SOLUTIONS ARCHITECT ASSOCIATE - 43

Test Title:
SOLUTIONS ARCHITECT ASSOCIATE - 43

Description:
Questions

Creation Date: 2023/09/03

Category: Others

Number of Questions: 20

Syllabus:

You have a team of developers in your company, and you would like to ensure they can quickly experiment with AWS Managed Policies by attaching them to their accounts, but you would like to prevent them from doing an escalation of privileges, by granting themselves the AdministratorAccess managed policy. How should you proceed?
- For each developer, define an IAM permission boundary that will restrict the managed policies they can attach to themselves.
- Create a Service Control Policy (SCP) on your AWS account that restricts developers from attaching themselves the AdministratorAccess policy.
- Attach an IAM policy to your developers, that prevents them from attaching the AdministratorAccess policy.
- Put the developers into an IAM group, and then define an IAM permission boundary on the group that will restrict the managed policies they can attach to themselves.

Your company has an on-premises Distributed File System Replication (DFSR) service to keep files synchronized on multiple Windows servers, and would like to migrate to AWS cloud. What do you recommend as a replacement for the DFSR?
- FSx for Windows.
- FSx for Lustre.
- EFS.
- Amazon S3.

You would like to store a database password in a secure place, and enable automatic rotation of that password every 90 days. What do you recommend?
- Secrets Manager.
- KMS.
- CloudHSM.
- SSM Parameter Store.

You are establishing a monitoring solution for desktop systems, that will be sending telemetry data into AWS every 1 minute. Data for each system must be processed in order, independently, and you would like to scale the number of consumers to be possibly equal to the number of desktop systems that are being monitored. What do you recommend?
- Use an SQS FIFO queue, and make sure the telemetry data is sent with a Group ID attribute representing the value of the Desktop ID.
- Use an SQS FIFO queue, and send the telemetry data as is.
- Use an SQS standard queue, and send the telemetry data as is.
- Use a Kinesis Data Stream, and send the telemetry data with a Partition ID that uses the value of the Desktop ID.

You have multiple AWS accounts within a single AWS Region managed by AWS Organizations and you would like to ensure all EC2 instances in all these accounts can communicate privately. Which of the following solutions provides the capability at the CHEAPEST cost?
- Create a VPC in an account and share one or more of its subnets with the other accounts using Resource Access Manager.
- Create a Private Link between all the EC2 instances.
- Create a VPC peering connection between all VPCs.
- Create a Transit Gateway and link all the VPCs in all the accounts together.

The engineering team at a logistics company has noticed that the Auto Scaling group (ASG) is not terminating an unhealthy Amazon EC2 instance. As a Solutions Architect, which of the following options would you suggest to troubleshoot the issue? (Select three)
- The health check grace period for the instance has not expired.
- The instance may be in Impaired status.
- The instance has failed the ELB health check status.
- The EC2 instance could be a spot instance type, which cannot be terminated by ASG.
- A user might have updated the configuration of ASG and increased the minimum number of instances forcing ASG to keep all instances alive.
- A custom health check might have failed. ASG does not terminate instances that are set unhealthy by custom checks.

A big-data consulting firm is working on a client engagement where the ETL workloads are currently handled via a Hadoop cluster deployed in the on-premises data center. The client wants to migrate their ETL workloads to AWS Cloud. The AWS Cloud solution needs to be highly available with about 50 EC2 instances per Availability Zone. As a solutions architect, which of the following EC2 placement groups would you recommend handling the distributed ETL workload?
- Partition placement group.
- Cluster placement group.
- Spread placement group.
- Both Spread placement group and Partition placement group.

A manufacturing company receives unreliable service from its data center provider because the company is located in an area prone to natural disasters. The company is not ready to fully migrate to the AWS Cloud, but it wants a failover environment on AWS in case the on-premises data center fails. The company runs web servers that connect to external vendors. The data available on AWS and on-premises must be uniform. Which of the following solutions would have the LEAST amount of downtime?
- Set up a Route 53 failover record. Run application servers on EC2 instances behind an Application Load Balancer in an Auto Scaling group. Set up AWS Storage Gateway with stored volumes to back up data to S3.
- Set up a Route 53 failover record. Execute an AWS CloudFormation template from a script to provision EC2 instances behind an Application Load Balancer. Set up AWS Storage Gateway with stored volumes to back up data to S3.
- Set up a Route 53 failover record. Run an AWS Lambda function to execute an AWS CloudFormation template to launch two EC2 instances. Set up AWS Storage Gateway with stored volumes to back up data to S3. Set up an AWS Direct Connect connection between a VPC and the data center.
- Set up a Route 53 failover record. Set up an AWS Direct Connect connection between a VPC and the data center. Run application servers on EC2 in an Auto Scaling group. Run an AWS Lambda function to execute an AWS CloudFormation template to create an Application Load Balancer.

To improve the performance and security of the application, the engineering team at a company has created a CloudFront distribution with an Application Load Balancer as the custom origin. The team has also set up a Web Application Firewall (WAF) with CloudFront distribution. The security team at the company has noticed a surge in malicious attacks from a specific IP address to steal sensitive data stored on the EC2 instances. As a solutions architect, which of the following actions would you recommend to stop the attacks?
- Create an IP match condition in the WAF to block the malicious IP address.
- Create a deny rule for the malicious IP in the NACL associated with each of the instances.
- Create a deny rule for the malicious IP in the Security Groups associated with each of the instances.
- Create a ticket with AWS support to take action against the malicious IP.

