SOLUTIONS ARCHITECT ASSOCIATE - 28

An application consists of a web tier in a public subnet and a MySQL cluster hosted on Amazon EC2 instances in a private subnet. The MySQL instances must retrieve product data from a third-party provider over the internet. A Solutions Architect must determine a strategy to enable this access with maximum security and minimum operational overhead. What should the Solutions Architect do to meet these requirements?. Deploy a NAT gateway in the public subnet. Modify the route table in the private subnet to direct all internet traffic to the NAT gateway. Deploy a NAT instance in the private subnet. Direct all internet traffic to the NAT instance. Create an internet gateway and attach it to the VPC. Modify the private subnet route table to direct internet traffic to the internet gateway. Create a virtual private gateway and attach it to the VPC. Modify the private subnet route table to direct internet traffic to the virtual private gateway.

A web app allows users to upload images for viewing online. The compute layer that processes the images is behind an Auto Scaling group. The processing layer should be decoupled from the front end and the ASG needs to dynamically adjust based on the number of images being uploaded. How can this be achieved?. Create an Amazon SQS queue and custom CloudWatch metric to measure the number of messages in the queue. Configure the ASG to scale based on the number of messages in the queue. Create an Amazon SNS Topic to generate a notification each time a message is uploaded. Have the ASG scale based on the number of SNS messages. Create a target tracking policy that keeps the ASG at 70% CPU utilization. Create a scheduled policy that scales the ASG at times of expected peak load.

An application runs on Amazon EC2 instances in a private subnet. The EC2 instances process data that is stored in an Amazon S3 bucket. The data is highly confidential and a private and secure connection is required between the EC2 instances and the S3 bucket. Which solution meets these requirements?. Set up S3 bucket policies to allow access from a VPC endpoint. Set up an IAM policy to grant read-write access to the S3 bucket. Configure encryption for the S3 bucket using an AWS KMS key. Configure a custom SSL/TLS certificate on the S3 bucket.

Health related data in Amazon S3 needs to be frequently accessed for up to 90 days. After that time the data must be retained for compliance reasons for seven years and is rarely accessed. Which storage classes should be used?. Store data in STANDARD for 90 days then transition the data to DEEP_ARCHIVE. Store data in INTELLIGENT_TIERING for 90 days then transition to STANDARD_IA. Store data in STANDARD for 90 days then expire the data. Store data in STANDARD for 90 days then transition to REDUCED_REDUNDANCY.

An application has multiple components for receiving requests that must be processed and subsequently processing the requests. The company requires a solution for decoupling the application components. The application receives around 10,000 requests per day and requests can take up to 2 days to process. Requests that fail to process must be retained. Which solution meets these requirements most efficiently?. Decouple the application components with an Amazon SQS queue. Configure a dead-letter queue to collect the requests that failed to process. Decouple the application components with an Amazon SQS Topic. Configure the receiving component to subscribe to the SNS Topic. Use an Amazon Kinesis data stream to decouple application components and integrate the processing component with the Kinesis Client Library (KCL). Create an Amazon DynamoDB table and enable DynamoDB streams. Configure the processing component to process requests from the stream.

A company operates a production web application that uses an Amazon RDS MySQL database. The database has automated, non-encrypted daily backups. To increase the security of the data, it has been recommended that encryption should be enabled for backups. Unencrypted backups will be destroyed after the first encrypted backup has been completed. What should be done to enable encryption for future backups?. Create a snapshot of the database. Copy it to an encrypted snapshot. Restore the database from the encrypted snapshot. Enable an encrypted read replica on RDS for MySQL. Promote the encrypted read replica to primary. Remove the original database instance. Modify the backup section of the database configuration to toggle the Enable encryption check box. Enable default encryption for the Amazon S3 bucket where backups are stored.

A Solutions Architect is designing a mobile application that will capture receipt images to track expenses. The Architect wants to store the images on Amazon S3. However, uploading the images through the web server will create too much traffic. What is the MOST efficient method to store images from a mobile application on Amazon S3?. Upload directly to S3 using a pre-signed URL. Expand the web server fleet with Spot instances to provide the resources to handle the images. Upload to a second bucket, and have a Lambda event copy the image to the primary bucket. Upload to a separate Auto Scaling Group of server behind an ELB Classic Load Balancer, and have the server instances write to the Amazon S3 bucket.

