sthithapragnakk -- SAA Exam Dumps Jan 24 101-200 Flashcards

Question

697 # A company uses Amazon EC2 instances and stores data on Amazon Elastic Block Store (Amazon EBS) volumes. The company must ensure that all data is encrypted at rest using AWS Key Management Service (AWS KMS). The company must be able to control the rotation of encryption keys. Which solution will meet these requirements with the LESS operating overhead? A. Create a customer-managed key. Use the key to encrypt EBS volumes. B. Use an AWS managed key to encrypt EBS volumes. Use the key to set automatic key rotation. C. Create an external KMS key with imported key material. Use the key to encrypt EBS volumes. D. Use an AWS-owned key to encrypt EBS volumes.

Answer 1

A. Create a customer-managed key. Use the key to encrypt EBS volumes. By creating a customer-managed key in AWS Key Management Service (AWS KMS), your business gains control over key rotation and can manage key policies. This enables encryption of EBS volumes with a key that the enterprise can rotate as needed, providing flexibility and control with minimal operational overhead.

Answer 2

A. Use an IAM policy that allows users to create only encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Config and AWS Systems Manager to automate the detection and remediation of unencrypted EBS volumes. IAM policies can help control the creation of encrypted EBS volumes, and combining them with AWS Config and Systems Manager provides a comprehensive solution for detection and remediation.

Answer 3

B. Deploy the applications in AWS local zones by extending the company's VPC from eu-central-1 to the chosen local zone. AWS Local Zones provide low-latency access to AWS services in specific geographic locations. Deploying applications to local zones can deliver the desired low-latency experience.

Answer 4

A. Migrate the web tier to Amazon EC2 instances in an auto-scaling group behind an application load balancer. C. Migrate the database to an Amazon RDS Multi-AZ deployment.

Answer 5

B. Point the client driver to an RDS proxy endpoint. Deploy Lambda functions within a VPC. RDS is in the private subnet. So, to connect to RDS the proxy needs to be in the same VPC https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html

Answer 6

C. Create a transit gateway. Create VPC attachments for VPC connections. Create VPN attachments for on-premises connections.

Answer 7

D. Configure an AWS Lambda function with a function URL that uses an Amazon forecast predictor to create a prediction based on the inputs. E. Train an Amazon Forsecast predictor using historical data from the S3 bucket. *E*: Amazon Forecast is a fully managed service that uses machine learning (ML) to generate highly accurate forecasts without requiring any prior ML experience. Forecast is applicable in a wide variety of use cases, including estimating product demand, energy demand, workforce planning, computing cloud infrastructure usage, traffic demand, supply chain optimization, and financial planning. *D*: Publish demand using AWS Lambda, AWS Step Functions, and Amazon CloudWatch Events rule to periodically (hourly) query the database and write the past X-months (count from the current timestamp) demand data into the source Amazon S3. https://aws.amazon.com/blogs/machine-learning/automating-your-amazon-forecast-workflow-with-lambda-step-functions-and-cloudwatch-events-rule/ "Alternatively, if you are looking for a fully managed service to deliver highly accurate forecasts, without writing code, we recommend checking out Amazon Forecast. Amazon Forecast is a time-series forecasting service based on machine learning (ML) and built for business metrics analysis." https://aws.amazon.com/blogs/machine-learning/deep-demand-forecasting-with-amazon-sagemaker/ A. Deploy an Amazon SageMaker model. Create a SageMaker endpoint for inference. B. Use Amazon SageMaker to train a model by using the historical data in the S3 bucket. Amazon SageMaker is a fully managed service that allows you to build, train, and deploy machine learning (ML) models. To predict the resources needed for manufacturing processes based on historical data, you can use SageMaker to train a model. Once the model is trained, you can deploy it using SageMaker, creating an endpoint for inference. This endpoint can be used to make predictions based on new data.

Answer 8

C. Create individual users in the IAM Identity Center. Create new developer and administrator groups in the IAM Identity Center. Create new permission sets that include the appropriate IAM policies for each group. Assign the new groups to the appropriate accounts. Assign the new permission sets to the new groups. When new users are hired, add them to the appropriate group. The AWS Identity and Access Management (IAM) Identity Hub (AWS SSO) provides a centralized place to manage access to multiple AWS accounts. In this scenario, creating separate groups for developers and administrators in IAM Identity Center allows for easier management of permissions. By creating new permission sets that include the appropriate IAM policies for each group, you can assign these permission sets to the respective groups. This approach provides a simplified way to manage permissions for developer and administrator teams. When new users are hired, you can add them to the appropriate group, and they automatically inherit the permissions associated with that group. This reduces operational overhead when onboarding new users, ensuring they get the necessary permissions based on their roles.

Answer 9

D. Create an AWS configuration rule for Amazon EBS to evaluate whether a volume is encrypted and to flag the volume if it is not encrypted. AWS Config allows you to create rules that automatically check whether your AWS resources meet your desired configurations. In this scenario, you want to standardize your Amazon Elastic Block Store (Amazon EBS) volume encryption strategy and minimize the configuration cost and effort to operate volume encryption verification. By creating an AWS configuration rule specifically for Amazon EBS to evaluate whether a volume is encrypted, you can automate the process of verifying and flagging non-compliant resources. This solution is cost-effective because AWS Config provides a managed service for configuration compliance.

