AWS Certified Solutions Architect - Professional
Page 22 out of 101 pages Questions 211-220 out of 1009 questions
Question#211

Who is responsible for modifying the routing tables and networking ACLs in a VPC to ensure that a DB instance is reachable from other instances in the VPC?

  • A. AWS administrators
  • B. The owner of the AWS account
  • C. Amazon
  • D. The DB engine vendor
Answer: B
You are in charge of configuring the routing tables of your VPC, as well as the network ACL rules needed to make your DB instances accessible from all the instances in your VPC that need to communicate with them.
Reference:
http://aws.amazon.com/rds/faqs/

Question#212

An organization is planning to host a web application in the AWS VPC. The organization does not want to host a database in the public cloud due to statutory requirements.
How can the organization set this up in this scenario?

  • A. The organization should plan the app server on the public subnet and database in the organization's data center and connect them with the VPN gateway.
  • B. The organization should plan the app server on the public subnet and use RDS with the private subnet for a secure data operation.
  • C. The organization should use the public subnet for the app server and use RDS with a storage gateway to access as well as sync the data securely from the local data center.
  • D. The organization should plan the app server on the public subnet and database in a private subnet so it will not be in the public cloud.
Answer: A
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. The user can create subnets within a VPC as required. If the user wants to connect the VPC to their own data centre, they can set up a public subnet and a VPN-only subnet, which uses hardware VPN access to connect to the data centre. When the user has configured this setup with the wizard, it creates a virtual private gateway to route all the traffic of the VPN subnet. If the virtual private gateway is attached to the VPC and the user deletes the VPC from the console, it will first automatically detach the gateway and only then delete the VPC.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

Question#213

A user is trying to create a PIOPS EBS volume with 4000 IOPS and 100 GB size. AWS does not allow the user to create this volume.
What is the possible root cause for this?

  • A. PIOPS is supported for EBS higher than 500 GB size
  • B. The maximum IOPS supported by EBS is 3000
  • C. The ratio between IOPS and the EBS volume is higher than 30
  • D. The ratio between IOPS and the EBS volume is lower than 50
Answer: D

Question#214

A user is planning to host a Highly Available system on the AWS VPC. Which of the below-mentioned statements is helpful in this scenario?

  • A. Create VPC subnets in two separate availability zones and launch instances in different subnets.
  • B. Create VPC with only one public subnet and launch instances in different AZs using that subnet.
  • C. Create two VPCs in two separate zones and set up failover with ELB such that if one VPC fails it will divert traffic to another VPC.
  • D. Create VPC with only one private subnet and launch instances in different AZs using that subnet.
Answer: A
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. The VPC is always specific to a region. The user can create a VPC which can span multiple Availability Zones by adding one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span across zones.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPCSubnet

Question#215

A user is creating a PIOPS volume. What is the maximum ratio the user should configure between PIOPS and the volume size?

  • A. 5
  • B. 10
  • C. 20
  • D. 30
Answer: D
Provisioned IOPS volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads that are sensitive to storage performance and consistency in random access I/O throughput. A provisioned IOPS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume.
The ratio of IOPS provisioned to the volume size requested can be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

Question#216

What is a possible reason you would need to edit claims issued in a SAML token?

  • A. The NameIdentifier claim cannot be the same as the username stored in AD.
  • B. Authentication fails consistently.
  • C. The NameIdentifier claim cannot be the same as the claim URI.
  • D. The NameIdentifier claim must be the same as the username stored in AD.
Answer: A
The two reasons you would need to edit claims issued in a SAML token are: the NameIdentifier claim cannot be the same as the username stored in AD, and the app requires a different set of claim URIs.
Reference:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-saml-claims-customization/

Question#217

A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that the AWS CloudHSM is the best service for this.
However, there are a few prerequisites before this can happen, one of them being a security group that has certain ports open.
Which of the following is correct in regards to those security groups?

  • A. A security group that has no ports open to your network.
  • B. A security group that has only port 3389 (for RDP) open to your network.
  • C. A security group that has only port 22 (for SSH) open to your network.
  • D. A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.
Answer: D
AWS CloudHSM provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud.
AWS CloudHSM requires the following environment before an HSM appliance can be provisioned:

  • A virtual private cloud (VPC) in the region where you want the AWS CloudHSM service.
  • One private subnet (a subnet with no Internet gateway) in the VPC. The HSM appliance is provisioned into this subnet.
  • One public subnet (a subnet with an Internet gateway attached). The control instances are attached to this subnet.
  • An AWS Identity and Access Management (IAM) role that delegates access to your AWS resources to AWS CloudHSM.
  • An EC2 instance, in the same VPC as the HSM appliance, that has the SafeNet client software installed. This instance is referred to as the control instance and is used to connect to and manage the HSM appliance.
  • A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network. This security group is attached to your control instances so you can access them remotely.

Question#218

What is the network performance offered by the c4.8xlarge instance in Amazon EC2?

  • A. Very High but variable
  • B. 20 Gigabit
  • C. 5 Gigabit
  • D. 10 Gigabit
Answer: D
Networking performance offered by the c4.8xlarge instance is 10 Gigabit.
Reference:
http://aws.amazon.com/ec2/instance-types/

Question#219

An organization is setting up a web application with the JEE stack. The application uses the JBoss app server and MySQL DB. The application has a logging module which logs all the activities whenever a business function of the JEE application is called. The logging activity takes some time due to the large size of the log file.
If the application needs a scalable infrastructure, which of the below-mentioned options will help achieve this setup?

  • A. Host the log files on EBS with PIOPS which will have higher I/O.
  • B. Host logging and the app server on separate servers such that they are both in the same zone.
  • C. Host logging and the app server on the same instance so that the network latency will be shorter.
  • D. Create a separate module for logging and using SQS compartmentalize the module such that all calls to logging are asynchronous.
Answer: D
The organization can always launch multiple EC2 instances in the same region across multiple AZs for HA and DR. AWS architecture practice recommends compartmentalizing functionality so that the components can run in parallel without affecting the performance of the main application. In this scenario, logging takes a long time due to the large size of the log file. Thus, it is recommended that the organization separate logging into its own module and make the calls between the modules asynchronous. This way the application can scale as required, and its performance will not be affected by logging.
Reference:
http://www.awsarchitectureblog.com/2014/03/aws-and-compartmentalization.html

Question#220

You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message "Certificate: <certificate-id> is being used by CloudFront."
Which of the following statements is probably the reason why you are getting this error?

  • A. Before you can delete an SSL certificate you need to set up https on your server.
  • B. Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM
  • C. Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront certificate.
  • D. You can't delete SSL certificates. You need to request it from AWS.
Answer: C
CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, and image files, to end users. Every CloudFront web distribution must be associated either with the default CloudFront certificate or with a custom SSL certificate. Before you can delete an SSL certificate, you need to either rotate SSL certificates (replace the current custom SSL certificate with another custom SSL certificate) or revert from using a custom SSL certificate to using the default CloudFront certificate.
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Troubleshooting.html
