SAA-C03 dumps

Amazon SAA-C03 Question Answers

AWS Certified Solutions Architect - Associate (SAA-C03) Dumps March 2025

Are you tired of looking for a source that'll keep you updated on the AWS Certified Solutions Architect - Associate (SAA-C03) Exam and has a collection of affordable, high-quality, and incredibly easy Amazon SAA-C03 Practice Questions? Well then, you are in luck because Salesforcexamdumps.com just updated them! Get ready to become AWS Certified Associate certified.

PDF $160 $32
Test Engine $240 $48
PDF + Test Engine $320 $64

Here are Amazon SAA-C03 PDF available features:

999 questions with answers
Update Date: 24 Mar, 2025
1 day study required to pass exam
100% Passing Assurance
100% Money Back Guarantee
Free 3 Months Updates

Last 24 Hours Result

92 Students Passed
95% Average Marks
94% Questions From Dumps
4815 Total Happy Clients

What is Amazon SAA-C03?

Amazon SAA-C03 is a necessary certification exam to get certified. The certification is a reward to the deserving candidate with perfect results. The AWS Certified Associate Certification validates a candidate's expertise to work with Amazon. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck in passing the AWS Certified Solutions Architect - Associate (SAA-C03) Exam and becoming a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Amazon SAA-C03 Practice Questions. Passing AWS Certified Solutions Architect - Associate (SAA-C03) will be your ticket to a better future!

Pass with Amazon SAA-C03 Braindumps!

Contrary to the belief that certification exams are generally hard to get through, passing AWS Certified Solutions Architect - Associate (SAA-C03) is incredibly easy, provided you have access to a reliable resource such as the Salesforcexamdumps.com Amazon SAA-C03 PDF. We have been in this business long enough to understand where most of the resources went wrong. Passing the Amazon AWS Certified Associate certification is all about having the right information. Hence, we filled our Amazon SAA-C03 Dumps with all the necessary data you need to pass. These carefully curated sets of AWS Certified Solutions Architect - Associate (SAA-C03) Practice Questions target the most repeated exam questions. So, you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Amazon SAA-C03 Braindumps now!

We aim to provide all AWS Certified Associate certification exam candidates with the best resources at minimum rates. You can check out our free demo before downloading to ensure the Amazon SAA-C03 Practice Questions are what you wanted. And do not forget about the discount. We always provide our customers with a little extra.

Why Choose Amazon SAA-C03 PDF?

Unlike other websites, Salesforcexamdumps.com prioritizes the benefits of the AWS Certified Solutions Architect - Associate (SAA-C03) candidates. Not every Amazon exam candidate has full-time access to the internet. Plus, it's hard to sit in front of computer screens for too many hours. Are you also one of them? We understand; that's why we are here with the AWS Certified Associate solutions. Amazon SAA-C03 Question Answers are offered in two different formats: PDF and Online Test Engine. One is for customers who like online platforms for real-like exam simulation. The other is for ones who prefer keeping their material close at hand. Moreover, you can download or print Amazon SAA-C03 Dumps with ease.

If you still have some queries, our team of experts is available 24/7 to answer your questions. Just leave us a quick message in the chat box below or email us at support@salesforcexamdumps.com.

Amazon SAA-C03 Sample Questions

Question # 1

A solutions architect needs to host a high performance computing (HPC) workload in the AWS Cloud. The workload will run on hundreds of Amazon EC2 instances and will require parallel access to a shared file system to enable distributed processing of large datasets. Datasets will be accessed across multiple instances simultaneously. The workload requires access latency within 1 ms. After processing has completed, engineers will need access to the dataset for manual postprocessing. Which solution will meet these requirements?

A. Use Amazon Elastic File System (Amazon EFS) as a shared file system. Access the dataset from Amazon EFS.
B. Mount an Amazon S3 bucket to serve as the shared file system. Perform postprocessing directly from the S3 bucket. 
C. Use Amazon FSx for Lustre as a shared file system. Link the file system to an Amazon S3 bucket for postprocessing. 
D. Configure AWS Resource Access Manager to share an Amazon S3 bucket so that it can be mounted to all instances for processing and postprocessing. 


Question # 2

A company that has multiple AWS accounts maintains an on-premises Microsoft Active Directory. The company needs a solution to implement Single Sign-On for its employees. The company wants to use AWS IAM Identity Center. The solution must meet the following requirements:

Allow users to access AWS accounts and third-party applications by using existing Active Directory credentials.
Enforce multi-factor authentication (MFA) to access AWS accounts.
Centrally manage permissions to access AWS accounts and applications.