Answer 10

C. Use S3 multipart uploads. D. Fetch multiple byte-ranges from an object in parallel. S3 multipart uploads allow parallel uploading of parts of a large object, improving performance during the upload process. This is particularly beneficial for large files as it allows simultaneous uploads of different parts, improving overall upload performance. Multipart loads are well suited for scaling performance during data loads. Fetching multiple byte ranges in parallel is a strategy to improve download performance. By making simultaneous requests for different parts or ranges of an object, you can efficiently use available bandwidth and reduce the time required to download large files. This approach aligns with the goal of scaling performance during data downloads.

Answer 11

B. Create an Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system on the individual EC2 instances. E. Create an Amazon S3 bucket to store web content. Set the metadata for the Cache-Control header to no-cache. Use Amazon CloudFront to deliver content. Amazon EFS is a scalable, shared file storage service. It supports NFS and allows multiple EC2 instances to access the same file system at the same time. This option is suitable for achieving strong consistency and sharing content between instances, making it a good choice for web applications deployed across multiple availability zones. Amazon S3 can be used as a highly available and scalable storage solution. However, when immediate consistency is crucial, S3 may have potential consistency delays. Setting the cache control header to no cache helps minimize caching, but might not ensure strong consistency for immediate content updates. In summary, options B (Amazon EFS) and E (Amazon S3 with CloudFront) are more aligned with the goal of achieving strong consistency and sharing content between multiple instances in an Auto Scaling group. Among them, Amazon EFS is a dedicated file storage service designed for this purpose and is often a suitable choice for shared storage in distributed environments.

Answer 12

A. Create an A record with a latency policy.

Answer 13

D. Modify the Auto Scaling group to use EC2 instances across three availability zones. Migrate the embedded NoSQL database to Amazon DynamoDB by using the AWS Database Migration Service (AWS DMS). Option D (Modify the auto-scaling group to use EC2 instances in three availability zones and migrate the integrated NoSQL database to Amazon DynamoDB) provides high availability, scalability, and reduces operational overhead by leveraging a managed service like DynamoDB. It aligns well with the requirements of a highly available system and is ultimately consistent with the least operational overhead. NOTE: C. Modify the auto-scaling group to use EC2 instances in three availability zones. Keep the NoSQL database integrated with your replication service on EC2 instances. Explanation: Scaling across three availability zones can improve availability, but maintaining the NoSQL database integrated with the replication service on EC2 instances still involves operational complexity.

Answer 14

B. Configure Amazon ElastiCache for Redis to cache catalog data from Amazon DynamoDB and shopping cart data from the user's session. Amazon ElastiCache for Redis is a managed caching service that can be used to cache frequently accessed data. You can improve performance and help preserve shopping cart data by storing it in Redis, which is an in-memory data store.

Answer 15

B. Configure Amazon CloudWatch Container Insights to collect metrics from EKS clusters. Configure AWS X-Ray to trace the requests between microservices. Amazon CloudWatch Container Insights provides monitoring and observability for containerized applications. Collects metrics from EKS clusters, providing information on resource utilization and application performance. AWS X-Ray, on the other hand, helps track requests as they flow through different microservices, helping to identify bottlenecks and performance issues.

Answer 16

C. Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt data server side. In each KMS key policy, deny decryption of data for all principals except an IAM role that the customer provides. With separate KMS keys for each client and access control through KMS key policies, you can achieve the desired level of security. This allows you to explicitly deny decryption for unauthorized IAM roles. NOTE: B. Provide a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt data server side. In the S3 bucket policy, deny data decryption for all principals except a customer-provided IAM role.-- This option may not be effective because denying decryption in the S3 bucket policy might not override the key policy. It could grant access to unauthorized parties.

Answer 17

B. Provision an Internet-facing application load balancer (ALB) in a public subnet. Add the EC2 instance to the target group that is associated with the ALEB. Ensure that the DNS record for the website resolves to the ALB. By placing an ALB on the public subnet and adding the EC2 instance to a target group associated with the ALB, external Internet traffic can reach the EC2 instance on the private subnet through the ALB. This configuration allows proper handling of web traffic.

Answer 18

B. Create an Amazon Elastic File System (Amazon EFS) file system. Register the file system in a StorageClass object on an EKS cluster. Use the same file system for all containers. Amazon EFS is a fully managed file storage service that supports NFS, making it easy to share data between multiple containers in an EKS cluster. It is highly available and fault tolerant by design, and its use as a shared storage solution requires minimal operational overhead.

Answer 19

B. Use Amazon Elastic Container Service (Amazon ECS) with an AWS Fargate launch type. Create an Amazon Elastic File System (Amazon EFS) volume. Add the EFS volume as a persistent storage volume mounted to the containers. AWS Fargate is a fully managed serverless computing engine for containers, eliminating the need to manage servers. Amazon EFS is a fully managed, scalable file storage service that allows you to seamlessly share data between containers. This option meets the requirement of not managing servers or storage infrastructure.

