Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Amazon Web Services SAA-C03 AWS Certified Solutions Architect - Associate (SAA-C03) Exam Practice Test

Page: 1 / 91
Total 911 questions

AWS Certified Solutions Architect - Associate (SAA-C03) Questions and Answers

Question 1

A company runs a production application on a fleet of Amazon EC2 instances. The application reads messages from an Amazon Simple Queue Service (Amazon SQS) queue and processes the messages in parallel. The message volume is unpredictable and highly variable.

The company must ensure that the application continually processes messages without any downtime.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Use only Spot Instances to handle the maximum capacity required.

B.

Use only Reserved Instances to handle the maximum capacity required.

C.

Use Reserved Instances to handle the baseline capacity. Use Spot Instances to provide additional capacity when required.

D.

Use Reserved Instances in an EC2 Auto Scaling group to handle the minimum capacity. Configure an auto scaling policy that is based on the SQS queue backlog.

Question 2

A company stores data in an on-premises Oracle relational database. The company needs to make the data available in Amazon Aurora PostgreSQL for analysis The company uses an AWS Site-to-Site VPN connection to connect its on-premises network to AWS.

The company must capture the changes that occur to the source database during the migration to Aurora PostgreSQL.

Which solution will meet these requirements?

Options:

A.

Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora PostgreSQL schema. Use the AWS Database Migration Service (AWS DMS) full-load migration task to migrate the data.

B.

Use AWS DataSync to migrate the data to an Amazon S3 bucket. Import the S3 data to Aurora PostgreSQL by using the Aurora PostgreSQL aws_s3 extension.

C.

Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora PostgreSQL schema. Use AWS Database Migration Service (AWS DMS) to migrate the existing data and replicate the ongoing changes.

D.

Use an AWS Snowball device to migrate the data to an Amazon S3 bucket. Import the S3 data to Aurora PostgreSQL by using the Aurora PostgreSQL aws_s3 extension.

Question 3

A company is building an application that needs to process real-time streaming data. The application must process and transform the data and then store the data for later analysis.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use Amazon Kinesis Data Streams to ingest streaming data. Configure Amazon EC2 instances to process and transform data records from the data streams. Configure the EC2 instances to store the processed and transformed data in an Amazon RDS for MySQL database.

B.

Send streaming data to an Amazon SQS queue. Configure AWS Lambda functions to process the data in the SQS queue. Store the processed data in an Amazon DynamoDB table.

C.

Use Amazon Kinesis Data Streams to ingest streaming data. Configure an AWS Lambda function to process and transform data records from the data streams. Configure the Lambda function to store the processed and transformed data in an Amazon DynamoDB table.

D.

Send streaming data to an Amazon SNS topic. Create an application to process the data on an Amazon EC2 instance. Store the processed data in an Amazon ElastiCache cache.

Question 4

An online gaming company hosts its platform on Amazon EC2 instances behind Network Load Balancers (NLBs) across multiple AWS Regions. The NLBs can route requests to targets overthe internet. The company wants to improve the customer playing experience by reducing end-to-end load time for its global customer base.

Which solution will meet these requirements?

Options:

A.

Create Application Load Balancers (ALBs) in each Region to replace the existing NLBs. Register the existing EC2 instances as targets for the ALBs in each Region.

B.

Configure Amazon Route 53 to route equally weighted traffic to the NLBs in each Region.

C.

Create additional NLBs and EC2 instances in other Regions where the company has large customer bases.

D.

Create a standard accelerator in AWS Global Accelerator. Configure the existing NLBs as target endpoints.

Question 5

A company uses Amazon Elastic Container Service (Amazon ECS) to run workloads that belong to service teams. Each service team uses an owner tag to specify the ECS containers that the team owns. The company wants to generate an AWS Cost Explorer report that shows how much each service team spends on ECS containers on a monthly basis.

Which combination of steps will meet these requirements in the MOST operationally efficient way? (Select TWO.)

Options:

A.

Create a custom report in Cost Explorer. Apply a filter for Amazon ECS.

B.

Create a custom report in Cost Explorer. Apply a filter for the owner resource tag.

C.

Set up AWS Compute Optimizer. Review the rightsizing recommendations.

D.

Activate the owner tag as a cost allocation tag. Group the Cost Explorer report by linked account.

E.

Activate the owner tag as a cost allocation tag. Group the Cost Explorer report by the owner cost allocation tag.

Question 6

A company wants to receive an email notification when IAM users are added to or deleted from an AWS account.

Which solution will meet these requirements?

Options:

A.

Enable Amazon Inspector. Create an Amazon EventBridge rule that responds to Amazon Inspector findings. Set the target as an Amazon SNS topic. Set the company ' s email address as a subscriber to the SNS topic.

B.

Enable Amazon GuardDuty. Create an Amazon EventBridge rule that responds to GuardDuty findings. Configure an event pattern of Impact:IAMUser/AnomalousBehavior. Set the target as an Amazon SNS topic. Set the company’s email address as a subscriber to the SNS topic.

C.

Enable Amazon Macie. Create an Amazon EventBridge rule that responds to Macie findings. Set the target as an Amazon SNS topic. Set the company’s email address as a subscriber to the SNS topic.

D.

Enable management events in AWS CloudTrail. Create an Amazon EventBridge rule that responds to AWS API calls through CloudTrail. Configure an event pattern for CreateUser and DeleteUser actions. Set the target as an Amazon SNS topic. Set the company’s email address as a subscriber to the SNS topic.

Question 7

A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to serve a static website. The solution must use AWS WAF to inspect all website traffic.

Options:

A.

Configure an S3 bucket policy to accept only requests that come from the AWS WAF Amazon Resource Name (ARN).

B.

Configure CloudFront to forward all incoming requests to AWS WAF before CloudFront requests content from the S3 origin.

C.

Configure a security group that allows only CloudFront IP addresses to access Amazon S3. Associate AWS WAF to the CloudFront distribution.

D.

Configure CloudFront and Amazon S3 to use an origin access control (OAC) to secure the origin S3 bucket. Associate AWS WAF to the CloudFront distribution.

Question 8

A company is developing a new online gaming application. The application will run on Amazon EC2 instances in multiple AWS Regions and will have a high number of globally distributed users. A solutions architect must design the application to optimize network latency for the users.

Which actions should the solutions architect take to meet these requirements? (Select TWO.)

Options:

A.

Configure AWS Global Accelerator. Create Regional endpoint groups in each Region where an EC2 fleet is hosted.

B.

Create a content delivery network (CDN) by using Amazon CloudFront. Enable caching for static and dynamic content, and specify a high expiration period.

C.

Integrate AWS Client VPN into the application. Instruct users to select which Region is closest to them after they launch the application. Establish a VPN connection to that Region.

D.

Create an Amazon Route 53 weighted routing policy. Configure the routing policy to give the highest weight to the EC2 instances in the Region that has the largest number of users.

E.

Configure an Amazon API Gateway endpoint in each Region where an EC2 fleet is hosted. Instruct users to select which Region is closest to them after they launch the application. Use the API Gateway endpoint that is closest to them.

Question 9

A company has a transaction-processing application that is backed by an Amazon RDS MySQL database. When the load on the application increases, a large number of database connections are opened and closed frequently, which causes latency for the database transactions.

A solutions architect determines that the root cause of the latency is poor connection handling by the application. The solutions architect cannot modify the application code. The solutions architect needs to manage database connections to improve the database performance during periods of high load.

Which solution will meet these requirements?

Options:

A.

Upgrade the database instance to a larger instance type to handle a large number of database connections.

B.

Configure Amazon RDS storage autoscaling to dynamically increase the provisioned IOPS.

C.

Use Amazon RDS Proxy to pool and share database connections.

D.

Convert the database instance to a Multi-AZ deployment.

Question 10

A data science team requires storage for nightly log processing. The size and number of logs is unknown and the logs will persist for 24 hours only.

What is the MOST cost-effective solution?

Options:

A.

Amazon S3 Glacier Deep Archive

B.

Amazon S3 Standard

C.

Amazon S3 Intelligent-Tiering

D.

Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

Question 11

A company is deploying a critical application by using Amazon RDS for MySQL. The application must be highly available and must recover automatically. The company needs to support interactive users (transactional queries) and batch reporting (analytical queries) with no more than a 4-hour lag. The analytical queries must not affect the performance of the transactional queries.

Which solution will meet these requirements?

Options:

A.

Configure Amazon RDS for MySQL in a Multi-AZ DB instance deployment with one standby instance. Point the transactional queries to the primary DB instance. Point the analytical queries to a secondary DB instance that runs in a different Availability Zone.

B.

Configure Amazon RDS for MySQL in a Multi-AZ DB cluster deployment with two standby instances. Point the transactional queries to the primary DB instance. Point the analytical queries to the reader endpoint.

C.

Configure Amazon RDS for MySQL to use multiple read replicas across multiple Availability Zones. Point the transactional queries to the primary DB instance. Point the analytical queries to one of the replicas in a different Availability Zone.

D.

Configure Amazon RDS for MySQL as the primary database for the transactional queries with automated backups enabled. Each night, create a read-only database from the most recent snapshot to support the analytical queries. Terminate the previously created database.

Question 12

A company needs to optimize its Amazon S3 storage costs for an application that generates many files that cannot be recreated Each file is approximately 5 MB and is stored in Amazon S3 Standard storage.

The company must store the files for 4 years before the files can be deleted The files must be immediately accessible The files are frequently accessed in the first 30 days of object creation, but they are rarely accessed after the first 30 days.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create an S3 Lifecycle policy to move the files to S3 Glacier Instant Retrieval 30 days after object creation. Delete the files 4 years after object creation.

B.

Create an S3 Lifecycle policy to move the files to S3 One Zone-Infrequent Access (S3 One Zone-IA) 30 days after object creation Delete the files 4 years after object creation.

C.

Create an S3 Lifecycle policy to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) 30 days after object creation Delete the files 4 years after object creation.

D.

Create an S3 Lifecycle policy to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) 30 days after object creation. Move the files to S3 Glacier Flexible Retrieval 4 years after object creation.

Question 13

An application is experiencing performance issues based on increased demand. This increased demand is on read-only historical records that are pulled from an Amazon RDS-hosted database with custom views and queries. A solutions architect must improve performance without changing the database structure.

Which approach will improve performance and MINIMIZE management overhead?

Options:

A.

Deploy Amazon DynamoDB, move all the data, and point to DynamoDB.

B.

Deploy Amazon ElastiCache (Redis OSS) and cache the data for the application.

C.

Deploy Memcached on Amazon EC2 and cache the data for the application.

D.

Deploy Amazon DynamoDB Accelerator (DAX) on Amazon RDS to improve cache performance.

Question 14

A company runs a Java-based job on an Amazon EC2 instance. The job runs every hour and takes 10 seconds to run. The job runs on a scheduled interval and consumes 1 GB of memory. The CPU utilization of the instance is low except for short surges during which the job uses the maximum CPU available. The company wants to optimize the costs to run the job.

Options:

A.

Use AWS App2Container (A2C) to containerize the job. Run the job as an Amazon Elastic Container Service (Amazon ECS) task on AWS Fargate with 0.5 virtual CPU (vCPU) and 1 GB of memory.

B.

Copy the code into an AWS Lambda function that has 1 GB of memory. Create an Amazon EventBridge scheduled rule to run the code each hour.

C.

Use AWS App2Container (A2C) to containerize the job. Install the container in the existing Amazon Machine Image (AMI). Ensure that the schedule stops the container when the task finishes.

D.

Configure the existing schedule to stop the EC2 instance at the completion of the job and restart the EC2 instance when the next job starts.

Question 15

A company is migrating a Linux-based web server group to AWS. The web servers must access shared files by using the NFS protocol. The company must not make any changes to the web server application.

Which solution will meet these requirements?

Options:

A.

Create an Amazon S3 bucket to store the shared files in S3 Standard. Grant the S3 bucket access to the web servers.

B.

Configure an Amazon CloudFront distribution. Set an Amazon S3 bucket as the origin. Store the shared files in the S3 bucket.

C.

Create an Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system on the web servers.

D.

Create an Amazon FSx for Windows File Server file system. Configure SMB protocol access for the web servers.

Question 16

A company is deploying an application in three AWS Regions using an Application Load Balancer. Amazon Route 53 will be used to distribute traffic between these Regions.

Which Route 53 configuration should a solutions architect use to provide the MOST high-performing experience?

Options:

A.

Create an A record with a latency policy.

B.

Create an A record with a geolocation policy.

C.

Create a CNAME record with a failover policy.

D.

Create a CNAME record with a geoproximity policy.

Question 17

A media company uses an Amazon CloudFront distribution to deliver content over the internet The company wants only premium customers to have access to the media streams and file content. The company stores all content in an Amazon S3 bucket. The company also delivers content on demand to customers for a specific purpose, such as movie rentals or music downloads.

Which solution will meet these requirements?

Options:

A.

Generate and provide S3 signed cookies to premium customers

B.

Generate and provide CloudFront signed URLs to premium customers.

C.

Use origin access control (OAC) to limit the access of non-premium customers

D.

Generate and activate field-level encryption to block non-premium customers.

Question 18

A solutions architect is designing the architecture for a two-tier web application. The web application consists of an internet-facing Application Load Balancer (ALB) that forwards traffic to an Auto Scaling group of Amazon EC2 instances.

The EC2 instances must be able to access an Amazon RDS database. The company does not want to rely solely on security groups or network ACLs. Only the minimum resources that are necessary should be routable from the internet.

Which network design meets these requirements?

Options:

A.

Place the ALB, EC2 instances, and RDS database in private subnets.

B.

Place the ALB in public subnets. Place the EC2 instances and RDS database in private subnets.

C.

Place the ALB and EC2 instances in public subnets. Place the RDS database in private subnets.

D.

Place the ALB outside the VPC. Place the EC2 instances and RDS database in private subnets.

Question 19

A company operates a data lake in Amazon S3. The company wants to query and filter data directly in S3 without downloading objects.

Which solution will meet these requirements?

Options:

A.

Use Amazon Athena to query and filter the objects in Amazon S3.

B.

Use Amazon EMR to process and filter the objects.

C.

Use Amazon API Gateway to retrieve filtered results.

D.

Use Amazon ElastiCache to cache the objects.

Question 20

A company runs Amazon EC2 instances as web servers. Peak traffic occurs at two predictable times each day. The web servers remain mostly idle during the rest of the day.

A solutions architect must manage the web servers while maintaining fault tolerance in the most cost-effective way.

Which solution will meet these requirements?

Options:

A.

Use an EC2 Auto Scaling group to scale the instances based on demand.

B.

Purchase Reserved Instances to ensure peak capacity at all times.

C.

Use a cron job to stop the EC2 instances when traffic demand is low.

D.

Use a script to vertically scale the EC2 instances during peak demand.

Question 21

A company wants to protect resources that the company hosts on AWS, including Application Load Balancers and Amazon CloudFront distributions.

The company wants an AWS service that can provide near real-time visibility into attacks on the company ' s resources. The service must also have a dedicated AWS team to assist with DDoS attacks.

Which AWS service will meet these requirements?

Options:

A.

AWS WAF

B.

AWS Shield Standard

C.

Amazon Macie

D.

AWS Shield Advanced

Question 22

A company hosts an application in an Amazon EC2 Auto Scaling group. The company has observed that during periods of high demand, new instances take too long to join the Auto Scaling group and serve the increased demand. The company determines that the root cause of the issue is the long boot time of the instances in the Auto Scaling group. The company needs to reduce the time required to launch new instances to respond to demand. Which solution will meet this requirement?

Options:

A.

Increase the maximum capacity of the Auto Scaling group by 50%.

B.

Create a warm pool for the Auto Scaling group. Use the default specification for the warm pool size.

C.

Increase the health check grace period for the Auto Scaling group by 50%.

D.

Create a scheduled scaling action. Set the desired capacity equal to the maximum capacity of the Auto Scaling group.

Question 23

A company runs a NetApp storage array in an on-premises data center. The company wants to migrate the storage array to Amazon FSx for NetApp ONTAP. The company has a mix of NFS and SMB file shares with complex directory structures and over 60 million small files. The company has 10 Gbps of network bandwidth available. The company wants to optimize migration efficiency for the file system.

Options:

A.

Use AWS DataSync with a bandwidth throttle. Use the All tiering policy.

B.

Provision an AWS Storage Gateway Volume Gateway. Configure a zero-ETL integration with the FSx for NetApp ONTAP file system.

C.

Set up NetApp SnapMirror replication between the on-premises array and the FSx for ONTAP file system.

D.

Use AWS Snowball Edge to perform an offline migration.

Question 24

A company needs to integrate with a third-party data feed. The data feed sends a webhook to notify an external service when new data is ready for consumption. A developer wrote an AWS Lambda function to retrieve data when the company receives a webhook callback. The developer must make the Lambda function available for the third party to call.

Which solution will meet these requirements with the MOST operational efficiency?

Options:

A.

Create a function URL for the Lambda function. Provide the Lambda function URL to the third party for the webhook.

B.

Deploy an Application Load Balancer ALB in front of the Lambda function. Provide the ALB URL to the third party for the webhook.

C.

Create an Amazon SNS topic. Attach the topic to the Lambda function. Provide the public hostname of the SNS topic to the third party for the webhook.

D.

Create an Amazon SQS queue. Attach the queue to the Lambda function. Provide the public hostname of the SQS queue to the third party for the webhook.

Question 25

A company runs a high-traffic web application that has a three-tier architecture consisting of a web layer, an application layer, and a database layer. The web layer and application layer run on Amazon EC2 instances behind an Application Load Balancer (ALB). The application layer is stateless and supports automatic scaling. The database layer uses Amazon RDS for MySQL in a Multi-AZ configuration and relies on a relational architecture.

The company is preparing for a large marketing event that is expected to drive a sharp increase in read traffic. The company must ensure that the application remains highly available and responsive under load. The company wants to scale the application ' s architecture components but does not want to modify the application.

Which combination of solutions will meet these requirements? (Select THREE.)

Options:

A.

Deploy an Amazon CloudFront distribution. Specify the web layer as the origin.

B.

Enable automatic scaling for EC2 instances in the application layer.

C.

Migrate the database to Amazon Aurora. Configure Aurora Auto Scaling and Aurora Replicas.

D.

Set up an Amazon ElastiCache (Redis OSS) cluster in front of the database.

E.

Replace the ALB with a Network Load Balancer (NLB).

F.

Migrate the database to an Amazon DynamoDB table.

Question 26

A solutions architect is storing sensitive data generated by an application in Amazon S3. The solutions architect wants to encrypt the data at rest. A company policy requires an audit trail of when the AWS KMS key was used and by whom.

Which encryption option will meet these requirements?

Options:

A.

Server-side encryption with Amazon S3 managed keys (SSE-S3)

B.

Server-side encryption with AWS KMS managed keys (SSE-KMS)

C.

Server-side encryption with customer-provided keys (SSE-C)

D.

Server-side encryption with self-managed keys

Question 27

A company has developed an API by using an Amazon API Gateway REST API and AWS Lambda functions. The API serves static content and dynamic content to users worldwide. The company wants to decrease the latency of transferring the content for API requests. Which solution will meet these requirements?

Options:

A.

Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.

B.

Deploy the REST API as a Regional API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.

C.

Deploy the REST API as an edge-optimized API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.

D.

Deploy the REST API as a Regional API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.

Question 28

A company is building an application on Amazon EC2 instances. The application needs to handle a large number of transactions. The application requires an Amazon EBS data volume that has configurable and consistent input/output operations per second (IOPS).

Which solution will meet these requirements?

Options:

A.

Provision EC2 instances with a Throughput Optimized HDD (st1) EBS root volume and a Cold HDD (sc1) EBS data volume.

B.

Provision EC2 instances with a Throughput Optimized HDD (st1) EBS volume that will serve as both a root volume and a data volume.

C.

Provision EC2 instances with a General Purpose SSD (gp3) EBS root volume and a Provisioned IOPS SSD (io2) EBS data volume.

D.

Provision EC2 instances with a General Purpose SSD (gp3) EBS root volume. Configure the application to store data in an Amazon S3 bucket.

Question 29

A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer ALB. The application is served at one hostname that has two dynamic paths. The first path is named /reports and performs CPU-intensive work that has unpredictable traffic. The second path is named /generateToken and must always respond in less than 1 second. All requests currently go to a single target group. The /generateToken path latency exceeds 1 second during periods when the /reports usage is high. The company must ensure that latency for /generateToken remains under 1 second.

Which solution will meet this requirement?

Options:

A.

Expose /generateToken through an Amazon API Gateway HTTP API that forwards the request to the existing ALB target group.

B.

Configure ALB path-based routing to send traffic for /reports and /generateToken to separate target groups. Link each target group to its own Auto Scaling group.

C.

Replace the current instance type with larger EC2 instances in the existing Auto Scaling group.

D.

Deploy an Amazon CloudFront distribution in front of the ALB. Create separate cache behaviors for each path.

Question 30

A company is developing a microservices-based application to manage the company ' s delivery operations. The application consists of microservices that process orders, manage a fleet of delivery vehicles, and optimize delivery routes.

The microservices must be able to scale independently and must be able to handle bursts of traffic without any data loss.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use Amazon API Gateway REST APIs to establish communication between microservices. Deploy the application on Amazon EC2 instances in Auto Scaling groups.

B.

Use Amazon Simple Queue Service (Amazon SQS) to establish communication between microservices. Deploy the application on Amazon Elastic Container Service (Amazon ECS) containers on AWS Fargate.

C.

Use WebSocket-based communication between microservices. Deploy the application on Amazon EC2 instances in Auto Scaling groups.

D.

Use Amazon Simple Notification Service (Amazon SNS) to establish communication between microservices. Deploy the application on Amazon Elastic Container Service (Amazon ECS) containers on Amazon EC2 instances.

Question 31

A company runs several applications on Amazon EC2 instances. The company stores configuration files in an Amazon S3 bucket.

A solutions architect must provide the company ' s applications with access to the configuration files. The solutions architect must follow AWS best practices for security.

Which solution will meet these requirements?

Options:

A.

Use the AWS account root user access keys.

B.

Use the AWS access key ID and the EC2 secret access key.

C.

Use an IAM role to grant the necessary permissions to the applications.

D.

Activate multi-factor authentication (MFA) and versioning on the S3 bucket.

Question 32

An analytics application runs on multiple Amazon EC2 Linux instances that use Amazon Elastic File System (Amazon EFS) Standard storage. The files vary in size and access frequency. The company accesses the files infrequently after 30 days. However, users sometimes request older files to generate reports.

The company wants to reduce storage costs for files that are accessed infrequently. The company also wants throughput to adjust based on the size of the file system. The company wants to use the TransitionToIA Amazon EFS lifecycle policy to transition files to Infrequent Access (IA) storage after 30 days.

Which solution will meet these requirements?

Options:

A.

Configure files to transition back to Standard storage when a user accesses the files again. Specify the provisioned throughput mode.

B.

Specify the provisioned throughput mode only.

C.

Configure files to transition back to Standard storage when a user accesses the files again. Specify the bursting throughput mode.

D.

Specify the bursting throughput mode only.

Question 33

A company is designing a new application that uploads files to an Amazon S3 bucket. The uploaded files are processed to extract metadata.

Processing must take less than 5 seconds. The volume and frequency of the uploads vary from a few files each hour to hundreds of concurrent uploads.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Configure AWS CloudTrail trails to log Amazon S3 API calls. Use AWS AppSync to process the files.

B.

Configure a new object created S3 event notification within the bucket to invoke an AWS Lambda function to process the files.

C.

Configure Amazon Kinesis Data Streams to deliver the files to the S3 bucket. Invoke an AWS Lambda function to process the files.

D.

Deploy an Amazon EC2 instance. Create a script that lists all files in the S3 bucket and processes new files. Use a cron job that runs every minute to run the script.

Question 34

A company is planning to migrate to AWS. The network layout will include more than 1,000 VPCs in a single AWS Region. The resources in the VPCs need to communicate with each other.

What should a solutions architect recommend to meet these requirements?

Options:

A.

Create VPN tunnels from all the VPCs to each other. Enable route propagation.

B.

Create an AWS Direct Connect gateway, and attach a public virtual interface (VIF) to each VPC. Enable route propagation.

C.

Peer all the VPCs together by creating and accepting peering requests. Update route tables with the new routes.

D.

Create a transit gateway, and place attachments in subnets of all the VPCs. Configure a transit gateway route table with the new routes.

Question 35

An ecommerce company is launching a new marketing campaign. The company anticipates the campaign to generate ten times the normal number of daily orders through the company ' s ecommerce application. The campaign will last 3 days.

The ecommerce application architecture is based on Amazon EC2 instances in an Auto Scaling group and an Amazon RDS for MySQL database. The application writes order transactions to an Amazon Elastic File System (Amazon EFS) file system before the application writes orders to the database. During normal operations, the application write operations peak at 5,000 IOPS.

A solutions architect needs to ensure that the application can handle the anticipated workload during the marketing campaign.

Which solution will meet this requirement?

Options:

A.

For the duration of the campaign, increase the provisioned IOPS for the RDS for MySQL database. Set the Amazon EFS throughput mode to Bursting throughput.

B.

For the duration of the campaign, increase the provisioned IOPS for the RDS for MySQL database. Set the Amazon EFS throughput mode to Elastic throughput.

C.

Convert the database to a Multi-AZ deployment. Set the Amazon EFS throughput mode to Elastic throughput for the duration of the campaign.

D.

Use AWS Database Migration Service (AWS DMS) to convert the database to RDS for PostgreSQL. Set the Amazon EFS throughput mode to Bursting throughput.

Question 36

A company currently runs a Linux-based application in a self-managed Docker container that runs on Amazon EC2 instances. The application runs a lightweight data processing tool that always completes its job within 3 minutes. The company wants an alternative deployment solution for the application to reduce infrastructure management overhead. The company is willing to make any required changes to the image.

Which solution will meet this requirement with the LEAST operational overhead?

Options:

A.

Deploy the application as an AWS Lambda function that uses the container image.

B.

Deploy the application on Amazon EKS with the AWS Fargate launch type.

C.

Deploy the application on Amazon ECS with the AWS Fargate launch type.

D.

Deploy the application as a custom Amazon Machine Image (AMI) by using AWS Batch.

Question 37

A global ecommerce company is planning to enhance its AWS data storage architecture to improve system availability and resilience.

The company handles millions of daily transactions in relational form. It stores unstructured data in the form of images over 4 MB in size.

The solution must provide continuous operation in multiple geographic locations, minimize downtime/data loss, and support both transactional and unstructured data.

Which solution will meet these requirements?

Options:

A.

Use Amazon RDS Multi-AZ deployments for transaction data. Use Amazon DynamoDB global tables for unstructured data.

B.

Use an Amazon Aurora global database for transaction data. Use Amazon S3 with Cross-Region Replication for unstructured data.

C.

Use Amazon DynamoDB global tables for both transaction data and unstructured data.

D.

Use an Amazon Aurora global database for transaction data. Use Amazon Elastic File System (Amazon EFS) with Cross-Region Replication for unstructured data.

Question 38

A company runs an application as a task in an Amazon Elastic Container Service (Amazon ECS) cluster. The application must have read and write access to a specific group of Amazon S3 buckets. The S3 buckets are in the same AWS Region and AWS account as the ECS cluster. The company needs to grant the application access to the S3 buckets according to the principle of least privilege.

Which combination of solutions will meet these requirements? (Select TWO.)

Options:

A.

Add a tag to each bucket. Create an IAM policy that includes a StringEquals condition that matches the tags and values of the buckets.

B.

Create an IAM policy that lists the full Amazon Resource Name (ARN) for each S3 bucket.

C.

Attach the IAM policy to the instance role of the ECS task.

D.

Create an IAM policy that includes a wildcard Amazon Resource Name (ARN) that matches all combinations of the S3 bucket names.

