# SAA part2

### A company hosted a web application in an Auto Scaling group of EC2 instances.

The IT manager is concerned about the over-provisioning of resources, which can cause higher operating costs. A Solutions Architect has been instructed to create a **cost-effective** solution without affecting the performance of the application.

Which dynamic scaling policy should be used to satisfy this requirement?

- [ ] Use simple scaling.
- [ ] Use scheduled scaling.
- [ ] Use suspend and resume scaling.
- [x] Use target tracking scaling.

### A company is looking for a solution that can store video archives in AWS from old news footage.

The company needs to minimize costs and will rarely need to restore these files. When the files are needed, they must be available in a maximum of five minutes.

What is the MOST cost-effective solution?

- [x] Store the video archives in Amazon S3 Glacier and use Expedited retrievals.
- [ ] Store the video archives in Amazon S3 Glacier and use Standard retrievals.
- [ ] Store the video archives in Amazon S3 Standard-Infrequent Access (S3 Standard-IA).
- [ ] Store the video archives in Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA).

### A Solutions Architect is hosting a website in an Amazon S3 bucket named tutorialsdojo.

The users load the website using the following URL: `http://demo-test-website.s3-website-us-east-1.amazonaws.com`, and there is a new requirement to add JavaScript to the webpages in order to make authenticated HTTP GET requests against the same bucket by using the Amazon S3 API endpoint. Upon testing, you noticed that the web browser blocks JavaScript from making those requests.

Which of the following options is the **MOST** suitable solution that you should implement for this scenario?

- [ ] Enable cross-account access.
- [ ] Enable Cross-Zone Load Balancing.
- [x] Enable Cross-origin resource sharing (CORS) configuration in the bucket.
- [ ] Enable Cross-Region Replication (CRR).

### A solutions architect is designing a new service behind Amazon API Gateway.

The request patterns for the service will be unpredictable and can change suddenly from 0 requests to over 500 per second. The total size of the data that needs to be persisted in a backend database is currently less than 1 GB with unpredictable future growth. Data can be queried using simple key-value requests.

Which combination of AWS services would meet these requirements? **(Choose two.)**

- [ ] AWS Fargate
- [x] AWS Lambda
- [x] Amazon DynamoDB
- [ ] Amazon EC2 Auto Scaling
- [ ] MySQL-compatible Amazon Aurora

### A company has created a VPC with multiple private subnets in multiple Availability Zones (AZs) and one public subnet in one of the AZs.

The public subnet is used to launch a NAT gateway. There are instances in the private subnets that use the NAT gateway to connect to the internet. In case of an AZ failure, the company wants to ensure that the instances are not all experiencing internet connectivity issues and that there is a backup plan ready.

Which solution should a solutions architect recommend that is MOST highly available?

- [ ] Create a new public subnet with a NAT gateway in the same AZ. Distribute the traffic between the two NAT gateways.
- [ ] Create an Amazon EC2 NAT instance in a new public subnet. Distribute the traffic between the NAT gateway and the NAT instance.
- [x] Create public subnets in each AZ and launch a NAT gateway in each subnet. Configure the traffic from the private subnets in each AZ to the respective NAT gateway.
- [ ] Create an Amazon EC2 NAT instance in the same public subnet. Replace the NAT gateway with the NAT instance and associate the instance with an Auto Scaling group with an appropriate scaling policy.

### A company wants to host a scalable web application on AWS.

The application will be accessed by users from different geographic regions of the world. Application users will be able to download and upload unique data up to gigabytes in size. The development team wants a cost-effective solution to minimize upload and download latency and maximize performance.

What should a solutions architect do to accomplish this?

- [x] Use Amazon S3 with Transfer Acceleration to host the application.
- [ ] Use Amazon S3 with CacheControl headers to host the application.
- [ ] Use Amazon EC2 with Auto Scaling and Amazon CloudFront to host the application.
- [ ] Use Amazon EC2 with Auto Scaling and Amazon ElastiCache to host the application.

### A tech company has a CRM application hosted on an Auto Scaling group of On-Demand EC2 instances.

The application is extensively used during office hours from 8 in the morning until 6 in the afternoon. Their users are complaining that the performance of the application is slow during the start of the day but then works normally after a couple of hours.

Which of the following can be done to ensure that the application works properly at the beginning of the day?

- [ ] Configure a Dynamic scaling policy for the Auto Scaling group to launch new instances based on the CPU utilization.
- [ ] Configure a Dynamic scaling policy for the Auto Scaling group to launch new instances based on the Memory utilization.
- [x] Configure a Scheduled scaling policy for the Auto Scaling group to launch new instances before the start of the day.
- [ ] Set up an Application Load Balancer (ALB) in your architecture to ensure that the traffic is properly distributed across the instances.

### An ecommerce company is running a multi-tier application on AWS.

The front-end and backend tiers both run on Amazon EC2, and the database runs on Amazon RDS for MySQL. The backend tier communicates with the RDS instance. There are frequent calls to return identical datasets from the database that are causing performance slowdowns.

Which action should be taken to improve the performance of the backend?

- [ ] Implement Amazon SNS to store the database calls.
- [x] Implement Amazon ElastiCache to cache the large datasets.
- [ ] Implement an RDS for MySQL read replica to cache database calls.
- [ ] Implement Amazon Kinesis Data Firehose to stream the calls to the database.

### Organizers for a global event want to put daily reports online as static HTML pages.

The pages are expected to generate millions of views from users around the world. The files are stored in an Amazon S3 bucket. A solutions architect has been asked to design an efficient and effective solution.

Which action should the solutions architect take to accomplish this?

- [ ] Generate presigned URLs for the files.
- [ ] Use cross-Region replication to all Regions.
- [ ] Use the geoproximity feature of Amazon Route 53.
- [x] Use Amazon CloudFront with the S3 bucket as its origin.

### A company plans to store sensitive user data on Amazon S3.

Internal security compliance requirements mandate encryption of data before sending it to Amazon S3.

What should a solutions architect recommend to satisfy these requirements?

- [ ] Server-side encryption with customer-provided encryption keys
- [ ] Client-side encryption with Amazon S3 managed encryption keys
- [ ] Server-side encryption with keys stored in AWS Key Management Service (AWS KMS)
- [x] Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)

### A retail website has intermittent, sporadic, and unpredictable transactional workloads throughout the day that are hard to predict.

The website is currently hosted on-premises and is slated to be migrated to AWS. A new relational database is needed that autoscales capacity to meet the needs of the application's peak load and scales back down when the surge of activity is over.

Which of the following options is the **MOST cost-effective** and suitable database setup in this scenario?

- [x] Launch an Amazon Aurora Serverless DB cluster, then set the minimum and maximum capacity for the cluster.
- [ ] Launch an Amazon Aurora Provisioned DB cluster with burstable performance DB instance class types.
- [ ] Launch a DynamoDB Global table with Auto Scaling enabled.
- [ ] Launch an Amazon Redshift data warehouse cluster with Concurrency Scaling.

### There was an incident in your production environment where the user data stored in the S3 bucket was accidentally deleted by one of the Junior DevOps Engineers.

The issue was escalated to your manager and, after a few days, you were instructed to improve the security and protection of your AWS resources.

What combination of the following options will protect the S3 objects in your bucket from both accidental deletion and overwriting? **(Select TWO.)**

- [x] Enable Versioning
- [ ] Provide access to S3 data strictly through pre-signed URLs only
- [ ] Disallow S3 Delete using an IAM bucket policy
- [ ] Enable Amazon S3 Intelligent-Tiering
- [x] Enable Multi-Factor Authentication Delete

### A company is using Amazon S3 to store frequently accessed data.

When an object is created or deleted, the S3 bucket will send an event notification to the Amazon SQS queue. A solutions architect needs to create a solution that will notify the development and operations teams about the created or deleted objects.

Which of the following would satisfy this requirement?

- [ ] Set up another Amazon SQS queue for the other team. Grant Amazon S3 permission to send a notification to the second SQS queue.
- [ ] Create a new Amazon SNS FIFO topic for the other team. Grant Amazon S3 permission to send the notification to the second SNS topic.
- [ ] Set up an Amazon SNS topic and configure two Amazon SQS queues to poll the SNS topic. Grant Amazon S3 permission to send notifications to Amazon SNS and update the bucket to use the new SNS topic.
- [x] Create an Amazon SNS topic and configure two Amazon SQS queues to subscribe to the topic. Grant Amazon S3 permission to send notifications to Amazon SNS and update the bucket to use the new SNS topic.

### A company has a mobile chat application with a data store based in Amazon DynamoDB.

Users would like new messages to be read with as little latency as possible. A solutions architect needs to design an optimal solution that requires minimal application changes.

Which method should the solutions architect select?

- [x] Configure Amazon DynamoDB Accelerator (DAX) for the new messages table. Update the code to use the DAX endpoint.
- [ ] Add DynamoDB read replicas to handle the increased read load. Update the application to point to the read endpoint for the read replicas.
- [ ] Double the number of read capacity units for the new messages table in DynamoDB. Continue to use the existing DynamoDB endpoint.
- [ ] Add an Amazon ElastiCache for Redis cache to the application stack. Update the application to point to the Redis cache endpoint instead of DynamoDB.

### A solutions architect is designing a solution to access a catalog of images and provide users with the ability to submit requests to customize images.

Image customization parameters will be in any request sent to an AWS API Gateway API. The customized image will be generated on demand, and users will receive a link they can click to view or download their customized image. The solution must be highly available for viewing and customizing images.

What is the MOST cost-effective solution to meet these requirements?

- [ ] Use Amazon EC2 instances to manipulate the original image into the requested customizations. Store the original and manipulated images in Amazon S3. Configure an Elastic Load Balancer in front of the EC2 instances.
- [x] Use AWS Lambda to manipulate the original image to the requested customizations. Store the original and manipulated images in Amazon S3. Configure an Amazon CloudFront distribution with the S3 bucket as the origin.
- [ ] Use AWS Lambda to manipulate the original image to the requested customizations. Store the original images in Amazon S3 and the manipulated images in Amazon DynamoDB. Configure an Elastic Load Balancer in front of the Amazon EC2 instances.
- [ ] Use Amazon EC2 instances to manipulate the original image into the requested customizations. Store the original images in Amazon S3 and the manipulated images in Amazon DynamoDB. Configure an Amazon CloudFront distribution with the S3 bucket as the origin.

### A company is planning to migrate a business-critical dataset to Amazon S3.

The current solution design uses a single S3 bucket in the us-east-1 Region with versioning enabled to store the dataset. The company's disaster recovery policy states that all data multiple AWS Regions.

How should a solutions architect design the S3 solution?

- [ ] Create an additional S3 bucket in another Region and configure cross-Region replication.
- [ ] Create an additional S3 bucket in another Region and configure cross-origin resource sharing (CORS).
- [x] Create an additional S3 bucket with versioning in another Region and configure cross-Region replication.
- [ ] Create an additional S3 bucket with versioning in another Region and configure cross-origin resource sharing (CORS).

### A company's legacy application is currently relying on a single-instance Amazon RDS MySQL database without encryption.

Due to new compliance requirements, all existing and new data in this database must be encrypted.

How should this be accomplished?

- [ ] Create an Amazon S3 bucket with server-side encryption enabled. Move all the data to Amazon S3. Delete the RDS instance.
- [ ] Enable RDS Multi-AZ mode with encryption at rest enabled. Perform a failover to the standby instance to delete the original instance.
- [x] Take a snapshot of the RDS instance. Create an encrypted copy of the snapshot. Restore the RDS instance from the encrypted snapshot.
- [ ] Create an RDS read replica with encryption at rest enabled. Promote the read replica to master and switch the application over to the new master. Delete the old RDS instance.

### An application that records weather data every minute is deployed in a fleet of Spot EC2 instances and uses a MySQL RDS database instance.

Currently, there is only one RDS instance running in one Availability Zone. You plan to improve the database to ensure high availability by synchronous data replication to another RDS instance.

Which of the following performs synchronous data replication in RDS?

- [x] RDS DB instance running as a Multi-AZ deployment
- [ ] RDS Read Replica
- [ ] DynamoDB Read Replica
- [ ] CloudFront running as a Multi-AZ deployment

### A startup is using Amazon RDS to store data from a web application.

Most of the time, the application has low user activity, but it receives bursts of traffic within seconds whenever there is a new product announcement. The Solutions Architect needs to create a solution that will allow users around the globe to access the data using an API.

What should the Solutions Architect do to meet the above requirement?

- [ ] Create an API using Amazon API Gateway and use the Amazon ECS cluster with Service Auto Scaling to handle the bursts of traffic in seconds.
- [ ] Create an API using Amazon API Gateway and use Amazon Elastic Beanstalk with Auto Scaling to handle the bursts of traffic in seconds.
- [x] Create an API using Amazon API Gateway and use AWS Lambda to handle the bursts of traffic in seconds.
- [ ] Create an API using Amazon API Gateway and use an Auto Scaling group of Amazon EC2 instances to handle the bursts of traffic in seconds.

### A company's web application uses an Amazon RDS PostgreSQL DB instance to store its application data.

During the financial closing period at the start of every month, accountants run large queries that impact the database's performance due to high usage. The company wants to minimize the impact that the reporting activity has on the web application.

What should a solutions architect do to reduce the impact on the database with the LEAST amount of effort?

- [x] Create a read replica and direct reporting traffic to the replica.
- [ ] Create a Multi-AZ database and direct reporting traffic to the standby.
- [ ] Create a cross-Region read replica and direct reporting traffic to the replica.
- [ ] Create an Amazon Redshift database and direct reporting traffic to the Amazon Redshift database.
### A Solutions Architect needs to make sure that the On-Demand EC2 instance can only be accessed from this IP address (`110.238.98.71`) via an SSH connection.

Which configuration below will satisfy this requirement?

- [x] Security Group Inbound Rule: Protocol – TCP, Port Range – `22`, Source `110.238.98.71/32`
- [ ] Security Group Inbound Rule: Protocol – UDP, Port Range – `22`, Source `110.238.98.71/32`
- [ ] Security Group Inbound Rule: Protocol – TCP, Port Range – `22`, Source `110.238.98.71/0`
- [ ] Security Group Inbound Rule: Protocol – UDP, Port Range – `22`, Source `110.238.98.71/0`

### A tech company that you are working for has undertaken a Total Cost Of Ownership (TCO) analysis evaluating the use of Amazon S3 versus acquiring more storage hardware.

The result was that all 1200 employees would be granted access to use Amazon S3 for the storage of their personal documents.

Which of the following will you need to consider so you can set up a solution that incorporates a single sign-on feature from your corporate AD or LDAP directory and also restricts access for each individual user to a designated user folder in an S3 bucket? **(Select TWO.)**

- [ ] Use 3rd party Single Sign-On solutions such as Atlassian Crowd, OKTA, OneLogin and many others.
- [x] Set up a Federation proxy or an Identity provider, and use AWS Security Token Service to generate temporary tokens.
- [ ] Map each individual user to a designated user folder in S3 using Amazon WorkDocs to access their personal documents.
- [x] Configure an IAM role and an IAM Policy to access the bucket.
- [ ] Set up a matching IAM user for each of the 1200 users in your corporate directory that needs access to a folder in the S3 bucket.
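The SSH security group question two items above turns on a detail that is easy to miss when reading CIDR notation: a source written as `110.238.98.71/0` keeps zero network bits, so it is equivalent to `0.0.0.0/0` and admits every address on the internet. The following script is an added example, not part of the original quiz; it models the four inbound rules from that question with Python's standard `ipaddress` module (the single-port, allow-only rule model and the probe addresses are constructed assumptions, not EC2 API calls) and checks which rule admits SSH from the intended host while rejecting everyone else.

```python
"""Added example (not part of the original quiz): evaluating which security
group inbound rule restricts SSH to exactly one source address.

Assumption: a rule is modelled as (protocol, port, source_cidr); security
group rules are allow-only, so a rule "allows" a packet only when all three
match. Nothing here talks to AWS.
"""
import ipaddress
from typing import Iterable, List, NamedTuple


class InboundRule(NamedTuple):
    protocol: str   # "tcp" or "udp"
    port: int       # a single port; real rules may be ranges, simplified here
    source: str     # CIDR block as typed by the operator


def effective_source(rule: InboundRule) -> str:
    """Normalised CIDR: strict=False discards host bits, which is how a /0
    suffix on any address collapses to 0.0.0.0/0 (the whole IPv4 internet)."""
    return str(ipaddress.ip_network(rule.source, strict=False))


def rule_allows(rule: InboundRule, protocol: str, port: int, src_ip: str) -> bool:
    """True if this single rule permits a packet with the given protocol, port
    and source address."""
    network = ipaddress.ip_network(rule.source, strict=False)
    return (
        rule.protocol == protocol
        and rule.port == port
        and ipaddress.ip_address(src_ip) in network
    )


def ssh_restricted_to(rule: InboundRule, allowed_ip: str, probe_ips: Iterable[str]) -> bool:
    """True only if the rule admits SSH (TCP/22) from allowed_ip and rejects
    it from every probe address. This checks one rule in isolation; other
    rules in the same group could still widen access."""
    admits_owner = rule_allows(rule, "tcp", 22, allowed_ip)
    admits_others = any(rule_allows(rule, "tcp", 22, ip) for ip in probe_ips)
    return admits_owner and not admits_others


# The four options from the question, transcribed from the page.
OPTIONS = {
    "A": InboundRule("tcp", 22, "110.238.98.71/32"),
    "B": InboundRule("udp", 22, "110.238.98.71/32"),
    "C": InboundRule("tcp", 22, "110.238.98.71/0"),
    "D": InboundRule("udp", 22, "110.238.98.71/0"),
}

# Constructed probe addresses standing in for "anyone else on the internet",
# including the neighbouring address that a typo in the last octet would hit.
PROBES = ["110.238.98.70", "203.0.113.9", "10.0.0.5"]


def correct_options() -> List[str]:
    """Option letters whose rule limits SSH to 110.238.98.71 alone."""
    return sorted(
        key for key, rule in OPTIONS.items()
        if ssh_restricted_to(rule, "110.238.98.71", PROBES)
    )


if __name__ == "__main__":
    for key, rule in OPTIONS.items():
        print(key, rule.protocol, rule.port, rule.source,
              "->", effective_source(rule),
              "restricted:", ssh_restricted_to(rule, "110.238.98.71", PROBES))
    print("correct:", correct_options())
```

Running it shows options C and D normalising to `0.0.0.0/0`, option B failing because SSH is TCP, and only option A admitting the one host. The same `effective_source` check is a cheap guard to run over exported security group rules before a review: any rule whose normalised source differs from what was typed deserves a second look.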
### An application hosted in EC2 consumes messages from an SQS queue and is integrated with SNS to send out an email to you once the process is complete.

The Operations team received 5 orders but, after a few hours, they saw 20 email notifications in their inbox.

Which of the following could be the possible culprit for this issue?

- [ ] The web application is set for long polling so the messages are being sent twice.
- [x] The web application is not deleting the messages in the SQS queue after it has processed them.
- [ ] The web application is set to short polling so some messages are not being picked up.
- [ ] The web application does not have permission to consume messages in the SQS queue.

### A company's website runs on Amazon EC2 instances behind an Application Load Balancer (ALB).

The website has a mix of dynamic and static content. Users around the globe are reporting that the website is slow.

Which set of actions will improve website performance for users worldwide?

- [x] Create an Amazon CloudFront distribution and configure the ALB as an origin. Then update the Amazon Route 53 record to point to the CloudFront distribution.
- [ ] Create a latency-based Amazon Route 53 record for the ALB. Then launch new EC2 instances with larger instance sizes and register the instances with the ALB.
- [ ] Launch new EC2 instances hosting the same web application in different Regions closer to the users. Then register instances with the same ALB using cross-Region VPC peering.
- [ ] Host the website in an Amazon S3 bucket in the Regions closest to the users and delete the ALB and EC2 instances. Then update an Amazon Route 53 record to point to the S3 buckets.

### A Solutions Architect is working for a company which has multiple VPCs in various AWS regions.

The Architect is assigned to set up a logging system which will track all of the changes made to their AWS resources in all regions, including the configurations made in IAM, CloudFront, AWS WAF, and Route 53. In order to pass the compliance requirements, the solution must ensure the security, integrity, and durability of the log data. It should also provide an event history of all API calls made in the AWS Management Console and AWS CLI.

Which of the following solutions is the best fit for this scenario?

- [x] Set up a new CloudTrail trail in a new S3 bucket using the AWS CLI and also pass both the `--is-multi-region-trail` and `--include-global-service-events` parameters, then encrypt log files using KMS encryption. Apply Multi Factor Authentication (MFA) Delete on the S3 bucket and ensure that only authorized users can access the logs by configuring the bucket policies.
- [ ] Set up a new CloudWatch trail in a new S3 bucket using the AWS CLI and also pass both the `--is-multi-region-trail` and `--include-global-service-events` parameters, then encrypt log files using KMS encryption. Apply Multi Factor Authentication (MFA) Delete on the S3 bucket and ensure that only authorized users can access the logs by configuring the bucket policies.
- [ ] Set up a new CloudWatch trail in a new S3 bucket using the CloudTrail console and also pass the `--is-multi-region-trail` parameter, then encrypt log files using KMS encryption. Apply Multi Factor Authentication (MFA) Delete on the S3 bucket and ensure that only authorized users can access the logs by configuring the bucket policies.
- [ ] Set up a new CloudTrail trail in a new S3 bucket using the AWS CLI and also pass both the `--is-multi-region-trail` and `--no-include-global-service-events` parameters, then encrypt log files using KMS encryption. Apply Multi Factor Authentication (MFA) Delete on the S3 bucket and ensure that only authorized users can access the logs by configuring the bucket policies.
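The SQS question three items above (5 orders, 20 emails) describes the at-least-once delivery contract of a standard queue: a receive only hides a message for the visibility timeout, and a consumer that never calls DeleteMessage will see the same orders again on every poll. The script below is an added example, not part of the original quiz; it is a constructed in-memory model of that behaviour (a fake queue with an integer clock, not boto3 or the SQS service) that runs the buggy consumer and the corrected one side by side.

```python
"""Added example (not part of the original quiz): a minimal in-memory model of
an SQS standard queue with a visibility timeout, used to show why a consumer
that never deletes messages keeps re-receiving the same orders and re-sending
notifications. The queue, clock and order messages are all constructed here;
nothing talks to AWS.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Message:
    body: str
    receipt_handle: str
    invisible_until: int = 0   # clock tick at which the message is visible again
    receive_count: int = 0     # how many times consumers have received it


@dataclass
class FakeQueue:
    visibility_timeout: int
    now: int = 0
    _messages: Dict[str, Message] = field(default_factory=dict)

    def send(self, body: str) -> None:
        handle = f"rh-{len(self._messages) + 1}"
        self._messages[handle] = Message(body, handle)

    def receive(self, max_messages: int = 10) -> List[Message]:
        """Return currently visible messages and hide them for
        visibility_timeout ticks. As in SQS, a receive removes nothing."""
        batch: List[Message] = []
        for msg in self._messages.values():
            if msg.invisible_until <= self.now and len(batch) < max_messages:
                msg.invisible_until = self.now + self.visibility_timeout
                msg.receive_count += 1
                batch.append(msg)
        return batch

    def delete(self, receipt_handle: str) -> None:
        """The equivalent of DeleteMessage: only this removes a message."""
        self._messages.pop(receipt_handle, None)

    def tick(self, steps: int = 1) -> None:
        self.now += steps


def run_consumer(queue: FakeQueue, delete_after_processing: bool, polls: int) -> List[str]:
    """Poll the queue 'polls' times and 'send an email' (append to a list) for
    every message received. The only difference between the buggy and the
    fixed consumer is whether DeleteMessage is called after processing."""
    emails: List[str] = []
    for _ in range(polls):
        for msg in queue.receive():
            emails.append(f"email: processed {msg.body}")
            if delete_after_processing:
                queue.delete(msg.receipt_handle)
        # Let enough time pass that hidden messages become visible again.
        queue.tick(queue.visibility_timeout)
    return emails


def simulate(delete_after_processing: bool, orders: int = 5, polls: int = 4) -> int:
    """Number of notification emails that 'orders' messages produce over
    'polls' consumer iterations."""
    queue = FakeQueue(visibility_timeout=30)
    for i in range(1, orders + 1):
        queue.send(f"order-{i}")
    return len(run_consumer(queue, delete_after_processing, polls))


if __name__ == "__main__":
    print("buggy consumer (never deletes):", simulate(False))
    print("fixed consumer (deletes after processing):", simulate(True))
```

With five constructed orders and four polls the buggy consumer emits 20 emails, the figure in the question, while the fixed consumer emits five. In a real deployment the redrive policy's maximum receive count would eventually move such messages to a dead-letter queue, so a DLQ that keeps filling up with successfully processed orders is the operational signal to look for.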
### A company has been storing analytics data in an Amazon RDS instance for the past few years.

The company asked a solutions architect to find a solution that allows users to access this data using an API. The expectation is that the application will experience periods of inactivity but could receive bursts of traffic within seconds.

Which solution should the solutions architect suggest?

- [ ] Set up an Amazon API Gateway and use Amazon ECS.
- [ ] Set up an Amazon API Gateway and use AWS Elastic Beanstalk.
- [x] Set up an Amazon API Gateway and use AWS Lambda functions.
- [ ] Set up an Amazon API Gateway and use Amazon EC2 with Auto Scaling.

### A gaming company has multiple Amazon EC2 instances in a single Availability Zone for its multiplayer game that communicates with users on Layer 4.

The chief technology officer (CTO) wants to make the architecture highly available and cost-effective.

What should a solutions architect do to meet these requirements? **(Choose two.)**

- [ ] Increase the number of EC2 instances.
- [ ] Decrease the number of EC2 instances.
- [x] Configure a Network Load Balancer in front of the EC2 instances.
- [ ] Configure an Application Load Balancer in front of the EC2 instances.
- [x] Configure an Auto Scaling group to add or remove instances in multiple Availability Zones automatically.

### A solutions architect has created a new AWS account and must secure AWS account root user access.

Which combination of actions will accomplish this? **(Choose two.)**

- [x] Ensure the root user uses a strong password.
- [x] Enable multi-factor authentication for the root user.
- [ ] Store root user access keys in an encrypted Amazon S3 bucket.
- [ ] Add the root user to a group containing administrative permissions.
- [ ] Apply the required permissions to the root user with an inline policy document.
### A media company has an Amazon ECS Cluster, which uses the Fargate launch type, to host its news website.

The application data are all stored in Amazon Keyspaces (for Apache Cassandra) with data-at-rest encryption enabled. The database credentials should be supplied using environment variables, to comply with strict security compliance. As the Solutions Architect, you have to ensure that the credentials are secure and that they cannot be viewed in plaintext on the cluster itself.

Which of the following is the most suitable solution in this scenario that you can implement with minimal effort?

- [ ] In the ECS task definition file of the ECS Cluster, store the database credentials in Amazon ECS Anywhere to centrally manage these sensitive data and securely transmit them to only those containers that need access. Allocate an IAM Role to the cluster to ensure that the passwords are only accessible by the ECS service tasks. Run the AWS IAM Access Analyzer to verify that the credentials can't be viewed in plaintext.
- [ ] Store the database credentials in the ECS task definition file of the ECS Cluster and encrypt it with KMS. Store the task definition JSON file in Amazon Quantum Ledger Database (Amazon QLDB). Create an IAM role for the ECS task definition script that allows access to Amazon QLDB and then pass the `--cli-input-json` parameter when calling the ECS `register-task-definition` action. Reference the task definition JSON file in Amazon QLDB which contains the database credentials.
- [ ] Use AWS Secrets Manager to store the database credentials and then encrypt them using AWS Certificate Manager (ACM). Create a resource-based policy for your Amazon ECS task execution role (taskRoleArn) and reference it with your task definition, which allows access to both ACM and AWS Secrets Manager. Within your container definition, specify secrets with the name of the environment variable to set in the container and the full ARN of the Secrets Manager secret which contains the sensitive data to present to the container.
- [x] Use the AWS Systems Manager Parameter Store to keep the database credentials and then encrypt them using AWS KMS. Create an IAM Role for your Amazon ECS task execution role (taskRoleArn) and reference it with your task definition, which allows access to both KMS and the Parameter Store. Within your container definition, specify secrets with the name of the environment variable to set in the container and the full ARN of the Systems Manager Parameter Store parameter containing the sensitive data to present to the container.

### A solutions architect at an ecommerce company wants to back up application log data to Amazon S3.

The solutions architect is unsure how frequently the logs will be accessed or which logs will be accessed the most. The company wants to keep costs as low as possible by using the appropriate S3 storage class.

Which S3 storage class should be implemented to meet these requirements?

- [ ] S3 Glacier
- [x] S3 Intelligent-Tiering
- [ ] S3 Standard-Infrequent Access (S3 Standard-IA)
- [ ] S3 One Zone-Infrequent Access (S3 One Zone-IA)

### A company hosts multiple applications in their VPC.

While monitoring the system, they noticed that multiple port scans are coming in from a specific IP address block that is trying to connect to several AWS resources inside their VPC. The internal security team has requested that all offending IP addresses be denied for the next 24 hours for security purposes.

Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?

- [ ] Create a policy in IAM to deny access from the IP address block.
- [x] Modify the Network Access Control List associated with all public subnets in the VPC to deny access from the IP address block.
- [ ] Add a rule in the Security Group of the EC2 instances to deny access from the IP address block.
- [ ] Configure the firewall in the operating system of the EC2 instances to deny access from the IP address block.

### A company hosts a static website on-premises and wants to migrate the website to AWS.

The website should load as quickly as possible for users around the world. The company also wants the most cost-effective solution.

What should a solutions architect do to accomplish this?

- [ ] Copy the website content to an Amazon S3 bucket. Configure the bucket to serve static webpage content. Replicate the S3 bucket to multiple AWS Regions.
- [x] Copy the website content to an Amazon S3 bucket. Configure the bucket to serve static webpage content. Configure Amazon CloudFront with the S3 bucket as the origin.
- [ ] Copy the website content to an Amazon EBS-backed Amazon EC2 instance running Apache HTTP Server. Configure Amazon Route 53 geolocation routing policies to select the closest origin.
- [ ] Copy the website content to multiple Amazon EBS-backed Amazon EC2 instances running Apache HTTP Server in multiple AWS Regions. Configure Amazon CloudFront geolocation routing policies to select the closest origin.

### A web application is using CloudFront to distribute the images, videos, and other static content stored in its S3 bucket to users around the world.

The company has recently introduced member-only access to some of its high-quality media files. There is a requirement to provide access to multiple private media files only to paying subscribers without having to change the current URLs.

Which of the following is the most suitable solution that you should implement to satisfy this requirement?

- [ ] Configure your CloudFront distribution to use Match Viewer as its Origin Protocol Policy, which will automatically match the user request. This will allow access to the private content if the request is from a paying member and deny it if it is not from a member.
- [ ] Create a Signed URL with a custom policy which only allows the members to see the private files.
- [ ] Configure your CloudFront distribution to use Field-Level Encryption to protect your private data and only allow access to members.
- [x] Use Signed Cookies to control who can access the private files in your CloudFront distribution by modifying your application to determine whether a user should have access to your content. For members, send the required Set-Cookie headers to the viewer, which will unlock the content only for them.

### A suite of web applications is hosted in an Auto Scaling group of EC2 instances across three Availability Zones and is configured with default settings.

There is an Application Load Balancer that forwards the request to the respective target group based on the URL path. The scale-in policy has been triggered due to the low volume of incoming traffic to the application.

Which EC2 instance will be the first one to be terminated by your Auto Scaling group?

- [ ] The EC2 instance which has the least number of user sessions
- [ ] The EC2 instance which has been running for the longest time
- [x] The EC2 instance launched from the oldest launch configuration
- [ ] The instance will be randomly selected by the Auto Scaling group

### A solutions architect is designing a two-tier web application.

The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets. The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet. Security is a high priority for the company.

How should security groups be configured in this situation? **(Choose two.)**

- [x] Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.
- [ ] Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.
- [x] Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.
- [ ] Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.
- [ ] Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.

### A newly hired Solutions Architect is assigned to manage a set of CloudFormation templates that are used in the company's cloud architecture in AWS.

The Architect accessed the templates and tried to analyze the configured IAM policy for an S3 bucket.

![](https://i.imgur.com/lO98sOZ.jpg)

What does the above IAM policy allow? **(Select THREE.)**

- [x] An IAM user with this IAM policy is allowed to read objects from `all` S3 buckets owned by the account.
- [x] An IAM user with this IAM policy is allowed to write objects into the `xxx-bucket` S3 bucket.
- [ ] An IAM user with this IAM policy is allowed to change access rights for the `xxx-bucket` S3 bucket.
- [ ] An IAM user with this IAM policy is allowed to read objects in the `xxx-bucket` S3 bucket but not allowed to list the objects in the bucket.
- [x] An IAM user with this IAM policy is allowed to read objects from the `xxx-bucket` S3 bucket.
- [ ] An IAM user with this IAM policy is allowed to read and delete objects from the `xxx-bucket` S3 bucket.

### A solutions architect is designing the cloud architecture for a new application being deployed on AWS.

The process should run in parallel while adding and removing application nodes as needed based on the number of jobs to be processed. The processor application is stateless. The solutions architect must ensure that the application is loosely coupled and the job items are durably stored.

Which design should the solutions architect use?

- [ ] Create an Amazon SNS topic to send the jobs that need to be processed. Create an Amazon Machine Image (AMI) that consists of the processor application. Create a launch configuration that uses the AMI. Create an Auto Scaling group using the launch configuration. Set the scaling policy for the Auto Scaling group to add and remove nodes based on CPU usage.
- [ ] Create an Amazon SQS queue to hold the jobs that need to be processed. Create an Amazon Machine Image (AMI) that consists of the processor application. Create a launch configuration that uses the AMI. Create an Auto Scaling group using the launch configuration. Set the scaling policy for the Auto Scaling group to add and remove nodes based on network usage.
- [x] Create an Amazon SQS queue to hold the jobs that need to be processed. Create an Amazon Machine Image (AMI) that consists of the processor application. Create a launch template that uses the AMI. Create an Auto Scaling group using the launch template. Set the scaling policy for the Auto Scaling group to add and remove nodes based on the number of items in the SQS queue.
- [ ] Create an Amazon SNS topic to send the jobs that need to be processed. Create an Amazon Machine Image (AMI) that consists of the processor application. Create a launch template that uses the AMI. Create an Auto Scaling group using the launch template. Set the scaling policy for the Auto Scaling group to add and remove nodes based on the number of messages published to the SNS topic.

### A travel photo sharing website is using Amazon S3 to serve high-quality photos to visitors of your website.

After a few days, you found out that other travel websites are linking to and using your photos. This resulted in financial losses for your business.

What is the MOST effective method to mitigate this issue?

- [x] Configure your S3 bucket to remove public read access and use pre-signed URLs with expiry dates.
- [ ] Use CloudFront distributions for your photos.
- [ ] Block the IP addresses of the offending websites using NACL.
- [ ] Store and privately serve the high-quality photos on Amazon WorkDocs instead.

### A marketing company is storing CSV files in an Amazon S3 bucket for statistical analysis.

An application on an Amazon EC2 instance needs permission to efficiently process the CSV data stored in the S3 bucket.

Which action will MOST securely grant the EC2 instance access to the S3 bucket?

- [ ] Attach a resource-based policy to the S3 bucket.
- [ ] Create an IAM user for the application with specific permissions to the S3 bucket.
- [x] Associate an IAM role with least privilege permissions to the EC2 instance profile.
- [ ] Store AWS credentials directly on the EC2 instance for applications on the instance to use for API calls.

### An Amazon EC2 administrator created the following policy associated with an IAM group containing several users:

![](https://i.imgur.com/UIKqVGz.png)

What is the effect of this policy?

- [ ] Users can terminate an EC2 instance in any AWS Region except us-east-1.
- [ ] Users can terminate an EC2 instance with the IP address 10.100.100.1 in the us-east-1 Region.
- [x] Users can terminate an EC2 instance in the us-east-1 Region when the user's source IP is 10.100.100.254.
- [ ] Users cannot terminate an EC2 instance in the us-east-1 Region when the user's source IP is 10.100.100.254.