Answer 20

A. Create internal network load balancers in front of the application in each region. C. Create an AWS global accelerator to route traffic to load balancers in each region. - Network Load Balancers (NLBs) can handle both TCP and UDP traffic, making them suitable for distributing game traffic within a region. However, NLBs are specific to a single region and do not provide global routing. - AWS Global Accelerator supports TCP and UDP protocols, making it suitable for global routing. You can direct traffic to the best-performing endpoints in different regions, providing high availability and low latency. Given the requirement for global high availability and support for TCP and UDP traffic, option C (AWS Global Accelerator) would be the most appropriate option. It can handle global routing of TCP and UDP traffic, directing users to the best performing endpoints in different regions. If more advanced traffic management is needed within each region, you can use network load balancers (NLBs) as optional components to handle TCP/UDP traffic within each region.

Answer 21

C. Subscribe to AWS Shield Advanced. Engage the AWS DDoS Response Team (DRT) to integrate mitigation controls into the service. AWS Shield Advanced is designed specifically for DDoS protection, and the involvement of the AWS DDoS Response Team (DRT) provides additional support to mitigate DDoS attacks. Requires a subscription to AWS Shield Advanced, which comes with more advanced DDoS protection features.

Answer 22

D. Create an Amazon FSx for Luster file system. Import data directly into the FSx for Luster file system. Access the FSx for Luster file system from the HPC cluster instances. - Amazon FSx for Luster is a high-performance, fully managed file system optimized for use with HPC workloads. By importing data directly into FSx for Luster, you can achieve low latency access and high performance. It is designed to provide high-performance, scalable access to data, making it well suited for HPC scenarios. This option minimizes the need for additional data transfer steps, resulting in efficient access to data on Snowball Edge Storage Optimized devices.

Answer 23

B. Set up an AWS DataSync agent on the on-premises servers, and synchronize the data to Amazon S3. - AWS DataSync is a fully managed data transfer service that can efficiently and securely transfer data between local storage and Amazon S3. Configuring a DataSync agent on Local servers can perform incremental and parallel transfers, optimizing the use of available bandwidth and minimizing costs.

Answer 24

C. Configure a network load balancer with the required protocol and ports for the Internet traffic. Specify the EC2 instances as the targets. - Network Load Balancers (NLB) are designed to provide ultra-low latency and high throughput performance. They operate at the connection or network layer (layer 4) and are well suited for UDP traffic. NLB is optimized to handle millions of requests per second with minimal latency compared to application load balancers (ALBs) or gateway load balancers.

Answer 25

A. Use AWS Database Migration Service (AWS DMS) schema conversion to transform the database objects. D. Define an AWS Database Migration Service (AWS DMS) task with change data capture (CDC) to migrate the data. To migrate your RDS for MySQL DB instance to an Amazon Aurora PostgreSQL DB cluster and replicate data changes during the migration, you can use the following combination of steps: A. **Use Database Migration Service Schema Conversion AWS Data Management System (AWS DMS) to transform database objects. ** - AWS DMS Schema Conversion can be used to convert MySQL database schema and objects to PostgreSQL-compatible syntax. D. **Define an AWS Database Migration Service (AWS DMS) task with change data capture (CDC) to migrate the data. ** - AWS DMS supports change data capture (CDC), which allows the migration service to capture changes that occur to the source database (RDS for MySQL) during the migration process. This ensures that any changes in progress are replicated to the Aurora PostgreSQL database cluster.

Answer 26

B. Create a read replica of the database. Configure the script to query only the read replica to report total new entries. - When creating a database read replica, it offloads the read-intensive workload of the reporting script from the primary database instance. This helps improve performance on the primary instance, minimizing the impact on the critical application. Additionally, read replicas are kept up to date through asynchronous replication, providing near real-time data for reporting without impacting the performance of the primary instance.

Answer 27

B. Enable ALB access logging on Amazon S3. Create a table in Amazon Athena and query the logs. - Enabling ALB access logging to Amazon S3 allows you to capture detailed logs of incoming requests to ALB. By creating a table in Amazon Athena and querying these logs, you gain the ability to analyze and understand traffic patterns, identify anomalies, and perform queries efficiently. Athena provides an interactive, serverless query service that allows you to analyze data directly in Amazon S3 without needing to manage the infrastructure.

Answer 28

C. Create public NAT gateways in public subnets in the same VPCs as the EC2 instances.

Answer 29

B. Attach the SCP to the three non-production organizations member accounts. - Attaching the SCP directly to non-production member accounts ensures that the policy applies specifically to those accounts. This way, the policy denies launching EC2 instances of the prohibited size on non-production accounts. E. Create an OU for the required accounts. Attach the SCP to the OU. Move non-production member accounts to the new OU. - By creating a separate OU for non-production accounts and attaching the SCP to that OU, you can isolate the application of the policy to only non-production accounts. Moving non-production member accounts to the new OU associates them with the SCP. In summary, options B and E are appropriate solutions based on the requirement to prohibit users from launching EC2 instances of a certain size in non-production accounts while allowing them in the production account. Option D should be avoided, and option A and option C are not recommended as they apply to the organization-wide SCP or management account.