E.

Attach the IAM policy to the task role of the ECS task.

Question 39

A company is planning to connect a remote office to its AWS infrastructure. The office requires permanent and secure connectivity to AWS. The connection must provide secure access to resources in two VPCs. However, the VPCs must not be able to access each other.

Options:

A.

Create two transit gateways. Set up one AWS Site-to-Site VPN connection from the remote office to each transit gateway. Connect one VPC to the transit gateway. Configure route table propagation to the appropriate transit gateway based on the destination VPC IP range.

B.

Set up one AWS Site-to-Site VPN connection from the remote office to each of the VPCs. Update the VPC route tables with static routes to the remote office resources.

C.

Set up one AWS Site-to-Site VPN connection from the remote office to one of the VPCs. Set up VPC peering between the two VPCs. Update the VPC route tables with static routes to the remote office and peered resources.

D.

Create a transit gateway. Set up an AWS Direct Connect gateway and one Direct Connect connection between the remote office and the Direct Connect gateway. Associate the transit gateway with the Direct Connect gateway. Configure a separate private virtual interface (VIF) for each VPC, and configure routing.

Question 40

A financial services company has a two-tier consumer banking application. The frontend serves static web content. The backend consists of APIs. The company needs to migrate the frontendcomponent to AWS. The backend of the application will remain on-premises. The company must protect the application from common web vulnerabilities and attacks.

Options:

A.

Migrate the frontend to Amazon EC2 instances. Deploy an Application Load Balancer (ALB) in front of the instances. Use the instances to invoke the on-premises APIs. Associate AWS WAF rules with the instances.

B.

Deploy the frontend as an Amazon CloudFront distribution that has multiple origins. Configure one origin to be an Amazon S3 bucket that serves the static web content. Configure a second origin to route traffic to the on-premises APIs based on the URL pattern. Associate AWS WAF rules with the distribution.

C.

Migrate the frontend to Amazon EC2 instances. Deploy a Network Load Balancer (NLB) in front of the instances. Use the instances to invoke the on-premises APIs. Create an AWS Network Firewall instance. Route all traffic through the Network Firewall instance.

D.

Deploy the frontend as a static website based on an Amazon S3 bucket. Use an Amazon API Gateway REST API and a set of Amazon EC2 instances to invoke the on-premises APIs. AssociateAWS WAF rules with the REST API and the S3 bucket.

Question 41

A solutions architect is creating a website that will be hosted from an Amazon S3 bucket. The website must support secure browser connections (HTTPS).

Which combination of actions must the solutions architect take to meet this requirement? (Select TWO.)

Options:

A.

Create an Elastic Load Balancing (ELB) load balancer. Configure the load balancer to direct traffic to the S3 bucket.

B.

Create an Amazon CloudFront distribution. Set the S3 bucket as an origin.

C.

Configure the Elastic Load Balancing (ELB) load balancer with an SSL/TLS certificate.

D.

Configure the Amazon CloudFront distribution with an SSL/TLS certificate.

E.

Configure the S3 bucket with an SSL/TLS certificate.

Question 42

A company uses Amazon EC2 instances behind an Application Load Balancer ALB to serve content to users. The company uses Amazon EBS volumes to store data.

The company needs to encrypt data in transit and at rest.

Which combination of services will meet these requirements? Select TWO.

Options:

A.

Amazon GuardDuty

B.

AWS Shield

C.

AWS Certificate Manager ACM

D.

AWS Secrets Manager

E.

AWS KMS

Question 43

A company stores a large dataset for an online advertising business in an Amazon RDS for MySQL DB instance. The company wants to run business reporting queries on the data without affecting write operations to the DB instance.

Which solution will meet these requirements?

Options:

A.

Deploy RDS read replicas to process the business reporting queries.

B.

Scale out the DB instance horizontally by placing the instance behind an Elastic Load Balancing (ELB) load balancer.

C.

Scale up the DB instance to a larger instance type to handle write operations and reporting queries.

D.

Configure Amazon CloudWatch to monitor the DB instance. Deploy standby DB instances when a latency metric threshold is exceeded.

Question 44

An ecommerce company runs an application that uses an Amazon DynamoDB table in a single AWS Region. The company wants to deploy the application to a second Region. The company needs to support multi-active replication with low latency reads and writes to the existing DynamoDB table in both Regions.

Which solution will meet these requirements in the MOST operationally efficient way?

Options:

A.

Create a DynamoDB global secondary index (GSI) for the existing table. Create a new table in the second Region. Convert the existing DynamoDB table to a global table. Specify the new table as the secondary table.

B.

Enable Amazon DynamoDB Streams for the existing table. Create a new table in the second Region. Create a new application that uses the DynamoDB Streams Kinesis Adapter and the Amazon Kinesis Client Library (KCL). Configure the new application to read data from the DynamoDB table in the first Region and to write the data to the new table in the second Region.

C.

Convert the existing DynamoDB table to a global table. Choose the appropriate second Region to achieve active-active write capabilities in both Regions.

D.

Enable Amazon DynamoDB Streams for the existing table. Create a new table in the second Region. Create an AWS Lambda function in the first Region that reads data from the table in the first Region and writes the data to the new table in the second Region. Set a DynamoDB stream as the input trigger for the Lambda function.

Question 45

An ecommerce company runs several internal applications in multiple AWS accounts. The company uses AWS Organizations to manage its AWS accounts.

A security appliance in the company ' s networking account must inspect interactions between applications across AWS accounts.

Which solution will meet these requirements?

Options:

A.

Deploy a Network Load Balancer (NLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the NLB by using an interface VPC endpoint in the application accounts

B.

Deploy an Application Load Balancer (ALB) in the application accounts to send traffic directly to the security appliance.

C.

Deploy a Gateway Load Balancer (GWLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the GWLB by using an interface GWLB endpoint in the application accounts

D.

Deploy an interface VPC endpoint in the application accounts to send traffic directly to the security appliance.

Question 46

A financial service company has a two-tier consumer banking application. The frontend serves static web content. The backend consists of APIs. The company needs to migrate the frontendcomponent to AWS. The backend of the application will remain on premises. The company must protect the application from common web vulnerabilities and attacks.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Migrate the frontend to Amazon EC2 instances. Deploy an Application Load Balancer (ALB) in front of the instances. Use the instances to invoke the on-premises APIs. Associate AWS WAF rules with the instances.

B.

Deploy the frontend as an Amazon CloudFront distribution that has multiple origins. Configure one origin to be an Amazon S3 bucket that serves the static web content. Configure a second origin to route traffic to the on-premises APIs based on the URL pattern. Associate AWS WAF rules with the distribution.

C.

Migrate the frontend to Amazon EC2 instances. Deploy a Network Load Balancer (NLB) in front of the instances. Use the instances to invoke the on-premises APIs. Create an AWS Network Firewall instance. Route all traffic through the Network Firewall instance.

D.

Deploy the frontend as a static website based on an Amazon S3 bucket. Use an Amazon API Gateway REST API and a set of Amazon EC2 instances to invoke the on-premises APIs. Associate AWS WAF rules with the REST API and the S3 bucket.

Question 47

A company needs to connect its on-premises data center network to a new VPC. The data center network has a 100 Mbps symmetrical internet connection. An application that is running on premises will transfer multiple gigabytes of data each day. The application will use an Amazon Data Firehose delivery stream for processing.

What should a solutions architect recommend for maximum performance?

Options:

A.

Create a VPC peering connection between the on-premises network and the VPC. Configure routing for the on-premises network to use the VPC peering connection.

B.

Procure an AWS Snowball Edge Storage Optimized device. After several days ' worth of data has accumulated, copy the data to the device and ship the device to AWS for expedited transfer to Firehose. Repeat as needed.

C.

Create an AWS Site-to-Site VPN connection between the on-premises network and the VPC. Configure BGP routing between the customer gateway and the virtual private gateway. Use the VPN connection to send the data from on premises to Firehose.

D.

Use AWS PrivateLink to create an interface VPC endpoint for Firehose in the VPC. Set up a 1 Gbps AWS Direct Connect connection between the on-premises network and AWS. Use the PrivateLink endpoint to send the data from on premises to Firehose.

Question 48

A company plans to run a high performance computing (HPC) workload on Amazon EC2 Instances The workload requires low-latency network performance and high network throughput with tightly coupled node-to-node communication.

Which solution will meet these requirements?

Options:

A.

Configure the EC2 instances to be part of a cluster placement group

B.

Launch the EC2 instances with Dedicated Instance tenancy.

C.

Launch the EC2 instances as Spot Instances.

D.

Configure an On-Demand Capacity Reservation when the EC2 instances are launched.

Question 49

A company runs production workloads in its AWS account. Multiple teams create and maintain the workloads.

The company needs to be able to detect changes in resource configurations. The company needs to capture changes as configuration items without changing or modifying the existing resources.

Which solution will meet these requirements?

Options:

A.

Use AWS Config. Start the configuration recorder for AWS resources to detect changes in resource configurations.

B.

Use AWS CloudFormation. Initiate drift detection to capture changes in resource configurations.

C.

Use Amazon Detective to detect, analyze, and investigate changes in resource configurations.

D.

Use AWS Audit Manager to capture management events and global service events for resource configurations.

Question 50

A company is migrating an on-premises data center to the AWS Cloud. The company is using Amazon FSx for Windows File Server to perform test deployments into a single Availability Zone. After testing, the company determines that it needs to improve availability and fault tolerance for its shared Windows file system.

Which solution will meet these requirements?

Options:

A.

Set up a new FSx for Windows File Server file system in a second Availability Zone. Use AWS Transfer Family to replicate data from the original file system. Use the new file system as a failover option.

B.

Shut down the existing FSx for Windows File Server file system. Change the deployment configuration to a Multi-AZ deployment type. Restart the file system.

C.

Set up a new FSx for Windows File Server file system that has a Multi-AZ deployment type. Use AWS DataSync to transfer data from the original file system to the new file system.

D.

Set up a new FSx for Windows File Server file system that has a Multi-AZ deployment type. Use AWS DMS to transfer data from the original file system to the new file system.

Question 51

A company has primary and secondary data centers that are 500 miles (804.7 km) apart and interconnected with high-speed fiber-optic cable. The company needs a highly available and secure network connection between its data centers and a VPC on AWS for a mission-critical workload.

A solutions architect must choose a connection solution that provides maximum resiliency.

Which solution meets these requirements?

Options:

A.

Two AWS Direct Connect connections from the primary data center terminating at two Direct Connect locations on two separate devices

B.

A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on the same device

C.

Two AWS Direct Connect connections from each of the primary and secondary data centers terminating at two Direct Connect locations on two separate devices

D.

A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on two separate devices

Question 52

A company hosts an end-user application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company needs to configure end-to-end encryption between the ALB and the EC2 instances.

Which solution will meet this requirement with the LEAST operational effort?

Options:

A.

Deploy AWS CloudHSM. Import a third-party certificate into CloudHSM. Configure the EC2 instances and the ALB to use the CloudHSM imported certificate.

B.

Import a third-party certificate bundle into AWS Certificate Manager (ACM). Generate a self-signed certificate on the EC2 instances. Associate the ACM imported third-party certificate with the ALB.

C.

Import a third-party SSL certificate into AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the ALB.

D.

Use Amazon-issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the ALB.

Question 53

A company has an Amazon S3 data lake that is governed by AWS Lake Formation. The company wants to create a visualization in Amazon QuickSight by joining the data in the data lake with operational data that is stored in an Amazon Aurora MySQL database. The company wants to enforce column-level authorization so that the company ' s marketing team can access only a subset of columns in the database.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use Amazon EMR to ingest the data directly from the database to the QuickSight SPICE engine. Include only the required columns.

B.

Use AWS Glue Studio to ingest the data from the database to the S3 data lake. Attach an IAM policy to the QuickSight users to enforce column-level access control. Use Amazon S3 as the data source in QuickSight.

C.

Use AWS Glue Elastic Views to create a materialized view for the database in Amazon S3. Create an S3 bucket policy to enforce column-level access control for the QuickSight users. Use Amazon S3 as the data source in QuickSight.

D.

Use a Lake Formation blueprint to ingest the data from the database to the S3 data lake. Use Lake Formation to enforce column-level access control for the QuickSight users. Use Amazon Athena as the data source in QuickSight.

Question 54

A company is using an Amazon Redshift cluster to run analytics queries for multiple sales teams. In addition to the typical workload, on the last Monday morning of each month, thousands of users run reports. Users have reported slow response times during the monthly surge.

The company must improve query performance without impacting the availability of the Redshift cluster.

Which solution will meet these requirements?

Options:

A.

Resize the Redshift cluster by using the classic resize capability of Amazon Redshift before every monthly surge. Reduce the cluster to its original size after each surge.

B.

Resize the Redshift cluster by using the elastic resize capability of Amazon Redshift before every monthly surge. Reduce the cluster to its original size after each surge.

C.

Enable the concurrency scaling feature for the Redshift cluster for specific workload management (WLM) queues.

D.

Enable Amazon Redshift Spectrum for the Redshift cluster before every monthly surge.

Question 55

A company is developing an ecommerce application that uses an Amazon API Gateway HTTP API. When a customer creates an order in the application, three downstream consumers must process the order event. The downstream consumers include a billing service that uses AWS Lambda functions, an email messaging service that uses AWS Lambda functions, and an inventory service that uses Amazon EC2 instances. Each consumer must receive every event. The service must absorb traffic bursts with durable buffering for each consumer. The company must be able to add new consumers without changing the producer or existing consumers. Which solution will meet these requirements?

Options:

A.

Publish order events to an Amazon SNS topic. Subscribe one Amazon SQS queue to the SNS topic for each consumer. Configure each consumer to process events from its own SQS queue.

B.

Send order events to a single Amazon SQS queue. Configure all the consumers to poll the SQS queue by using long polling.

C.

Send order events on an Amazon EventBridge event bus. Create one EventBridge rule for each consumer to target each consumer directly.

D.

Use an Application Load Balancer ALB to forward events to an Auto Scaling group of Amazon EC2 instances that call each consumer.

Question 56

A company is building an ecommerce web service on AWS. The web service sends information about new orders to an Amazon API Gateway REST API for processing. The company wants to eliminate duplicate orders within a 5-minute processing window.

Which solution will meet this requirement with the LEAST amount of development effort?

Options:

A.

Configure API Gateway to send a message to an Amazon SNS topic when API Gateway receives an order. Create a filter policy for the SNS topic to deduplicate orders. Subscribe an AWS Lambda function to the SNS topic to process filtered results.

B.

Configure API Gateway to send a message to an Amazon SQS FIFO queue when API Gateway receives an order. Include a MessageDeduplicationId token in the order requests. Configure the queue to invoke an AWS Lambda function for processing.

C.

Use API Gateway integrations to send messages to an Amazon SQS standard queue. Include OrderID and Timestamp attributes in the order requests. Use an AWS Lambda function to consume the queue. Use the attributes to discard duplicate orders.

D.

Use an API Gateway integration to send messages to an Amazon SQS standard queue. Configure an AWS Lambda function to process the queue. Include a MessageDeduplicationId token in the order requests.

Question 57

A company runs multiple web applications on Amazon EC2 instances behind a single Application Load Balancer (ALB). The application experiences unpredictable traffic spikes throughout each day. The traffic spikes cause high latency. The unpredictable spikes last less than 3 hours. The company needs a solution to resolve the latency issue caused by traffic spikes.

Options:

A.

Use EC2 instances in an Auto Scaling group. Configure the ALB and Auto Scaling group to use a target tracking scaling policy.

B.

Use EC2 Reserved Instances in an Auto Scaling group. Configure the Auto Scaling group to use a scheduled scaling policy based on peak traffic hours.

C.

Use EC2 Spot Instances in an Auto Scaling group. Configure the Auto Scaling group to use a scheduled scaling policy based on peak traffic hours.

D.

Use EC2 Reserved Instances in an Auto Scaling group. Replace the ALB with a Network Load Balancer (NLB).

Question 58

A solutions architect has created an AWS Lambda function that makes queries to an Amazon Aurora MySQL DB instance. When the solutions architect performs a test, the DB instance shows an error for too many connections.

Which solution will meet these requirements with the LEAST operational effort?

Options:

A.

Create a read replica for the DB instance. Query the replica DB instance instead of the primary DB instance.

B.

Migrate the data to an Amazon DynamoDB database.

C.

Configure the Amazon Aurora MySQL DB instance for Multi-AZ deployment.

D.

Create a proxy in Amazon RDS Proxy. Query the proxy instead of the DB instance.

Question 59

A company is developing a containerized web application that needs to be highly available and scalable. The application requires access to GPU resources.

Options:

A.

Package the application as an AWS Lambda function in a container image. Use Lambda to run the containerized application on a runtime with GPU access.

B.

Deploy the application container to Amazon Elastic Kubernetes Service (Amazon EKS). Use AWS Fargate to manage compute resources and access to GPU resources.

C.

Deploy the application container to Amazon Elastic Container Registry (Amazon ECR). Use Amazon ECR to run the containerized application with an attached GPU.

D.

Run the application on Amazon EC2 instances from a GPU instance family by using Amazon Elastic Container Service (Amazon ECS) for orchestration.

Question 60

A company generates approximately 20 GB of data multiple times each day. The company uses AWS DataSync to copy all data from on-premises storage to Amazon S3 every 6 hours for further processing. The analytics team wants to modify the copy process to copy only data relevant to the analytics team and ignore the rest of the data. The team wants to copy data as soon as possible and receive a notification when the copy process is finished. Which combination of steps will meet these requirements MOST cost-effectively? (Select THREE.)

Options:

A.

Modify the data generation process on-premises to create a manifest file at the end of the copy process with the names of the objects to be copied to Amazon S3. Create a custom script to upload the manifest file to an S3 bucket.

B.

Modify the data generation process on-premises to create a manifest file at the end of the copy process with the names of the objects to be copied to Amazon S3. Create an AWS Lambda function to load the manifest file data into an Amazon DynamoDB table.

C.

Create an AWS Lambda function that Amazon EventBridge invokes when the manifest file is loaded into Amazon DynamoDB. Configure the Lambda function to copy the data from on-premises storage to the S3 bucket that uses the manifest file.

D.

Create an AWS Lambda function that an S3 Event Notification invokes when the manifest file is uploaded. Configure the Lambda function to invoke the DataSync task by calling the StartTaskExecution API action with a manifest.

E.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon EventBridge rule to send an email notification to the SNS topic when the DataSync task execution status changes to SUCCESS or to ERROR.

F.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function to send an email notification to the SNS topic when the DataSync task execution status changes to SUCCESS or to ERROR.

Question 61

A company is redesigning a static website. The company needs a solution to host the new website in the company ' s AWS account. The solution must be secure and scalable.

Which combination of solutions will meet these requirements? (Select THREE.)

Options:

A.

Configure an Amazon CloudFront distribution. Set the Amazon S3 bucket as the origin.

B.

Associate an AWS Certificate Manager (ACM) TLS certificate to the Amazon CloudFront distribution.

C.

Enable static website hosting for the Amazon S3 bucket.

D.

Create an Amazon S3 bucket to store the static website content.

E.

Export the website ' s SSL/TLS certificate from AWS Certificate Manager (ACM) to the root of the Amazon S3 bucket.

F.

Turn off Block Public Access for the Amazon S3 bucket.

Question 62

A company has an application that uses an Amazon DynamoDB table for storage. A solutions architect discovers that many requests to the table are not returning the latest data.

Users have not reported latency or performance issues.

Which design change should the solutions architect recommend?

Options:

A.

Add read replicas to the table.

B.

Use a global secondary index (GSI).

C.

Request strongly consistent reads for the table.

D.

Request eventually consistent reads for the table.

Question 63

An ecommerce company runs Its application on AWS. The application uses an Amazon Aurora PostgreSQL cluster in Multi-AZ mode for the underlying database. During a recent promotionalcampaign, the application experienced heavy read load and write load. Users experienced timeout issues when they attempted to access the application.

A solutions architect needs to make the application architecture more scalable and highly available.

Which solution will meet these requirements with the LEAST downtime?

Options:

A.

Create an Amazon EventBndge rule that has the Aurora cluster as a source. Create an AWS Lambda function to log the state change events of the Aurora cluster. Add the Lambda function as a target for the EventBndge rule Add additional reader nodes to fail over to.

B.

Modify the Aurora cluster and activate the zero-downtime restart (ZDR) feature. Use Database Activity Streams on the cluster to track the cluster status.

C.

Add additional reader instances to the Aurora cluster Create an Amazon RDS Proxy target group for the Aurora cluster.

D.

Create an Amazon ElastiCache for Redis cache. Replicate data from the Aurora cluster to Redis by using AWS Database Migration Service (AWS DMS) with a write-around approach.

Question 64

A company is enhancing the security of its AWS environment, where the company stores a significant amount of sensitive customer data. The company needs a solution that automatically identifies and classifies sensitive data that is stored in multiple Amazon S3 buckets. The solution must automatically respond to data breaches and alert the company ' s security team through email immediately when noncompliant data is found.

Which solution will meet these requirements?

Options:

A.

Use Amazon GuardDuty. Configure an AWS Lambda function to route alerts to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the SNS topic.

B.

Use Amazon GuardDuty. Configure an AWS Lambda function to route alerts to an Amazon Simple Queue Service (Amazon SQS) queue. Configure a second Lambda function to periodically poll the SQS queue and to send emails to the security team by using Amazon Simple Email Service (Amazon SES).

C.

Use Amazon Macie. Integrate Amazon EventBridge with Macie, and configure EventBridge to send alerts to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the SNS topic.

D.

Use Amazon Macie. Integrate Amazon EventBridge with Macie, and configure EventBridge to route alerts to an Amazon Simple Queue Service (Amazon SQS) queue. Configure an AWS Lambda function to periodically poll the SQS queue and to send alerts to the security team by using Amazon Simple Email Service (Amazon SES).

Question 65

A company has an ecommerce application that users access through multiple mobile apps and web applications. The company needs a solution that will receive requests from the mobile apps and web applications through an API.

Request traffic volume varies significantly throughout each day. Traffic spikes during sales events. The solution must be loosely coupled and ensure that no requests are lost.

Which solution will meet these requirements?

Options:

A.

Create an Application Load Balancer ALB. Create an AWS Elastic Beanstalk endpoint to process the requests. Add the Elastic Beanstalk endpoint to the target group of the ALB.

B.

Set up an Amazon API Gateway REST API with an integration to an Amazon SQS queue. Configure a dead-letter queue. Create an AWS Lambda function to poll the queue to process the requests.

C.

Create an Application Load Balancer ALB. Create an AWS Lambda function to process the requests. Add the Lambda function as a target of the ALB.

D.

Set up an Amazon API Gateway HTTP API with an integration to an Amazon SNS topic. Create an AWS Lambda function to process the requests. Subscribe the function to the SNS topic to process the requests.

Question 66

A company runs an application on EC2 instances that need access to RDS credentials stored in AWS Secrets Manager.

Which solution meets this requirement?

Options:

A.

Create an IAM role, and attach the role to each EC2 instance profile. Use an identity-based policy to grant the role access to the secret.

B.

Create an IAM user, and attach the user to each EC2 instance profile. Use a resource-based policy to grant the user access to the secret.

C.

Create a resource-based policy for the secret. Use EC2 Instance Connect to access the secret.

D.

Create an identity-based policy for the secret. Grant direct access to the EC2 instances.

Question 67

A company needs to migrate its customer transactions database from on-premises to AWS. The database resides on an Oracle DB instance that runs on a Linux server. According to a new security requirement, the company must rotate the database password each year.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Convert the database to Amazon DynamoDB by using AWS Schema Conversion Tool (AWS SCT). Store the password in AWS Systems Manager Parameter Store. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function for yearly password rotation.

B.

Migrate the database to Amazon RDS for Oracle. Store the password in AWS Secrets Manager. Turn on automatic rotation. Configure a yearly rotation schedule.

C.

Migrate the database to an Amazon EC2 instance. Use AWS Systems Manager Parameter Store to keep and rotate the connection string by using an AWS Lambda function on a yearly schedule.

D.

Migrate the database to Amazon Neptune by using AWS Schema Conversion Tool (AWS SCT). Create an Amazon CloudWatch alarm to invoke an AWS Lambda function for yearly password rotation.

Question 68

A company runs a production database on Amazon RDS for MySQL. The company wants to upgrade the database version for security compliance reasons. Because the database contains critical data, the company wants a quick solution to upgrade and test functionality without losing any data.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an RDS manual snapshot. Upgrade to the new version of Amazon RDS for MySQL.

B.

Use native backup and restore. Restore the data to the upgraded new version of Amazon RDS for MySQL.

C.

Use AWS Database Migration Service (AWS DMS) to replicate the data to the upgraded new version of Amazon RDS for MySQL.

D.

Use Amazon RDS Blue/Green Deployments to deploy and test production changes.

Question 69

A company hosts an application on AWS that uses an Amazon S3 bucket and an Amazon Aurora database. The company wants to implement a multi-Region disaster recovery DR strategy that minimizes potential data loss.

Which solution will meet these requirements?

Options:

A.

Create an Aurora read replica in a second Availability Zone within the same AWS Region. Enable S3 Versioning for the bucket.

B.

Create an Aurora read replica in a second AWS Region. Configure AWS Backup to create continuous backups of the S3 bucket to a second bucket in a second Availability Zone.

C.

Enable Aurora native database backups across multiple AWS Regions. Use S3 cross-account backups within the company ' s local Region.

D.

Migrate the database to an Aurora global database. Create a second S3 bucket in a second Region. Configure Cross-Region Replication.

Question 70

A company is developing a rating system for its ecommerce web application. The company needs a solution to save ratings that users submit in an Amazon DynamoDB table.

The company wants to ensure that developers do not need to interact directly with the DynamoDB table. The solution must be scalable and reusable.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an Application Load Balancer (ALB). Create an AWS Lambda function, and set the function as a target group in the ALB. Invoke the Lambda function by using the put_item method through the ALB.

B.

Create an AWS Lambda function. Configure the Lambda function to interact with the DynamoDB table by using the put-item method from Boto3. Invoke the Lambda function from the web application.

C.

Create an Amazon Simple Queue Service (Amazon SQS) queue and an AWS Lambda function that has an SQS trigger type. Instruct the developers to add customer ratings to the SQS queue as JSON messages. Configure the Lambda function to fetch the ratings from the queue and store the ratings in DynamoDB.

D.

Create an Amazon API Gateway REST API Define a resource and create a new POST method Choose AWS as the integration type, and select DynamoDB as the service. Set the action to PutItem.

Question 71

A company runs an HPC workload that uses a 200-TB file system on premises. The company needs to migrate this data to Amazon FSx for Lustre. Internet capacity is 10 Mbps, and all data must be migrated within 30 days.

Which solution will meet this requirement?

Options:

A.

Use AWS DMS to transfer data into S3 and link FSx for Lustre to the bucket.

B.

Deploy AWS DataSync on premises and transfer directly into FSx for Lustre.

C.

Use AWS Storage Gateway Volume Gateway to move data into FSx for Lustre.

D.

Use an AWS Snowball Edge storage-optimized device to transfer data into S3 and link FSx for Lustre to the bucket.

Question 72

A company is building a serverless application that processes large volumes of data from a mobile app. The application uses an AWS Lambda function to process the data and store the data in an Amazon DynamoDB table.

The company needs to ensure that the application can recover from failures and continue processing data without losing any records.

Which solution will meet these requirements?

Options:

A.

Configure the Lambda function to use a dead-letter queue with an Amazon Simple Queue Service (Amazon SQS) queue. Configure Lambda to retry failed records from the dead-letter queue. Use a retry mechanism by implementing an exponential backoff algorithm.

B.

Configure the Lambda function to read records from Amazon Data Firehose. Replay the Firehose records in case of any failures.