A company requires a high-performance file system that can be mounted on Amazon EC2 Windows instances and Amazon EC2 Linux instances. Applications running on the EC2 instances perform separate processing of the same files and the solution must provide a file system that can be mounted by all instances simultaneously. Which solution meets these requirements?. Use Amazon FSx for Windows File Server for the Windows instances and the Linux instances. Use Amazon FSx for Windows File Server for the Windows instances. Use Amazon Elastic File System (Amazon EFS) with Max I/O performance mode for the Linux instances. Use Amazon Elastic File System (Amazon EFS) with General Purpose performance mode for the Windows instances and the Linux instances. Use Amazon FSx for Windows File Server for the Windows instances. Use Amazon FSx for Lustre for the Linux instances. Link both Amazon FSx file systems to the same Amazon S3 bucket.

An application is deployed on multiple AWS regions and accessed from around the world. The application exposes static public IP addresses. Some users are experiencing poor performance when accessing the application over the Internet. What should a solutions architect recommend to reduce internet latency?. Set up AWS Global Accelerator and add endpoints. Set up AWS Direct Connect locations in multiple Regions. Set up an Amazon CloudFront distribution to access an application. Set up an Amazon Route 53 geoproximity routing policy to route traffic.

An online store uses an Amazon Aurora database. The database is deployed as a Multi-AZ deployment. Recently, metrics have shown that database read requests are high and causing performance issues which result in latency for write requests. What should the solutions architect do to separate the read requests from the write requests?. Update the application to read from the Aurora Replica. Create a read replica and modify the application to use the appropriate endpoint. Enable read through caching on the Amazon Aurora database. Create a second Amazon Aurora database and link it to the primary database as a read replica.

A company has deployed an API in a VPC behind an internal Network Load Balancer (NLB). An application that consumes the API as a client is deployed in a second account in private subnets. Which architectural configurations will allow the API to be consumed without using the public Internet? (Select TWO.). Configure a VPC peering connection between the two VPCs. Access the API using the private address. Configure a PrivateLink connection for the API into the client VPC. Access the API using the PrivateLink address. Configure an AWS Direct Connect connection between the two VPCs. Access the API using the private address. Configure a ClassicLink connection for the API into the client VPC. Access the API using the ClassicLink address. Configure an AWS Resource Access Manager connection between the two accounts. Access the API using the private address.

A Kinesis consumer application is reading at a slower rate than expected. It has been identified that multiple consumer applications have total reads exceeding the per-shard limits. How can this situation be resolved?. Increase the number of shards in the Kinesis data stream. Implement API throttling to restrict the number of requests per-shard. Increase the number of read transactions per shard. Implement read throttling for the Kinesis data stream.

A company is planning to migrate a large quantity of important data to Amazon S3. The data will be uploaded to a versioning enabled bucket in the us-west-1 Region. The solution needs to include replication of the data to another Region for disaster recovery purposes. How should a solutions architect configure the replication?. Create an additional S3 bucket with versioning in another Region and configure cross-Region replication. Create an additional S3 bucket in another Region and configure cross-Region replication. Create an additional S3 bucket in another Region and configure cross-origin resource sharing (CORS). Create an additional S3 bucket with versioning in another Region and configure cross-origin resource sharing (CORS).

A security team wants to limit access to specific services or actions in all of the team's AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained. What should a solutions architect do to accomplish this?. Create a service control policy in the root organizational unit to deny access to the services or actions. Create an ACL to provide access to the services or actions. Create a security group to allow accounts and attach it to user groups. Create cross-account roles in each account to deny access to the services or actions.

An Architect needs to find a way to automatically and repeatably create many member accounts within an AWS Organization. The accounts also need to be moved into an OU and have VPCs and subnets created. What is the best way to achieve this?. Use CloudFormation with scripts. Use the AWS Organizations API. Use the AWS Management Console. Use the AWS CLI.

A Solutions Architect needs a solution for hosting a website that will be used by a development team. The website contents will consist of HTML, CSS, client-side JavaScript, and images. Which solution is MOST cost-effective?. Create an Amazon S3 bucket and host the website there. Launch an Amazon EC2 instance and host the website there. Use a Docker container to host the website on AWS Fargate. Create an Application Load Balancer with an AWS Lambda target.

An application on Amazon Elastic Container Service (ECS) performs data processing in two parts. The second part takes much longer to complete. How can an Architect decouple the data processing from the backend application component?. Process each part using a separate ECS task. Create an Amazon SQS queue. Process both parts using the same ECS task. Create an Amazon Kinesis Firehose stream. Process each part using a separate ECS task. Create an Amazon SNS topic and send a notification when the processing completes. Create an Amazon DynamoDB table and save the output of the first part to the table.

