Amazon (SAA-C03) Exam Questions And Answers page 26
A company is preparing to deploy a data lake on AWS. A solutions architect must define the encryption strategy for data at rest in Amazon S3. The company's security policy states:
• Keys must be rotated every 90 days.
• Strict separation of duties between key users and key administrators must be implemented.
• Auditing key usage must be possible.
What should the solutions architect recommend?
Server-side encryption with AWS KMS managed keys (SSE-KMS) with AWS managed customer master keys (CMKs)
Server-side encryption with Amazon S3 managed keys (SSE-S3) with customer managed customer master keys (CMKs)
Server-side encryption with Amazon S3 managed keys (SSE-S3) with AWS managed customer master keys (CMKs)
Specify Secure Applications and Architectures
A company is preparing to deploy a new serverless workload. A solutions architect needs to configure permissions for invoking an AWS Lambda function. The function will be triggered by an Amazon EventBridge (Amazon CloudWatch Events) rule. Permissions should be configured using the principle of least privilege.
Which solution will meet these requirements?
Add an execution role to the function with lambda:InvokeFunction as the action and * as the principal.
Add an execution role to the function with lambda:InvokeFunction as the action and Service:amazonaws.com as the principal.
Add a resource-based policy to the function with lambda:* as the action and Service:events.amazonaws.com as the principal.
Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service:events.amazonaws.com as the principal.
Define Performant Architectures
Specify Secure Applications and Architectures
A company is preparing to launch a public-facing web application in the AWS Cloud. The architecture consists of Amazon EC2 instances within a VPC behind an Elastic Load Balancer (ELB). A third-party service is used for the DNS. The company's solutions architect must recommend a solution to detect and protect against large-scale DDoS attacks.
Which solution meets these requirements?
Enable Amazon GuardDuty on the account.
Enable Amazon Inspector on the EC2 instances.
Enable AWS Shield and assign Amazon Route 53 to it.
Enable AWS Shield Advanced and assign the ELB to it.
Specify Secure Applications and Architectures
Design Cost-Optimized Architectures
A company is preparing to migrate its on-premises application to AWS. The application consists of application servers and a Microsoft SQL Server database. The database cannot be migrated to a different engine because SQL Server features are used in the application's .NET code. The company wants to attain the greatest availability possible while minimizing operational and management overhead.
What should a solutions architect do to accomplish this?
Install SQL Server on Amazon EC2 in a Multi-AZ deployment.
Migrate the data to Amazon RDS for SQL Server in a Multi-AZ deployment.
Deploy the database on Amazon RDS for SQL Server with Multi-AZ Replicas.
Migrate the data to Amazon RDS for SQL Server in a cross-Region Multi-AZ deployment.
Design Resilient Architectures
Define Performant Architectures
A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year.
Which solution meets these requirements and is the MOST operationally efficient?
Server-side encryption with customer-provided keys (SSE-C)
Server-side encryption with Amazon S3 managed keys (SSE-S3)
Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with manual rotation
Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation
Specify Secure Applications and Architectures
Design Cost-Optimized Architectures
A company is processing data on a daily basis. The results of the operations are stored in an Amazon S3 bucket, analyzed daily for one week, and then must remain immediately accessible for occasional analysis.
What is the MOST cost-effective storage solution alternative to the current configuration?
Configure a lifecycle policy to delete the objects after 30 days.
Configure a lifecycle policy to transition the objects to Amazon S3 Glacier after 30 days.
Configure a lifecycle policy to transition the objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
Design Cost-Optimized Architectures
A company is re-architecting a strongly coupled application to be loosely coupled. Previously, the application used a request/response pattern to communicate between tiers. The company plans to use Amazon Simple Queue Service (Amazon SQS) to achieve decoupling requirements. The initial design contains one queue for requests and one for responses. However, this approach is not processing all the messages as the application scales.
What should a solutions architect do to resolve this issue?
Configure a dead-letter queue on the ReceiveMessage API action of the SQS queue.
Configure a FIFO queue, and use the message deduplication ID and message group ID.
Create a temporary queue, with the Temporary Queue Client to receive each response message.
Create a queue for each request and response on startup for each producer, and use a correlation ID message attribute.
Design Resilient Architectures
Define Performant Architectures
A company is relocating its data center and wants to securely transfer 50 TB of data to AWS within 2 weeks. The existing data center has a Site-to-Site VPN connection to AWS that is 90% utilized.
Which AWS service should a solutions architect use to meet these requirements?
AWS DataSync with a VPC endpoint
AWS Direct Connect
AWS Snowball Edge Storage Optimized
AWS Storage Gateway
Specify Secure Applications and Architectures
A company is reviewing a recent migration of a three-tier application to a VPC. The security team discovers that the principle of least privilege is not being applied to Amazon EC2 security group ingress and egress rules between the application tiers.
What should a solutions architect do to correct this issue?
Create security group rules using the instance ID as the source or destination.
Create security group rules using the security group ID as the source or destination.
Create security group rules using the VPC CIDR blocks as the source or destination.
Create security group rules using the subnet CIDR blocks as the source or destination.
Specify Secure Applications and Architectures