C.

Use Amazon OpenSearch Service to store failed records. Configure AWS Lambda to retry failed records from OpenSearch Service. Use Amazon EventBridge to orchestrate the retry logic.

D.

Use Amazon Simple Notification Service (Amazon SNS) to store the failed records. Configure Lambda to retry failed records from the SNS topic. Use Amazon API Gateway to orchestrate the retry calls.

Question 73

An advertising company stores terabytes of data in an Amazon S3 data lake. The company wants to build its own foundation model (FM) and has deployed a training cluster on AWS. The company loads file-based data from Amazon S3 to the training cluster to train the FM. The company wants to reduce data loading time to optimize the overall deployment cycle.

The company needs a storage solution that is natively integrated with Amazon S3. The solution must be scalable and provide high throughput.

Which storage solution will meet these requirements?

Options:

A.

Mount an Amazon Elastic File System (Amazon EFS) file system to the training cluster. Use AWS DataSync to migrate data from Amazon S3 to the EFS file system to train the FM.

B.

Use an Amazon FSx for Lustre file system and Amazon S3 with Data Repository Association (DRA). Preload the data from Amazon S3 to the Lustre file system to train the FM.

C.

Attach Amazon Block Store (Amazon EBS) volumes to the training cluster. Load the data from Amazon S3 to the EBS volumes to train the FM.

D.

Use AWS DataSync to migrate the data from Amazon S3 to the training cluster as files. Train the FM on the local file-based data.

Question 74

A financial services company must retain log data for 1 year. The company stores log files in an Amazon S3 bucket and wants to prevent any user from deleting or overwriting the log files during this period. The data must remain available for read-only requests.

Options:

A.

Enable S3 Versioning on the bucket. Use Object Lock in compliance mode with a 1-year retention period.

B.

Enable S3 Transfer Acceleration on the bucket. Create an S3 Lifecycle Configuration rule to move objects to Amazon S3 Glacier Flexible Retrieval after 1 year.

C.

Enable S3 Versioning on the bucket. Create an S3 Lifecycle Configuration rule to move objects to Amazon S3 Glacier Flexible Retrieval after 1 year.

D.

Create an AWS Lambda function to programmatically check the timestamp of S3 data and to move the data to Amazon S3 Glacier Deep Archive if the data is older than 1 year.

Question 75

A company runs an on-premises managed file transfer solution to collect images from its clients. The company uses an open source transfer tool to transfer and integrate the images into the company ' s workflow. The company then runs a custom application to add watermarks to the images.

The company needs to migrate this workload to AWS and wants to use AWS managed services where possible. Uploaded images must be stored as objects. The company wants to automate the watermark addition.

Which solution will meet these requirements?

Options:

A.

Use AWS DataSync to automate file transfers. Store the images in an Amazon S3 bucket. Use an application that runs on Amazon EC2 instances to add watermarks.

B.

Use REST APIs to transfer files. Store the images in an Amazon S3 bucket. Use AWS Batch jobs to add watermarks.

C.

Use SFTP with AWS Transfer Family to automate file transfers into Amazon S3 buckets. Configure the Transfer Family workflow to invoke an AWS Lambda function to add watermarks.

D.

Use AWS Transfer Family to transfer images. Store the images in Amazon S3 Glacier Deep Archive. Run an AWS Step Functions state machine to add watermarks.

Question 76

A company wants to use an API to translate text from one language to another. The API must receive an HTTP header value and pass the value to an embedded library. The API translates documents in 6 minutes. The API requires a custom authorization mechanism.

Options:

A.

Configure an Amazon API Gateway REST API with AWS_PROXY integration to synchronously call an AWS Lambda function to perform translations.

B.

Configure an AWS Lambda function with a Lambda function URL to synchronously call a second function to perform translations.

C.

Configure an Amazon API Gateway REST API with AWS_PROXY integration to asynchronously call an AWS Lambda function to perform translations.

D.

Configure an Amazon API Gateway REST API with HTTP PROXY integration to synchronously call a web endpoint that is hosted on an EC2 instance.

Question 77

A company is using an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The company must ensure that Kubernetes service accounts in the EKS cluster have secure and granular access to specific AWS resources by using IAM roles for service accounts (IRSA).

Which combination of solutions will meet these requirements? (Select TWO.)

Options:

A.

Create an IAM policy that defines the required permissions. Attach the policy directly to the IAM role of the EKS nodes.

B.

Implement network policies within the EKS cluster to prevent Kubernetes service accounts from accessing specific AWS services.

C.

Modify the EKS cluster’s IAM role to include permissions for each Kubernetes service account. Ensure a one-to-one mapping between IAM roles and Kubernetes roles.

D.

Define an IAM role that includes the necessary permissions. Annotate the Kubernetes service accounts with the Amazon Resource Name (ARN) of the IAM role.

E.

Set up a trust relationship between the IAM roles for the service accounts and an OpenID Connect (OIDC) identity provider.

Question 78

A company runs an application on Microsoft SQL Server databases in an on-premises data center. The company wants to migrate to AWS and optimize costs for its infrastructure on AWS.

Which solution will meet these requirements?

Options:

A.

Migrate the databases to Amazon EC2 instances that use SQL Server Amazon Machine Images (AMIs) provided by AWS.

B.

Migrate to Amazon Aurora PostgreSQL by using Babelfish for Aurora PostgreSQL.

C.

Migrate the databases to a PostgreSQL database that runs on Amazon EC2 instances.

D.

Migrate the databases to Amazon RDS for Microsoft SQL Server.

Question 79

Question:

A company wants to deploy an internal web application on AWS. The web application must be accessible only from the company ' s office. The company needs to download security patches for the web application from the internet. The company has created a VPC and has configured an AWS Site-to-Site VPN connection to the company ' s office. A solutions architect must design a secure architecture for the web application. Which solution will meet these requirements?

Options:

Options:

A.

Deploy the web application on Amazon EC2 instances in public subnets behind a public Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the inbound source of the ALB ' s security group to 0.0.0.0/0.

B.

Deploy the web application on Amazon EC2 instances in private subnets behind an internal Application Load Balancer (ALB). Deploy NAT gateways in public subnets. Attach an internet gateway to the VPC. Set the inbound source of the ALB ' s security group to the company ' s office network CIDR block.

C.

Deploy the web application on Amazon EC2 instances in public subnets behind an internal Application Load Balancer (ALB). Deploy NAT gateways in private subnets. Attach an internet gateway to the VPC. Set the outbound destination of the ALB ' s security group to the company ' s office network CIDR block.

D.

Deploy the web application on Amazon EC2 instances in private subnets behind a public Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the outbound destination of the ALB ' s security group to 0.0.0.0/0.

Question 80

A company has a VPC with multiple private subnets that host multiple applications. The applications must not be accessible to the internet. However, the applications need to access multiple AWS services. The applications must not use public IP addresses to access the AWS services.

Options:

A.

Configure interface VPC endpoints for the required AWS services. Route traffic from the private subnets through the interface VPC endpoints.

B.

Deploy a NAT gateway in each private subnet. Route traffic from the private subnets through the NAT gateways.

C.

Deploy internet gateways in each private subnet. Route traffic from the private subnets through the internet gateways.

D.

Set up an AWS Direct Connect connection between the private subnets. Route traffic from the private subnets through the Direct Connect connection.

Question 81

A company is using a loosely coupled serverless architecture on AWS. The architecture consists of multiple web applications and APIs distributed across multiple teams. The company uses AWS Control Tower to provision AWS accounts. The company ' s development teams use AWS CloudFormation.

The company wants to improve trace monitoring and gain insight into how individual services in application stacks are performing.

Which solution will meet these requirements?

Options:

A.

Enable AWS CloudTrail across all accounts by using AWS Control Tower.

B.

Enable AWS X-Ray across all accounts by using AWS Control Tower.

C.

Enable Amazon CloudWatch in the CloudFormation templates.

D.

Enable AWS X-Ray in the CloudFormation templates.

Question 82

A company needs to create a compliance management solution. The company wants to use a combination of AWS services to achieve the fine-grained visibility that the solution requires. The compliance management solution must provide a centralized method for company employees to review security findings and out-of-compliance findings.

Which solution will meet these requirements with the LEAST ongoing maintenance?

Options:

A.

Configure AWS Security Hub to centralize findings. Use conformance packs in Amazon Inspector to check for compliance framework misalignment.

B.

Use AWS Marketplace to purchase a security tool. Install the tool on an Amazon EC2 instance. Assign an EC2 Instance Profile for the tool to gather data from AWS resources.

C.

Configure AWS Security Hub to centralize findings. Use conformance packs in AWS Config to check for compliance framework misalignment.

D.

Configure AWS Systems Manager to provide a centralized dashboard. Use conformance packs in AWS Config to check for compliance framework misalignment.

Question 83

A global company operates in multiple AWS Regions to meet data residency requirements. The company uses AWS Organizations to manage its accounts. The company wants to restrict IAM roles and access to specific Regions to prevent accidental data operations across geographic boundaries.

Which solution will meet these requirements?

Options:

A.

Configure a service control policy (SCP) to deny the ec2:RunInstances action in non-compliant Regions.

B.

Configure IAM policies by using the aws:RequestedRegion condition.

C.

Configure IAM role trust policies that use the aws:SourceIp condition.

D.

Configure AWS Config to detect unwanted access across Regions.

Question 84

A company is designing the network for an online multi-player game. The game uses the UDP networking protocol and will be deployed in eight AWS Regions. The network architecture needs to minimize latency and packet loss to give end users a high-quality gaming experience.

Which solution will meet these requirements?

Options:

A.

Set up a transit gateway in each Region. Create inter-Region peering attachments between each transit gateway.

B.

Set up AWS Global Accelerator with UDP listeners and endpoint groups in each Region.

C.

Set up Amazon CloudFront with UDP turned on. Configure an origin in each Region.

D.

Set up a VPC peering mesh between each Region. Turn on UDP for each VPC.

Question 85

An online food delivery company wants to optimize its storage costs. The company has been collecting operational data for the last 10 years in a data lake that was built on Amazon S3 by using a Standard storage class. The company does not keep data that is older than 7 years. A solutions architect frequently uses data from the past 6 months for reporting and runs queries on data from the last 2 years about once a month. Data that is more than 2 years old is rarely accessed and is only used for audit purposes.

Which combination of solutions will optimize the company ' s storage costs? (Select TWO.)

Options:

A.

Create an S3 Lifecycle configuration rule to transition data that is older than 6 months to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Create another S3 Lifecycle configuration rule to transition data that is older than 2 years to the S3 Glacier Deep Archive storage class.

B.

Create an S3 Lifecycle configuration rule to transition data that is older than 6 months to the S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class. Create another S3 Lifecycle configuration rule to transition data that is older than 2 years to the S3 Glacier Flexible Retrieval storage class.

C.

Use the S3 Intelligent-Tiering storage class to store data instead of the S3 Standard storage class.

D.

Create an S3 Lifecycle expiration rule to delete data that is older than 7 years.

E.

Create an S3 Lifecycle configuration rule to transition data that is older than 7 years to the S3 Glacier Deep Archive storage class.

Question 86

A company wants to create a payment processing application. The application must run when a payment record arrives in an existing Amazon S3 bucket. The application must process each payment record exactly once. The company wants to use an AWS Lambda function to process the payments.

Which solution will meet these requirements?

Options:

A.

Configure the existing S3 bucket to send object creation events to Amazon EventBridge. Configure EventBridge to route events to an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Configure the Lambda function to run when a new event arrives in the SQS queue.

B.

Configure the existing S3 bucket to send object creation events to an Amazon Simple Notification Service (Amazon SNS) topic. Configure the Lambda function to run when a new event arrives in the SNS topic.

C.

Configure the existing S3 bucket to send object creation events to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the Lambda function to run when a new event arrives in the SQS queue.

D.

Configure the existing S3 bucket to send object creation events directly to the Lambda function. Configure the Lambda function to handle object creation events and to process the payments.

Question 87

A company uses an Amazon Aurora PostgreSQL DB cluster to store structured sensitive data about its customers. To meet compliance requirements, the company introduced a policy that all the customer-related data must be encrypted at rest.

Which solution will ensure that the company is compliant with the policy with the LEAST operational overhead?

Options:

A.

Modify the existing Aurora PostgreSQL DB cluster to enable encryption at rest by using an AWS KMS key. Use the encrypted cluster to store the customer data.

B.

Create a new Aurora PostgreSQL DB cluster. Enable encryption by using an AWS KMS key during database creation. Manually migrate the data from the old database to the new database.

C.

Create a new Aurora PostgreSQL DB cluster. Enable encryption by using server-side encryption (SSE) during database creation. Migrate the data from the old database to the new database.

D.

Create a snapshot of the existing Aurora PostgreSQL DB cluster. Enable encryption by using an AWS KMS key. Restore the snapshot to a new Aurora PostgreSQL DB cluster.

Question 88

A company runs an AWS Lambda function in private subnets in a VPC. The subnets have a default route to the internet through an Amazon EC2 NAT instance. The Lambda function processes input data and saves its output as an object to Amazon S3.

Intermittently, the Lambda function times out while trying to upload the object because of saturated traffic on the NAT instance ' s network The company wants to access Amazon S3 without traversing the internet.

Which solution will meet these requirements?

Options:

A.

Replace the EC2 NAT instance with an AWS managed NAT gateway.

B.

Increase the size of the EC2 NAT instance in the VPC to a network optimized instance type

C.

Provision a gateway endpoint for Amazon S3 in the VPC. Update the route tables of the subnets accordingly.

D.

Provision a transit gateway. Place transit gateway attachments in the private subnets where the Lambda function is running.

Question 89

A company wants to deploy an AWS Lambda function that will read and write objects to Amazon S3 bucket. The Lambda function must be connected to the company ' s VPC. The company must deploy the Lambda function only to private subnets in the VPC. The Lambda function must not be allowed to access the internet.

Which solutions will meet these requirements? (Select TWO.)

Options:

A.

Create a private NAT gateway to access the S3 bucket.

B.

Attach an Elastic IP address to the NAT gateway.

C.

Create a gateway VPC endpoint for the S3 bucket.

D.

Create an interface VPC endpoint for the S3 bucket.

E.

Create a public NAT gateway to access the S3 bucket.

Question 90

A company wants to migrate a visual search application from an on-premises environment to AWS. The application uses NFS storage to cache images. The image cache is currently a few terabytes in size. The company needs to migrate to a cost-effective cloud alternative.

Which solution will meet these requirements in the MOST cost-effective way?

Options:

A.

Use an Amazon ElastiCache (Memcached) cluster as the image cache. Set the cache TTL according to the required image lifetime in the cache.

B.

Use compute-optimized Amazon EC2 instances with instance store volumes as the image cache. Recycle EC2 instances for cache invalidation.

C.

Use an Amazon EFS One Zone file system as the image cache. Configure the application to use the EFS mount target.

D.

Use Amazon S3 Express One Zone to store the images. Store the S3 object URLs in an Amazon DynamoDB table. Use DynamoDB TTL to invalidate image cache entries.

Question 91

A company is building an application on an Amazon ECS cluster that uses the AWS Fargate launch type. The application must read files from a private Amazon S3 bucket.

The company needs to design a security solution to allow ECS tasks to retrieve data from the S3 bucket.

Which solution will meet these requirements with the LEAST administrative effort?

Options:

A.

Assign an inline IAM policy to the task role that is configured in the ECS task definition. Configure the policy to grant access to the S3 bucket.

B.

Create an IAM user that has programmatic access to the S3 bucket. Store the IAM user credentials as a parameter in AWS Systems Manager Parameter Store. Configure the ECS task definition to read the parameter during runtime.

C.

Assign an IAM policy to the task execution role that is configured in the ECS task definition. Configure the policy to grant access to the S3 bucket.

D.

Create an IAM user and access keys for the S3 bucket. Store the access credentials as a secret in AWS Secrets Manager. Configure the ECS task definition to read the secret during runtime.

Question 92

A transaction processing company has weekly scripted batch jobs that run on Amazon EC2 instances. The EC2 instances are in an Auto Scaling group. The number of transactions can vary, but the baseline CPU utilization that is noted on each run is at least 60%. The company needs to provision the capacity 30 minutes before the jobs run.

Currently, engineers complete this task by manually modifying the Auto Scaling group parameters. The company does not have the resources to analyze the required capacity trends for the Auto Scaling group counts. The company needs an automated way to modify the Auto Scaling group ' s desired capacity.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create a dynamic scaling policy for the Auto Scaling group. Configure the policy to scale based on the CPU utilization metric. Set the target value for the metric to 60%.

B.

Create a scheduled scaling policy for the Auto Scaling group. Set the appropriate desired capacity, minimum capacity, and maximum capacity. Set the recurrence to weekly. Set the start time to 30 minutes before the batch jobs run.

C.

Create a predictive scaling policy for the Auto Scaling group. Configure the policy to scale based on forecast. Set the scaling metric to CPU utilization. Set the target value for the metric to 60%. In the policy, set the instances to pre-launch 30 minutes before the jobs run.

D.

Create an Amazon EventBridge event to invoke an AWS Lambda function when the CPU utilization metric value for the Auto Scaling group reaches 60%. Configure the Lambda function to increase the Auto Scaling group ' s desired capacity and maximum capacity by 20%.

Question 93

A company has applications that run in an organization in AWS Organizations. The company outsources operational support of the applications. The company needs to provide access for the external support engineers without compromising security.

The external support engineers need access to the AWS Management Console. The external support engineers also need operating system access to the company ' s fleet of Amazon EC2 instances that run Amazon Linux in private subnets.

Which solution will meet these requirements MOST securely?

Options:

A.

Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM IdentityCenter to provide the external support engineers console access. Use Systems Manager Session Manager to assign the required permissions.

B.

Confirm that AWS Systems Manager Agent {SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use Systems Manager Session Manager to provide local IAM user credentials in each AWS account to the external support engineers for console access.

C.

Confirm that all instances have a security group that allows SSH access only from the external support engineers source IP address ranges. Provide local IAM user credentials in each AWS account to the external support engineers for console access. Provide each external support engineer an SSH key pair to log in to the application instances.

D.

Create a bastion host in a public subnet. Set up the bastion host security group to allow access from only the external engineers ' IP address ranges Ensure that all instances have a security group that allows SSH access from the bastion host. Provide each external support engineer an SSH key pair to log in to the application instances. Provide local account IAM user credentials to the engineers for console access.

Question 94

A company stores data in Amazon S3. According to regulations, the data must not contain personally identifiable information (PII). The company recently discovered that S3 buckets have some objects that contain PII. The company needs to automatically detect PII in S3 buckets and to notify the company ' s security team. Which solution will meet these requirements?

Options:

A.

Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData event type from Macie findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.

B.

Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from GuardDuty findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.

C.

Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData:S3Object/Personal event type from Macie findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security team.

D.

Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from GuardDuty findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security team.

Question 95

A company is developing a serverless web application that gives users the ability to interact with real-time analytics from online games. The data from the games must be streamed in real time. The company needs a durable, low-latency database option for user data. The company does not know how many users will use the application. Any design considerations must provide response times of single-digit milliseconds as the application scales.

Which combination of AWS services will meet these requirements? Select TWO.

Options:

A.

Amazon CloudFront

B.

Amazon DynamoDB

C.

Amazon Kinesis

D.

Amazon RDS

E.

AWS Global Accelerator

Question 96

A company operates multiple VPCs in a single AWS account. Account users need temporary access to Amazon S3 buckets. The S3 buckets are private and have no public endpoints.

The solution must follow the principle of least privilege for access to each environment and must avoid distributing permanent access keys.

Which solution will meet these requirements?

Options:

A.

Create a gateway VPC endpoint for Amazon S3 in each VPC. Attach an endpoint policy that allows only environment-scoped IAM roles to access the S3 buckets.

B.

Configure the S3 buckets to use SSE-S3. Create bucket policies that allow access only from the VPC CIDR blocks.

C.

Define separate S3 access points for each environment. Allow users to assume a role associated with the access points. Use the default Amazon S3 endpoints.

D.

Route S3 traffic through a NAT gateway. Configure bucket policies that allow traffic only from the NAT gateway’s public IP addresses.

Question 97

An ecommerce company runs applications in AWS accounts that are part of an organization in AWS Organizations. The applications run on Amazon Aurora PostgreSQL databases across all the accounts. The company needs to prevent malicious activity and must identify abnormal failed and incomplete login attempts to the databases.

Options:

A.

Attach service control policies (SCPs) to the root of the organization to identify the failed login attempts.

B.

Enable the Amazon RDS Protection feature in Amazon GuardDuty for the member accounts of the organization.

C.

Publish the Aurora general logs to a log group in Amazon CloudWatch Logs. Export the log data to a central Amazon S3 bucket.

D.

Publish all the Aurora PostgreSQL database events in AWS CloudTrail to a central Amazon S3 bucket.

Question 98

A solutions architect needs to optimize storage costs. The solutions architect must identify any Amazon S3 buckets that are no longer being accessed or are rarely accessed.

Which solution will accomplish this goal with the LEAST operational overhead?

Options:

A.

Analyze bucket access patterns by using the S3 Storage Lens dashboard for advanced activity metrics.

B.

Analyze bucket access patterns by using the S3 dashboard in the AWS Management Console.

C.

Turn on the Amazon CloudWatch BucketSizeBytes metric for buckets. Analyze bucket access patterns by using the metrics data with Amazon Athena.

D.

Turn on AWS CloudTrail for S3 object monitoring. Analyze bucket access patterns by using CloudTrail logs that are integrated with Amazon CloudWatch Logs.

Question 99

A company hosts an application on an Amazon EC2 instance. The application needs to access a MySQL database that the company hosts on a second EC2 instance. The EC2 instances are in separate VPCs within the same AWS account. The traffic between the application and MySQL database needs to be secure and private.

What combination of steps will meet these requirements? (Select TWO.)

Options:

A.

Configure a VPC peering connection and routing between the VPCs.

B.

Configure the application to use Amazon RDS Proxy to access the MySQL database.

C.

Configure the MySQL instance to use an SSL certificate.

D.

Ensure the public IP address of the application EC2 instance is allowed in the network ACL of the VPC that contains the MySQL instance.

E.

Ensure the security group ID of the application EC2 instance is allowed in the network ACL of the VPC that contains the MySQL instance.

Question 100

A company runs an application on a group of Amazon EC2 instances behind an Application Load Balancer (ALB). The company wants to protect the application against layer 7 DDoS attacks.

Which solution will meet this requirement?

Options:

A.

Associate AWS Shield Standard with the ALB.

B.

Create an AWS WAF web ACL and add a custom rule. Associate the web ACL with the ALB.

C.

Create an AWS WAF web ACL and add an AWS managed rule. Associate the web ACL with the ALB.

D.

Create an Amazon CloudFront distribution and set the ALB as the origin. Configure the application DNS record to point to the CloudFront distribution instead of the ALB.

Question 101

A company wants to run its experimental workloads in the AWS Cloud. The company has a budget for cloud spending. The company ' s CFO is concerned about cloud spending accountabil-ity for each department. The CFO wants to receive notification when the spending threshold reaches 60% of the budget.

Which solution will meet these requirements?

Options:

A.

Use cost allocation tags on AWS resources to label owners. Create usage budgets in AWS Budgets. Add an alert threshold to receive notification when spending exceeds 60% of the budget.

B.

Use AWS Cost Explorer forecasts to determine resource owners. Use AWS Cost Anomaly Detection to create alert threshold notifications when spending exceeds 60% of the budget.

C.

Use cost allocation tags on AWS resources to label owners. Use AWS Support API on AWS Trusted Advisor to create alert threshold notifications when spending exceeds 60% of the budget.

D.

Use AWS Cost Explorer forecasts to determine resource owners. Create usage budgets in AWS Budgets. Add an alert threshold to receive notification when spending exceeds 60% of the budget.

Question 102

A company wants to create an Amazon EMR cluster that multiple teams will use. The company wants to ensure that each team ' s big data workloads can access only the AWS services that each team needs to interact with. The company does not want the workloads to have access to Instance Metadata Service Version 2 (IMDSv2) on the cluster ' s underlying EC2 instances.

Which solution will meet these requirements?

Options:

A.

Configure interface VPC endpoints for each AWS service that the teams need. Use the required interface VPC endpoints to submit the big data workloads.

B.

Create EMR runtime roles. Configure the cluster to use the runtime roles. Use the runtime roles to submit the big data workloads.

C.

Create an EC2 IAM instance profile that has the required permissions for each team. Use the instance profile to submit the big data workloads.

D.

Create an EMR security configuration that has the EnableApplicationScoped IAM Role option set to false. Use the security configuration to submit the big data workloads.

Question 103

A company uses an organization in AWS Organizations to manage multiple AWS accounts. Multiple teams access each AWS account by assuming IAM roles. Each team has a unique IAM role. Each IAM role has a unique set of permissions.

A security team wants to automate some security tasks by deploying AWS Lambda functions within each AWS account. The security team wants to ensure that only members of the security team can modify the Lambda functions directly.

Which solution will meet these requirements?

Options:

A.

Create a service control policy SCP that prevents any entity from making changes to Lambda functions except for the IAM role of the security team that is specified in the Principal key. Attach the SCP to the root of the organization.

B.

Create an IAM policy that denies all changes to the Amazon Resource Names ARNs of the Lambda functions. Attach the IAM policy to the root user of each AWS account.

C.

Create a service control policy SCP that denies all changes to Lambda functions. Attach the SCP to the root of the organization.

D.

Create a service control policy SCP that prevents any entity from making changes to Lambda functions except for the IAM role of the security team that is specified in the Condition clause. Attach the SCP to the root of the organization.

Question 104

A company hosts an application on AWS. The application gives users the ability to upload photos and store the photos in an Amazon S3 bucket. The company wants to use Amazon CloudFront and a custom domain name to upload the photo files to the S3 bucket in the eu-west-1 Region.

Which solution will meet these requirements? (Select TWO.)

Options:

A.

Use AWS Certificate Manager (ACM) to create a public certificate in the us-east-1 Region. Use the certificate in CloudFront.

B.

Use AWS Certificate Manager (ACM) to create a public certificate in eu-west-1. Use the certificate in CloudFront.

C.

Configure Amazon S3 to allow uploads from CloudFront. Configure S3 Transfer Acceleration.

D.

Configure Amazon S3 to allow uploads from CloudFront origin access control (OAC).

E.

Configure Amazon S3 to allow uploads from CloudFront. Configure an Amazon S3 website endpoint.

Question 105

A company has built an application that uses an Amazon Simple Queue Service (Amazon SQS) standard queue and an AWS Lambda function. The Lambda function writes messages to the SQS queue. The company needs a solution to ensure that the consumer of the SQS queue never receives duplicate messages.

Which solution will meet this requirement with the FEWEST changes to the current architecture?

Options:

A.

Modify the SQS queue to enable long polling for the queue.

B.

Delete the existing SQS queue. Recreate the queue as a FIFO queue. Enable content-based deduplication for the queue.

C.

Modify the SQS queue to enable content-based deduplication for the queue.

D.

Delete the SQS queue. Create an Amazon MQ message broker. Configure the broker to deduplicate messages.

Question 106

A company is designing an application to connect AWS Lambda functions to an Amazon RDS for MySQL DB instance. The DB instance manages many connections. The company needs to modify the application to improve connectivity and recovery.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use Amazon RDS Proxy for connection pooling. Modify the application to use the RDS Proxy for connections to the DB instance.

B.

Create a new RDS instance for connection pooling. Modify the application to use the new RDS instance for connectivity.

C.

Create read replicas to distribute the load of the DB instance. Create a Network Load Balancer to distribute the load across the read replicas.

D.

Migrate the RDS for MySQL DB instance to Amazon Aurora MySQL to increase DB instance performance.