Answer 30

A. Set up S3 bucket policies to allow access from a VPC endpoint. - This option involves creating a VPC endpoint for Amazon S3 in your Amazon VPC. A VPC endpoint allows you to privately connect your VPC to S3 without going over the public Internet. By configuring S3 bucket policies to allow access from the VPC endpoint, you ensure that EC2 instances within your VPC can securely access S3 without requiring public Internet access. This is a more secure and recommended approach to handling sensitive data.

Answer 31

C. Create a Route 53 private hosted zone. Associate the private hosted zone with the VPC. - This option involves creating a Route 53 private hosted zone, which allows you to define custom DNS records for private communication within your VPC. Associating the private hosted zone with the VPC ensures that DNS records are used to resolve domain names within the specified VPC. This approach is secure because it allows you to control DNS records for private communication.

Answer 32

B. Store the photos in the Amazon S3 Intelligent-Tiering storage class. Store the photo metadata and its S3 location in DynamoDB. - Amazon S3 Intelligent-Tiering automatically moves objects between two access levels: frequent and infrequent access. It is designed for objects with unknown or changing access patterns. This is suitable for a photo hosting service where some photos are viewed a lot for months, and others are viewed for a short period. - Storing photo metadata and S3 location in DynamoDB provides a fast and scalable way to query and retrieve information about photos. DynamoDB is well suited for handling metadata and providing fast searches based on metadata.

Answer 33

D. Use the least outstanding requests algorithm based on the RequestCount and TargetResponseTime CloudWatch metrics. - The "least outstanding requests" algorithm, also known as the least outstanding requests balancing algorithm, considers the number of outstanding requests and the target response time. Its goal is to distribute new requests to the instances that have fewer outstanding requests and optimal response time. - In this scenario, using RequestCount (to measure the number of requests) and TargetResponseTime (to evaluate the responsiveness of the instances) CloudWatch metrics together allow for a more informed decision about routing traffic to the instances that are less loaded.

Answer 34

D. Create a savings plan alert subscription. Enable all notification options. Enter an email address to receive notifications. - Savings plan alert subscriptions allow you to set up notifications based on various thresholds, including coverage thresholds. By enabling all notification options, you can receive timely alerts through different channels when coverage decreases.

Answer 35

A. Configure public subnets in the existing VPC. Deploy an MSK cluster in the public subnets. Update the MSK cluster security settings to enable mutual TLS authentication. - This option takes advantage of the existing VPC, minimizing the need to create a new VPC. By deploying the MSK cluster on public subnets and enabling mutual TLS authentication, you can ensure that the MSK cluster is publicly accessible while protecting data in transit.

Answer 36

D. Create an AWS Transfer Family SFTP internal server in two availability zones. Use Amazon S3 storage. Create an AWS Lambda function to process order files. Use a transfer family managed workflow to invoke the Lambda function. - Uses an internal SFTP server. - Amazon S3 provides durable, scalable storage. - AWS Lambda function processes order files efficiently. - Lambda-managed workflow allows for streamlined processing. In summary, taking into account the clarified requirements, Option D stands out as a suitable option, leveraging an internal SFTP server in two availability zones with Amazon S3 and AWS Lambda storage for efficient order file processing.

Answer 37

C. Migrate the Apache Hadoop application and the Apache Spark application to Amazon EMR clusters on AWS Outposts. Use the EMR clusters to process the data. - Use AWS Outposts for a local extension of AWS infrastructure. - EMR clusters for scalable and managed data processing.

Answer 38

C. Create an Amazon S3 bucket that uses S3 Intelligent-Tiering. Migrate data to the S3 bucket using an AWS Amazon Gateway storage S3 File gateway. - S3 Intelligent-Tiering automatically moves objects between access levels based on changing access patterns. - Storage Gateway supports SMB and NFS protocols. https://aws.amazon.com/s3/faqs/ - The total volume of data and number of objects you can store in Amazon S3 are unlimited.

Answer 39

C. Run the application on Amazon Elastic Container Service (Amazon ECS) as microservices with service auto-scaling. - ECS allows running microservices with automatic service scaling based on demand. - Offers flexibility and scalability. - Option C (Amazon ECS with microservices and service auto-scaling) appears to better align with the company's requirements for flexibility, scalability, and minimal downtime.

Answer 40

D. Use an AWS Lambda function that runs custom-developed code. - Serverless architecture, without the need to manage the infrastructure. - Automatic scaling based on demand. - Minimal operational support. - **Option D (AWS Lambda):** Given the company's requirements for a serverless microservices architecture with minimal infrastructure and operational support, AWS Lambda is a strong contender. It aligns well with the principles of serverless computing, automatically scaling based on demand and eliminating the need to manage the underlying infrastructure. It is important to note that the final choice could also depend on the specific application requirements and development preferences.

