Exams > Amazon > AWS Certified Solutions Architect - Associate SAA-C02
AWS Certified Solutions Architect - Associate SAA-C02
Page 34 out of 83 pages Questions 331-340 out of 822 questions
Question#331

A company currently operates a web application backed by an Amazon RDS MySQL database. It has automated backups that are run daily and are not encrypted. A security audit requires future backups to be encrypted and the unencrypted backups to be destroyed. The company will make at least one encrypted backup before destroying the old backups.
What should be done to enable encryption for future backups?

  • A. Enable default encryption for the Amazon S3 bucket where backups are stored.
  • B. Modify the backup section of the database configuration to toggle the Enable encryption check box.
  • C. Create a snapshot of the database. Copy it to an encrypted snapshot. Restore the database from the encrypted snapshot.
  • D. Enable an encrypted read replica on RDS for MySQL. Promote the encrypted read replica to primary. Remove the original database instance.
Discover Answer Hide Answer

C
However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance.
DB instances that are encrypted can't be modified to disable encryption.
You can't have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance.
Encrypted read replicas must be encrypted with the same key as the source DB instance when both are in the same AWS Region.
You can't restore an unencrypted backup or snapshot to an encrypted DB instance.
To copy an encrypted snapshot from one AWS Region to another, you must specify the KMS key identifier of the destination AWS Region. This is because KMS encryption keys are specific to the AWS Region that they are created in.
Reference:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

Question#332

A company is hosting a website behind multiple Application Load Balancers. The company has different distribution rights for its content around the world. A solutions architect needs to ensure that users are served the correct content without violating distribution rights.
Which configuration should the solutions architect choose to meet these requirements?

  • A. Configure Amazon CloudFront with AWS WAF.
  • B. Configure Application Load Balancers with AWS WAF.
  • C. Configure Amazon Route 53 with a geolocation policy.
  • D. Configure Amazon Route 53 with a geoproximity routing policy.
Discover Answer Hide Answer

C
Reference:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html
(geolocation routing)

Question#333

A solutions architect has created a new AWS account and must secure AWS account root user access.
Which combination of actions will accomplish this? (Choose two.)

  • A. Ensure the root user uses a strong password.
  • B. Enable multi-factor authentication to the root user.
  • C. Store root user access keys in an encrypted Amazon S3 bucket.
  • D. Add the root user to a group containing administrative permissions.
  • E. Apply the required permissions to the root user with an inline policy document.
Discover Answer Hide Answer

AB

Question#334

A solutions architect at an ecommerce company wants to back up application log data to Amazon S3. The solutions architect is unsure how frequently the logs will be accessed or which logs will be accessed the most. The company wants to keep costs as low as possible by using the appropriate S3 storage class.
Which S3 storage class should be implemented to meet these requirements?

  • A. S3 Glacier
  • B. S3 Intelligent-Tiering
  • C. S3 Standard-Infrequent Access (S3 Standard-IA)
  • D. S3 One Zone-Infrequent Access (S3 One Zone-IA)
Discover Answer Hide Answer

B
S3 Intelligent-Tiering -
S3 Intelligent-Tiering is a new Amazon S3 storage class designed for customers who want to optimize storage costs automatically when data access patterns change, without performance impact or operational overhead. S3 Intelligent-Tiering is the first cloud object storage class that delivers automatic cost savings by moving data between two access tiers ג€" frequent access and infrequent access ג€" when access patterns change, and is ideal for data with unknown or changing access patterns.
S3 Intelligent-Tiering stores objects in two access tiers: one tier that is optimized for frequent access and another lower-cost tier that is optimized for infrequent access. For a small monthly monitoring and automation fee per object, S3 Intelligent-Tiering monitors access patterns and moves objects that have not been accessed for 30 consecutive days to the infrequent access tier. There are no retrieval fees in S3 Intelligent-Tiering. If an object in the infrequent access tier is accessed later, it is automatically moved back to the frequent access tier. No additional tiering fees apply when objects are moved between access tiers within the
S3 Intelligent-Tiering storage class. S3 Intelligent-Tiering is designed for 99.9% availability and 99.999999999% durability, and offers the same low latency and high throughput performance of S3 Standard.
Reference:
https://aws.amazon.com/about-aws/whats-new/2018/11/s3-intelligent-tiering/

Question#335

A company's website is used to sell products to the public. The site runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer
(ALB). There is also an Amazon CloudFront distribution, and AWS WAF is being used to protect against SQL injection attacks. The ALB is the origin for the
CloudFront distribution. A recent review of security logs revealed an external malicious IP that needs to be blocked from accessing the website.
What should a solutions architect do to protect the application?

