100 Flashcards

(100 cards)