Question 107

A company currently stores 5 TB of data in on-premises block storage systems. The company ' s current storage solution provides limited space for additional data. The company runs applications on premises that must be able to retrieve frequently accessed data with low latency. The company requires a cloud-based storage solution.

Which solution will meet these requirements with the MOST operational efficiency?

Options:

A.

Use Amazon S3 File Gateway Integrate S3 File Gateway with the on-premises applications to store and directly retrieve files by using the SMB file system.

B.

Use an AWS Storage Gateway Volume Gateway with cached volumes as iSCSt targets.

C.

Use an AWS Storage Gateway Volume Gateway with stored volumes as iSCSI targets.

D.

Use an AWS Storage Gateway Tape Gateway. Integrate Tape Gateway with the on-premises applications to store virtual tapes in Amazon S3.

Question 108

A company is building a cloud-based application on AWS that will handle sensitive customer data. The application uses Amazon RDS for the database, Amazon S3 for object storage, and S3 Event Notifications that invoke AWS Lambda for serverless processing.

The company uses AWS IAM Identity Center to manage user credentials. The development, testing, and operations teams need secure access to Amazon RDS and Amazon S3 while ensuring the confidentiality of sensitive customer data. The solution must comply with the principle of least privilege.

Which solution meets these requirements with the LEAST operational overhead?

Options:

A.

Use IAM roles with least privilege to grant all the teams access. Assign IAM roles to each team with customized IAM policies defining specific permission for Amazon RDS and S3 object access based on team responsibilities.

B.

Enable IAM Identity Center with an Identity Center directory. Create and configure permission sets with granular access to Amazon RDS and Amazon S3. Assign all the teams to groups that have specific access with the permission sets.

C.

Create individual IAM users for each member in all the teams with role-based permissions. Assign the IAM roles with predefined policies for RDS and S3 access to each user based on user needs. Implement IAM Access Analyzer for periodic credential evaluation.

D.

Use AWS Organizations to create separate accounts for each team. Implement cross-account IAM roles with least privilege. Grant specific permission for RDS and S3 access based on team roles and responsibilities.

Question 109

A company sets up an organization in AWS Organizations that contains 10AWS accounts. A solutions architect must design a solution to provide access to the accounts for several thousand employees. The company has an existing identity provider (IdP). The company wants to use the existing IdP for authentication to AWS.

Which solution will meet these requirements?

Options:

A.

Create IAM users for the employees in the required AWS accounts. Connect IAM users to the existing IdP. Configure federated authentication for the IAM users.

B.

Set up AWS account root users with user email addresses and passwords that are synchronized from the existing IdP.

C.

Configure AWS IAM Identity Center Connect IAM Identity Center to the existing IdP Provision users and groups from the existing IdP

D.

Use AWS Resource Access Manager (AWS RAM) to share access to the AWS accounts with the users in the existing IdP.

Question 110

A company is moving data from an on-premises data center to the AWS Cloud. The company must store all its data in an Amazon S3 bucket. To comply with regulations, the company must also ensure that the data will be protected against overwriting indefinitely.

Which solution will ensure that the data in the S3 bucket cannot be overwritten?

Options:

A.

Enable versioning for the S3 bucket. Use server-side encryption with Amazon S3 managed keys (SSE-S3) to protect the data.

B.

Disable versioning for the S3 bucket. Configure S3 Object Lock for the S3 bucket with a retention period of 1 year.

C.

Enable versioning for the S3 bucket. Configure S3 Object Lock for the S3 bucket with a legal hold.

D.

Configure S3 Storage Lens for the S3 bucket. Use server-side encryption with customer-provided keys (SSE-C) to protect the data.

Question 111

A company asks a solutions architect to review the architecture for its messaging application. The application uses TCP and UDP traffic. The company is planning to deploy a new VoIP feature, but its 10 test users in other countries are reporting poor call quality.

The VoIP application runs on an Amazon EC2 instance with more than enough resources. The HTTP portion of the company ' s application behind an Application Load Balancer has no issues.

What should the solutions architect recommend for the company to do to address the VoIP performance issues?

Options:

A.

Use AWS Global Accelerator.

B.

Implement Amazon CloudFront into the architecture.

C.

Use an Amazon Route 53 geoproximity routing policy.

D.

Migrate from Application Load Balancers to Network Load Balancers.

Question 112

A media company hosts a web application on AWS for uploading videos. Only authenticated users should upload within a specified time frame after authentication.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Configure the application to generate IAM temporary security credentials for authenticated users.

B.

Create an AWS Lambda function that generates pre-signed URLs when a user authenticates.

C.

Develop a custom authentication service that integrates with Amazon Cognito to control and log direct S3 bucket access through the application.

D.

Use AWS Security Token Service (AWS STS) to assume a pre-defined IAM role that grants authenticated users temporary permissions to upload videos directly to the S3 bucket.

Question 113

A company is designing a web application with an internet-facing Application Load Balancer (ALB).

The company needs the ALB to receive HTTPS web traffic from the public internet. The ALB must send only HTTPS traffic to the web application servers hosted on the Amazon EC2 instances on port 443. The ALB must perform a health check of the web application servers over HTTPS on port 8443.

Which combination of configurations of the security group that is associated with the ALB will meet these requirements? (Select THREE.)

Options:

A.

Allow HTTPS inbound traffic from 0.0.0.0/0 for port 443.

B.

Allow all outbound traffic to 0.0.0.0/0 for port 443.

C.

Allow HTTPS outbound traffic to the web application instances for port 443.

D.

Allow HTTPS inbound traffic from the web application instances for port 443.

E.

Allow HTTPS outbound traffic to the web application instances for the health check on port 8443.

F.

Allow HTTPS inbound traffic from the web application instances for the health check on port 8443.

Question 114

A startup company is hosting a website for its customers on an Amazon EC2 instance. The website consists of a stateless Python application and a MySQL database. The website serves only a small amount of traffic. The company is concerned about the reliability of the instance and needs to migrate to a highly available architecture. The company cannot modify the application code.

Which combination of actions should a solutions architect take to achieve high availability for the website? (Select TWO.)

Options:

A.

Provision an internet gateway in each Availability Zone in use.

B.

Migrate the database to an Amazon RDS for MySQL Multi-AZ DB instance.

C.

Migrate the database to Amazon DynamoDB. and enable DynamoDB auto scaling.

D.

Use AWS DataSync to synchronize the database data across multiple EC2 instances.

E.

Create an Application Load Balancer to distribute traffic to an Auto Scaling group of EC2 instances that are distributed across two Availability Zones.

Question 115

A company uses AWS to host a public website. The load on the webservers recently increased.

The company wants to learn more about the traffic flow and traffic sources. The company also wants to increase the overall security of the website.

Which solution will meet these requirements?

Options:

A.

Deploy AWS WAF and set up logging. Use Amazon Data Firehose to deliver the log files to an Amazon S3 bucket for analysis.

B.

Deploy Amazon API Gateway and set up logging. Use Amazon Kinesis Data Streams to deliver the log files to an Amazon S3 bucket for analysis.

C.

Deploy a Network Load Balancer and set up logging. Use Amazon Data Firehose to deliver the log files to an Amazon S3 bucket for analysis.

D.

Deploy an Application Load Balancer and set up logging. Use Amazon Kinesis Data Streams to deliver the log files to an Amazon S3 bucket for analysis.

Question 116

A company has an application that receives and processes purchase orders. The application supports only XML data. The company needs to configure the application to accept orders in JSON format. The company does not want to modify the application.

A solutions architect is using an Amazon API Gateway HTTP API to create a new purchase order API. The solutions architect needs to modify the application DNS record to point to the new HTTP API.

Options:

A.

Use an HTTP proxy integration to pass XML requests to the application. For JSON requests, use API Gateway mappings to convert the purchase orders to XML. Use an AWS Lambda function that is integrated with API Gateway to call the application.

B.

Use an HTTP proxy integration to pass XML requests to the application. For JSON requests, use an AWS Lambda function that is integrated with API Gateway to convert the purchase orders from JSON to XML and to call the application.

C.

Use an HTTP custom integration to pass XML requests to the application. For JSON requests, use API Gateway mappings to convert the purchase orders to XML. Use an AWS Lambda function that is integrated with API Gateway to call the application.

D.

Use an HTTP custom integration to pass XML requests to the application. For JSON requests, use an AWS Lambda function that is integrated with API Gateway to convert the purchase orders to JSON and to call the application.

Question 117

A global company is migrating its workloads from an on-premises data center to AWS. The AWS environment includes multiple AWS accounts. IAM roles. AWS Config rules, and a VPC.

The company wants an automated process to provision new accounts on demand when the company ' s business units require new accounts.

Which solution will meet these requirements with LEAST effort?

Options:

A.

Use AWS Control Tower to set up an organization in AWS Organizations. Use AWS Control Tower Account Factory for Terraform (AFT) to provision new AWS accounts.

B.

Create an organization in AWS Organizations. Use the AWS CLI CreateAccount API action to provision new AWS accounts. Organize the business units with organizational units (OUs).

C.

Create an AWS Lambda function that uses the AWS Organizations API to create new accounts. Invoke the Lambda function from an AWS CloudFormation template in AWS Service Catalog.

D.

Create an organization in AWS Organizations. Use AWS Step Functions to orchestrate the account creation process. Send account creation requests to an Amazon API Gateway API endpoint to invoke an AWS Lambda function that creates new accounts.

Question 118

A company wants to implement a data lake in the AWS Cloud. The company must ensure that only specific teams have access to sensitive data in the data lake. The company must have row-level access control for the data lake.

Options:

Options:

A.

Use Amazon RDS to store the data. Use IAM roles and permissions for data governance and access control.

B.

Use Amazon Redshift to store the data. Use IAM roles and permissions for data governance and access control.

C.

Use Amazon S3 to store the data. Use AWS Lake Formation for data governance and access control.

D.

Use AWS Glue Catalog to store the data. Use AWS Glue DataBrew for data governance and access control.

Question 119

An analytics company wants to deploy a custom extract, transform, and load ETL solution as a containerized application on AWS. The application requires high-performance access to files that are in a centralized repository. File processing can take up to 1 hour to finish. Which solution will meet these requirements?

Options:

A.

Deploy an AWS Lambda function from a container image. Create and attach an Amazon EFS file system to the function.

B.

Deploy containers on Amazon ECS with the Amazon EC2 launch type. Configure the EC2 instances to use instance store volumes.

C.

Deploy containers on Amazon ECS with the AWS Fargate launch type. Mount an Amazon EFS file system to the containers.

D.

Create an Amazon S3 Express One Zone bucket to store the files. Deploy an AWS Lambda function from a container image. Process files from the S3 Express One Zone bucket.

Question 120

A developer used the AWS SDK to create an application that aggregates and produces log records for 10 services. The application delivers data to an Amazon Kinesis Data Streams stream.

Each record contains a log message with a service name, creation timestamp, and other log information. The stream has 15 shards in provisioned capacity mode. The stream uses service name as the partition key.

The developer notices that when all the services are producing logs,ProvisionedThroughputExceededException errors occur during PutRecord requests. The stream metrics show that the write capacity the applications use is below the provisioned capacity.

How should the developer resolve this issue?

Options:

A.

Change the capacity mode from provisioned to on-demand.

B.

Double the number of shards until the throttling errors stop occurring.

C.

Change the partition key from service name to creation timestamp.

D.

Use a separate Kinesis stream for each service to generate the logs.

Question 121

A company is developing a rating system for its ecommerce web application. The company needs a solution to save ratings that users submit in an Amazon DynamoDB table. The company wants to ensure that developers do not need to interact directly with the DynamoDB table. The solution must be scalable and reusable.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an Application Load Balancer ALB. Create an AWS Lambda function, and set the function as a target group in the ALB. Invoke the Lambda function by using the PutItem method through the ALB.

B.

Create an AWS Lambda function. Configure the Lambda function to interact with the DynamoDB table by using the PutItem method from Boto3. Invoke the Lambda function from the web application.

C.

Create an Amazon SQS queue and an AWS Lambda function that has an SQS trigger type. Instruct the developers to add customer ratings to the SQS queue as JSON messages. Configure the Lambda function to fetch the ratings from the queue and store the ratings in DynamoDB.

D.

Create an Amazon API Gateway REST API. Define a resource and create a new POST method. Choose AWS as the integration type, and select DynamoDB as the service. Set the action to PutItem.

Question 122

A security team needs to enforce the rotation of all IAM users ' access keys every 90 days. If an access key is found to be older, the key must be made inactive and removed. A solutions architect must create a solution that will check for and remediate any keys older than 90 days.

Which solution meets these requirements with the LEAST operational effort?

Options:

A.

Create an AWS Config rule to check for the key age. Configure the AWS Config rule to run an AWS Batch job to remove the key.

B.

Create an Amazon EventBridge rule to check for the key age. Configure the rule to run an AWS Batch job to remove the key.

C.

Create an AWS Config rule to check for the key age. Define an Amazon EventBridge rule to schedule an AWS Lambda function to remove the key.

D.

Create an Amazon EventBridge rule to check for the key age. Define an EventBridge rule to run an AWS Batch job to remove the key.

Question 123

An ecommerce company wants a disaster recovery solution for its Amazon RDS DB instances that run Microsoft SQL Server Enterprise Edition. The company ' s current recovery point objective (RPO) and recovery time objective (RTO) are 24 hours.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create a cross-Region read replica and promote the read replica to the primary instance

B.

Use AWS Database Migration Service (AWS DMS) to create RDS cross-Region replication.

C.

Use cross-Region replication every 24 hours to copy native backups to an Amazon S3 bucket

D.

Copy automatic snapshots to another Region every 24 hours.

Question 124

A company has an industrial application that controls a process in real time. The company plans to rearchitect the application to distribute jobs across several Amazon EC2 instances in a VPC. The solution needs to maximize the network throughput and minimize the network latency between the instances.

Options:

A.

Place the instances in a host-level partition placement group. Choose instance types that support enhanced networking.

B.

Place the instances in several dedicated hosts in the same partition of a partition placement group. Choose dedicated hosts that support enhanced networking.

C.

Place the instances in several dedicated hosts in the same rack of a rack-level placement group. Choose dedicated hosts that support enhanced networking.

D.

Place the instances in a cluster placement group. Choose instance types that support enhanced networking.

Question 125

A transaction-processing company has weekly batch jobs that run on Amazon EC2 instances in an Auto Scaling group. Transaction volume varies, but CPU utilization is always at least 60% during the batch runs. Capacity must be provisioned 30 minutes before the jobs begin.

Engineers currently scale the Auto Scaling group manually. The company needs an automated solution but cannot allocate time to analyze scaling trends.

Which solution will meet these requirements with the least operational overhead?

Options:

A.

Create a dynamic scaling policy based on CPU utilization at 60%.

B.

Create a scheduled scaling policy. Set desired, minimum, and maximum capacity. Set recurrence weekly. Set the start time to 30 minutes before the jobs run.

C.

Create a predictive scaling policy that forecasts CPU usage and pre-launches instances 30 minutes before the jobs run.

D.

Create an EventBridge rule that invokes a Lambda function when CPU reaches 60%. The Lambda function increases the Auto Scaling group size by 20%.

Question 126

A company runs an order management application on AWS. The application allows customers to place orders and pay with a credit card. The company uses an Amazon CloudFront distribution to deliver the application. A security team has set up logging for all incoming requests. The security team needs a solution to generate an alert if any user modifies the logging configuration.

Which combination of solutions will meet these requirements? (Select TWO.)

Options:

A.

Configure an Amazon EventBridge rule that is invoked when a user creates or modifies a CloudFront distribution. Add the AWS Lambda function as a target of the EventBridge rule.

B.

Create an Application Load Balancer (ALB). Enable AWS WAF rules for the ALB. Configure an AWS Config rule to detect security violations.

C.

Create an AWS Lambda function to detect changes in CloudFront distribution logging. Configure the Lambda function to use Amazon Simple Notification Service (Amazon SNS) to send notifications to the security team.

D.

Set up Amazon GuardDuty. Configure GuardDuty to monitor findings from the CloudFront distribution. Create an AWS Lambda function to address the findings.

E.

Create a private API in Amazon API Gateway. Use AWS WAF rules to protect the private API from common security problems.

Question 127

A company has separate AWS accounts for its finance, data analytics, and development departments. Because of costs and security concerns, the company wants to control which services each AWS account can use

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use AWS Systems Manager templates to control which AWS services each department can use

B.

Create organization units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.

C.

Use AWS CloudFormation to automatically provision only the AWS services that each department can use.

D.

Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the usage of specific AWS services

Question 128

A company is migrating a document management application to AWS. The application runs on Linux servers. The company will migrate the application to Amazon EC2 instances in an Auto Scaling group. The company stores 7 TiB of documents in a shared storage file system. An external relational database tracks the documents.

Documents are stored once and can be retrieved multiple times for reference at any time. The company cannot modify the application during the migration. The storage solution must be highly available and must support scaling over time.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Deploy an EC2 instance with enhanced networking as a shared NFS storage system. Export the NFS share. Mount the NFS share on the EC2 instances in the Auto Scaling group.

B.

Create an Amazon S3 bucket that uses the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Mount the S3 bucket on the EC2 instances in the Auto Scaling group.

C.

Deploy an SFTP server endpoint by using AWS Transfer for SFTP and an Amazon S3 bucket. Configure the EC2 instances in the Auto Scaling group to connect to the SFTP server.

D.

Create an Amazon EFS file system with mount points in multiple Availability Zones. Use the EFS Standard-Infrequent Access (Standard-IA) storage class. Mount the NFS share on the EC2 instances in the Auto Scaling group.

Question 129

A company has a web application with sporadic usage patterns. Usage is heavy at the beginning of each month, moderate weekly, and unpredictable during the week. The application uses a MySQL database and must move to AWS without database modifications.

Which solution will meet these requirements?

Options:

A.

Amazon DynamoDB

B.

Amazon RDS for MySQL

C.

MySQL-compatible Amazon Aurora Serverless

D.

MySQL on Amazon EC2 in an Auto Scaling group

Question 130

An ecommerce company is redesigning a product catalog system to handle millions of products and provide fast access to product information. The system needs to store structured product data such as product name, price, description, and category. The system also needs to store unstructured data such as high-resolution product videos and user manuals. The architecture must be highly available and must be able to handle sudden spikes in traffic during large-scale sales events.

Options:

A.

Use an Amazon RDS Multi-AZ deployment to store product information. Store product videos and user manuals in Amazon S3.

B.

Use Amazon DynamoDB to store product information. Store product videos and user manuals in Amazon S3.

C.

Store all product information, including product videos and user manuals, in Amazon DynamoDB.

D.

Deploy an Amazon DocumentDB (with MongoDB compatibility) cluster to store all product information, product videos, and user manuals.

Question 131

A healthcare company stores personally identifiable information (PII) data in an Amazon RDS for Oracle database. The company must encrypt the PII data at rest. The company must use dedicated hardware modules to store and manage the encryption keys.

Options:

A.

Use AWS Key Management Service (AWS KMS) to configure encryption for the RDS database. Store and manage keys in AWS CloudHSM.

B.

Use AWS CloudHSM backed AWS KMS keys to configure transparent encryption for the RDS database.

C.

Use Amazon EC2 instance store encryption to encrypt database volumes by using AWS CloudHSM backed keys.

D.

Configure RDS snapshots and use server-side encryption with Amazon S3 managed keys (SSE-S3). Store the keys in AWS CloudHSM.

Question 132

A company is designing a web application on AWS. The application uses a VPN connection between the company ' s on-premises data center and the company ' s VPC.

The company uses Amazon Route 53 as its DNS service. The application must use private DNS records to communicate with the on-premises services from a VPC.

Which solution will meet these requirements MOST securely?

Options:

A.

Create a Route 53 Resolver outbound endpoint. Create a Resolver rule. Associate the Resolver rule with the VPC.

B.

Create a Route 53 Resolver inbound endpoint. Create a Resolver rule. Associate the Resolver rule with the VPC.

C.

Create a Route 53 private hosted zone. Associate the private hosted zone with the on-premises network.

D.

Create a Route 53 public hosted zone. Create a record for each on-premises service.

Question 133

A company uses an AWS Transfer for SFTP public server endpoint and Amazon S3 storage to host large datasets for its customers. The company provides customers SSH private keys to authenticate and download their datasets. The Transfer for SFTP server is configured with structured logging that is saved to an S3 bucket. The company wants to charge customers based on their monthly data download usage. Which solution will meet these requirements?

Options:

A.

Configure VPC Flow Logs to write to a new S3 bucket. Run monthly queries on the flow logs to identify customer usage and calculate cost. Add the charges to the customers ' monthly bills.

B.

Each month, use AWS Cost Explorer to examine the costs for Transfer for SFTP and obtain a breakdown by customer. Add the charges to the customers ' monthly bills.

C.

Enable requester pays on the S3 bucket that hosts the software. Allocate the charges to each customer based on the customer ' s requests.

D.

Run Amazon Athena queries on the logging S3 bucket monthly to identify customer usage and calculate costs. Add the charges to the customers ' monthly bills.

Question 134

A company hosts an Amazon EC2 instance in a private subnet in a new VPC. The VPC also has a public subnet that has the default route set to an internet gateway. The private subnet does not have outbound internet access.

The EC2 instance needs to have the ability to download monthly security updates from an outside vendor. However, the company must block any connections that are initiated from the internet.

Which solution will meet these requirements?

Options:

A.

Configure the private subnet route table to use the internet gateway as the default route.

B.

Create a NAT gateway in the public subnet. Configure the private subnet route table to use the NAT gateway as the default route.

C.

Create a NAT instance in the private subnet. Configure the private subnet route table to use the NAT instance as the default route.

D.

Create a NAT instance in the private subnet. Configure the private subnet route table to use the internet gateway as the default route.

Question 135

A company currently runs an on-premises stock trading application by using Microsoft Windows Server. The company wants to migrate the application to the AWS Cloud. The company needs to design a highly available solution that provides low-latency access to block storage across multiple Availability Zones. Which solution will meet these requirements with the LEAST implementation effort?

Options:

A.

Configure a Windows Server cluster that spans two Availability Zones on Amazon EC2 instances. Install the application on both cluster nodes. Use Amazon FSx for Windows File Server as shared storage between the two cluster nodes.

B.

Configure a Windows Server cluster that spans two Availability Zones on Amazon EC2 instances. Install the application on both cluster nodes Use Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp3) volumes as storage attached to the EC2 instances. Set up application-level replication to sync data from one EBS volume in one Availability Zone to another EBS volume in the second Availability Zone.

C.

Deploy the application on Amazon EC2 instances in two Availability Zones Configure one EC2 instance as active and the second EC2 instance in standby mode. Use an Amazon FSx for NetApp ONTAP Multi-AZ file system to access the data by using Internet Small Computer Systems Interface (iSCSI) protocol.

D.

Deploy the application on Amazon EC2 instances in two Availability Zones. Configure one EC2 instance as active and the second EC2 instance in standby mode. Use Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS SSD (io2) volumes as storage attached to the EC2 instances. Set up Amazon EBS level replication to sync data from one io2 volume in one Availability Zone to another io2 volume in the second Availability Zone.

Question 136

A company runs a critical Amazon RDS for MySQL DB instance in a single Availability Zone. The company must improve the availability of the DB instance.

Which solution will meet this requirement?

Options:

A.

Configure the DB instance to use a multi-Region DB instance deployment.

B.

Create an Amazon Simple Queue Service (Amazon SQS) queue in the AWS Region where the company hosts the DB instance to manage writes to the DB instance.

C.

Configure the DB instance to use a Multi-AZ DB instance deployment.

D.

Create an Amazon Simple Queue Service (Amazon SQS) queue in a different AWS Region than the Region where the company hosts the DB instance to manage writes to the DB instance.

Question 137

A company has a single AWS account that contains resources belonging to several teams. The company needs to identify the costs associated with each team. The company wants to use a tag named CostCenter to identify resources that belong to each team.

Options:

A.

Tag all resources that belong to each team with the user-defined CostCenter tag.

B.

Create a tag for each team, and set the value to CostCenter.

C.

Activate the CostCenter tag to track cost allocation.

D.

Configure AWS Billing and Cost Management to send monthly invoices to the company through email messages.

E.

Set up consolidated billing in the existing AWS account.

Question 138

A company needs to accommodate traffic for a web application that the company hosts on AWS, especially during peak usage hours.

The application uses Amazon EC2 instances as web servers, an Amazon RDS DB instance for database operations, and an Amazon S3 bucket to store transaction documents. The application struggles to scale effectively and experiences performance issues.

The company wants to improve the scalability of the application and prevent future performance issues. The company also wants to improve global access speeds to the transaction documents for the company ' s global users.

Which solution will meet these requirements?

Options:

A.

Place the EC2 instances in Auto Scaling groups to scale appropriately during peak usage hours. Use Amazon RDS read replicas to improve database read performance. Deploy an Amazon CloudFront distribution that uses Amazon S3 as the origin.

B.

Increase the size of the EC2 instances to provide more compute capacity. Use Amazon ElastiCache to reduce database read loads. Use AWS Global Accelerator to optimize the delivery of the transaction documents that are in the S3 bucket.

C.

Transition workloads from the EC2 instances to AWS Lambda functions to scale in response to the usage peaks. Migrate the database to an Amazon Aurora global database to provide cross-Region reads. Use AWS Global Accelerator to deliver the transaction documents that are in the S3 bucket.

D.

Convert the application architecture to use Amazon Elastic Container Service (Amazon ECS) containers. Configure a Multi-AZ deployment of Amazon RDS to support database operations. Replicate the transaction documents that are in the S3 bucket across multiple AWS Regions.

Question 139

A company hosts a public web application on AWS. The website has a three-tier architecture. The frontend web tier is comprised of Amazon EC2 instances in an Auto Scaling group. The application tier is a second Auto Scaling group. The database tier is an Amazon RDS database.

The company has configured the Auto Scaling groups to handle the application ' s normal level of demand. During an unexpected spike in demand, the company notices a long delay in the startup time when the frontend and application layers scale out. The company needs to improve the scaling performance of the application without negatively affecting the user experience.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Decrease the minimum number of EC2 instances for both Auto Scaling groups. Increase the desired number of instances to meet the peak demand requirement.

B.

Configure the maximum number of instances for both Auto Scaling groups to be the number required to meet the peak demand. Create a warm pool.

C.

Increase the maximum number of EC2 instances for both Auto Scaling groups to meet the normal demand requirement. Create a warm pool.

D.

Reconfigure both Auto Scaling groups to use a scheduled scaling policy. Increase the size of the EC2 instance types and the RDS instance types.

Question 140

A company runs game applications on AWS. The company needs to collect, visualize, and analyze telemetry data from the company ' s game servers. The company wants to gain insights into the behavior, performance, and health of game servers in near real time. Which solution will meet these requirements?

Options:

A.

Use Amazon Kinesis Data Streams to collect telemetry data. Use Amazon Managed Service for Apache Flink to process the data in near real time and publish custom metrics to Amazon CloudWatch. Use Amazon CloudWatch to create dashboards and alarms from the custom metrics.

B.

Use Amazon Data Firehose to collect, process, and store telemetry data in near real time. Use AWS Glue to extract, transform, and load (ETL) data from Firehose into required formats for analysis. Use Amazon QuickSight to visualize and analyze the data.

C.

Use Amazon Kinesis Data Streams to collect, process, and store telemetry data. Use Amazon EMR to process the data in near real time into required formats for analysis. Use Amazon Athena to analyze and visualize the data.

D.

Use Amazon DynamoDB Streams to collect and store telemetry data. Configure DynamoDB Streams to invoke AWS Lambda functions to process the data in near real time. Use Amazon Managed Grafana to visualize and analyze the data.