Options:

A. Create an IAM identity provider for Active Directory in each AWS account. Ensure that Active Directory users and groups access AWS accounts directly through IAM roles. Use IAM Identity Center to enforce MFA in each account for all users. 
B. Use AWS Directory Service to create a new AWS Managed Microsoft AD Active Directory. Configure IAM Identity Center in each account to use the new AWS Managed Microsoft AD Active Directory as the identity source. Use IAM Identity Center to enforce MFA for all users. 
C. Use IAM Identity Center with the existing Active Directory as the identity source. Enforce MFA for all users. Use AWS Organizations and Active Directory groups to manage access permissions for AWS accounts and application access. 
D. Use AWS Lambda functions to periodically synchronize Active Directory users and groups with IAM users and groups in each AWS account. Use IAM roles and policies to manage application access. Create a second Lambda function to enforce MFA. 


Question # 3

A company has an application that receives and processes purchase orders. The application supports only XML data. The company needs to configure the application to accept orders in JSON format. The company does not want to modify the application. A solutions architect is using an Amazon API Gateway HTTP API to create a new purchase order API. The solutions architect needs to modify the application DNS record to point to the new HTTP API.

A. Use an HTTP proxy integration to pass XML requests to the application. For JSON requests, use API Gateway mappings to convert the purchase orders to XML. Use an AWS Lambda function that is integrated with API Gateway to call the application.
B. Use an HTTP proxy integration to pass XML requests to the application. For JSON requests, use an AWS Lambda function that is integrated with API Gateway to convert the purchase orders from JSON to XML and to call the application.
C. Use an HTTP custom integration to pass XML requests to the application. For JSON requests, use API Gateway mappings to convert the purchase orders to XML. Use an AWS Lambda function that is integrated with API Gateway to call the application.
D. Use an HTTP custom integration to pass XML requests to the application. For JSON requests, use an AWS Lambda function that is integrated with API Gateway to convert the purchase orders to JSON and to call the application.


Question # 4

A company wants to deploy an AWS Lambda function that will read and write objects to an Amazon S3 bucket. The Lambda function must be connected to the company's VPC. The company must deploy the Lambda function only to private subnets in the VPC. The Lambda function must not be allowed to access the internet. Which solutions will meet these requirements? (Select TWO.)

A. Create a private NAT gateway to access the S3 bucket.
B. Attach an Elastic IP address to the NAT gateway.
C. Create a gateway VPC endpoint for the S3 bucket.
D. Create an interface VPC endpoint for the S3 bucket.
E. Create a public NAT gateway to access the S3 bucket.


Question # 5

A gaming company is building an application that uses a database to store user data. The company wants the database to have an active-active configuration that allows data writes to a secondary AWS Region. The database must achieve a sub-second recovery point objective (RPO). Options:

A. Deploy an Amazon ElastiCache (Redis OSS) cluster. Configure a global data store for disaster recovery. Configure the ElastiCache cluster to cache data from an Amazon RDS database that is deployed in the primary Region. 
B. Deploy an Amazon DynamoDB table in the primary Region and the secondary Region. Configure Amazon DynamoDB Streams to invoke an AWS Lambda function to write changes from the table in the primary Region to the table in the secondary Region. 
C. Deploy an Amazon Aurora MySQL database in the primary Region. Configure a global database for the secondary Region. 
D. Deploy an Amazon DynamoDB table in the primary Region. Configure global tables for the secondary Region. 


Question # 6

A company hosts an application that processes highly sensitive customer transactions on AWS. The application uses Amazon RDS as its database. The company manages its own encryption keys to secure the data in Amazon RDS. The company needs to update the customer-managed encryption keys at least once each year. Which solution will meet these requirements with the LEAST operational overhead?

A. Set up automatic key rotation in AWS Key Management Service (AWS KMS) for the encryption keys. 
B. Configure AWS Key Management Service (AWS KMS) to alert the company to rotate the encryption keys annually. 
C. Schedule an AWS Lambda function to rotate the encryption keys annually. 
D. Create an AWS CloudFormation stack to run an AWS Lambda function that deploys new encryption keys once each year. 


Question # 7

A company recently launched a new application for its customers. The application runs on multiple Amazon EC2 instances across two Availability Zones. End users use TCP to communicate with the application. The application must be highly available and must automatically scale as the number of users increases. Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

A. Add a Network Load Balancer in front of the EC2 instances. 
B. Configure an Auto Scaling group for the EC2 instances. 
C. Add an Application Load Balancer in front of the EC2 instances. 
D. Manually add more EC2 instances for the application. 
E. Add a Gateway Load Balancer in front of the EC2 instances. 


Question # 8

A solutions architect is designing the architecture for a company website that is composed of static content. The company's target customers are located in the United States and Europe. Which architecture should the solutions architect recommend to MINIMIZE cost?

A. Store the website files on Amazon S3 in the us-east-2 Region. Use an Amazon CloudFront distribution with the price class configured to limit the edge locations in use. 
B. Store the website files on Amazon S3 in the us-east-2 Region. Use an Amazon CloudFront distribution with the price class configured to maximize the use of edge locations. 
C. Store the website files on Amazon S3 in the us-east-2 Region and the eu-west-1 Region. Use an Amazon CloudFront geolocation routing policy to route requests to the closest Region to the user. 
D. Store the website files on Amazon S3 in the us-east-2 Region and the eu-west-1 Region. Use an Amazon CloudFront distribution with an Amazon Route 53 latency routing policy to route requests to the closest Region to the user. 