Answer 41

A. Create a transit gateway and associate the Direct Connect connection with a new transit VIF. Turn on the transit gateway's route propagation feature. - Centralized management with a transit gateway. - Simplifies routing by using route propagation. - **Option A (Transit Gateway):** This option provides centralized management using a transit gateway, simplifies routing with route propagation, and avoids the need to recreate VIFs. It is a scalable and efficient solution for connecting multiple VPCs and local networks.

Answer 42

C. Enable default host configuration management in Systems Manager to manage EC2 instances. - This option, as clarified, seems to be a direct and efficient solution. It eliminates the need for manual changes to IAM roles and aligns with the requirement for no application disruption. - Default Host Management Configuration creates and applies a default IAM role to ensure that Systems Manager has permissions to manage all instances in the Region and perform automated patch scans using Patch Manager. NOTE: Only one role can be assigned to an Amazon EC2 instance at a time, and all applications on the instance share the same role and permissions. (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html#) Suggested: Instead create 2 managed policies and attach them to the same IAM Role. Attach that IAM Role to the EC2 instance.

Answer 43

B. Use the Kubernetes Cluster Autoscaler to manage the number of nodes in the cluster. - This option is more aligned with Kubernetes best practices. The Kubernetes Cluster Autoscaler automatically scales the cluster size based on the resource requirements of the pods. It is designed to handle the dynamic nature of containerized workloads. - Option B, using Kubernetes Cluster Autoscaler, is probably the best option to solve the problem with the least administrative overhead. It aligns well with the Kubernetes ecosystem and provides the automation needed to scale the cluster based on the pod's resource requirements.

Answer 44

B. Enable an S3 lifecycle policy that removes incomplete multipart uploads. - Incomplete multi-part uploads may consume additional storage. Enabling a lifecycle policy to remove incomplete multi-part uploads can help reduce storage costs by cleaning up unnecessary data.

Answer 45

D. Deploy an Amazon ElastiCache for Redis cluster in front of the existing database instance. Modify the game to use Redis. - Amazon ElastiCache for Redis is a caching service, and using it can help improve read performance by caching frequently accessed data. However, it might not be the best choice for a primary data store.

Answer 46

C. Configure delete protection on DynamoDB tables. - Enabling delete protection on DynamoDB tables prevents accidental deletion of the entire table. This is a simple and effective way to mitigate the risk of accidental deletions.

Answer 47

B. Deploy AWS Storage Gateway using cached volumes. Use Storage Gateway to store data in Amazon S3 while retaining copies of frequently accessed data subsets locally. - when AWS Storage Gateway is configured with stored volumes, it effectively keeps all data locally Meeting the requirement for immediate recovery of all data. - Asynchronous backups to Amazon S3 provide durability and off-site storage. - Cached Mode: In this mode, your primary data resides in Amazon S3, while frequently accessed data is cached locally for low-latency access. Stores everything in Storage Gateway On-Prem while asynchronously backing up to the cloud

Answer 48

B. Enable predictive scaling to forecast and scale. Configure dynamic scaling with target tracking - Predictive scaling uses machine learning algorithms to forecast future resource utilization based on historical data. Goal tracking helps maintain a specific utilization goal - Considering the requirement to analyze both daily and weekly historical workload trends and adapt to live and forecasted changes, **Option B (Enable predictive scaling to forecast and scale. Configure dynamic scaling with the goal tracking)** is probably the most suitable. Predictive scaling, with its machine learning capabilities, provides a proactive approach to scaling based on historical patterns. - Remember that the effectiveness of predictive scaling depends on the quality and stability of historical data. If the workload is highly dynamic or unpredictable, a combination of options may be necessary.

Answer 49

A. Implement an Amazon ElastiCache for Redis cluster between the application and the DB cluster. - Amazon ElastiCache for Redis can serve as an in-memory caching solution, reducing the need for repeated reads from the Aurora MySQL DB cluster. -Considering the requirement to alleviate the effect of repeated reads on the database cluster, and the cost-effectiveness aspect, **Option A (Deploy an Amazon ElastiCache for Redis cluster between the application and the database cluster data)** could be the most profitable. Caching can significantly reduce the load on the database cluster by serving repeated read requests from memory.

Answer 50

C. Request strongly consistent reads for the table. - Stongly consistent reads ensure that the most up-to-date data is returned, but can have a greater impact on performance.

Answer 51

B. Use AWS WAF to protect the application. Use RDS parameter groups to configure security settings. AWS WAF is designed specifically for web application firewall protection. RDS parameter groups can be used to configure database-specific security settings. Considering the specific requirement to protect against SQL injection and other web-based attacks, the most suitable option is **Option B (Use AWS WAF to protect the application. Use RDS parameter groups to configure security settings ). ** AWS WAF is designed for web application firewall protection and allows you to create rules to filter and monitor HTTP requests, helping to mitigate common web-based attacks. RDS parameter groups can be used to configure additional database-specific security settings. This combination provides a comprehensive solution to protect both the application and the database.