A Solutions Architect is designing an application that will run on Amazon EC2 instances. The application will use Amazon S3 for storing image files and an Amazon DynamoDB table for storing customer information. The security team require that traffic between the EC2 instances and AWS services must not traverse the public internet. How can the Solutions Architect meet the security team’s requirements?. Create gateway VPC endpoints for Amazon S3 and DynamoDB. Create a NAT gateway in a public subnet and configure route tables. Create interface VPC endpoints for Amazon S3 and DynamoDB. Create a virtual private gateway and configure VPC route tables.

An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%. What should a solutions architect do to maintain the desired performance across all instances in the group?. Use a target tracking policy to dynamically scale the Auto Scaling group. Use a simple scaling policy to dynamically scale the Auto Scaling group. Use an AWS Lambda function to update the desired Auto Scaling group capacity. Use scheduled scaling actions to scale up and scale down the Auto Scaling group.

A company is deploying a solution for sharing media files around the world using Amazon CloudFront with an Amazon S3 origin configured as a static website. The company requires that all traffic for the website must be inspected by AWS WAF. Which solution meets these requirements?. Deploy CloudFront with an S3 origin and configure an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the CloudFront distribution. Create a Network ACL that limits access to the S3 bucket to the CloudFront IP addresses. Attach a WebACL to the CloudFront distribution. Use an Amazon Route 53 Alias record to forward traffic for the website to AWS WAF. Configure AWS WAF to inspect traffic and attach the CloudFront distribution. Create an S3 bucket policy with a condition that only allows requests that originate from AWS WAF.

A Solutions Architect must design a solution to allow many Amazon EC2 instances across multiple subnets to access a shared data store. The data must be accessed by all instances simultaneously and access should use the NFS protocol. The solution must also be highly scalable and easy to implement. Which solution best meets these requirements?. Create an Amazon EFS file system. Configure a mount target in each Availability Zone. Attach each instance to the appropriate mount target. Configure an additional EC2 instance as a file server. Create a role in AWS IAM that grants permissions to the file share and attach the role to the EC2 instances. Create an Amazon S3 bucket and configure a Network ACL. Grant the EC2 instances permission to access the bucket using the NFS protocol. Create an Amazon EBS volume and create a resource-based policy that grants an AWS IAM role access to the data. Attach the role to the EC2 instances.

A company has some statistical data stored in an Amazon RDS database. The company wants to allow users to access this information using an API. A solutions architect must create a solution that allows sporadic access to the data, ranging from no requests to large bursts of traffic. Which solution should the solutions architect suggest?. Set up an Amazon API Gateway and use AWS Lambda functions. Set up an Amazon API Gateway and use Amazon ECS. Set up an Amazon API Gateway and use AWS Elastic Beanstalk. Set up an Amazon API Gateway and use Amazon EC2 with Auto Scaling.

A company hosts statistical data in an Amazon S3 bucket that users around the world download from their website using a URL that resolves to a domain name. The company needs to provide low latency access to users and plans to use Amazon Route 53 for hosting DNS records. Which solution meets these requirements?. Create a web distribution on Amazon CloudFront pointing to an Amazon S3 origin. Create an ALIAS record in the Amazon Route 53 hosted zone that points to the CloudFront distribution, resolving to the application's URL domain name. Create a web distribution on Amazon CloudFront pointing to an Amazon S3 origin. Create a CNAME record in a Route 53 hosted zone that points to the CloudFront distribution, resolving to the application's URL domain name. Create an A record in Route 53, use a Route 53 traffic policy for the web application, and configure a geolocation rule. Configure health checks to check the health of the endpoint and route DNS queries to other endpoints if an endpoint is unhealthy. Create an A record in Route 53, use a Route 53 traffic policy for the web application, and configure a geoproximity rule. Configure health checks to check the health of the endpoint and route DNS queries to other endpoints if an endpoint is unhealthy.

An application runs on a fleet of Amazon EC2 instances in an Amazon EC2 Auto Scaling group behind an Elastic Load Balancer. The operations team has determined that the application performs best when the CPU utilization of the EC2 instances is at or near 60%. Which scaling configuration should a Solutions Architect use to optimize the applications performance?. Use a target tracking policy to dynamically scale the Auto Scaling group. Use a simple scaling policy to dynamically scale the Auto Scaling group. Use a step scaling policy to dynamically scale the Auto Scaling group. Use a scheduled scaling policy to dynamically the Auto Scaling group.