  • A. Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address.
  • B. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.
  • C. Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
  • D. Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
Discover Answer Hide Answer

B
If you want to allow or block web requests based on the IP addresses that the requests originate from, create one or more IP match conditions. An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those IP addresses.
AWS Web Application Firewall (WAF) ג€" Helps to protect your web applications from common application-layer exploits that can affect availability or consume excessive resources. As you can see in my post (New ג€" AWS WAF), WAF allows you to use access control lists (ACLs), rules, and conditions that define acceptable or unacceptable requests or IP addresses. You can selectively allow or deny access to specific parts of your web application and you can also guard against various SQL injection attacks. We launched WAF with support for Amazon CloudFront.
Reference:
https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-loadbalancers/ https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-ip-conditions.html https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-ip-conditions.html https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/

Question#336

A solutions architect is designing an application for a two-step order process. The first step is synchronous and must return to the user with little latency. The second step takes longer, so it will be implemented in a separate component. Orders must be processed exactly once and in the order in which they are received.
How should the solutions architect integrate these components?

  • A. Use Amazon SQS FIFO queues.
  • B. Use an AWS Lambda function along with Amazon SQS standard queues.
  • C. Create an SNS topic and subscribe an Amazon SQS FIFO queue to that topic.
  • D. Create an SNS topic and subscribe an Amazon SQS Standard queue to that topic.
Discover Answer Hide Answer

C
Reference:
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html

Question#337

A web application is deployed in the AWS Cloud. It consists of a two-tier architecture that includes a web layer and a database layer. The web server is vulnerable to cross-site scripting (XSS) attacks.
What should a solutions architect do to remediate the vulnerability?

  • A. Create a Classic Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
  • B. Create a Network Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
  • C. Create an Application Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
  • D. Create an Application Load Balancer. Put the web layer behind the load balancer and use AWS Shield Standard.
Discover Answer Hide Answer

C
Working with cross-site scripting match conditions
Attackers sometimes insert scripts into web requests in an effort to exploit vulnerabilities in web applications. You can create one or more cross-site scripting match conditions to identify the parts of web requests, such as the URI or the query string, that you want AWS WAF Classic to inspect for possible malicious scripts. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious scripts.

Web Application Firewall -
You can now use AWS WAF to protect your web applications on your Application Load Balancers. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
Reference:
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-xss-conditions.html https://aws.amazon.com/elasticloadbalancing/features/

Question#338

A company's website is using an Amazon RDS MySQL Multi-AZ DB instance for its transactional data storage. There are other internal systems that query this DB instance to fetch data for internal batch processing. The RDS DB instance slows down significantly when the internal systems fetch data. This impacts the website's read and write performance, and the users experience slow response times.
Which solution will improve the website's performance?

  • A. Use an RDS PostgreSQL DB instance instead of a MySQL database.
  • B. Use Amazon ElastiCache to cache the query responses for the website.
  • C. Add an additional Availability Zone to the current RDS MySQL Multi-AZ DB instance.
  • D. Add a read replica to the RDS DB instance and configure the internal systems to query the read replica.
Discover Answer Hide Answer

D
Amazon RDS Read Replicas -

Enhanced performance -
You can reduce the load on your source DB instance by routing read queries from your applications to the read replica. Read replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. Because read replicas can be promoted to master status, they are useful as part of a sharding implementation.
To further maximize read performance, Amazon RDS for MySQL allows you to add table indexes directly to Read Replicas, without those indexes being present on the master.
Reference:
https://aws.amazon.com/rds/features/read-replicas

Question#339

An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application
Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%.
What should a solutions architect do to maintain the desired performance across all instances in the group?

  • A. Use a simple scaling policy to dynamically scale the Auto Scaling group.
  • B. Use a target tracking policy to dynamically scale the Auto Scaling group.
  • C. Use an AWS Lambda function to update the desired Auto Scaling group capacity.
  • D. Use scheduled scaling actions to scale up and scale down the Auto Scaling group.
Discover Answer Hide Answer

B
ג€With target tracking scaling policies, you select a scaling metric and set a target value. Amazon EC2 AutoScaling creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling djustment based on the metric and the target value. The scaling policy adds or removes capacity as required to keep the metric at, or close to, the specified target value. In addition to keeping the metric close to the targetvalue, a target tracking scaling policy also adjusts to changes in the metric due to a changing load pattern. For example, you can use target tracking scaling to: Configure a target tracking scaling policy to keep the average aggregate CPU utilization of your Auto Scaling group at 40 percent. Configure a target tracking scaling policy to keep the request count per target of your Application Load Balancer target group at 1000 for your AutoScaling group.ג€
Reference:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-target-tracking.html

Question#340

A company runs an internal browser-based application. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group scales up to 20 instances during work hours, but scales down to
2 instances overnight. Staff are complaining that the application is very slow when the day begins, although it runs well by mid-morning.
How should the scaling be changed to address the staff complaints and keep costs to a minimum?

  • A. Implement a scheduled action that sets the desired capacity to 20 shortly before the office opens.
  • B. Implement a step scaling action triggered at a lower CPU threshold, and decrease the cooldown period.
  • C. Implement a target tracking action triggered at a lower CPU threshold, and decrease the cooldown period.
  • D. Implement a scheduled action that sets the minimum and maximum capacity to 20 shortly before the office opens.
Discover Answer Hide Answer

A
Reference:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-simple-step.html

chevron rightPrevious Nextchevron right