Answer 52

B. Enable the Amazon RDS protection feature in Amazon GuardDuty for the member accounts of the organization. - RDS Protection in GuardDuty analyzes RDS login activity for potential access threats and generates findings when suspicious behavior is detected. - This option directly addresses the requirement of preventing malicious activity and identifying abnormal login attempts to Amazon Aurora databases, making it an effective option. The most operationally efficient solution to prevent malicious activity and identify abnormal login attempts to Amazon Aurora databases. Provides automated threat detection designed specifically for RDS login activity without the need for additional infrastructure

Answer 53

D. Connect the existing Direct Connect connection to a Direct Connect gateway. Routes traffic from the virtual private gateways in the VPCs in each region to the Direct Connect gateway. - The Direct Connect gateway allows you to connect multiple VPCs in different regions to the same Direct Connect connection. Simplifies network architecture.

Answer 54

A. Push score updates to Amazon Kinesis Data Streams. Process the updates in Kinesis Data Streams with AWS Lambda. Store the processed updates in Amazon DynamoDB. - Amazon Kinesis Data Streams can handle large traffic spikes, and AWS Lambda allows for first-come, first-served processing. Storing processed updates in DynamoDB provides a highly available database.

Answer 55

B. Use S3 Same-Region Replication to replicate logs from the S3 buckets to another S3 bucket on us-west-2. Use this S3 bucket for log analysis. - Built-in S3 function, minimal operating overhead. - Reduced latency and near real-time replication. - Amazon S3 SRR is an S3 feature that automatically replicates data between buckets within the same AWS Region. With SRR, you can set up replication at a bucket level, a shared prefix level, or an object level using S3 object tags. You can use SRR to make one or more copies of your data in the same AWS Region. SRR helps you address data sovereignty and compliance requirements by keeping a copy of your data in a separate AWS account in the same region as the original. (https://aws.amazon.com/s3/features/replication/#:~:text=Amazon%20S3%20SRR%20is%20an,in%20the%20same%20AWS%20Region.) Same-Region Replication (SRR) is used to copy objects across Amazon S3 buckets in the same AWS Region. SRR can help you do the following: Aggregate logs into a single bucket – If you store logs in multiple buckets or across multiple accounts, you can easily replicate logs into a single, in-Region bucket. Doing so allows for simpler processing of logs in a single location. Configure live replication between production and test accounts – If you or your customers have production and test accounts that use the same data, you can replicate objects between those multiple accounts, while maintaining object metadata. Abide by data sovereignty laws – You might be required to store multiple copies of your data in separate AWS accounts within a certain Region. Same-Region Replication can help you automatically replicate critical data when compliance regulations don't allow the data to leave your country. Same-Region Replication (SRR) is used to copy objects across Amazon S3 buckets in the same AWS Region. SRR can help you do the following: Aggregate logs into a single bucket – If you store logs in multiple buckets or across multiple accounts, you can easily replicate logs into a single, in-Region bucket. Doing so allows for simpler processing of logs in a single location. Configure live replication between production and test accounts – If you or your customers have production and test accounts that use the same data, you can replicate objects between those multiple accounts, while maintaining object metadata. Abide by data sovereignty laws – You might be required to store multiple copies of your data in separate AWS accounts within a certain Region. Same-Region Replication can help you automatically replicate critical data when compliance regulations don't allow the data to leave your country.

Answer 56

C. Configure two-way (bidirectional) replication among the S3 buckets located in all three regions. E. Create an S3 multi-region access point. Modify the application to use the Amazon Resource Name (ARN) of the multi-region access point for video streaming and uploading. **Option C:** - *Settings:* Bi-directional replication between S3 buckets in all three regions. - *Analysis:* This option guarantees bidirectional synchronization of data between the three regions, providing consistency and minimizing latency. **Option E:** - *Settings:* Create an S3 multi-region access point for both video streaming and uploads. - *Analysis:* This option combines the benefits of the S3 multi-region hotspot to optimize access latency and replicate loads to the nearest low-latency region, making it a strong candidate. Considering the need to minimize latency for both uploads and access, **Option C** and **Option E** stand out. However, **Option E** explicitly mentions using the S3 multi-region hotspot for both streaming and uploads, making it a more complete solution. Therefore, **Option E** appears to be the most appropriate option.

Answer 57

B. Upload and store content to Amazon S3. Use S3 transfer acceleration for uploads. S3 Transfer Acceleration is designed to accelerate uploads to Amazon S3 by utilizing Amazon CloudFront's globally distributed edge locations. This option can improve the speed of content uploads. Considering the emphasis on minimizing latency for content uploads, **Option B** (using S3 transfer acceleration) appears to be the most appropriate. S3 transfer acceleration is explicitly designed to speed up uploads to Amazon S3, making it a good choice for optimizing the user experience during content uploads.