Question 141

A company hosts an application on AWS that gives users the ability to download photos. The company stores all photos in an Amazon S3 bucket that is located in the us-east-1 Region. The company wants to provide the photo download application to global customers with low latency.

Which solution will meet these requirements?

Options:

A.

Find the public IP addresses that Amazon S3 uses in us-east-1. Configure an Amazon Route 53 latency-based routing policy that routes to all the public IP addresses.

B.

Configure an Amazon CloudFront distribution in front of the S3 bucket. Use the distribution endpoint to access the photos that are in the S3 bucket.

C.

Configure an Amazon Route 53 geoproximity routing policy to route the traffic to the S3 bucket that is closest to each customer ' s location.

D.

Create a new S3 bucket in the us-west-1 Region. Configure an S3 Cross-Region Replication rule to copy the photos to the new S3 bucket.

Question 142

A company collects 10 GB of telemetry data every day from multiple devices. The company stores the data in an Amazon S3 bucket that is in a source data account.

The company has hired several consulting agencies to analyze the company ' s data. Each agency has a unique AWS account. Each agency requires read access to the company ' s data.

The company needs a secure solution to share the data from the source data account to the consulting agencies.

Which solution will meet these requirements with the LEAST operational effort?

Options:

A.

Set up an Amazon CloudFront distribution. Use the S3 bucket as the origin.

B.

Make the S3 bucket public for a limited time. Inform only the agencies that the bucket is publicly accessible.

C.

Configure cross-account access for the S3 bucket to the accounts that the agencies own.

D.

Set up an IAM user for each agency in the source data account. Grant each agency IAM user access to the company ' s S3 bucket.

Question 143

A company needs to provide a team of contractors with temporary access to the company ' s AWS resources for a short-term project. The contractors need different levels of access to AWS services. The company needs to revoke permissions for all the contractors when the project is finished.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use IAM to create a user account for each contractor. Attach policies that define access levels for the contractors to the user accounts. Manually deactivate the accounts when the project is finished.

B.

Use AWS STS to generate temporary credentials for the contractors. Provide the contractors access based on predefined roles. Set the access to automatically expire when the project is finished.

C.

Configure AWS Config rules to monitor the contractors ' access patterns. Use AWS Config rules to automatically revoke permissions that are not in use or that are too permissive.

D.

Use AWS CloudTrail and custom Amazon EventBridge triggers to audit the contractors ' actions. Adjust the permissions for each contractor based on activity logs.

Question 144

A company operates a data lake in Amazon S3 that stores large datasets in multiple formats. The company has an application that retrieves and processes subsets of data from multiple objects in the data lake based on filtering criteria. For each data query, the application currently downloads the entire S3 object and performs transformations. The current process requires a large amount of transformation time.

The company wants a solution that will give the application the ability to query and filter directly on S3 objects without downloading the objects.

Which solution will meet these requirements?

Options:

A.

Use Amazon Athena to query and filter the objects in Amazon S3.

B.

Use Amazon EMR to process and filter the objects.

C.

Use Amazon API Gateway to create an API to retrieve filtered results from Amazon S3.

D.

Use Amazon ElastiCache (Valkey) to cache the objects.

Question 145

A media company is launching a new product platform that artists from around the world can use to upload videos and images directly to an Amazon S3 bucket. The company owns and maintains the S3 bucket. The artists must be able to upload files from personal devices without the need for AWS credentials or an AWS account.

Which solution will meet these requirements MOST securely?

Options:

A.

Enable cross-origin resource sharing (CORS) on the S3 bucket.

B.

Turn off block public access for the S3 bucket. Share the bucket URL to the artists to enable uploads without credentials.

C.

Use an IAM role that has upload permissions for the S3 bucket to generate presigned URLs for S3 prefixes that are specific to each artist. Share the URLs to the artists.

D.

Create a web interface that uses an IAM role that has permission to upload and view objects in the S3 bucket. Share the web interface URL to the artists.

Question 146

A developer is creating a serverless application that performs video encoding. The encoding process runs as background jobs and takes several minutes to encode each video. The process must not send an immediate result to users.

The developer is using Amazon API Gateway to manage an API for the application. The developer needs to run test invocations and request validations. The developer must distribute API keys to control access to the API.

Which solution will meet these requirements?

Options:

A.

Create an HTTP API. Create an AWS Lambda function to handle the encoding jobs. Integrate the function with the HTTP API. Use the Event invocation type to call the Lambda function.

B.

Create a REST API with the default endpoint type. Create an AWS Lambda function to handle the encoding jobs. Integrate the function with the REST API. Use the Event invocation type to call the Lambda function.

C.

Create an HTTP API. Create an AWS Lambda function to handle the encoding jobs. Integrate the function with the HTTP API. Use the RequestResponse invocation type to call the Lambda function.

D.

Create a REST API with the default endpoint type. Create an AWS Lambda function to handle the encoding jobs. Integrate the function with the REST API. Use the RequestResponse invocation type to call the Lambda function.

Question 147

A manufacturing company runs an order processing application in its VPC. The company wants to securely send messages from the application to an external Salesforce system that uses Open Authorization (OAuth).

A solutions architect needs to integrate the company ' s order processing application with the external Salesforce system.

Which solution will meet these requirements?

Options:

A.

Create an Amazon Simple Notification Service (Amazon SNS) topic in a fanout configuration that pushes data to an HTTPS endpoint. Configure the order processing application to publish messages to the SNS topic.

B.

Create an Amazon Simple Notification Service (Amazon SNS) topic in a fanout configuration that pushes data to an Amazon Data Firehose delivery stream that has a HTTP destination. Configure the order processing application to publish messages to the SNS topic.

C.

Create an Amazon EventBridge rule and configure an Amazon EventBridge API destination partner Configure the order processing application to publish messages to Amazon EventBridge.

D.

Create an Amazon Managed Streaming for Apache Kafka (Amazon MSK) topic that has an outbound MSK Connect connector. Configure the order processing application to publish messages to the MSK topic.

Question 148

A company recently launched a new application for its customers. The application runs on multiple Amazon EC2 instances across two Availability Zones. End users use TCP to communicate with the application.

The application must be highly available and must automatically scale as the number of users increases.

Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

Options:

A.

Add a Network Load Balancer in front of the EC2 instances.

B.

Configure an Auto Scaling group for the EC2 instances.

C.

Add an Application Load Balancer in front of the EC2 instances.

D.

Manually add more EC2 instances for the application.

E.

Add a Gateway Load Balancer in front of the EC2 instances.

Question 149

A company uses Amazon Route 53 as its DNS provider. The company hosts a website both on premises and in the AWS Cloud. The company ' s on-premises data center is near the us-west-1 Region. The company hosts the website on AWS in the eu-central-1 Region.

The company wants to optimize load times for the website as much as possible.

Which solution will meet these requirements?

Options:

A.

Create a DNS record with a failover routing policy that routes all primary traffic to eu-central-1. Configure the routing policy to use the on-premises data center as the secondary location.

B.

Create a DNS record with an IP-based routing policy. Configure specific IP ranges to return the value for the eu-central-1 website. Configure all other IP ranges to return the value for the on-premises website.

C.

Create a DNS record with a latency-based routing policy. Configure one latency record for the eu-central-1 website and one latency record for the on-premises data center. Associate the record for the on-premises data center with the us-west-1 Region.

D.

Create a DNS record with a weighted routing policy. Split the traffic evenly between eu-central-1 and the on-premises data center.

Question 150

A company hosts an ecommerce application on AWS by using Amazon EC2 instances. The EC2 instances are spread across three Availability Zones behind an Application Load Balancer ALB. The EC2 instances are in an Auto Scaling group.

Some application users report that the application occasionally directs users who have already authenticated to the login page. The users must log in again.

The company needs a solution that will prevent the application from redirecting authenticated users to the login page.

Which solution will meet this requirement?

Options:

A.

Manually terminate the EC2 instances. Wait for the Auto Scaling group to launch new EC2 instances automatically.

B.

Configure the ALB to direct user activities to the appropriate EC2 instance through the IPv4 IP address of the instance that is registered as a target in the target group.

C.

Apply session affinity with application-based stickiness at the target group level.

D.

Configure the ALB to direct user activities to just one EC2 instance that is registered as a target in the target group.

Question 151

A company wants to publish a private website for its on-premises employees. The website consists of several HTML pages and image files. The website must be available only through HTTPS and must be available only to on-premises employees. A solutions architect plans to store the website files in an Amazon S3 bucket.

Which solution will meet these requirements?

Options:

A.

Create an S3 bucket policy to deny access when the source IP address is not the public IP address of the on-premises environment Set up an Amazon Route 53 alias record to point to the S3 bucket. Provide the alias record to the on-premises employees to grant the employees access to the website.

B.

Create an S3 access point to provide website access. Attach an access point policy to deny access when the source IP address is not the public IP address of the on-premises environment. Provide the S3 access point alias to the on-premises employees to grant the employees access to the website.

C.

Create an Amazon CloudFront distribution that includes an origin access control (OAC) that is configured for the S3 bucket. Use AWS Certificate Manager for SSL. Use AWS WAF with an IP set rule that allows access for the on-premises IP address. Set up an Amazon Route 53 alias record to point to the CloudFront distribution.

D.

Create an Amazon CloudFront distribution that includes an origin access control (OAC) that is configured for the S3 bucket. Create a CloudFront signed URL for the objects in the bucket. Set up an Amazon Route 53 alias record to point to the CloudFront distribution. Provide the signed URL to the on-premises employees to grant the employees access to the website.

Question 152

A company is building new learning management applications on AWS. The company is using Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 to host the applications. The company must ensure that container images are secure. Company administrators must receive notifications of any security vulnerabilities in the images.

Which combination of solutions will meet these requirements? (Select TWO.)

Options:

A.

Modify the ECS cluster properties to use privileged mode. Enable host-based logging.

B.

Use the AWS Config conformance pack for Amazon ECS. Use AWS Config to notify administrators if any security vulnerabilities are detected.

C.

Configure AWS WAF to invoke an Amazon CloudWatch alarm when a new security vulnerability is detected.

D.

Use Amazon Inspector to scan container images in Amazon Elastic Container Registry (Amazon ECR).

E.

Use AWS Systems Manager Parameter Store to encrypt container images.

Question 153

A solutions architect needs to design a solution for a high performance computing (HPC) workload. The solution must include multiple Amazon EC2 instances. Each EC2 instance requires 10 Gbps of bandwidth individually for single-flow traffic. The EC2 instances require an aggregate throughput of 100 Gbps of bandwidth across all EC2 instances. Communication between the EC2 instances must have low latency.

Which solution will meet these requirements?

Options:

A.

Place the EC2 instances in a single subnet of a VPC. Configure a cluster placement group. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.

B.

Place the EC2 instances in multiple subnets in a single VPC. Configure a spread placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.

C.

Place the EC2 instances in multiple VPCs. Use AWS Transit Gateway to route traffic between the VPCs. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.

D.

Place the EC2 instances in multiple subnets across multiple Availability Zones. Configure a cluster placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.

Question 154

A company needs to provide a team of contractors with temporary access to the company ' s AWS resources for a short-term project. The contractors need different levels of access to AWS services. The company needs to revoke permissions for all the contractors when the project is finished.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use AWS IAM to create a user account for each contractor. Attach policies that define access levels for the contractors to the user accounts. Manually deactivate the accounts when the project is finished.

B.

Use AWS Security Token Service (AWS STS) to generate temporary credentials for the contractors. Provide the contractors access based on predefined roles. Set the access to automatically expire when the project is finished.

C.

Configure AWS Config rules to monitor the contractors ' access patterns. Use AWS Config rules to automatically revoke permissions that are not in use or that are too permissive.

D.

Use AWS CloudTrail and custom Amazon EventBridge triggers to audit the contractors ' actions. Adjust the permissions for each contractor based on activity logs.

Question 155

A company has a production Amazon RDS for MySQL database. The company needs to create a new application that will read frequently changing data from the database with minimal impact on the database ' s overall performance. The application will rarely perform the same query more than once.

What should a solutions architect do to meet these requirements?

Options:

A.

Set up an Amazon ElastiCache cluster. Query the results in the cluster.

B.

Set up an Application Load Balancer (ALB). Query the results in the ALB.

C.

Set up a read replica for the database. Query the read replica.

D.

Set up querying of database snapshots. Query the database snapshots.

Question 156

A company wants DevOps teams to create IAM roles, but no role may have administrative permissions.

Which solution will meet these requirements?

Options:

A.

Use SCPs to deny AdministratorAccess policy usage.

B.

Use SCPs to require a permissions boundary when creating IAM roles.

C.

Allow all permissions and auto-delete noncompliant roles.

D.

Attach restrictive permissions boundaries directly to IAM users.

Question 157

A company has Amazon EC2 instances in multiple AWS Regions. The instances all store and retrieve confidential data from the same Amazon S3 bucket. The company wants to improve the security of its current architecture.

The company wants to ensure that only the Amazon EC2 instances within its VPC can access the S3 bucket. The company must block all other access to the bucket.

Which solution will meet this requirement?

Options:

A.

Use IAM policies to restrict access to the S3 bucket.

B.

Use server-side encryption (SSE) to encrypt data in the S3 bucket at rest. Store the encryption key on the EC2 instances.

C.

Create a VPC endpoint for Amazon S3. Configure an S3 bucket policy to allow connections only from the endpoint.

D.

Use AWS Key Management Service (AWS KMS) with customer-managed keys to encrypt the data before sending the data to the S3 bucket.

Question 158

A company has a social media application that is experiencing rapid user growth. The current architecture uses t-family Amazon EC2 instances. The current architecture struggles to handle the increasing number of user posts and images. The application experiences performance slowdowns during peak usage times.

A solutions architect needs to design an updated architecture that will resolve the performance issues and scale as usage increases.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use the largest Amazon EC2 instance in the same family to host the application. Install a relational database on the instance to store all account information and to store posts and images.

B.

Use Amazon Simple Queue Service (Amazon SQS) to buffer incoming posts. Use a larger EC2 instance in the same family to host the application. Store account information in Amazon DynamoDB. Store posts and images in the local EC2 instance file system.

C.

Use an Amazon API Gateway REST API and AWS Lambda functions to process requests. Store account information in Amazon DynamoDB. Use Amazon S3 to store posts and images.

D.

Deploy multiple EC2 instances in the same family. Use an Application Load Balancer to distribute traffic. Use a shared file system to store account information and to store posts and images.

Question 159

A company needs to collect streaming data from several sources and store the data in the AWS Cloud. The dataset is heavily structured, but analysts need to perform several complex SQL queries and need consistent performance. Some of the data is queried more frequently than the rest. The company wants a solution that meets its performance requirements in a cost-effective manner.

Which solution meets these requirements?

Options:

A.

Use Amazon Managed Streaming for Apache Kafka (Amazon MSK) to ingest the data to save it to Amazon S3. Use Amazon Athena to perform SQL queries over the ingested data.

B.

Use Amazon Managed Streaming for Apache Kafka (Amazon MSK) to ingest the data to save it to Amazon Redshift. Enable Amazon Redshift workload management (WLM) to prioritize workloads.

C.

Use Amazon Data Firehose to ingest the data to save it to Amazon Redshift. Enable Amazon Redshift workload management (WLM) to prioritize workloads.

D.

Use Amazon Data Firehose to ingest the data to save it to Amazon S3. Load frequently queried data to Amazon Redshift using the COPY command. Use Amazon Redshift Spectrum for less frequently queried data.

Question 160

An e-commerce company stores inventory, order, and user information in multiple Amazon Redshift clusters. The Redshift clusters must comply with the company ' s security policies. The company must receive notifications about any security configuration violations.

Which solution will meet these requirements?

Options:

A.

Create an Amazon EventBridge rule that uses the Redshift clusters as the source. Create an AWS Lambda function to evaluate the Redshift cluster security configuration. Configure theLambda function to notify the company of any violations of the security policies. Add the Lambda function as a target of the EventBridge rule.

B.

Create an AWS Lambda function to check the validity of the Redshift cluster security configurations. Create an Amazon EventBridge rule that invokes the Lambda function when Redshift clusters are created. Notify the company of any violations of security policies.

C.

Set up Amazon Redshift Advisor in the company ' s AWS account to monitor cluster configurations. Configure Redshift Advisor to generate notifications for security items that the company must address.

D.

Create an AWS Lambda function to check the Redshift clusters for any violation of the security configurations. Create an AWS Config custom rule to invoke the Lambda function when Redshift cluster security configurations are modified. Provide the compliance state of each Redshift cluster to AWS Config. Configure AWS Config to notify the company of any violations of the security policies.

Question 161

A company has a large fleet of vehicles that are equipped with internet connectivity to send telemetry to the company. The company receives over 1 million data points every 5 minutes from the vehicles. The company uses the data in machine learning (ML) applications to predict vehicle maintenance needs and to preorder parts. The company produces visual reports based on the captured data. The company wants to migrate the telemetry ingestion, processing, and visualization workloads to AWS. Which solution will meet these requirements?

Options:

A.

Use Amazon Timestream for LiveAnalytics to store the data points. Grant Amazon SageMaker permission to access the data for processing. Use Amazon QuickSight to visualize the data.

B.

Use Amazon DynamoDB to store the data points. Use DynamoDB Connector to ingest data from DynamoDB into Amazon EMR for processing. Use Amazon QuickSight to visualize the data.

C.

Use Amazon Neptune to store the data points. Use Amazon Kinesis Data Streams to ingest data from Neptune into an AWS Lambda function for processing. Use Amazon QuickSight to visualize the data.

D.

Use Amazon Timestream to for LiveAnalytics to store the data points. Grant Amazon SageMaker permission to access the data for processing. Use Amazon Athena to visualize the data.

Question 162

A company runs a web application that uses Amazon RDS for MySQL to store relational data. Data in the database does not change frequently.

A solutions architect notices that during peak usage times, the database has performance issues when it serves the data. The company wants to improve the performance of the database.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

A.

Integrate AWS WAF with the application.

B.

Create a read replica for the database. Redirect read traffic to the read replica.

C.

Create an Amazon ElastiCache (Memcached) cluster. Configure the application and the database to integrate with the cluster.

D.

Use the Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class to store the data that changes infrequently.

E.

Migrate the database to Amazon DynamoDB. Configure the application to use the DynamoDB database.

Question 163

A company runs a fleet of Amazon EC2 On-Demand Instances to support a document processing application that has variable usage patterns. The company wants to optimize compute costs for the application. The company needs a solution that can tolerate occasional disruptions to document processing jobs.

Which solution will meet these requirements?

Options:

A.

Replace the EC2 instances with an Amazon EKS cluster that uses AWS Fargate Spot capacity.

B.

Use the EC2 Spot Instance placement score feature to identify which instance type to use. Deploy the application on Spot Instances.

C.

Create a single EC2 Auto Scaling group. Set a mixed configuration of EC2 On-Demand Instances and EC2 Spot Instances.

D.

Continue to use EC2 On-Demand Instances. Purchase Convertible Reserved Instances.

Question 164

A solutions architect is designing the architecture for a company website that is composed of static content. The company ' s target customers are located in the United States and Europe.

Which architecture should the solutions architect recommend to MINIMIZE cost?

Options:

A.

Store the website files on Amazon S3 in the us-east-2 Region. Use an Amazon CloudFront distribution with the price class configured to limit the edge locations in use.

B.

Store the website files on Amazon S3 in the us-east-2 Region. Use an Amazon CloudFront distribution with the price class configured to maximize the use of edge locations.

C.

Store the website files on Amazon S3 in the us-east-2 Region and the eu-west-1 Region. Use an Amazon CloudFront geolocation routing policy to route requests to the closest Region to the user.

D.

Store the website files on Amazon S3 in the us-east-2 Region and the eu-west-1 Region. Use an Amazon CloudFront distribution with an Amazon Route 53 latency routing policy to route requests to the closest Region to the user.

Question 165

A software company needs to upgrade a critical web application. The application is hosted in a public subnet. The EC2 instance runs a MySQL database. The application ' s DNS records are published in an Amazon Route 53 zone.

A solutions architect must reconfigure the application to be scalable and highly available. The solutions architect must also reduce MySQL read latency.

Which combination of solutions will meet these requirements? (Select TWO.)

Options:

A.

Launch a second EC2 instance in a second AWS Region. Use a Route 53 failover routing policy to redirect the traffic to the second EC2 instance.

B.

Create and configure an Auto Scaling group to launch private EC2 instances in multiple Availability Zones. Add the instances to a target group behind a new Application Load Balancer.

C.

Migrate the database to an Amazon Aurora MySQL cluster. Create the primary DB instance and reader DB instance in separate Availability Zones.

D.

Create and configure an Auto Scaling group to launch private EC2 instances in multiple AWS Regions. Add the instances to a target group behind a new Application Load Balancer.

E.

Migrate the database to an Amazon Aurora MySQL cluster with cross-Region read replicas.

Question 166

A company is designing a new multi-tier web application that consists of the following components:

• Web and application servers that run on Amazon EC2 instances as part of Auto Scaling groups

• An Amazon RDS DB instance for data storage

A solutions architect needs to limit access to the application servers so that only the web servers can access them. Which solution will meet these requirements?

Options:

A.

Deploy AWS PrivateLink in front of the application servers. Configure the network ACL to allow only the web servers to access the application servers.

B.

Deploy a VPC endpoint in front of the application servers Configure the security group to allow only the web servers to access the application servers

C.

Deploy a Network Load Balancer with a target group that contains the application servers ' Auto Scaling group Configure the network ACL to allow only the web servers to access the application servers.

D.

Deploy an Application Load Balancer with a target group that contains the application servers ' Auto Scaling group. Configure the security group to allow only the web servers to access the application servers.

Question 167

A company wants a flexible compute solution that includes Amazon EC2 instances and AWS Fargate. The company does not want to commit to multi-year contracts.

Which purchasing option will meet these requirements MOST cost-effectively?

Options:

A.

Purchase a 1-year EC2 Instance Savings Plan with the All Upfront option.

B.

Purchase a 1-year Compute Savings Plan with the No Upfront option.

C.

Purchase a 1-year Compute Savings Plan with the Partial Upfront option.

D.

Purchase a 1-year Compute Savings Plan with the All Upfront option.

Question 168

A healthcare company needs a storage solution for electronic health records EHRs. The company must store the EHRs for at least 10 years to comply with regulations. The company rarely accesses the records. The records must be secure, immutable, and retrievable within a few hours when needed. Which solution will meet these requirements in the MOST cost-effective way?

Options:

A.

Store the records in Amazon S3 Standard. Enable server-side encryption with Amazon S3 managed keys SSE-S3 and S3 Versioning.

B.

Store the records in Amazon S3 Glacier Flexible Retrieval. Configure S3 Object Lock and set a retention period of 10 years.

C.

Store the records in Amazon S3 One Zone-Infrequent Access S3 One Zone-IA. Configure an S3 Lifecycle policy to remove records after 10 years.

D.

Store the records in Amazon S3 Intelligent-Tiering. Configure automatic archiving to the Archive Access tier.

Question 169

A company wants to use a data lake that is hosted on Amazon S3 to provide analytics services for historical data. The data lake consists of 800 tables but is expected to grow to thousands of tables. More than 50 departments use the tables, and each department has hundreds of users. Different departments need access to specific tables and columns.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an IAM role for each department. Use AWS Lake Formation based access control to grant each IAM role access to specific tables and columns. Use Amazon Athena to analyze the data.

B.

Create an Amazon Redshift cluster for each department. Use AWS Glue to ingest into the Redshift cluster only the tables and columns that are relevant to that department. Create Redshift database users. Grant the users access to the relevant department ' s Redshift cluster. Use Amazon Redshift to analyze the data.

C.

Create an IAM role for each department. Use AWS Lake Formation tag-based access control to grant each IAM role access to only the relevant resources. Create LF-tags that are attached to tables and columns. Use Amazon Athena to analyze the data.

D.

Create an Amazon EMR cluster for each department. Configure an IAM service role for each EMR cluster to access relevant S3 files. For each department ' s users, create an IAM role that provides access to the relevant EMR cluster. Use Amazon EMR to analyze the data.

Question 170

A company is using an AWS Lambda function in a VPC. The Lambda function needs to access dependencies that exceed the size of the Lambda layer quota. The data that the Lambda function retrieves must be encrypted in transit.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Store the dependencies in an Amazon Elastic File System (Amazon EFS) file system. Mount the file system to the Lambda function. Retrieve the dependencies from the file system.

B.

Store the dependencies on an Amazon EC2 instance that has an instance store volume and web server software. Use HTTPS API calls to retrieve the dependencies each time the Lambda function runs.

C.

Store the dependencies on an Amazon EC2 instance that hosts an NFS file server. Read the files from the EC2 instance each time the Lambda function runs.

D.

Store the dependencies in two separate Lambda layers. Redesign the application to have two Lambda functions that use different Lambda layers.

Question 171

A company runs its applications on both Amazon EKS clusters and on-premises Kubernetes clusters. The company wants to view all clusters and workloads from a central location.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use Amazon CloudWatch Container Insights to collect and group the cluster information.

B.

Use Amazon EKS Connector to register and connect all Kubernetes clusters.

C.

Use AWS Systems Manager to collect and view the cluster information.

D.

Use Amazon EKS Anywhere as the primary cluster to view the other clusters with native Kubernetes commands.

Question 172

A company has a static website that is hosted on Amazon CloudFront in front of Amazon S3. The static website uses a database backend. The company notices that the website does not reflect updates that have been made in the website ' s Git repository. The company checks the continuous integration and continuous delivery (CI/CD) pipeline between the Git repository and Amazon S3. The company verifies that the webhooks are configured properly and that the CI/CD pipeline Is sending messages that indicate successful deployments.

A solutions architect needs to implement a solution that displays the updates on the website.

Which solution will meet these requirements?

Options:

A.

Add an Application Load Balancer.

B.

Add Amazon ElastiCache for Redis or Memcached to the database layer of the web application.

C.

Invalidate the CloudFront cache.

D.

Use AWS Certificate Manager (ACM) to validate the website ' s SSL certificate.

Question 173

A company wants to store a large amount of data as objects for analytics and long-term archiving. Resources from outside AWS need to access the data. The external resources need to access the data with unpredictable frequency. However, the external resource must have immediate access when necessary.

The company needs a cost-optimized solution that provides high durability and data security.

Which solution will meet these requirements?

Options:

A.

Store the data in Amazon S3 Standard. Apply S3 Lifecycle policies to transition older data to S3 Glacier Deep Archive.

B.

Store the data in Amazon S3 Intelligent-Tiering.

C.

Store the data in Amazon S3 Glacier Flexible Retrieval. Use expedited retrieval to provide immediate access when necessary.

D.

Store the data in Amazon Elastic File System (Amazon EFS) Infrequent Access (IA). Use lifecycle policies to archive older files.

Question 174

A mining company is using Amazon S3 as its data lake. The company wants to analyze the data collected by the sensors in its mines. A data pipeline is being built to capture data from the sensors, ingest the data into an S3 bucket, and convert the data to Apache Parquet format. The data pipeline must be processed in near-real time. The data will be used for on-demand queries with Amazon Athena.

Which solution will meet these requirements?

Options:

A.

Use Amazon Data Firehose to invoke an AWS Lambda function that converts the data to Parquet format and stores the data in Amazon S3.

B.

Use Amazon Kinesis Data Streams to invoke an AWS Lambda function that converts the data to Parquet format and stores the data in Amazon S3.

C.

Use AWS DataSync to invoke an AWS Lambda function that converts the data to Parquet format and stores the data in Amazon S3.

D.

Use Amazon Simple Queue Service (Amazon SQS) to stream data directly to an AWS Glue job that converts the data to Parquet format and stores the data in Amazon S3.

Question 175

A company uses AWS to run its workloads. The company uses AWS Organizations to manage its accounts. The company needs to identify which departments are responsible for specific costs.