You have been hired as a Solutions Architect to advise a company on the various authentication/authorization mechanisms that AWS offers to authorize an API call within the API Gateway. The company would prefer a solution that offers built-in user management. Which of the following solutions would you suggest as the best fit for the given use-case?
- Use Amazon Cognito User Pools.
- Use AWS_IAM authorization.
- Use API Gateway Lambda authorizer.
- Use Amazon Cognito Identity Pools.

You have an in-memory database launched on an EC2 instance and you would like to be able to stop and start the EC2 instance without losing the in-memory state of your database. What do you recommend?
- Use EC2 Instance Hibernate.
- Create an AMI from the instance.
- Use an EC2 Instance Store.
- Mount an in-memory EBS Volume.

You would like to mount a network file system on Linux instances, where files will be stored and accessed frequently at first, and then infrequently. What solution is the MOST cost-effective?
- EFS IA.
- S3 Intelligent Tiering.
- Glacier Deep Archive.
- FSx for Lustre.

Upon a security review of your AWS account, an AWS consultant has found that a few RDS databases are unencrypted. As a Solutions Architect, what steps must be taken to encrypt the RDS databases?
- Take a snapshot of the database, copy it as an encrypted snapshot, and restore a database from the encrypted snapshot. Terminate the previous database.
- Create a Read Replica of the database, and encrypt the read replica. Promote the read replica as a standalone database, and terminate the previous database.
- Enable Multi-AZ for the database, and make sure the standby instance is encrypted. Stop the main database so that the standby database kicks in, then disable Multi-AZ.
- Enable encryption on the RDS database using the AWS Console.

A retail company wants to share sensitive accounting data that is stored in an Amazon RDS DB instance with an external auditor. The auditor has its own AWS account and needs its own copy of the database. Which of the following would you recommend to securely share the database with the auditor?
- Create an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key Management Service (AWS KMS) encryption key.
- Create a snapshot of the database in Amazon S3 and assign an IAM role to the auditor to grant access to the object in that bucket.
- Export the database contents to text files, store the files in Amazon S3, and create a new IAM user for the auditor with access to that bucket.
- Set up a read replica of the database and configure IAM standard database authentication to grant the auditor access.

An e-commerce company operates multiple AWS accounts and has interconnected these accounts in a hub-and-spoke style using the AWS Transit Gateway. VPCs have been provisioned across these AWS accounts to facilitate network isolation. Which of the following solutions would reduce both the administrative overhead and the costs while providing shared access to services required by workloads in each of the VPCs?
- Build a shared services VPC.
- Use Transit VPC to reduce cost and share the resources across VPCs.
- Use Fully meshed VPC Peers.
- Use VPCs connected with AWS Direct Connect.

Your company has a monthly big data workload, running for about 2 hours, which can be efficiently distributed across multiple servers of various sizes, with a variable number of CPUs. The solution for the workload should be able to withstand server failures. Which is the MOST cost-optimal solution for this workload?
- Run the workload on a Spot Fleet.
- Run the workload on Spot Instances.
- Run the workload on Reserved Instances.
- Run the workload on Dedicated Hosts.

The engineering team at an e-commerce company is working on cost optimizations for EC2 instances. The team wants to manage the workload using a mix of on-demand and spot instances across multiple instance types. They would like to create an Auto Scaling group with a mix of these instances. Which of the following options would allow the engineering team to provision the instances for this use-case?
- You can only use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost.
- You can only use a launch configuration to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost.
- You can use a launch configuration or a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost.
- You can neither use a launch configuration nor a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost.

You would like to deploy an application behind an Application Load Balancer, that will have some Auto Scaling capability and efficiently leverage a mix of Spot Instances and On-Demand instances to meet demand. What do you recommend to manage the instances?
- Create an ASG with a launch template.
- Create a Spot Instance Request.
- Create a Spot Fleet Request.
- Create an ASG with a launch configuration.

A financial services company wants a single log processing model for all the log files (consisting of system logs, application logs, database logs, etc) that can be processed in a serverless fashion and then durably stored for downstream analytics. The company wants to use an AWS managed service that automatically scales to match the throughput of the log data and requires no ongoing administration. As a solutions architect, which of the following AWS services would you recommend solving this problem?
- Kinesis Data Firehose.
- Amazon EMR.
- AWS Lambda.
- Kinesis Data Streams.

A retail company wants to roll out and test a blue-green deployment for its global application in the next 48 hours. Most of the customers use mobile phones which are prone to DNS caching. The company has only two days left for the annual Thanksgiving sale to commence. As a Solutions Architect, which of the following options would you recommend to test the deployment on as many users as possible in the given time frame?
- Use AWS Global Accelerator to distribute a portion of traffic to a particular deployment.
- Use Route 53 weighted routing to spread traffic across different deployments.
- Use Elastic Load Balancer to distribute traffic across deployments.
- Use AWS CodeDeploy deployment options to choose the right deployment.