Answer 58

B. Send the requests from the API Gateway REST API to Amazon EventBridge. Configure EventBridge to invoke the target Lambda functions. Amazon EventBridge is a serverless event bus that simplifies event management. This option provides a scalable, serverless solution with minimal operational overhead. It allows direct invocation of Lambda functions, reducing the need for additional components. **NOTE:** **Option A:** - *Configuration:* Send requests to an SNS topic, subscribe to SQS queues to the SNS topic, and configure Lambda functions to poll SQS queues. - *Analysis:* This option introduces additional components (SNS and SQS), but provides flexibility in component decoupling. It might have more operational overhead than other options due to the need to manage SNS topics and SQS queues. **Option D:** - *Configuration:* Send requests to multiple SQS queues and configure Lambda functions to poll those queues. - *Analysis:* Similar to Option A, this introduces additional components (SQS queues). While it offers decoupling, it may have higher operational overhead due to SQS managing multiple queues.

Answer 59

A. Create a list of unencrypted objects by filtering an Amazon S3 inventory report. Configure an S3 batch operations job to encrypt the objects from the list using server-side encryption with a customer-provided key (SSE-C). Configure the default S3 encryption feature to use server-side encryption with a client-provided key (SSE-C). - *Analysis:* This option allows encryption of existing unencrypted objects and applies the default encryption for future objects. It is suitable for a customer-provided key (SSE-C). https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/

Answer 60

A. Create an Amazon Route 53 public hosted zone for the domain name. Import the zone file that contains the domain records hosted by the previous provider. - *Analysis:* This option involves creating a public zone hosted on Amazon Route 53 and importing existing records. It's a quick and easy approach to migrating DNS hosting, and is suitable for a public website.

Answer 61

A. Use AWS AppConfig to store and manage application configuration. Use AWS Secrets Manager to store and retrieve credentials. - *Analysis:* AWS AppConfig is designed to manage application configurations, and AWS Secrets Manager is designed to securely store and manage sensitive information, such as database credentials. This option provides a dedicated and secure solution for both aspects.

Answer 62

D. Download the root certificates provided by AWS. Provide the certificates on all connections to the RDS instance. This option involves using the root certificates provided by AWS for SSL/TLS encryption. Downloading and configuring these certificates on application connections will encrypt data in transit. Make sure your application and database settings are configured correctly to use SSL/TLS. To encrypt data in transit with Amazon RDS MySQL, option D is best suited. It involves using AWS-provided root certificates for SSL/TLS encryption, providing a secure way to encrypt communication between the application and the RDS instance.

Answer 63

A. A network load balancer with an associated Elastic IP address. Using a Network Load Balancer instead of a Classic Load Balancer has the following benefits: Support for static IP addresses for the load balancer. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html

Answer 64

B. Create IAM users for daily administrative tasks. Enable multi-factor authentication on the root user.

Answer 65

A. Enable and configure enhanced networking on each EC2 instance. C. Run the EC2 instances in a cluster placement group. - Improved networking provides higher performance by offloading some of the network processing to the underlying hardware. This can help reduce latency. - A cluster placement group is a logical grouping of instances within a single availability zone. It is designed to provide low latency communication between instances. This can be particularly beneficial for applications that require high network performance.

Answer 66

C. Use AWS DataSync to migrate the data to Amazon FSx for Windows File Server. AWS DataSync can be used to migrate data efficiently, and Amazon FSx for Windows File Server provides a highly available, fully managed Windows file system with support for SMB-based storage. This option allows the company to maintain compatibility of existing applications without changing the way applications access data after migration. AWS DataSync is a data transfer service that simplifies, automates, and accelerates moving and replicating data between on-premises storage systems and AWS storage services over the internet or AWS Direct Connect. DataSync can transfer your file data, and also file system metadata such as ownership, time stamps, and access permissions. In DataSync, a location for Amazon FSx for Windows is an endpoint for an FSx for Windows File Server. You can transfer files between a location for Amazon FSx for Windows and a location for other file systems. For information, see Working with Locations in the AWS DataSync User Guide. DataSync accesses your FSx for Windows File Server using the Server Message Block (SMB) protocol.

Answer 67

A. Enable CloudWatch cross-account observability for the monitoring account. Deploy an AWS CloudFormation template provided by the monitoring account in each AWS account to share the data with the monitoring account. - This option involves enabling observability between CloudWatch accounts, allowing the monitoring account to access data from other accounts. Deploying an AWS CloudFormation template to each AWS account makes it easy to share observability data. This approach can work effectively to centralize monitoring across multiple accounts.

Answer 68

B. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address. - AWS WAF (Web Application Firewall) is designed to protect web applications from various attacks, including SQL injection. Since AWS WAF is already being used in this scenario, modifying its configuration to add an IP match condition is a suitable approach. - Modifying AWS WAF to add an IP match condition allows you to specify rules to block or allow requests based on specific IP addresses. This way, you can block access to the website of the identified malicious IP address. **NOTE:** regarding option A: - Network ACLs are more concerned with controlling access to Amazon CloudFront based on IP addresses. CloudFront with WAF is how address filtering is performed with the action on the WAF.