New accounts are constantly created in the Organizations account structure. The Organizations continuous integration and continuous delivery (CI/CD) framework already adds the populated department tag to the AWS resources. The company wants to use an AWS Cost Explorer report to identify the service costs by department from all AWS accounts.

Which combination of steps will meet these requirements with the MOST operational efficiency? (Select TWO.)

Options:

A.

Activate the aws:createdBy cost allocation tag and the department cost allocation tag in the management account.

B.

Create a new cost and usage report in Cost Explorer. Group by the department cost allocation tag. Apply a filter to see all linked accounts and services.

C.

Activate only the department cost allocation tag in the management account.

D.

Create a new cost and usage report in Cost Explorer. Group by the department cost allocation tag without any other filters.

E.

Activate only the aws:createdBy cost allocation tag in the management account.

Question 176

A company has an application that runs on Amazon EC2 instances in an Auto Scaling group. The application uses hardcoded credentials to access an Amazon RDS database.

To comply with new regulations, the company needs to automatically rotate the database password for the application service account every 90 days.

Which solution will meet these requirements?

Options:

A.

Create an AWS Lambda function to generate new passwords and upload them to EC2 instances by using SSH.

B.

Create a secret for the database credentials in AWS Secrets Manager. Enable rotation every 90 days. Modify the application to retrieve credentials from Secrets Manager.

C.

Create an Amazon ECS task to rotate passwords and upload them to EC2 instances.

D.

Create a new EC2 instance that runs a cron job to rotate passwords.

Question 177

A company has a serverless web application that is comprised of AWS Lambda functions. The application experiences spikes in traffic that cause increased latency because of cold starts. The company wants to improve the application’s ability to handle traffic spikes and to minimize latency. The solution must optimize costs during periods when traffic is low.

Options:

A.

Configure provisioned concurrency for the Lambda functions. Use AWS Application Auto Scaling to adjust the provisioned concurrency.

B.

Launch Amazon EC2 instances in an Auto Scaling group. Add a scheduled scaling policy to launch additional EC2 instances during peak traffic periods.

C.

Configure provisioned concurrency for the Lambda functions. Set a fixed concurrency level to handle the maximum expected traffic.

D.

Create a recurring schedule in Amazon EventBridge Scheduler. Use the schedule to invoke the Lambda functions periodically to warm the functions.

Question 178

A company generates SSL certificates from a third-party provider. The company imports the certificates into AWS Certificate Manager (ACM) to use with public web applications.

A solutions architect must implement a solution to notify the company ' s security team 30 days before an imported certificate expires. The company already has an Amazon Simple Queue Service (Amazon SQS) queue. The company also has an Amazon Simple Notification Service (Amazon SNS) topic that has the security team ' s email address as a subscriber.

Which solution will provide the security team with the required notification about certificates?

Options:

A.

Create an AWS Lambda function to scan for expiring certificates. Program the Lambda function to list the certificates in a JSON message and to deliver the message to the SQS queue.

B.

Create an AWS Lambda function to scan for expiring certificates. Program the Lambda function to list the certificates in a JSON message and to deliver the message to the SNS topic.

C.

Create an Amazon EventBridge rule that specifies the ACM Certificate Approaching Expiration event type. Set the SQS queue as the rule ' s target.

D.

Create an Amazon EventBridge rule that specifies the ACM Certificate Approaching Expiration event type. Set the SNS topic as the rule ' s target.

Question 179

A company has a serverless web application that is comprised of AWS Lambda functions. The application experiences spikes in traffic that cause increased latency because of cold starts. The company wants to improve the application ' s ability to handle traffic spikes and to minimize latency. The solution must optimize costs during periods when traffic is low.

Which solution will meet these requirements?

Options:

A.

Configure provisioned concurrency for the Lambda functions. Use AWS Application Auto Scaling to adjust the provisioned concurrency.

B.

Launch Amazon EC2 instances in an Auto Scaling group. Add a scheduled scaling policy to launch additional EC2 instances during peak traffic periods.

C.

Configure provisioned concurrency for the Lambda functions. Set a fixed concurrency level to handle the maximum expected traffic.

D.

Create a recurring schedule in Amazon EventBridge Scheduler. Use the schedule to invoke the Lambda functions periodically to warm the functions.

Question 180

A company processes large amounts of data by using Amazon EC2 instances in an Auto Scaling group. The data processing jobs run for up to 48 hours each week. The data processing jobs can handle interruptions. However, the company wants to minimize the interruptions. The company wants to use the latest generation of Amazon EC2 instances each year.

Which solution will meet these requirements in the MOST cost-effective way?

Options:

A.

Purchase Convertible Reserved Instances on an All Upfront basis for a 3-year term for the instance types currently in use.

B.

Purchase Standard Reserved Instances on an All Upfront basis for a 1-year term for the instance types currently in use.

C.

Purchase Spot Instances with a price-capacity-optimized allocation strategy. Override instance types in the Auto Scaling group.

D.

Purchase Spot Instances with a capacity-optimized allocation strategy. Override instance types in the Auto Scaling group.

Question 181

A company hosts an application on Amazon EC2 instances behind an Application Load Balancer ALB. The company wants the application to be accessible only from inside the VPC that hosts the ALB.

The company creates an alias record of example.com in Amazon Route 53. The DNS record for the application must be resolvable only in the VPC where the application runs.

Which solution will meet these requirements?

Options:

A.

Use an internet-facing ALB. Create a Route 53 public hosted zone for the application DNS name.

B.

Use an internal ALB. Create a Route 53 public hosted zone for the application DNS name.

C.

Use an internet-facing ALB. Create a Route 53 private hosted zone for the application DNS name.

D.

Use an internal ALB. Create a Route 53 private hosted zone for the application DNS name.

Question 182

A company wants to migrate hundreds of gigabytes of unstructured data from an on-premises location to an Amazon S3 bucket. The company has a 100-Mbps internet connection on premises. The company needs to encrypt the data in transit to the S3 bucket. The company will store new data directly in Amazon S3.

Options:

A.

Use AWS Database Migration Service (AWS DMS) to synchronize the on-premises data to a destination S3 bucket.

B.

Use AWS DataSync to migrate the data from the on-premises location to an S3 bucket.

C.

Use an AWS Snowball Edge device to migrate the data to an S3 bucket. Use an AWS CloudHSM key to encrypt the data on the Snowball Edge device.

D.

Set up an AWS Direct Connect connection between the on-premises location and AWS. Use the s3 cp command to move the data directly to an S3 bucket.

Question 183

A company is building a stock trading application in the AWS Cloud. The company requires a highly available solution that provides low-latency access to block storage across multiple Availability Zones.

Options:

A.

Use an Amazon S3 bucket and an S3 File Gateway as shared storage for the application.

B.

Create an Amazon EC2 instance in each Availability Zone. Attach a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume to each EC2 instance. Create a Bash script to sync data between volumes.

C.

Use an Amazon FSx for NetApp ONTAP Multi-AZ file system to access data by using the iSCSI protocol.

D.

Create an Amazon EC2 instance in each Availability Zone. Attach a Provisioned IOPS SSD (io2) Amazon Elastic Block Store (Amazon EBS) volume to each EC2 instance. Create a Python script to sync data between volumes.

Question 184

A media publishing company is building an application on AWS to give users the ability to print their own books. The application frontend runs on a Docker container.

The amount of incoming orders varies significantly. The incoming orders can temporarily exceed the throughput of the company ' s book printing machines. Order-processing payloads are up to 4 MB in size.

The company needs to develop a solution that can scale to handle incoming orders.

Which solution will meet this requirement?

Options:

A.

Use Amazon Simple Queue Service (Amazon SQS) to queue incoming orders. Create an AWS Lambda@Edge function to process orders. Deploy the frontend application on Amazon Elastic Kubernetes Service (Amazon EKS).

B.

Use Amazon Simple Notification Service (Amazon SNS) to queue incoming orders. Create an AWS Lambda function to process orders. Deploy the frontend application on AWS Fargate.

C.

Use Amazon Simple Queue Service (Amazon SQS) to queue incoming orders. Create an AWS Lambda function to process orders. Deploy the frontend application on Amazon Elastic Container Service (Amazon ECS) with the AWS Fargate launch type.

D.

Use Amazon Simple Notification Service (Amazon SNS) to queue incoming orders. Create an AWS Lambda@Edge function to process orders. Deploy the frontend application on Amazon EC2 instances.

Question 185

A company stores a large number of image files in an Amazon S3 bucket. The images need to be readily available for 180 days. The company rarely accesses images that are older than 180 days. However, the company must be able to access images immediately when necessary.

The company wants to archive images that are older than 360 days, but the company must be able to access the images instantly when required. The images cannot be deleted. The company requires high availability and redundancy throughout the entire lifecycle of the files.

The company will use S3 Standard storage for the first 180 days. The company needs to configure S3 Lifecycle rules to handle the remaining lifecycle stages of the files.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Transition the objects to S3 One Zone-Infrequent Access S3 One Zone-IA after 180 days. Transition the objects to S3 Glacier Instant Retrieval after 360 days.

B.

Transition the objects to S3 One Zone-Infrequent Access S3 One Zone-IA after 180 days. Transition the objects to S3 Glacier Flexible Retrieval after 360 days.

C.

Transition the objects to S3 Standard-Infrequent Access S3 Standard-IA after 180 days. Transition the objects to S3 Glacier Instant Retrieval after 360 days.

D.

Transition the objects to S3 Standard-Infrequent Access S3 Standard-IA after 180 days. Transition the objects to S3 Glacier Flexible Retrieval after 360 days.

Question 186

A company is building a new web-based customer relationship management application. The application will use several Amazon EC2 instances that are backed by Amazon EBS volumes behind an Application Load Balancer (ALB). The application will also use an Amazon Aurora database. All data for the application must be encrypted at rest and in transit.

Which solution will meet these requirements?

Options:

A.

Use AWS KMS certificates on the ALB to encrypt data in transit. Use AWS Certificate Manager (ACM) to encrypt the EBS volumes and Aurora database storage at rest.

B.

Use the AWS root account to log in to the AWS Management Console. Upload the company ' s encryption certificates. While in the root account, select the option to turn on encryption for all data at rest and in transit for the account.

C.

Use AWS KMS to encrypt the EBS volumes and Aurora database storage at rest. Attach an AWS Certificate Manager (ACM) certificate to the ALB to encrypt data in transit.

D.

Use BitLocker to encrypt all data at rest. Import the company ' s TLS certificate keys to AWS KMS. Attach the KMS keys to the ALB to encrypt data in transit.

Question 187

A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet. The company has no existing dedicated connectivity to AWS.

Which combination of steps should a solutions architect take to meet these requirements? (Select TWO.)

Options:

A.

Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC.

B.

Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a public VIF between the on-premises environment and the private VPC.

C.

Create an Amazon S3 interface endpoint in the networking account.

D.

Create an Amazon S3 gateway endpoint in the networking account.

E.

Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account.

Question 188

A company is building a web application that serves a content management system. The content management system runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group across multiple Availability Zones. Users are constantly adding and updating files, blogs, and other website assets in the content management system.

A solutions architect must implement a solution in which all the EC2 instances share up-to-date website content with the least possible lag time.

Options:

A.

Update the EC2 user data in the Auto Scaling group lifecycle policy to copy the website assets from the EC2 instance that was launched most recently. Configure the ALB to make changes to the website assets only in the newest EC2 instance.

B.

Copy the website assets to an Amazon Elastic File System (Amazon EFS) file system. Configure each EC2 instance to mount the EFS file system locally. Configure the website hosting application to reference the website assets that are stored in the EFS file system.

C.

Copy the website assets to an Amazon S3 bucket. Ensure that each EC2 instance downloads the website assets from the S3 bucket to the attached Amazon Elastic Block Store (Amazon EBS) volume. Run the S3 sync command once each hour to keep files up to date.

D.

Restore an Amazon Elastic Block Store (Amazon EBS) snapshot with the website assets. Attach the EBS snapshot as a secondary EBS volume when a new EC2 instance is launched. Configure the website hosting application to reference the website assets that are stored in the secondary EBS volume.

Question 189

A company hosts a photo sharing web application on AWS. Users upload and share thousands of photos each hour. The company needs a durable storage solution that provides retrieval mechanisms for the photos. Most uploaded photos are not accessed often after 30 days, but the company does not want to delete older photos.

Which solution will meet these requirements in the MOST cost-effective way?

Options:

A.

Store the photos in an Amazon EFS file system for immediate use. Use AWS Backup with on-demand backups and point-in-time recovery PITR to store photos that are older than 30 days.

B.

Store the photos in an Amazon S3 bucket. Use Amazon S3 Lifecycle configurations to move photos that are older than 30 days to S3 Intelligent-Tiering.

C.

Store the photos in Amazon DynamoDB for immediate use. Use AWS Backup with on-demand backups and point-in-time recovery PITR to store photos that are older than 30 days.

D.

Store the photos in Amazon FSx for Lustre for immediate use. Use AWS Backup with continuous backups and point-in-time recovery PITR to store photos that are older than 30 days.

Question 190

A company runs an application on Amazon EC2 instances. The instances need to access an Amazon RDS database by using specific credentials. The company uses AWS Secrets Manager to contain the credentials the EC2 instances must use.

Which solution will meet this requirement?

Options:

A.

Create an IAM role, and attach the role to each EC2 instance profile. Use an identity-based policy to grant the new IAM role access to the secret that contains the database credentials.

B.

Create an IAM user, and attach the user to each EC2 instance profile. Use a resource-based policy to grant the new IAM user access to the secret that contains the database credentials.

C.

Create a resource-based policy for the secret that contains the database credentials. Use EC2 Instance Connect to access the secret.

D.

Create an identity-based policy for the secret that contains the database credentials. Grant direct access to the EC2 instances.

Question 191

A company runs a multi-tier application on premises by using virtual machines (VMs). The application tiers communicate asynchronously through third-party middleware that guarantees exactly-once delivery. The company is planning to migrate the application to AWS and needs to replace the middleware solution. The solution must provide exactly-once delivery for messages from the application.

Which combination of actions will meet these requirements with the LEAST infrastructure management? (Select TWO.)

Options:

A.

Use AWS Lambda functions to provide compute layers in the architecture.

B.

Use Amazon EC2 instances to provide compute layers in the architecture.

C.

Use Amazon SNS as a messaging component between the compute layers.

D.

Use Amazon SQS FIFO queues as a messaging component between the compute layers.

E.

Run containers on Amazon EKS to provide compute layers in the architecture.

Question 192

A company is building a serverless application to process clickstream data from its website. The clickstream data is sent to an Amazon Kinesis Data Streams data stream from the application web servers.

The company wants to enrich the clickstream data by joining the clickstream data with customer profile data from an Amazon Aurora Multi-AZ database. The company wants to use Amazon Redshift to analyze the enriched data. The solution must be highly available.

Which solution will meet these requirements?

Options:

A.

Use an AWS Lambda function to process and enrich the clickstream data. Use the same Lambda function to write the clickstream data to Amazon S3. Use Amazon Redshift Spectrum to query the enriched data in Amazon S3.

B.

Use an Amazon EC2 Spot Instance to poll the data stream and enrich the clickstream data. Configure the EC2 instance to use the COPY command to send the enriched results to Amazon Redshift.

C.

Use an Amazon Elastic Container Service (Amazon ECS) task with AWS Fargate Spot capacity to poll the data stream and enrich the clickstream data. Configure an Amazon EC2 instance to use the COPY command to send the enriched results to Amazon Redshift.

D.

Use Amazon Kinesis Data Firehose to load the clickstream data from Kinesis Data Streams to Amazon S3. Use AWS Glue crawlers to infer the schema and populate the AWS Glue Data Catalog. Use Amazon Athena to query the raw data in Amazon S3.

Question 193

A company recently migrated a monolithic application to an Amazon EC2 instance and Amazon RDS. The application has tightly coupled modules. The existing design of the application gives the application the ability to run on only a single EC2 instance.

The company has noticed high CPU utilization on the EC2 instance during peak usage times. The high CPU utilization corresponds to degraded performance on Amazon RDS for read requests. The company wants to reduce the high CPU utilization and improve read request performance.

Which solution will meet these requirements?

Options:

A.

Resize the EC2 instance to an EC2 instance type that has more CPU capacity. Configure an Auto Scaling group with a minimum and maximum size of 1. Configure an RDS read replica for read requests.

B.

Resize the EC2 instance to an EC2 instance type that has more CPU capacity. Configure an Auto Scaling group with a minimum and maximum size of 1. Add an RDS read replica and redirect all read/write traffic to the replica.

C.

Configure an Auto Scaling group with a minimum size of 1 and maximum size of 2. Resize the RDS DB instance to an instance type that has more CPU capacity.

D.

Resize the EC2 instance to an EC2 instance type that has more CPU capacity Configure an Auto Scaling group with a minimum and maximum size of 1. Resize the RDS DB instance to an instance type that has more CPU capacity.

Question 194

A company needs a solution to back up and protect critical AWS resources. The company needs to regularly take backups of several Amazon EC2 instances and Amazon RDS for PostgreSQL databases. To ensure high resiliency, the company must have the ability to validate and restore backups.

Which solution meets the requirement with LEAST operational overhead?

Options:

A.

Use AWS Backup to create a backup schedule for the resources. Use AWS Backup to create a restoration testing plan for the required resources.

B.

Take snapshots of the EC2 instances and RDS DB instances. Create AWS Batch jobs to validate and restore the snapshots.

C.

Create a custom AWS Lambda function to take snapshots of the EC2 instances and RDS DB instances. Create a second Lambda function to restore the snapshots periodically to validate the backups.

D.

Take snapshots of the EC2 instances and RDS DB instances. Create an AWS Lambda function to restore the snapshots periodically to validate the backups.

Question 195

A company allows users to upload and store photos through its website. The website has users from all around the world. All images that users upload are stored in a centralized Amazon S3 bucket. The company wants to increase the speed in which its entire user base can upload photos through the website.

What should a solutions architect recommend to meet these requirements?

Options:

A.

Create an Amazon CloudFront distribution. Use the Amazon S3 Standard storage class to store files.

B.

Create an Amazon CloudFront distribution. Configure the distribution settings and origin.

C.

Configure S3 Transfer Acceleration on the S3 bucket. Use the standard S3 endpoint to upload files.

D.

Configure S3 Transfer Acceleration on the S3 bucket. Use the S3 Accelerate endpoint to upload files.

Question 196

A company needs a cloud-based solution for backup, recovery, and archiving while retaining encryption key material control.

Which combination of solutions will meet these requirements? (Select TWO)

Options:

A.

Create an AWS Key Management Service (AWS KMS) key without key material. Import the company ' s key material into the KMS key.

B.

Create an AWS KMS encryption key that contains key material generated by AWS KMS.

C.

Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Use S3 Bucket Keyswith AWS KMS keys.

D.

Store the data in an Amazon S3 Glacier storage class. Use server-side encryption with customer-provided keys (SSE-C).

E.

Store the data in AWS Snowball devices. Use server-side encryption with AWS KMS keys (SSE-KMS).

Question 197

A finance company uses scheduled scripts to store and visualize stock market data in an Amazon DynamoDB table. The company deletes records after a month to optimize costs. However, the company needs a cost-optimized solution to generate reports and visualizations based on historical data. Which solution will meet these requirements?

Options:

A.

Use an integration between DynamoDB and Amazon Redshift to load records directly into Amazon Redshift. Use the built-in Amazon Redshift query engine to generate reports and visualizations.

B.

Use Amazon Kinesis Data Streams and Amazon Data Firehose to stream DynamoDB records to an Amazon S3 bucket. Load the data into Amazon Redshift. Use the built-in Amazon Redshift query editor to query the data to generate reports and visualizations.

C.

Use Amazon Kinesis Data Streams and Amazon Data Firehose to stream DynamoDB records to an Amazon S3 bucket. Use Amazon Athena to query the data. Use Amazon QuickSight to generate reports and visualizations.

D.

Use AWS DMS to continuously copy DynamoDB records into an Amazon RDS database for long-term storage. Use Amazon QuickSight to generate reports and visualizations.

Question 198

A data science team needs storage for nightly log processing. The size and number of logs is unknown, and the logs persist for only 24 hours.

What is the MOST cost-effective solution?

Options:

A.

Amazon S3 Glacier Deep Archive

B.

Amazon S3 Standard

C.

Amazon S3 Intelligent-Tiering

D.

Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

Question 199

A company runs a containerized application on a Kubernetes cluster in an on-premises data center. The company is using a MongoDB database for data storage. The company wants to migrate some of these environments to AWS, but no code changes or deployment method changes are possible at this time. The company needs a solution that minimizes operational overhead.

Options:

A.

Use Amazon Elastic Container Service (Amazon ECS) with Amazon EC2 worker nodes for compute and MongoDB on EC2 for data storage.

B.

Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate for compute and Amazon DynamoDB for data storage.

C.

Use Amazon Elastic Kubernetes Service (Amazon EKS) with Amazon EC2 worker nodes for compute and Amazon DynamoDB for data storage.

D.

Use Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate for compute and Amazon DocumentDB (with MongoDB compatibility) for data storage.

Question 200

A solutions architect is building a static website hosted on Amazon S3. The website uses an Amazon Aurora PostgreSQL database accessed through an AWS Lambda function. The production website uses a Lambda alias that points to a specific version of the Lambda function.

Database credentials must rotate every 2 weeks. Previously deployed Lambda versions must always use the most recent credentials.

Which solution will meet these requirements?

Options:

A.

Store credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve credentials from Secrets Manager.

B.

Include the credentials in the Lambda function code and update the function regularly.

C.

Use Lambda environment variables and update them when new credentials are available.

D.

Store credentials in AWS Systems Manager Parameter Store. Turn on rotation. Write code to retrieve credentials from Parameter Store.

Question 201

A company is planning to deploy a business-critical application in the AWS Cloud. The application requires durable storage with consistent, low-latency performance.

Which type of storage should a solutions architect recommend to meet these requirements?

Options:

A.

Instance store volume

B.

Amazon ElastiCache (Memcached) cluster

C.

Provisioned IOPS SSD Amazon Elastic Block Store (Amazon EBS) volume

D.

Throughput Optimized HDD Amazon Elastic Block Store (Amazon EBS) volume

Question 202

A company is developing a latency-sensitive application. Part of the application includes several AWS Lambda functions that need to initialize as quickly as possible. The Lambda functions are written in Java and contain initialization code outside the handlers to load libraries, initialize classes, and generate unique IDs.

Which solution will meet the startup performance requirement MOST cost-effectively?

Options:

A.

Move all the initialization code to the handlers for each Lambda function. Activate Lambda SnapStart for each Lambda function. Configure SnapStart to reference the $LATEST version of each Lambda function.

B.

Publish a version of each Lambda function. Create an alias for each Lambda function. Configure each alias to point to its corresponding version. Set up provisioned concurrency configuration for each Lambda function to point to the corresponding alias.

C.

Publish a version of each Lambda function. Set up a provisioned concurrency configuration for each Lambda function to point to the corresponding version. Activate Lambda SnapStart for the published versions of the Lambda functions.

D.

Update the Lambda functions to add a pre-snapshot hook. Move the code that generates unique IDs into the handlers. Publish a version of each Lambda function. Activate Lambda SnapStart for the published versions of the Lambda functions.

Question 203

An ecommerce company wants to collect user clickstream data from the company ' s website for real-time analysis. The website experiences fluctuating traffic patterns throughout the day. The company needs a scalable solution that can adapt to varying levels of traffic.

Which solution will meet these requirements?

Options:

A.

Use a data stream in Amazon Kinesis Data Streams in on-demand mode to capture the clickstream data. Use AWS Lambda to process the data in real time.

B.

Use Amazon Data Firehose to capture the clickstream data. Use AWS Glue to process the data in real time.

C.

Use Amazon Kinesis Video Streams to capture the clickstream data. Use AWS Glue to process the data in real time.

D.

Use Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) to capture the clickstream data. Use AWS Lambda to process the data in real time.

Question 204

A company is migrating some workloads to AWS. However, many workloads will remain on premises. The on-premises workloads require secure and reliable connectivity to AWS with consistent, low-latency performance.

The company has deployed the AWS workloads across multiple AWS accounts and multiple VPCs. The company plans to scale to hundreds of VPCs within the next year.

The company must establish connectivity between each of the VPCs and from the on-premises environment to each VPC.

Which solution will meet these requirements?

Options:

A.

Use an AWS Direct Connect connection to connect the on-premises environment to AWS. Configure VPC peering to establish connectivity between VPCs.

B.

Use multiple AWS Site-to-Site VPN connections to connect the on-premises environment to AWS. Create a transit gateway to establish connectivity between VPCs.

C.

Use an AWS Direct Connect connection with a Direct Connect gateway to connect the on-premises environment to AWS. Create a transit gateway to establish connectivity between VPCs. Associate the transit gateway with the Direct Connect gateway.

D.

Use an AWS Site-to-Site VPN connection to connect the on-premises environment to AWS. Configure VPC peering to establish connectivity between VPCs.

Question 205

A company serves its website by using an Auto Scaling group of Amazon EC2 instances in a single AWS Region. The website does not require a database

The company is expanding, and the company ' s engineering team deploys the website to a second Region. The company wants to distribute traffic across both Regions to accommodate growth and for disaster recovery purposes The solution should not serve traffic from a Region in which the website is unhealthy.

Which policy or resource should the company use to meet these requirements?

Options:

A.

An Amazon Route 53 simple routing policy

B.

An Amazon Route 53 multivalue answer routing policy

C.

An Application Load Balancer in one Region with a target group that specifies the EC2 instance IDs from both Regions

D.

An Application Load Balancer in one Region with a target group that specifies the IP addresses of the EC2 instances from both Regions

Question 206

A company runs an application on premises. The application needs to periodically upload large files to an Amazon S3 bucket. A solutions architect needs a solution to provide the application with short-lived authenticated access to the S3 bucket. The solution must not use long-term credentials. The solution needs to be secure and scalable.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an IAM user that has an access key and a secret key. Store the keys on the on-premises server in an environment variable. Attach a policy to the IAM user that restricts access to only the S3 bucket.

B.

Configure an AWS Site-to-Site VPN connection from the on-premises environment to the company ' s VPC. Launch an Amazon EC2 instance with an instance profile. Route all file uploads from the on-premises application through the EC2 instance to the S3 bucket.

C.

Configure an S3 bucket policy to allow access for the on-premises server ' s public IP address. Configure the policy to allow PUT operations only from the server ' s IP address.

D.

Configure a trust relationship between the on-premises server and AWS Security Token Service (AWS STS). Generate credentials by assuming an IAM role for each upload operation.

Question 207

A company has an on-premises volume backup solution that is end of life. The company wants to use AWS as part of a new backup solution while maintaining local access to all data. The data must be automatically and securely transferred to AWS.

Which solution meets these requirements?

Options:

A.

Use AWS Snowball to migrate data to Amazon S3. Mount the Snowball S3 endpoint for local access.

B.

Use AWS Snowball Edge to migrate data to Amazon S3. Use the Snowball Edge file interface to provide local access.

C.

Use AWS Storage Gateway and configure a cached volume gateway. Run the gateway appliance on premises, cache a percentage of data locally, and mount gateway volumes for local access.

D.

Use AWS Storage Gateway and configure a stored volume gateway. Run the appliance on premises, map the gateway storage to on-premises disks, and mount gateway volumes for local access.

Question 208

A company has developed an API using an Amazon API Gateway REST API and AWS Lambda functions. The API serves static and dynamic content to users worldwide. The company wants to decrease the latency of transferring content for API requests.

Options:

Options:

A.

Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.

B.

Deploy the REST API as a Regional API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.

C.

Deploy the REST API as an edge-optimized API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.

D.

Deploy the REST API as a Regional API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.

