A company hosts a two-tier application that consists of a publicly accessible web server that communicates with a private database. Only HTTPS port 443 traffic to the web server must be allowed from the Internet.
Which of the following options will achieve these requirements? (Choose two.)
- A. Security group rule that allows inbound Internet traffic for port 443.
- B. Security group rule that denies all inbound Internet traffic except port 443.
- C. Network ACL rule that allows port 443 inbound and all ports outbound for Internet traffic.
- D. Security group rule that allows Internet traffic for port 443 in both inbound and outbound.
- E. Network ACL rule that allows port 443 for both inbound and outbound for all Internet traffic.
A Solutions Architect is designing an Amazon VPC. Applications in the VPC must have private connectivity to Amazon DynamoDB in the same AWS Region.
The design should route DynamoDB traffic through:
- A. VPC peering connection.
- B. NAT gateway
- C. VPC endpoint
- D. AWS Direct Connect
A Solutions Architect is architecting a workload that requires a performant object-based storage system that must be shared with multiple Amazon EC2 instances.
Which AWS service meets this requirement?
- A. Amazon EFS
- B. Amazon S3
- C. Amazon EBS
- D. Amazon ElastiCache
A Solutions Architect is developing a solution for sharing files in an organization. The solution must allow multiple users to access the storage service at once from different virtual machines and scale automatically. It must also support file-level locking.
Which storage service meets the requirements of this use case?
- A. Amazon S3
- B. Amazon EFS
- C. Amazon EBS
- D. Cached Volumes
A company runs a legacy application with a single-tier architecture on an Amazon EC2 instance. Disk I/O is low, with occasional small spikes during business hours. The company requires the instance to be stopped from 8 PM to 8 AM daily.
Which storage option is MOST appropriate for this workload?
- A. Amazon EC2 instance storage
- B. Amazon EBS General Purpose SSD (gp2) storage
- C. Amazon S3
- D. Amazon EBS Provisioned IOPS SSD (io1) storage
Correct Answer: B
As part of securing an API layer built on Amazon API Gateway, a Solutions Architect has to authorize users who are currently authenticated by an existing identity provider. The users must be denied access for a period of one hour after three unsuccessful attempts.
How can the Solutions Architect meet these requirements?
- A. Use AWS IAM authorization and add least-privileged permissions to each respective IAM role.
- B. Use an API Gateway custom authorizer to invoke an AWS Lambda function to validate each user’s identity.
- C. Use Amazon Cognito user pools to provide built-in user management.
- D. Use Amazon Cognito user pools to integrate with external identity providers.
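The lockout requirement in the question above is the part a built-in authorizer does not give you, so here is what a Lambda authorizer that enforces it looks like. This is an added example written for this page, not AWS sample code: the call to the existing identity provider is replaced by a constructed validator that accepts tokens of the form `subject:secret`, the `LockoutStore` is an in-memory stand-in for a shared table such as DynamoDB, and the `methodArn`, account ID and source IP in `make_event` are made-up values.

```python
"""Added example (not AWS sample code): a Lambda authorizer for API Gateway
that accepts users already authenticated by an external identity provider and
denies a principal for one hour after three consecutive failed attempts.
The IdP check, the token format and the storage are stand-ins; see comments."""
import time
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 3          # lock after this many consecutive failures
LOCKOUT_SECONDS = 3600    # one hour, as the requirement states

# A validator returns (verified, subject).  `subject` is the identity the IdP
# could read from the token even when verification failed (e.g. an unverified
# `sub` claim); None if the token is unparseable.  This interface is assumed.
Validator = Callable[[str], Tuple[bool, Optional[str]]]


class LockoutStore:
    """In-memory stand-in for a DynamoDB table keyed by principal.  Lambda
    execution environments do not share memory, so production needs a shared
    table (with a TTL attribute on locked_until so rows expire)."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, float]] = {}

    def locked_until(self, key: str) -> float:
        return self.rows.get(key, {}).get("locked_until", 0.0)

    def record_failure(self, key: str, now: float) -> bool:
        """Count one failure; return True if it triggered a lockout."""
        row = self.rows.setdefault(key, {"failures": 0.0, "locked_until": 0.0})
        row["failures"] += 1
        if row["failures"] < MAX_FAILURES:
            return False
        row["failures"] = 0.0              # counter restarts once the lock expires
        row["locked_until"] = now + LOCKOUT_SECONDS
        return True

    def clear(self, key: str) -> None:
        self.rows.pop(key, None)


def iam_policy(principal: str, effect: str, method_arn: str) -> dict:
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": method_arn}],
        },
    }


def authorize(event: dict, validate: Validator, store: LockoutStore,
              now: Callable[[], float] = time.time) -> dict:
    """Handler body for a REQUEST-type authorizer: uses the Authorization
    header, the caller's source IP and the methodArn from the event."""
    token = (event.get("headers") or {}).get("Authorization", "")
    source_ip = (event.get("requestContext", {})
                      .get("identity", {}).get("sourceIp", "unknown"))
    method_arn = event["methodArn"]
    t = now()

    verified, subject = validate(token)
    # Failures are counted against the claimed subject, so rotating source IPs
    # does not reset the counter; unparseable tokens fall back to the IP.
    key = subject if subject else f"ip:{source_ip}"

    if store.locked_until(key) > t:             # still inside the lockout hour
        return iam_policy(key, "Deny", method_arn)
    if not verified or subject is None:
        store.record_failure(key, t)
        return iam_policy(key, "Deny", method_arn)
    store.clear(key)                            # success resets the counter
    return iam_policy(subject, "Allow", method_arn)


def demo_validator(token: str) -> Tuple[bool, Optional[str]]:
    """Constructed stand-in for the IdP call.  Tokens look like
    "<subject>:<secret>"; a real validator would verify a JWT's signature,
    issuer, audience and expiry against the provider's published keys."""
    if ":" not in token:
        return False, None
    subject, secret = token.split(":", 1)
    return secret == "s3cret", subject


def make_event(token: str, ip: str = "203.0.113.10") -> dict:
    """Constructed REQUEST-authorizer event; ARN and account are made up."""
    return {"methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders",
            "headers": {"Authorization": token},
            "requestContext": {"identity": {"sourceIp": ip}}}


if __name__ == "__main__":
    store = LockoutStore()
    for tok in ["alice:wrong", "alice:wrong", "alice:wrong", "alice:s3cret"]:
        effect = authorize(make_event(tok), demo_validator, store)["policyDocument"]["Statement"][0]["Effect"]
        print(tok, "->", effect)
```

Two deployment details matter for the lockout to hold: API Gateway caches an authorizer's policy per Authorization header value for `authorizerResultTtlInSeconds` (default 300 seconds), so set it to 0, or keep it short, or a token that was allowed just before the third failure keeps working into the lockout hour; and the counter must live in a shared store, because each Lambda execution environment starts with its own memory.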
An organization runs an online media site, hosted on-premises. An employee posted a product review that contained videos and pictures. The review went viral and the organization needs to handle the resulting spike in website traffic.
What action would provide an immediate solution?
- A. Redesign the website to use Amazon API Gateway, and use AWS Lambda to deliver content.
- B. Add server instances using Amazon EC2 and use Amazon Route 53 with a failover routing policy.
- C. Serve the images and videos via an Amazon CloudFront distribution created using the news site as the origin.
- D. Use Amazon ElastiCache for Redis for caching and reducing the load requests from the origin.
A client notices that their engineers often make mistakes when creating Amazon SQS queues for their backend system.
Which action should a Solutions Architect recommend to improve this process?
- A. Use the AWS CLI to create queues using AWS IAM Access Keys.
- B. Write a script to create the Amazon SQS queue using AWS Lambda.
- C. Use AWS Elastic Beanstalk to automatically create the Amazon SQS queues.
- D. Use AWS CloudFormation Templates to manage the Amazon SQS queue creation.
A development team is building an application with front-end and backend application tiers. Each tier consists of Amazon EC2 instances behind an ELB Classic Load Balancer. The instances run in Auto Scaling groups across multiple Availability Zones. The network team has allocated the 10.0.0.0/24 address space for this application. Only the front-end load balancer should be exposed to the Internet. There are concerns about the limited size of the address space and the ability of each tier to scale.
What should the VPC subnet design be in each Availability Zone?
- A. One public subnet for the load balancer tier, one public subnet for the front-end tier, and one private subnet for the backend tier.
- B. One shared public subnet for all tiers of the application.
- C. One public subnet for the load balancer tier and one shared private subnet for the application tiers.
- D. One shared private subnet for all tiers of the application.
A Solutions Architect must select the storage type for a big data application that requires very high sequential I/O. The data must persist if the instance is stopped.
Which of the following storage types will provide the best fit at the LOWEST cost for the application?
- A. An Amazon EC2 instance store local SSD volume.
- B. An Amazon EBS provisioned IOPS SSD volume.
- C. An Amazon EBS throughput optimized HDD volume.
- D. An Amazon EBS general purpose SSD volume.
Two Auto Scaling applications, Application A and Application B, currently run within a shared set of subnets. A Solutions Architect wants to make sure that Application A can make requests to Application B, but Application B should be denied from making requests to Application A.
Which is the SIMPLEST solution to achieve this policy?
- A. Using security groups that reference the security groups of the other application
- B. Using security groups that reference the application server’s IP addresses
- C. Using Network Access Control Lists to allow/deny traffic based on application IP addresses
- D. Migrating the applications to separate subnets from each other
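The two-tier question at the top of the page and the Application A/B question above turn on the same two facts: security groups are stateful and allow-only, so a single inbound rule for port 443 also admits the server's reply; network ACLs are stateless and ordered, so the reply to the client's ephemeral port needs its own outbound rule. The following model, added here as an illustration and not AWS code, evaluates a TCP connection through both filters in both directions. All addresses, security group IDs and ports are made up for the demo; `connect()` returns the names of the filters that would drop the connection.

```python
"""Added example (not AWS code): a small model of VPC traffic filters that
shows why the answers differ for security groups and NACLs, and how a
security-group rule that references another security group gives one-way
access.  IDs, addresses and ports are made up for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass
class Rule:
    direction: str      # "in" or "out"
    port_from: int      # destination-port range of packets in that direction
    port_to: int
    peer: str           # CIDR, or a security group ID such as "sg-app-a"
    allow: bool = True  # NACLs have deny rules; security groups are allow-only
    number: int = 100   # NACL evaluation order (lowest matching rule wins)

    def matches(self, port: int, peer_ip: str, peer_sg: Optional[str]) -> bool:
        if not self.port_from <= port <= self.port_to:
            return False
        if self.peer.startswith("sg-"):          # rule references another SG
            return peer_sg == self.peer
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.peer)


@dataclass
class Host:
    ip: str
    sg: Optional[str] = None                 # None on all three: the host is
    sg_rules: Optional[List[Rule]] = None    # outside the VPC, so no SG or
    nacl: Optional[List[Rule]] = None        # subnet NACL applies to it


def sg_allows(host: Host, direction: str, port: int, peer_ip: str, peer_sg: Optional[str]) -> bool:
    # Security group: any matching rule allows; no ordering, no deny rules.
    return any(r.direction == direction and r.matches(port, peer_ip, peer_sg)
               for r in host.sg_rules)


def nacl_allows(host: Host, direction: str, port: int, peer_ip: str) -> bool:
    # NACL: lowest-numbered matching rule decides; the trailing "*" rule denies.
    for r in sorted(host.nacl, key=lambda r: r.number):
        if r.direction == direction and r.matches(port, peer_ip, None):
            return r.allow
    return False


def connect(client: Host, server: Host, port: int, ephemeral: int = 49152) -> List[str]:
    """Names of the filters that would drop a TCP connection client -> server:port.
    An empty list means the request and the server's reply both get through."""
    dropped = []
    # Request packet: client -> server, destination port = service port.
    if client.sg_rules is not None and not sg_allows(client, "out", port, server.ip, server.sg):
        dropped.append("client SG outbound")
    if client.nacl is not None and not nacl_allows(client, "out", port, server.ip):
        dropped.append("client NACL outbound")
    if server.nacl is not None and not nacl_allows(server, "in", port, client.ip):
        dropped.append("server NACL inbound")
    if server.sg_rules is not None and not sg_allows(server, "in", port, client.ip, client.sg):
        dropped.append("server SG inbound")
    # Reply packet: server -> client, destination port = client's ephemeral port.
    # Security groups are stateful and pass it with no rule; NACLs are stateless
    # and evaluate it as a fresh packet in the opposite direction.
    if server.nacl is not None and not nacl_allows(server, "out", ephemeral, client.ip):
        dropped.append("server NACL outbound (ephemeral reply port)")
    if client.nacl is not None and not nacl_allows(client, "in", ephemeral, server.ip):
        dropped.append("client NACL inbound (ephemeral reply port)")
    return dropped


def https_from_internet(nacl_out_ports: Tuple[int, int]) -> List[str]:
    """Web server with the SG rule from option A (443 inbound from anywhere)
    and a NACL allowing 443 in plus the given port range out:
    (0, 65535) is option C, (443, 443) is option E."""
    web = Host("10.0.1.10", "sg-web",
               sg_rules=[Rule("in", 443, 443, ANY)],
               nacl=[Rule("in", 443, 443, ANY), Rule("out", *nacl_out_ports, ANY)])
    internet_client = Host("198.51.100.7")     # outside the VPC, unfiltered
    return connect(internet_client, web, 443)


def one_way_between_apps() -> dict:
    """Application B's SG admits port 8080 only from Application A's SG; A's SG
    has no inbound rule for B.  The shared subnet keeps the default allow-all NACL."""
    open_nacl = [Rule("in", 0, 65535, ANY), Rule("out", 0, 65535, ANY)]
    app_a = Host("10.0.2.10", "sg-app-a", [Rule("out", 0, 65535, ANY)], open_nacl)
    app_b = Host("10.0.2.20", "sg-app-b",
                 [Rule("in", 8080, 8080, "sg-app-a"), Rule("out", 0, 65535, ANY)], open_nacl)
    return {"A->B": connect(app_a, app_b, 8080), "B->A": connect(app_b, app_a, 8080)}


if __name__ == "__main__":
    print("option C:", https_from_internet((0, 65535)) or "allowed")
    print("option E:", https_from_internet((443, 443)))
    print(one_way_between_apps())
```

Option E fails only on the reply leg, which is the detail the two-tier question is testing. For the A/B question, note that A's reply traffic to B never needs a rule in A's security group, and that the reference is by security group ID, so instances that scale in and out are covered without touching IP addresses; the bastion question at the end of this page uses the same pattern (web servers admit SSH only from the bastion's security group).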
Legacy applications currently send messages through a single Amazon EC2 instance, which then routes the messages to the appropriate destinations. The Amazon EC2 instance is a bottleneck and single point of failure, so the company would like to address these issues.
Which services could address this architectural use case? (Choose two.)
- A. Amazon SNS
- B. AWS STS
- C. Amazon SQS
- D. Amazon Route 53
- E. AWS Glue
A Solutions Architect needs to design an architecture for a new, mission-critical batch processing billing application. The application is required to run Monday, Wednesday, and Friday from 5 AM to 11 AM.
Which is the MOST cost-effective Amazon EC2 pricing model?
- A. Amazon EC2 Spot Instances
- B. On-Demand Amazon EC2 Instances
- C. Scheduled Reserved Instances
- D. Dedicated Amazon EC2 Instances
A workload consists of downloading an image from an Amazon S3 bucket, processing the image, and moving it to another Amazon S3 bucket. An Amazon EC2 instance runs a scheduled task every hour to perform the operation.
How should a Solutions Architect redesign the process so that it is highly available?
- A. Change the Amazon EC2 instance to compute optimized.
- B. Launch a second Amazon EC2 instance to monitor the health of the first.
- C. Trigger a Lambda function when a new object is uploaded.
- D. Initially copy the images to an attached Amazon EBS volume.
An application is running on an Amazon EC2 instance in a private subnet. The application needs to read and write data onto Amazon Kinesis Data Streams, and corporate policy requires that this traffic should not go to the internet.
How can these requirements be met?
- A. Configure a NAT gateway in a public subnet and route all traffic to Amazon Kinesis through the NAT gateway.
- B. Configure a gateway VPC endpoint for Kinesis and route all traffic to Kinesis through the gateway VPC endpoint.
- C. Configure an interface VPC endpoint for Kinesis and route all traffic to Kinesis through the interface VPC endpoint.
- D. Configure an AWS Direct Connect private virtual interface for Kinesis and route all traffic to Kinesis through the virtual interface.
A Solutions Architect is building an application that stores object data. Compliance requirements state that the data stored is immutable.
Which service meets these requirements?
- A. Amazon S3
- B. Amazon Glacier
- C. Amazon EFS
- D. AWS Storage Gateway
Archives stored in Amazon Glacier are immutable: once an archive is created it cannot be updated in place, only deleted and uploaded again as a new archive. That protects compliance and regulatory records from being altered after they are archived. It does not by itself prevent deletion; for retention rules that must also block deletes, apply a Glacier Vault Lock policy, which becomes unchangeable once the lock is completed.
A Solutions Architect is defining a shared Amazon S3 bucket where corporate applications will save objects.
How can the Architect ensure that when an application uploads an object to the Amazon S3 bucket, the object is encrypted?
- A. Set a CORS configuration.
- B. Set a bucket policy to encrypt all Amazon S3 objects.
- C. Enable default encryption on the bucket.
- D. Set permission for users.
An application tier currently hosts two web services on the same set of instances, listening on different ports.
Which AWS service should a Solutions Architect use to route traffic to the service based on the incoming request path?
- A. AWS Application Load Balancer
- B. Amazon CloudFront
- C. Amazon Classic Load Balancer
- D. Amazon Route 53
A data analytics startup company asks a Solutions Architect to recommend an AWS data store option for indexed data. The data processing engine will generate and input more than 64 TB of processed data every day, with item sizes reaching up to 300 KB. The startup is flexible with data storage and is more interested in a database that requires minimal effort to scale with growing dataset size.
Which AWS data store service should the Architect recommend?
- A. Amazon RDS
- B. Amazon Redshift
- C. Amazon DynamoDB
- D. Amazon S3
A Solutions Architect needs to allow developers to have SSH connectivity to web servers. The requirements are as follows:
- Limit access to users originating from the corporate network.
- Web servers cannot have SSH access directly from the Internet.
- Web servers reside in a private subnet.
Which combination of steps must the Architect complete to meet these requirements? (Choose two.)
- A. Create a bastion host that authenticates users against the corporate directory.
- B. Create a bastion host with security group rules that only allow traffic from the corporate network.
- C. Attach an IAM role to the bastion host with relevant permissions.
- D. Configure the web servers’ security group to allow SSH traffic from a bastion host.
- E. Deny all SSH traffic from the corporate network in the inbound network ACL.
Correct Answer: BD