Answer 69

C. Configure AWS IAM Identity Center (AWS Single Sign-On). Connect the IAM Identity Center to the existing IdP. Provision users and groups from the existing IdP. Explanation: 1. **AWS IAM Identity Center (AWS Single Sign-On - SSO):** - AWS SSO is a fully managed service that allows users to access multiple AWS accounts and applications using their existing corporate credentials. Simplifies user access management across all AWS accounts. 2. **Connect to Existing IdP:** - AWS Single Sign-On can be configured to connect to your existing Identity Provider (IdP), allowing users to sign in with their existing corporate credentials. This takes advantage of the existing authentication mechanism. 3. **Provisioning Users and Groups:** - AWS SSO allows you to provision users and groups from the existing IdP. This eliminates the need to manually create IAM users in each AWS account, providing a more centralized and efficient approach.

Answer 70

C. Attach the AdministratorAccess identity-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group. Explanation: 1. **Administrator Access Policy:** - The “Administrator Access” policy is a managed policy in AWS IAM that grants full access to AWS services and resources. It is designed to provide unrestricted access to perform any action in your AWS account. 2. **Identity-based policy:** - Identity-based policies are attached directly to IAM users, groups, or roles. In this case, attaching the "AdministratorAccess" policy directly to the IAM user group ensures that all users within that group inherit the permissions. 3. **IAM User Group:** - Creating an IAM user group allows for easy permissions management. By placing each of the five designated employee IAM users in the IAM user group, you can efficiently manage and grant full access to the specified resources. **NOTE:** - **A**. Attach the AdministratorAccess resource-based policy to the IAM user group: - Resource-based policies are used to define permissions on resources, such as S3 buckets or Lambda functions, not for IAM user groups. The "AdministratorAccess" policy is an identity-based policy.

Answer 71

A. Use AWS Lambda for the compute layers of the architecture. D. Use Amazon Simple Queue Service (Amazon SQS) FIFO queues as the messaging component between the compute layers. - AWS Lambda is a serverless computing service that requires minimal infrastructure management. It automatically scales based on the number of incoming requests, and you don't have to provision or manage servers. Lambda may be suitable for stateless and event-based processing, making it a good choice for certain types of applications. - Amazon SQS FIFO (First-First In-Out) queues provide message processing and orderly delivery of messages exactly once. Using SQS FIFO queues ensures that messages are processed in the order they are received and delivered exactly once. This helps maintain the integrity of the payment processing application.

Answer 72

D. Deploy AWS Transfer for SFTP and an Amazon S3 bucket for storage. Modify the application to extract batch files from Amazon S3 to an Amazon EC2 instance for processing. Use an EC2 instance in an auto-scaling group with a scheduled scaling policy to run the batch operation.

Answer 73

B. Put the EC2 instances behind application load balancers (ALBs) in each region. Deploy AWS WAF in the ALBs. Create an accelerator using AWS Global Accelerator and register ALBs as endpoints. - ALBs are designed to route HTTP/HTTPS traffic and provide advanced features including content-based routing, making them suitable for web applications. - AWS WAF on ALB provides protection against common web exploits. - AWS Global Accelerator is used to improve availability and performance by providing a static Anycast IP address and directing traffic to optimal AWS endpoints.

Answer 74

B. Use Amazon RDS Proxy in front of the Aurora database. To reduce failover time and improve connection handling on an Amazon Aurora MySQL database, the recommended solution is: **Option B: Use Amazon RDS Proxy in front of the Aurora database. ** Explanation: 1. **Amazon RDS Proxy:** - Amazon RDS Proxy is a highly available, fully managed database proxy for Amazon RDS (Relational Database Service) that makes applications more scalable , more resistant to database failures and more secure. It helps manage database connections, which can be particularly beneficial in scenarios with too many connections. 2. **Benefits of using Amazon RDS Proxy:** - Efficient connection pooling: RDS Proxy efficiently manages connections to the database, reducing the potential for connection-related issues. - Reduced failover time: RDS Proxy can significantly reduce failover time when a read replica is promoted to the primary writer. Maintains persistent connections during failovers, minimizing impact on applications. **NOTE:**Discussion of other options: - Option A (Switch from Aurora to Amazon RDS with Multi-AZ cluster deployment): This option may not address the specific need to reduce failover time, and Aurora is known for its fast failovers. Multi-AZ implementation is already a feature available in Aurora.

Answer 75

A. Create a Object Lambda access point. Create an AWS Lambda function that redacts the PII when the function reads the file. Instruct the external service provider to access the object Lambda access point. - Object Lambda access points allow custom processing of S3 object data before returning it to the requester. A Lambda function can be attached to the access point to dynamically redact PII from text files when they are accessed. This ensures that the third-party service provider only receives information redacted without PII. - AWS Lambda provides a scalable, low-overhead, serverless environment for processing.

Answer 76

C. Create an Amazon CloudWatch alarm to recover the EC2 instance in case of failure. This option involves using Amazon CloudWatch to monitor the health of the EC2 instance. A CloudWatch alarm can be configured to detect failures or problems and trigger an automated recovery action. The recovery action could be implemented using AWS Lambda functions or other automation tools. While this option does not modify the application code, it introduces operational automation for system recovery.

sthithapragnakk -- SAA Exam Dumps Jan 24 101-200 Flashcards

(100 cards)