Question 209

A company has a batch processing application that runs every day. The process typically takes an average 3 hours to complete. The application can handle interruptions and can resume the process after a restart. Currently, the company runs the application on Amazon EC2 On-Demand Instances.

The company wants to optimize costs while maintaining the same performance level.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Purchase a 1-year EC2 Instance Savings Plan for the appropriate instance family and size to meet the requirements of the application.

B.

Use EC2 On-Demand Capacity Reservations based on the appropriate instance family and size to meet the requirements of the application. Run the EC2 instances in an Auto Scaling group.

C.

Determine the appropriate instance family and size to meet the requirements of the application. Convert the application to run on AWS Batch with EC2 On-Demand Instances. Purchase a 1-year Compute Savings Plan.

D.

Determine the appropriate instance family and size to meet the requirements of the application. Convert the application to run on AWS Batch with EC2 Spot Instances.

Question 210

An online gaming company is transitioning user data storage to Amazon DynamoDB to support the company ' s growing user base. The current architecture includes DynamoDB tables that contain user profiles, achievements, and in-game transactions.

The company needs to design a robust, continuously available, and resilient DynamoDB architecture to maintain a seamless gaming experience for users.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create DynamoDB tables in a single AWS Region. Use on-demand capacity mode. Use global tables to replicate data across multiple Regions.

B.

Use DynamoDB Accelerator (DAX) to cache frequently accessed data. Deploy tables in a single AWS Region and enable auto scaling. Configure Cross-Region Replication manually to additional Regions.

C.

Create DynamoDB tables in multiple AWS Regions. Use on-demand capacity mode. Use DynamoDB Streams for Cross-Region Replication between Regions.

D.

Use DynamoDB global tables for automatic multi-Region replication. Deploy tables in multiple AWS Regions. Use provisioned capacity mode. Enable auto scaling.

Question 211

A company is developing a new application that uses Amazon EC2, Amazon S3, and AWS Lambda resources. The company wants to allow employees to access the AWS Management Console by using existing credentials that the company stores and manages in an on-premises Microsoft Active Directory. Each employee must have a specific level of access to the AWS resources that is based on the employee ' s role.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Configure AWS Directory Service to create an Active Directory in AWS Managed Microsoft AD. Establish a trust relationship with the on-premises Active Directory. Configure IAM roles and trust policies to give the employees access to the AWS resources.

B.

Use LDAP to directly integrate the on-premises Active Directory with IAM. Map Active Directory groups to IAM roles to control access to AWS resources.

C.

Implement a custom identity broker to authenticate users into the on-premises Active Directory. Configure the identity broker to use AWS STS to grant authorized users IAM role-based access to the AWS resources.

D.

Configure Amazon Cognito to federate users into the on-premises Active Directory. Use Cognito user pools to manage user identities and to manage user access to the AWS resources.

Question 212

A large financial services company uses Amazon ElastiCache (Redis OSS) for its new application that has a global user base. A solutions architect must develop a caching solution that will be available across AWS Regions and include low-latency replication and failover capabilities for disaster recovery (DR). The company ' s security team requires the encryption of cross-Region data transfers.

Which solution meets these requirements with the LEAST amount of operational effort?

Options:

A.

Enable cluster mode in ElastiCache (Redis OSS). Then create multiple clusters across Regions and replicate the cache data by using AWS Database Migration Service (AWS DMS). Promote a cluster in the failover Region to handle production traffic when DR is required.

B.

Create a global data store in ElastiCache (Redis OSS).Then create replica clusters in two other Regions. Promote one of the replica clusters as primary when DR is required.

C.

Disable cluster mode in ElastiCache (Redis OSS). Then create multiple replication groups across Regions and replicate the cache data by using AWS Database Migration Service (AWS DMS). Promote a replication group in the failover Region to primary when DR is required.

D.

Create a snapshot of ElastiCache (Redis OSS) in the primary Region and copy it to the failover Region. Use the snapshot to restore the cluster from the failover Region when DR is required.

Question 213

How can a company detect and notify security teams about PII in S3 buckets?

Options:

A.

Use Amazon Macie. Create an EventBridge rule for SensitiveData findings and send an SNS notification.

B.

Use Amazon GuardDuty. Create an EventBridge rule for CRITICAL findings and send an SNS notification.

C.

Use Amazon Macie. Create an EventBridge rule for SensitiveData:S3Object/Personal findings and send an SQS notification.

D.

Use Amazon GuardDuty. Create an EventBridge rule for CRITICAL findings and send an SQS notification.

Question 214

A home security company is expanding its business globally. The company needs to encrypt customer data. The company does not want to manage its own keys. The company needs the keys to be usable in multiple AWS Regions and needs to control access to the keys.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use AWS Key Management Service (AWS KMS) to create multi-Region keys. Apply tags to identify each key. Use attribute-based access control (ABAC) condition keys to control access to the keys.

B.

Use AWS Key Management Service (AWS KMS) to create multiple keys by importing key material. Apply tags to identify each key. Use attribute-based access control (ABAC) condition keys to control access to the keys.

C.

Use AWS CloudHSM to create a CloudHSM cluster in the company ' s primary Region. Synchronize the CloudHSM cluster to additional Regions by using the CloudHSM Management Utility (CMU).

D.

Use AWS CloudHSM to create users. Use the CloudHSM Management Utility (CMU) to share keys with the users. Use the shareKey command to share or unshare the key with additional users in each Region.

Question 215

A company wants to restrict access to the content of its web application. The company needs to protect the content by using authorization techniques that are available on AWS. The company also wants to implement a serverless architecture for authorization and authentication that has low login latency.

The solution must integrate with the web application and serve web content globally. The application currently has a small user base, but the company expects the application ' s user base to increase

Which solution will meet these requirements?

Options:

A.

Configure Amazon Cognito for authentication. Implement Lambda@Edge for authorization. Configure Amazon CloudFront to serve the web application globally

B.

Configure AWS Directory Service for Microsoft Active Directory for authentication. Implement AWS Lambda for authorization. Use an Application Load Balancer to serve the web application globally.

C.

Configure Amazon Cognito for authentication. Implement AWS Lambda for authorization Use Amazon S3 Transfer Acceleration to serve the web application globally.

D.

Configure AWS Directory Service for Microsoft Active Directory for authentication. Implement Lambda@Edge for authorization. Use AWS Elastic Beanstalk to serve the web application globally.

Question 216

A company is creating a payment processing application that supports TLS connections from IPv4 clients. The application requires outbound access to the public internet. The application must allow users to access the application from a single entry point while maintaining the lowest possible attack surface.

The company wants to use Amazon ECS tasks to deploy the application. The company wants to enable awsvpc network mode.

Which solution will meet these requirements?

Options:

A.

Create a VPC that has an internet gateway, public subnets, and private subnets. Deploy a Network Load Balancer (NLB) and a NAT gateway in the public subnets. Deploy the ECS tasks in the private subnets.

B.

Create a VPC that has an egress-only internet gateway, public subnets, and private subnets. Deploy an Application Load Balancer (ALB) and a NAT gateway in the public subnets. Deploy the ECS tasks in the private subnets.

C.

Create a VPC that has an internet gateway, public subnets, and private subnets. Deploy an Application Load Balancer (ALB) in the public subnets. Deploy the ECS tasks in the public subnets.

D.

Create a VPC that has an egress-only internet gateway, public subnets, and private subnets. Deploy a Network Load Balancer (NLB) in the public subnets. Deploy the ECS tasks in the public subnets.

Question 217

A company is planning to migrate a legacy application to AWS. The application currently uses NFS to communicate to an on-premises storage solution to store application data. The application cannot be modified to use any other communication protocols other than NFS for this purpose.

Which storage solution should a solutions architect recommend for use after the migration?

Options:

A.

AWS DataSync

B.

Amazon Elastic Block Store (Amazon EB5)

C.

Amazon Elastic File System (Amazon EF5)

D.

Amazon EMR File System (Amazon EMRFS)

Question 218

A company is designing the architecture for a new mobile app that uses the AWS Cloud. The company uses organizational units (OUs) in AWS Organizations to manage its accounts. The company wants to tag Amazon EC2 instances with data sensitivity by using values of sensitive and nonsensitive IAM identities must not be able to delete a tag or create instances without a tag

Which combination of steps will meet these requirements? (Select TWO.)

Options:

A.

In Organizations, create a new tag policy that specifies the data sensitivity tag key and the required values. Enforce the tag values for the EC2 instances Attach the tag policy to the appropriate OU.

B.

In Organizations, create a new service control policy (SCP) that specifies the data sensitivity tag key and the required tag values Enforce the tag values for the EC2 instances. Attach the SCP to the appropriate OU.

C.

Create a tag policy to deny running instances when a tag key is not specified. Create another tag policy that prevents identities from deleting tags Attach the tag policies to the appropriate OU.

D.

Create a service control policy (SCP) to deny creating instances when a tag key is not specified. Create another SCP that prevents identities from deleting tags Attach the SCPs to the appropriate OU.

E.

Create an AWS Config rule to check if EC2 instances use the data sensitivity tag and the specified values. Configure an AWS Lambda function to delete the resource if a noncompliant resource is found.

Question 219

A company runs all its business applications in the AWS Cloud. The company uses AWS Organizations to manage multiple AWS accounts.

A solutions architect needs to review all permissions that are granted to IAM users to determine which IAM users have more permissions than required.

Which solution will meet these requirements with the LEAST administrative overhead?

Options:

A.

Use Network Access Analyzer to review all access permissions in the company ' s AWS accounts.

B.

Create an AWS CloudWatch alarm that activates when an IAM user creates or modifies resources in an AWS account.

C.

Use AWS Identity and Access Management IAM Access Analyzer to review all the company ' s resources and accounts.

D.

Use Amazon Inspector to find vulnerabilities in existing IAM policies.

Question 220

A company wants to migrate its on-premises Oracle database to Amazon Aurora. The company wants to use a secure and encrypted network to transfer the data. Which combination of steps will meet these requirements? (Select TWO.)

Options:

A.

Use AWS Application Migration Service to migrate the data.

B.

Use AWS Schema Conversion Tool (AWS SCT) and AWS Database Migration Service (AWS DMS) to migrate the data.

C.

Use AWS Direct Connect SiteLink to transfer data from the on-premises environment to AWS.

D.

Use AWS Site-to-Site VPN to establish a connection to transfer the data from the on-premises environment to AWS.

E.

Use AWS App2Container to migrate the data.

Question 221

A company is migrating its databases to Amazon RDS for PostgreSQL. The company is migrating its applications to Amazon EC2 instances. The company wants to optimize costs for long-running workloads.

Which solution will meet this requirement MOST cost-effectively?

Options:

A.

Use On-Demand Instances for the Amazon RDS for PostgreSQL workloads. Purchase a 1 year Compute Savings Plan with the No Upfront option for the EC2 instances.

B.

Purchase Reserved Instances for a 1 year term with the No Upfront option for the Amazon RDS for PostgreSQL workloads. Purchase a 1 year EC2 Instance Savings Plan with the No Upfront option for the EC2 instances.

C.

Purchase Reserved Instances for a 1 year term with the Partial Upfront option for the Amazon RDS for PostgreSQL workloads. Purchase a 1 year EC2 Instance Savings Plan with the Partial Upfront option for the EC2 instances.

D.

Purchase Reserved Instances for a 3 year term with the All Upfront option for the Amazon RDS for PostgreSQL workloads. Purchase a 3 year EC2 Instance Savings Plan with the All Upfront option for the EC2 instances.

Question 222

A company ' s packaged application dynamically creates and returns single-use text files in response to user requests. The company is using Amazon CloudFront for distribution, but wants to further reduce data transfer costs. The company cannot modify the application ' s source code.

What should a solutions architect do to reduce costs?

Options:

A.

Use Lambda@Edge to compress the files as they are sent to users.

B.

Enable Amazon S3 Transfer Acceleration to reduce the response times.

C.

Enable caching on the CloudFront distribution to store generated files at the edge.

D.

Use Amazon S3 multipart uploads to move the files to Amazon S3 before returning them to users.

Question 223

A company wants to use Amazon S3 to back up its on-premises file storage solution. The company ' s on-premises file storage solution uses NFS, and the company wants its new solution to support NFS. The company wants to archive the backup files after 5 days. If the company needs archived files for disaster recovery, the company is willing to wait a few days for the retrieval of those files.

Which solution meets these requirements MOST cost-effectively?

Options:

A.

Deploy an AWS Storage Gateway file gateway that is associated with an S3 bucket. Move the files from the on-premises file storage solution to the file gateway. Create an S3 Lifecycle rule to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) after 5 days.

B.

Deploy an AWS Storage Gateway volume gateway that is associated with an S3 bucket. Move the files from the on-premises file storage solution to the volume gateway. Create an S3 Lifecycle rule to move the files to S3 Glacier Deep Archive after 5 days.

C.

Deploy an AWS Storage Gateway tape gateway that is associated with an S3 bucket. Move the files from the on-premises file storage solution to the tape gateway. Create an S3 Lifecycle rule to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) after 5 days.

D.

Deploy an AWS Storage Gateway file gateway that is associated with an S3 bucket. Move the files from the on-premises file storage solution to the file gateway. Create an S3 Lifecycle rule to move the files to S3 Glacier Deep Archive after 5 days.

Question 224

A company is designing a new internal web application in the AWS Cloud. The new application must securely retrieve and store multiple employee usernames and passwords from an AWS managed service.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Store the employee credentials in AWS Systems Manager Parameter Store. Use AWS CloudFormation and the BatchGetSecretValue API to retrieve usernames and passwords from Parameter Store.

B.

Store the employee credentials in AWS Secrets Manager. Use AWS CloudFormation and AWS Batch with the BatchGetSecretValue API to retrieve the usernames and passwords from Secrets Manager.

C.

Store the employee credentials in AWS Systems Manager Parameter Store. Use AWS CloudFormation and AWS Batch with the BatchGetSecretValue API to retrieve the usernames and passwords from Parameter Store.

D.

Store the employee credentials in AWS Secrets Manager. Use AWS CloudFormation and the BatchGetSecretValue API to retrieve the usernames and passwords from Secrets Manager.

Question 225

A company is running a web-based game in two Availability Zones in the us-west-2 Region. The web servers use an Application Load Balancer (ALB) in public subnets. The ALB has an SSL certificate from AWS Certificate Manager (ACM) with a custom domain name. The game is written in JavaScript and runs entirely in a user ' s web browser.

The game is increasing in popularity in many countries around the world. The company wants to update the application architecture and optimize costs without compromising performance.

What should a solutions architect do to meet these requirements?

Options:

A.

Use Amazon CloudFront and create a global distribution that points to the ALB. Reuse the existing certificate from ACM for the CloudFront distribution. Use Amazon Route 53 to update the application alias to point to the distribution.

B.

Use AWS CloudFormation to deploy the application stack to AWS Regions near countries where the game is popular. Use ACM to create a new certificate for each application instance. Use Amazon Route 53 with a geolocation routing policy to direct traffic to the local application instance.

C.

Use Amazon S3 and create an S3 bucket in AWS Regions near countries where the game is popular. Deploy the HTML and JavaScript files to each S3 bucket. Use ACM to create a new certificate for each S3 bucket. Use Amazon Route 53 with a geolocation routing policy to direct traffic to the local S3 bucket.

D.

Use Amazon S3 and create an S3 bucket in us-west-2. Deploy the HTML and JavaScript files to the S3 bucket. Use Amazon CloudFront and create a global distribution with the S3 bucket as the origin. Use ACM to create a new certificate for the distribution. Use Amazon Route 53 to update the application alias to point to the distribution.

Question 226

A company hosts a web application in a VPC on AWS. A public Application Load Balancer (ALB) forwards connections from the internet to an Auto Scaling group of Amazon EC2 instances. The Auto Scaling group runs in private subnets across four Availability Zones.

The company stores data in an Amazon S3 bucket in the same Region. The EC2 instances use NAT gateways in each Availability Zone for outbound internet connectivity.

The company wants to optimize costs for its AWS architecture.

Which solution will meet this requirement?

Options:

A.

Reconfigure the Auto Scaling group and the ALB to use two Availability Zones instead of four. Do not change the desired count or scaling metrics for the Auto Scaling group to maintain application availability.

B.

Create a new, smaller VPC that still has sufficient IP address availability to run the application. Redeploy the application stack in the new VPC. Delete the existing VPC and its resources.

C.

Deploy an S3 gateway endpoint to the VPC. Configure the EC2 instances to access the S3 bucket through the S3 gateway endpoint.

D.

Deploy an S3 interface endpoint to the VPC. Configure the EC2 instances to access the S3 bucket through the S3 interface endpoint.

Question 227

A company has an on-premises application that uses SFTP to collect financial data from multiple vendors. The company is migrating to the AWS Cloud. The company has created an application that uses Amazon S3 APIs to upload files from vendors.

Some vendors run their systems on legacy applications that do not support S3 APIs. The vendors want to continue to use SFTP-based applications to upload data. The company wants to use managed services for the needs of the vendors that use legacy applications.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an AWS Database Migration Service (AWS DMS) instance to replicate data from the storage of the vendors that use legacy applications to Amazon S3. Provide the vendors with the credentials to access the AWS DMS instance.

B.

Create an AWS Transfer Family endpoint for vendors that use legacy applications.

C.

Configure an Amazon EC2 instance to run an SFTP server. Instruct the vendors that use legacy applications to use the SFTP server to upload data.

D.

Configure an Amazon S3 File Gateway for vendors that use legacy applications to upload files to an SMB file share.

Question 228

A solutions architect needs to ensure that only resources in VPC vpc-11aabb22 can access an S3 bucket in account 123456789012 with Block Public Access enabled.

Which solution meets this requirement?

Options:

A.

Create a bucket policy with Deny and a Condition using " StringNotEquals " : { " aws:SourceVpc " : " vpc-11aabb22 " }.

B.

Create a bucket policy with Allow and Resource " arn:aws:ec2:us-west-2:123456789012:vpc/vpc-11aabb22 " .

C.

Create a bucket policy with Allow and a Condition using " StringNotEquals " : { " aws:SourceVpc " : " vpc-11aabb22 " }.

D.

Create a bucket policy with Deny and " StringNotEquals " : { " aws:PrincipalAccount " : " 123456789012 " }.

Question 229

A company runs its databases on Amazon RDS for PostgreSQL. The company wants a secure solution to manage the master user password by rotating the password every 30 days. Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use Amazon EventBridge to schedule a custom AWS Lambda function to rotate the password every 30 days.

B.

Use the modlfy-db-instance command in the AWS CLI to change the password.

C.

Integrate AWS Secrets Manager with Amazon RDS for PostgreSQL to automate password rotation.

D.

Integrate AWS Systems Manager Parameter Store with Amazon RDS for PostgreSQL to automate password rotation.

Question 230

A company needs to ensure that an IAM group that contains database administrators can perform operations only within Amazon RDS. The company must ensure that the members of the IAM group cannot access any other AWS services.

Options:

A.

Create an IAM policy that includes a statement that has the Effect " Allow " and the Action " rds: " . Attach the IAM policy to the IAM group.

B.

Create an IAM policy that includes two statements. Configure the first statement to have the Effect " Allow " and the Action " rds: " . Configure the second statement to have the Effect " Deny " and the Action " " . Attach the IAM policy to the IAM group.

C.

Create an IAM policy that includes a statement that has the Effect " Deny " and the NotAction " rds: " . Attach the IAM policy to the IAM group.

D.

Create an IAM policy with a statement that includes the Effect " Allow " and the Action " rds: " . Include a permissions boundary that has the Effect " Allow " and the Action " rds: " . Attach the IAM policy to the IAM group.

Question 231

A company wants to migrate an application that processes logs to AWS. Currently, the application runs on an on-premises storage area network (SAN).

The application reads and processes large log files sequentially. The application requires throughput of up to 500 MBps.

A solutions architect needs to migrate the application with minimal change to the application architecture.

Which solution will meet these requirements in the MOST cost-effective way?

Options:

A.

Use a General Purpose SSD (gp3) Amazon EBS volume with 500 MBps provisioned throughput.

B.

Use a Throughput Optimized HDD (st1) Amazon EBS volume with provisioned storage based on the throughput requirement.

C.

Use a Cold HDD (sc1) Amazon EBS volume with provisioned storage based on the throughput requirement.

D.

Use a Provisioned IOPS (io1) Amazon EBS volume with 500 MBps provisioned throughput.

Question 232

A company has an API that receives real-time data from a fleet of monitoring devices. The API stores this data in an Amazon RDS DB instance for later analysis. The amount of data that the monitoring devices send to the API fluctuates. During periods of heavy traffic, the API often returns timeout errors.

After an inspection of the logs, the company determines that the database is not capable of processing the volume of write traffic that comes from the API. A solutions architect must minimize the number of connections to the database and must ensure that data is not lost during periods of heavy traffic.

Options:

A.

Increase the size of the DB instance to an instance type that has more available memory.

B.

Modify the DB instance to be a Multi-AZ DB instance. Configure the application to write to all active RDS DB instances.

C.

Modify the API to write incoming data to an Amazon Simple Queue Service (Amazon SQS) queue. Use an AWS Lambda function that Amazon SQS invokes to write data from the queue to the database.

D.

Modify the API to write incoming data to an Amazon Simple Notification Service (Amazon SNS) topic. Use an AWS Lambda function that Amazon SNS invokes to write data from the topic to the database.

Question 233

A company is designing a microservice-based architecture tor a new application on AWS. Each microservice will run on its own set of Amazon EC2 instances. Each microservice will need to interact with multiple AWS services such as Amazon S3 and Amazon Simple Queue Service (Amazon SQS).

The company wants to manage permissions for each EC2 instance based on the principle of least privilege.

Which solution will meet this requirement?

Options:

A.

Assign an IAM user to each micro-service. Use access keys stored within the application code to authenticate AWS service requests.

B.

Create a single IAM role that has permission to access all AWS services. Associate the IAM role with all EC2 instances that run the microservices

C.

Use AWS Organizations to create a separate account for each microservice. Manage permissions at the account level.

D.

Create individual IAM roles based on the specific needs of each microservice. Associate the IAM roles with the appropriate EC2 instances.

Question 234

A company is developing a photo-hosting application in the us-east-1 Region. The application gives users across multiple countries the ability to upload and view photos. Some photos are heavily viewed for months, while other photos are viewed for less than a week. The application allows users to upload photos that are up to 20 MB in size. The application uses photo metadata to determine which photos to display to each user.

The company needs a cost-effective storage solution to support the application.

Options:

A.

Store the photos in Amazon DynamoDB. Turn on DynamoDB Accelerator (DAX).

B.

Store the photos in the Amazon S3 Intelligent-Tiering storage class. Store the photo metadata and the S3 location URLs in Amazon DynamoDB.

C.

Store the photos in the Amazon S3 Standard storage class. Set up an S3 Lifecycle policy to move photos older than 30 days to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Use object tags to keep track of metadata.

D.

Store the photos in an Amazon DynamoDB table. Use the DynamoDB Standard-Infrequent Access (DynamoDB Standard-IA) storage class. Store the photo metadata in Amazon ElastiCache.

Question 235

A company is migrating applications from an on-premises Microsoft Active Directory that the company manages to AWS. The company deploys the applications in multiple AWS accounts. The company uses AWS Organizations to manage the accounts centrally.

The company ' s security team needs a single sign-on solution across all the company ' s AWS accounts. The company must continue to manage users and groups that are in the on-premises Active Directory

Which solution will meet these requirements?

Options:

A.

Create an Enterprise Edition Active Directory in AWS Directory Service for Microsoft Active Directory. Configure the Active Directory to be the identity source for AWS IAM Identity Center

B.

Enable AWS IAM Identity Center. Configure a two-way forest trust relationship to connect the company ' s self-managed Active Directory with IAM Identity Center by using AWS Directory Service for Microsoft Active Directory.

C.

Use AWS Directory Service and create a two-way trust relationship with the company ' s self-managed Active Directory.

D.

Deploy an identity provider (IdP) on Amazon EC2. Link the IdP as an identity source within AWS IAM Identity Center.

Question 236

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company is building a product that spans multiple accounts. Developers at the company who work in multiple accounts need to give AWS Lambda functions access to write logs to an Amazon S3 bucket that is in a central logging account.

Which solution will meet this requirement in the MOST secure way?

Options:

A.

Create an IAM role in the central logging account that has write access to the S3 bucket. Create a trust policy that allows AWS Lambda functions in accounts within the organization to assume the IAM role.

B.

Create an IAM user in the central logging account that has full access to the S3 bucket. Create an S3 bucket policy that allows the IAM user to write to the S3 bucket. Use the IAM user access key and secret key credentials as environment variables.

C.

Create an S3 bucket policy for the S3 bucket in the central logging account. Configure the bucket policy to allow full access for AWS Lambda.

D.

Create an IAM user for each developer in the central logging account. Create an S3 bucket policy for the S3 bucket in the central logging account that allows full access for each IAM user.

Question 237

A company runs an application that consists of multiple microservices. The company mandates that the microservices use messages to communicate with each other. The application must archive the microservices ' messages for 30 days.

Which solution will meet these requirements with the LEAST amount of development effort?

Options:

A.

Use an Amazon EventBridge event bus to route messages between the microservices. Use message filtering to ensure that each microservice receives only messages that are relevant to each microservice. Create an archive in Amazon EventBridge to store the messages for 30 days.

B.

Use a single Amazon SNS topic to distribute the messages. Subscribe each microservice to the topic. Use message filtering to ensure that each microservice receives only messages that are relevant to each microservice. Use an Amazon SQS queue to store the messages for 30 days.

C.

Use a single Amazon SNS topic to distribute the messages. Subscribe each microservice to the topic. Use message filtering to ensure that each microservice receives only messages that are relevant to each microservice. Store messages in an Amazon S3 bucket for 30 days.

D.

Create a private Amazon API Gateway HTTP API for the microservices to send messages. Use an AWS Lambda function to forward the messages to the appropriate microservices based on query parameters. Archive messages in Amazon S3 for 30 days.

Question 238

A company runs a monolithic application in its on-premises data center. The company used Java/Tomcat to build the application. The application uses Microsoft SQL Server as a database.

The company wants to migrate the application to AWS.

Which solution will meet this requirement with the LEAST operational overhead?

Options:

A.

Use AWS App2Container to containerize the application. Deploy the application on Amazon Elastic Kubernetes Service (Amazon EKS). Deploy the database to Amazon RDS for SQL Server. Configure a Multi-AZ deployment.

B.

Containerize the application and deploy the application on a self-managed Kubernetes cluster on an Amazon EC2 instance. Deploy the database on a separate EC2 instance. Set up Microsoft SQL Server Always On availability groups.

C.

Deploy the frontend of the web application as a website on Amazon S3. Use Amazon DynamoDB for the database tier.

D.

Use AWS App2Container to containerize the application. Deploy the application on Amazon Elastic Kubernetes Service (Amazon EKS). Use Amazon DynamoDB for the database tier.

Question 239

An application has performance issues due to increased demand. The demand is on read-only historical records in Amazon RDS using custom queries. The company wants improved performance without changing database structure and with minimal management overhead.

Which approach meets the requirement?

Options:

A.

Deploy DynamoDB and move all data.

B.

Deploy Amazon ElastiCache (Redis OSS) and cache application data.

C.

Deploy Memcached on EC2 and cache data.

D.

Deploy DynamoDB Accelerator (DAX) on Amazon RDS.

Question 240

A company has Amazon EC2 instances that run nightly batch jobs to process data. The EC2 instances run in an Auto Scaling group that uses On-Demand billing. If a job fails on one instance, another instance will reprocess the job. The batch jobs run between 12:00 AM and 06:00 AM local time every day.

Which solution will provide EC2 instances to meet these requirements MOST cost-effectively?

Options:

A.

Purchase a 1-year Savings Plan for Amazon EC2 that covers the instance family of the Auto Scaling group that the batch job uses.

B.

Purchase a 1-year Reserved Instance for the specific instance type and operating system of the instances in the Auto Scaling group that the batch job uses.

C.

Create a new launch template for the Auto Scaling group. Set the instances to Spot Instances. Set a policy to scale out based on CPU usage.

D.

Create a new launch template for the Auto Scaling group. Increase the instance size. Set a policy to scale out based on CPU usage.

Question 241

A company is migrating mobile banking applications to run on Amazon EC2 instances in a VPC. Backend service applications run in an on-premises data center. The data center has an AWS Direct Connect connection into AWS. The applications that run in the VPC need to resolve DNS requests to an on-premises Active Directory domain that runs in the data center.

Which solution will meet these requirements with the LEAST administrative overhead?

Options:

A.

Provision a set of EC2 instances across two Availability Zones in the VPC as caching DNS servers to resolve DNS queries from the application servers within the VPC.

B.

Provision an Amazon Route 53 private hosted zone. Configure NS records that point to on-premises DNS servers.

C.

Create DNS endpoints by using Amazon Route 53 Resolver. Add conditional forwarding rules to resolve DNS namespaces between the on-premises data center and the VPC.

D.

Provision a new Active Directory domain controller in the VPC with a bidirectional trust between this new domain and the on-premises Active Directory domain.

Question 242

Question:

A company recently migrated a large amount of research data to an Amazon S3 bucket. The company needs an automated solution to identify sensitive data in the bucket. A security team also needs to monitor access patterns for the data 24 hours a day, 7 days a week to identify suspicious activities or evidence of tampering with security controls.

Options:

Options:

A.

Set up AWS CloudTrail reporting, and grant the security team read-only access to the CloudTrail reports. Set up an Amazon S3 Inventory report to identify sensitive data. Review the findings with the security team.

B.

Enable Amazon Macie and Amazon GuardDuty on the account. Grant the security team access to Macie and GuardDuty. Review the findings with the security team.

C.

Set up an Amazon S3 Inventory report. Use Amazon Athena and Amazon QuickSight to identify sensitive data. Create a dashboard for the security team to review findings.

D.

Use AWS Identity and Access Management (IAM) Access Advisor to monitor for suspicious activity and tampering. Create a dashboard for the security team. Set up an Amazon S3 Inventory report to identify sensitive data. Review the findings with the security team.

Question 243

An automobile company collects several terabytes of sensor data from vehicles every day and stores the data in Amazon S3. The company wants to use Amazon SageMaker AI and the sensor data to run an inference model.

The company needs to pre-process the data to remove noise or bias that interferes with inference. The company wants to run the inference model once each week.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use AWS Batch to pre-process the data. Use a SageMaker AI processing job to run the inference workloads.

B.

Use Amazon EMR to pre-process the data. Use a SageMaker AI processing job to run the inference workloads.

C.

Use a SageMaker AI batch transform job to pre-process the data and to run the inference workloads.

D.

Use AWS Glue to pre-process the data. Use a SageMaker AI processing job to run the inference workloads.

Question 244

A company that uses AWS Organizations runs 150 applications across 30 different AWS accounts. The company used AWS Cost and Usage Report to create a new report in the management account. The report is delivered to an Amazon S3 bucket that is replicated to a bucket in the data collection account.

The company ' s senior leadership wants to view a custom dashboard that provides NAT gateway costs each day starting at the beginning of the current month.

Which solution will meet these requirements?

Options:

A.

Share an Amazon QuickSight dashboard that includes the requested table visual. Configure QuickSight to use AWS DataSync to query the new report.

B.

Share an Amazon QuickSight dashboard that includes the requested table visual. Configure QuickSight to use Amazon Athena to query the new report.

C.

Share an Amazon CloudWatch dashboard that includes the requested table visual. Configure CloudWatch to use AWS DataSync to query the new report.

D.

Share an Amazon CloudWatch dashboard that includes the requested table visual. Configure CloudWatch to use Amazon Athena to query the new report.

Question 245

A company wants to run big data workloads on Amazon EMR. The workloads need to process terabytes of data in memory.

A solutions architect needs to identify the appropriate EMR cluster instance configuration for the workloads.

Which solution will meet these requirements?

Options:

A.

Use a storage optimized instance for the primary node. Use compute optimized instances for core nodes and task nodes.

B.

Use a memory optimized instance for the primary node. Use storage optimized instances for core nodes and task nodes.

C.

Use a general purpose instance for the primary node. Use memory optimized instances for core nodes and task nodes.

D.

Use general purpose instances for the primary, core, and task nodes.

Question 246

A company plans to deploy an application that uses an Amazon CloudFront distribution. The company will set an Application Load Balancer (ALB) as the origin for the distribution. The company wants to ensure that users access the ALB only through the CloudFront distribution. The company plans to deploy the solution in a new VPC.

Which solution will meet these requirements?

Options:

A.

Configure the network ACLs in the subnet where the ALB is deployed to allow inbound traf-fic only from the public IP addresses of the CloudFront edge locations.

B.

Create a VPC origin for the CloudFront distribution. Set the VPC origin Amazon Resource Name (ARN) to the ARN of the ALB.

C.

Create a security group that allows only inbound traffic from the public IP addresses of the CloudFront edge locations. Associate the security group with the ALB.

D.

Create a VPC origin for the CloudFront distribution. Configure an ALB rule. Set the source IP condition to allow traffic only from the public IP addresses of the CloudFront edge locations.

Question 247

A solutions architect runs a web application on multiple Amazon EC2 instances that are in individual target groups behind an Application Load Balancer (ALB). Users can reach the application through a public website.

The solutions architect wants to allow engineers to use a development version of the website to access one specific development EC2 instance to test new features for the application. The solutions architect wants to use an Amazon Route 53 hosted zone to give the engineers access to the development instance. The solution must automatically route to the development instance even if the development instance is replaced.

Which solution will meet these requirements?

Options:

A.

Create an A record for the development website that has the value set to the ALB. Create a listener rule on the ALB that forwards requests for the development website to the target group that contains the development instance.

B.

Recreate the development instance with a public IP address. Create an A record for the development website that has the value set to the public IP address of the development instance.

C.

Create an A record for the development website that has the value set to the ALB. Create a listener rule on the ALB to redirect requests for the development website to the public IP address of the development instance.

D.

Place all the instances in the same target group. Create an A record for the development website. Set the value to the ALB. Create a listener rule on the ALB that forwards requests for the development website to the target group.

Question 248

A company maintains its accounting records in a custom application that runs on Amazon EC2 instances. The company needs to migrate the data to an AWS managed service for development and maintenance of the application data. The solution must require minimal operational support and provide immutable, cryptographically verifiable logs of data changes.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Copy the records from the application into an Amazon Redshift cluster.

B.

Copy the records from the application into an Amazon Neptune cluster.

C.

Copy the records from the application into an Amazon Timestream database.

D.

Copy the records from the application into an Amazon Quantum Ledger Database (Amazon QLDB) ledger.

Question 249

A company runs its production workload on Amazon EC2 instances with Amazon Elastic Block Store (Amazon EBS) volumes. A solutions architect needs to analyze the current EBS volume cost and to recommend optimizations. The recommendations need to include estimated monthly saving opportunities.

Which solution will meet these requirements?

Options:

A.

Use Amazon Inspector reporting to generate EBS volume recommendations for optimization.

B.

Use AWS Systems Manager reporting to determine EBS volume recommendations for optimization.

C.

Use Amazon CloudWatch metrics reporting to determine EBS volume recommendations for optimization.

D.

Use AWS Compute Optimizer to generate EBS volume recommendations for optimization.

Question 250

An ecommerce company hosts an application on AWS across multiple Availability Zones. The application experiences uniform load throughout most days.

The company hosts some components of the application in private subnets. The components need to access the internet to install and update patches.

A solutions architect needs to design a cost-effective solution that provides secure outbound internet connectivity for private subnets across multiple Availability Zones. The solution must maintain high availability.

Options:

A.

Deploy one NAT gateway in each Availability Zone. Configure the route table for each pri-vate subnet within an Availability Zone to route outbound traffic through the NAT gateway in the same Availability Zone.

B.

Place one NAT gateway in a designated Availability Zone within the VPC. Configure the route tables of the private subnets in each Availability Zone to direct outbound traffic specifi-cally through the NAT gateway for internet access.

C.

Deploy an Amazon EC2 instance in a public subnet. Configure the EC2 instance as a NAT instance. Set up the instance with security groups that allow inbound traffic from private sub-nets and outbound internet access. Configure route tables to direct traffic from the private sub-nets through the NAT instance.

D.

Use one NAT Gateway in a Network Load Balancer (NLB) target group. Configure private subnets in each Availability Zone to route traffic to the NLB for outbound internet access.

Question 251

A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year.

Which solution meets these requirements and is the MOST operationally efficient?

Options:

A.

Server-side encryption with customer-provided keys (SSE-C)

B.

Server-side encryption with Amazon S3 managed keys (SSE-S3)

C.

Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation

D.

Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation

Question 252

A global company hosts its web application on Amazon EC2 instances behind an Application Load Balancer ALB. The web application has static data and dynamic data. The company stores its static data in an Amazon S3 bucket. The company wants to improve performance and reduce latency for the static data and dynamic data. The company is using its own domain name registered with Amazon Route 53.

What should a solutions architect do to meet these requirements?

Options:

A.

Create an Amazon CloudFront distribution that has the S3 bucket and the ALB as origins. Configure Route 53 to route traffic to the CloudFront distribution.

B.

Create an Amazon CloudFront distribution that has the ALB as an origin. Create an AWS Global Accelerator standard accelerator that has the S3 bucket as an endpoint. Configure Route 53 to route traffic to the CloudFront distribution.

C.

Create an Amazon CloudFront distribution that has the S3 bucket as an origin. Create an AWS Global Accelerator standard accelerator that has the ALB and the CloudFront distribution as endpoints. Create a custom domain name that points to the accelerator DNS name. Use the custom domain name as an endpoint for the web application.

D.

Create an Amazon CloudFront distribution that has the ALB as an origin. Create an AWS Global Accelerator standard accelerator that has the S3 bucket as an endpoint. Create two domain names. Point one domain name to the CloudFront DNS name for dynamic content. Point the other domain name to the accelerator DNS name for static content. Use the domain names as endpoints for the web application.

Question 253

A company needs an automated solution to detect cryptocurrency mining activity on Amazon EC2 instances. The solution must automatically isolate any identified EC2 instances for forensic analysis.

Which solution will meet these requirements?

Options:

A.

Create an Amazon EventBridge rule that runs when Amazon GuardDuty detects cryptocurrency mining activity. Configure the rule to invoke an AWS Lambda function to isolate the identified EC2 instances.

B.

Create an AWS Security Hub custom action that runs when Amazon GuardDuty detects cryptocurrency mining activity. Configure the custom action to invoke an AWS Lambda function to isolate the identified EC2 instances.

C.

Create an Amazon Inspector rule that runs when Amazon GuardDuty detects cryptocurrency mining activity. Configure the rule to invoke an AWS Lambda function to isolate the identified EC2 instances.

D.

Create an AWS Config custom rule that runs when AWS Config detects cryptocurrency mining activity. Configure the rule to invoke an AWS Lambda function to isolate the identified EC2 instances.

Question 254

A company needs to archive an on-premises relational database. The company wants to retain the data. The company needs to be able to run SQL queries on the archived data to create annual reports.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use AWS DMS to migrate the on-premises database to an Amazon RDS instance. Retire the on-premises database. Maintain the RDS instance in a stopped state until the data is needed for reports.

B.

Set up database replication from the on-premises database to an Amazon EC2 instance. Retire the on-premises database. Make a snapshot of the EC2 instance. Maintain the EC2 instance in a stopped state until the data is needed for reports.

C.

Create a database backup on premises. Use AWS DataSync to transfer the data to Amazon S3. Create an S3 Lifecycle configuration to move the data to S3 Glacier Deep Archive. Restore the backup to Amazon EC2 instances to run reports.

D.

Use AWS DMS to migrate the on-premises databases to Amazon S3 in Apache Parquet format. Store the data in S3 Glacier Flexible Retrieval. Use Amazon Athena to run reports.

Question 255

A company runs its application by using Amazon EC2 instances and AWS Lambda functions. The EC2 instances run in private subnets of a VPC. The Lambda functions need direct network access to the EC2 instances for the application to work.

The application will run for 1 year. The number of Lambda functions that the application uses will increase during the 1-year period. The company must minimize costs on all application resources.

Which solution will meet these requirements?

Options:

A.

Purchase an EC2 Instance Savings Plan. Connect the Lambda functions to the private sub-nets that contain the EC2 instances.

B.

Purchase an EC2 Instance Savings Plan. Connect the Lambda functions to new public sub-nets in the same VPC where the EC2 instances run.

C.

Purchase a Compute Savings Plan. Connect the Lambda functions to the private subnets that contain the EC2 instances.

D.

Purchase a Compute Savings Plan. Keep the Lambda functions in the Lambda service VPC.

Question 256

A company stores 5 PB of archived data on physical tapes. The company needs to preserve the data for another 10 years. The data center that stores the tapes has a 10 Gbps Direct Connect connection to an AWS Region. The company wants to migrate the data to AWS within the next 6 months.

Options:

A.

Read the data from the tapes on premises. Use local storage to stage the data. Use AWS DataSync to migrate the data to Amazon S3 Glacier Flexible Retrieval storage.

B.

Use an on-premises backup application to read the data from the tapes. Use the backup application to write directly to Amazon S3 Glacier Deep Archive storage.

C.

Order multiple AWS Snowball Edge devices. Copy the physical tapes to virtual tapes on the Snowball Edge devices. Ship the Snowball Edge devices to AWS. Create an S3 Lifecycle policy to move the tapes to Amazon S3 Glacier Instant Retrieval storage.

D.

Configure an on-premises AWS Storage Gateway Tape Gateway. Create virtual tapes in the AWS Cloud. Use backup software to copy the physical tapes to the virtual tapes. Move the virtual tapes to Amazon S3 Glacier Deep Archive storage.

Question 257

A company has an application that processes information from documents that users upload. When a user uploads a new document to an Amazon S3 bucket, an AWS Lambda function is invoked. The Lambda function processes information from the documents.

The company discovers that the application did not process many recently uploaded documents. The company wants to ensure that the application processes each document with retries if there is an error during the first attempt to process the document.

Which solution will meet these requirements?

Options:

A.

Create an Amazon API Gateway REST API that has a proxy integration to the Lambda function. Update the application to send requests to the REST API.

B.

Configure a replication policy on the S3 bucket to stage the documents in another S3 bucket that an AWS Batch job processes on a daily schedule.

C.

Deploy an Application Load Balancer in front of the Lambda function that processes the documents.

D.

Configure an Amazon Simple Queue Service (Amazon SQS) queue as an event source for the Lambda function. Configure an S3 event notification on the S3 bucket to send new document upload events to the SQS queue.

Question 258

A consulting company provides professional services to customers worldwide. The company provides solutions and tools for customers to expedite gathering and analyzing data on AWS. The company needs to centrally manage and deploy a common set of solutions and tools for customers to use for self-service purposes.

Which solution will meet these requirements?

Options:

A.

Create AWS Cloud Formation templates for the customers.

B.

Create AWS Service Catalog products for the customers.

C.

Create AWS Systems Manager templates for the customers.

D.

Create AWS Config items for the customers.

Question 259

A company runs an on-premises application on a Kubernetes cluster. The company recently added millions of new customers. The company ' s existing on-premises infrastructure is unable to handle the large number of new customers. The company needs to migrate the on-premises application to the AWS Cloud.

The company will migrate to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The company does not want to manage the underlying compute infrastructure for the new architecture on AWS.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use a self-managed node to supply compute capacity. Deploy the application to the new EKS cluster.

B.

Use managed node groups to supply compute capacity. Deploy the application to the new EKS cluster.

C.

Use AWS Fargate to supply compute capacity. Create a Fargate profile. Use the Fargate profile to deploy the application.

D.

Use managed node groups with Karpenter to supply compute capacity. Deploy the application to the new EKS cluster.

Question 260

A company is building a critical data processing application that will run on Amazon EC2 instances. The company must not run any two nodes on the same underlying hardware. The company requires at least 99.99% availability for the application.

Which solution will meet these requirements?

Options:

A.

Deploy the application to one Availability Zone by using a cluster placement group strategy.

B.

Deploy the application to three Availability Zones by using a spread placement group strategy.

C.

Deploy the application to three Availability Zones by using a cluster placement group strategy.

D.

Deploy the application to one Availability Zone by using a partition placement group strategy.

Question 261

A company wants to release a new device that will collect data to track overnight sleep on an intelligent mattress. Sensors will send data that will be uploaded to an Amazon S3 bucket. Each mattress generates about 2 MB of data each night.

An application must process the data and summarize the data for each user. The application must make the results available as soon as possible. Every invocation of the application will require about 1 GB of memory and will finish running within 30 seconds.

Which solution will run the application MOST cost-effectively?

Options:

A.

AWS Lambda with a Python script

B.

AWS Glue with a Scala job

C.

Amazon EMR with an Apache Spark script

D.

AWS Glue with a PySpark job

Question 262

A company creates a VPC that has one public subnet and one private subnet. The company attaches an internet gateway to the VPC. An Application Load Balancer (ALB) in the public subnet communicates with Amazon EC2 instances in the private subnet.

The EC2 instances in the private subnet must be able to download operating system and application updates from the internet. The instances must not be accessible from the internet.

Which combination of steps will meet these requirements? (Select THREE.)

Options:

A.

Associate an Elastic IP address with the NAT gateway.

B.

Add a route of 0.0.0.0/0 to the private subnet route table. Set the NAT gateway as a target.

C.

Deploy a NAT gateway in the public subnet.

D.

Deploy a NAT gateway in the private subnet.

E.

Add a route of 0.0.0.0/0 to the public subnet route table. Set the NAT gateway as a target.

F.

Associate an Elastic IP address with the internet gateway.

Question 263

A website runs on Amazon EC2 behind an ALB with Amazon CloudFront in front. The site is receiving a high rate of unwanted requests from specific IP addresses.

How should the solutions architect address this problem?

Options:

A.

Use AWS Shield to configure IP deny rules.

B.

Increase Auto Scaling capacity.

C.

Configure VPC network ACL deny rules.

D.

Use AWS WAF with a rate-based rule on the CloudFront distribution.

Question 264

A company has a multi-tier web application. The application ' s internal service components are deployed on Amazon EC2 instances. The internal service components need to access third-party software as a service (SaaS) APIs that are hosted on AWS.

The company needs to provide secure and private connectivity from the application ' s internal services to the third-party SaaS application. The company needs to ensure that there is minimal public internet exposure.

Which solution will meet these requirements?

Options:

A.

Implement an AWS Site-to-Site VPN to establish a secure connection with the third-party SaaS provider.

B.

Deploy AWS Transit Gateway to manage and route traffic between the application ' s VPC and the third-party SaaS provider.

C.

Configure AWS PrivateLink to allow only outbound traffic from the VPC without enabling the third-party SaaS provider to establish a return path to the network.

D.

Use AWS PrivateLink to create a private connection between the application ' s VPC and the third-party SaaS provider.

Question 265

A company wants to deploy its containerized application workloads to a VPC across three Availability Zones. The company needs a solution that is highly available across Availability Zones. The solution must require minimal changes to the application.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use Amazon ECS. Configure Amazon ECS Service Auto Scaling to use target tracking scaling. Set the minimum capacity to 3. Set the task placement strategy type to spread with an Availability Zone attribute.

B.

Use Amazon EKS self-managed nodes. Configure Application Auto Scaling to use target tracking scaling. Set the minimum capacity to 3.

C.

Use Amazon EC2 Reserved Instances. Launch three EC2 instances in a spread placement group. Configure an Auto Scaling group to use target tracking scaling. Set the minimum capacity to 3.

D.

Use an AWS Lambda function. Configure the Lambda function to connect to a VPC. Configure Application Auto Scaling to use Lambda as a scalable target. Set the minimum capacity to 3.

Question 266

A company is migrating a distributed application to AWS. The application serves variable workloads. The legacy platform consists of a primary server that coordinates jobs across multiple compute nodes. The company wants to modernize the application with a solution that maximizes resiliency and scalability.

How should a solutions architect design the architecture to meet these requirements?

Options:

A.

Configure an Amazon Simple Queue Service (Amazon SQS) queue as a destination for the jobs. Implement the compute nodes with Amazon EC2 instances that are managed in an Auto Scaling group. Configure EC2 Auto Scaling to use scheduled scaling.

B.

Configure an Amazon Simple Queue Service (Amazon SQS) queue as a destination for the jobs. Implement the compute nodes with Amazon EC2 instances that are managed in an Auto Scaling group. Configure EC2 Auto Scaling based on the size of the queue.

C.

Implement the primary server and the compute nodes with Amazon EC2 instances that are managed in an Auto Scaling group. Configure AWS CloudTrail as a destination for the jobs. Configure EC2 Auto Scaling based on the load on the primary server.

D.

Implement the primary server and the compute nodes with Amazon EC2 instances that are managed in an Auto Scaling group. Configure Amazon EventBridge as a destination for the jobs. Configure EC2 Auto Scaling based on the load on the compute nodes.

Question 267

A company tracks customer satisfaction by using surveys that the company hosts on its website. The surveys sometimes reach thousands of customers every hour. Survey results are currently sent in email messages to the company so company employees can manually review results and assess customer sentiment.

The company wants to automate the customer survey process. Survey results must be available for the previous 12 months.

Which solution will meet these requirements in the MOST scalable way?

Options:

A.

Send the survey results data to an Amazon API Gateway endpoint that is connected to an Amazon Simple Queue Service (Amazon SQS) queue. Create an AWS Lambda function to poll the SQS queue, call Amazon Comprehend for sentiment analysis, and save the results to an Amazon DynamoDB table. Set the TTL for all records to 365 days in the future.

B.

Send the survey results data to an API that is running on an Amazon EC2 instance. Configure the API to store the survey results as a new record in an Amazon DynamoDB table, call Amazon Comprehend for sentiment analysis, and save the results in a second DynamoDB table. Set the TTL for all records to 365 days in the future.

C.

Write the survey results data to an Amazon S3 bucket. Use S3 Event Notifications to invoke an AWS Lambda function to read the data and call Amazon Rekognition for sentiment analysis. Store the sentiment analysis results in a second S3 bucket. Use S3 Lifecycle policies on each bucket to expire objects after 365 days.

D.

Send the survey results data to an Amazon API Gateway endpoint that is connected to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the SQS queue to invoke an AWS Lambda function that calls Amazon Lex for sentiment analysis and saves the results to an Amazon DynamoDB table. Set the TTL for all records to 365 days in the future.

Question 268

A solutions architect is creating a data reporting application that will send traffic through third-party network firewalls in an AWS security account. The firewalls and application servers must be load balanced.

The application uses TCP connections to generate reports. The reports can run for several hours and can be idle for up to 1 hour. The reports must not time out during an idle period.

Which solution will meet these requirements?

Options:

A.

Use a Gateway Load Balancer (GWLB) for the firewalls. Use an Application Load Balancer (ALB) for the application servers. Set the ALB idle timeout period to 1 hour.

B.

Use a single firewall in the security account. Use an Application Load Balancer (ALB) for the application servers. Set the ALB idle timeout and firewall idle timeout periods to 1 hour.

C.

Use a Gateway Load Balancer (GWLB) for the firewalls. Use an Application Load Balancer (ALB) for the application servers. Set the idle timeout periods for the ALB, the GWLB, and the firewalls to 1 hour.

D.

Use a Gateway Load Balancer (GWLB) for the firewalls. Use an Application Load Balancer (ALB) for the application servers. Configure the ALB idle timeout period to 1 hour. Increase the application server capacity to finish the report generation faster.

Question 269

A company uses Amazon EC2 instances and stores data on Amazon Elastic Block Store (Amazon EBS) volumes. The company must ensure that all data is encrypted at rest by using AWS Key Management Service (AWS KMS). The company must be able to control rotation of the encryption keys.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create a customer managed key Use the key to encrypt the EBS volumes.

B.

Use an AWS managed key to encrypt the EBS volumes. Use the key to configure automatic key rotation.

C.

Create an external KMS key with imported key material. Use the key to encrypt the EBS volumes.

D.

Use an AWS owned key to encrypt the EBS volumes.

Question 270

A company is developing an application that uses an Amazon Aurora MySQL database. The company plans to regularly make changes to the MySQL database schema to test new features. The tests must not affect the existing production database.

When the company finishes testing, a developer needs to replicate the changes to the production database. The solution must cause minimal downtime.

Which solution will meet these requirements?

Options:

A.

Create a new staging Aurora MySQL database cluster based on the existing database. Make the schema changes to the new staging database cluster to test the new features.

B.

Create a read replica based on the existing Aurora MySQL database. Make the schema changes to the read replica. Promote the read replica to primary after successful testing.

C.

Create a blue/green deployment of the Aurora MySQL database. Make schema changes in the staging environment to test new features. Direct traffic from the green environment to the blue environment when testing is complete.

D.

Replicate the Aurora MySQL database to an Amazon DynamoDB table. Make the schema changes to the DynamoDB table to test the new features. Configure the application to use the DynamoDB table when testing is complete.

Question 271

A company decides to use AWS Key Management Service (AWS KMS) for data encryption operations. The company must create a KMS key and automate the rotation of the key. The company also needs the ability to deactivate the key and schedule the key for deletion.

Which solution will meet these requirements?

Options:

A.

Create an asymmetric customer managed KMS key. Enable automatic key rotation.

B.

Create a symmetric customer managed KMS key. Disable the envelope encryption option.

C.

Create a symmetric customer managed KMS key. Enable automatic key rotation.

D.

Create an asymmetric customer managed KMS key. Disable the envelope encryption option.

Question 272

A company is developing a highly available natural language processing (NLP) application. The application handles large volumes of concurrent requests. The application performs NLP tasks such as entity recognition, sentiment analysis, and key phrase extraction on text data.

The company needs to store data that the application processes in a highly available and scalable database.

Options:

Options:

A.

Create an Amazon API Gateway REST API endpoint to handle incoming requests. Configure the REST API to invoke an AWS Lambda function for each request. Configure the Lambda function to call Amazon Comprehend to perform NLP tasks on the text data. Store the processed data in Amazon DynamoDB.

B.

Create an Amazon API Gateway HTTP API endpoint to handle incoming requests. Configure the HTTP API to invoke an AWS Lambda function for each request. Configure the Lambda function to call Amazon Translate to perform NLP tasks on the text data. Store the processed data in Amazon ElastiCache.

C.

Create an Amazon SQS queue to buffer incoming requests. Deploy the NLP application on Amazon EC2 instances in an Auto Scaling group. Use Amazon Comprehend to perform NLP tasks. Store the processed data in an Amazon RDS database.

D.

Create an Amazon API Gateway WebSocket API endpoint to handle incoming requests. Configure the WebSocket API to invoke an AWS Lambda function for each request. Configure the Lambda function to call Amazon Textract to perform NLP tasks on the text data. Store the processed data in Amazon ElastiCache.

Question 273

A marketing company receives a large amount of new clickstream data in Amazon S3 from a marketing campaign The company needs to analyze the clickstream data in Amazon S3 quickly. Then the company needs to determine whether to process the data further in the data pipeline.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create external tables in a Spark catalog Configure jobs in AWS Glue to query the data

B.

Configure an AWS Glue crawler to crawl the data. Configure Amazon Athena to query the data.

C.

Create external tables in a Hive metastore. Configure Spark jobs in Amazon EMR to query the data.

D.

Configure an AWS Glue crawler to crawl the data. Configure Amazon Kinesis Data Analytics to use SQL to query the data

Page: 1 / 91
Total 911 questions