Question # 9

A company wants to design a microservices architecture for an application. Each microservice must perform operations that can be completed within 30 seconds. The microservices need to expose RESTful APIs and must automatically scale in response to varying loads. The APIs must also provide client access control and rate limiting to maintain equitable usage and service availability. Which solution will meet these requirements with the LEAST operational overhead?

A. Use Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 to host each microservice. Use Amazon API Gateway to manage the RESTful API requests. 
B. Deploy each microservice as a set of AWS Lambda functions. Use Amazon API Gateway to manage the RESTful API requests. 
C. Host each microservice on Amazon EC2 instances in Auto Scaling groups behind an Elastic Load Balancing (ELB) load balancer. Use the ELB to manage the RESTful API requests. 
D. Deploy each microservice on Amazon Elastic Beanstalk. Use Amazon CloudFront to manage the RESTful API requests. 


Question # 10

A solutions architect is designing the network architecture for an application that runs on Amazon EC2 instances in an Auto Scaling group. The application needs to access data that is in Amazon S3 buckets. Traffic to the S3 buckets must not use public IP addresses. The solutions architect will deploy the application in a VPC that has public and private subnets. Which solutions will meet these requirements? (Select TWO.)

A. Deploy the EC2 instances in a private subnet. Configure a default route to an egress-only internet gateway.
B. Deploy the EC2 instances in a public subnet. Create a gateway endpoint for Amazon S3. Associate the endpoint with the subnet's route table. 
C. Deploy the EC2 instances in a public subnet. Create an interface endpoint for Amazon S3. Configure DNS hostnames and DNS resolution for the VPC. 
D. Deploy the EC2 instances in a private subnet. Configure a default route to a NAT gateway in a public subnet. 
E. Deploy the EC2 instances in a private subnet. Configure a default route to a customer gateway. 


Question # 11

A company is building a serverless application to process orders from an ecommerce site. The application needs to handle bursts of traffic during peak usage hours and to maintain high availability. The orders must be processed asynchronously in the order the application receives them. Which solution will meet these requirements?

A. Use an Amazon Simple Notification Service (Amazon SNS) topic to receive orders. Use an AWS Lambda function to process the orders. 
B. Use an Amazon Simple Queue Service (Amazon SQS) FIFO queue to receive orders. Use an AWS Lambda function to process the orders. 
C. Use an Amazon Simple Queue Service (Amazon SQS) standard queue to receive orders. Use AWS Batch jobs to process the orders. 
D. Use an Amazon Simple Notification Service (Amazon SNS) topic to receive orders. Use AWS Batch jobs to process the orders. 


Question # 12

A company plans to use AWS to run high-performance computing (HPC) workloads and analytics workloads. The company will run HPC workloads on Amazon EC2 instances. The workloads require a high-performance file system that can scale to millions of input/output operations per second (IOPS). Which combination of steps will meet these requirements? (Select TWO.)

A. Use Amazon Elastic File System (Amazon EFS) as a high-performance file system.
B. Use Amazon FSx for Lustre as a high-performance file system.
C. Create an Auto Scaling group of Amazon EC2 instances. Use Reserved Instances. Configure a spread placement group. Use AWS Batch to run the analytics workloads.
D. Use Mountpoint for Amazon S3 as a high-performance file system.
E. Create an Auto Scaling group of Amazon EC2 instances. Use a mix of On-Demand Instances, Reserved Instances, and Spot Instances. Configure a cluster placement group. Use Amazon EMR to run the analytics workloads.


Question # 13

A company is designing a new Amazon Elastic Kubernetes Service (Amazon EKS) deployment to host multi-tenant applications that use a single cluster. The company wants to ensure that each pod has its own hosted environment. The environments must not share CPU, memory, storage, or elastic network interfaces. Which solution will meet these requirements?

A. Use Amazon EC2 instances to host self-managed Kubernetes clusters. Use taints and tolerations to enforce isolation boundaries.
B. Use Amazon EKS with AWS Fargate. Use Fargate to manage resources and to enforce isolation boundaries. 
C. Use Amazon EKS and self-managed node groups. Use taints and tolerations to enforce isolation boundaries. 
D. Use Amazon EKS and managed node groups. Use taints and tolerations to enforce isolation boundaries. 


Question # 14

A solutions architect is investigating compute options for a critical analytics application. The application uses long-running processes to prepare and aggregate data. The processes cannot be interrupted. The application has a known baseline load. The application needs to handle occasional usage surges. Which solution will meet these requirements MOST cost-effectively?

A. Create an Amazon EC2 Auto Scaling group. Set the Min capacity and Desired capacity parameters to the number of instances required to handle the baseline load. Purchase Reserved Instances for the Auto Scaling group. 
B. Create an Amazon EC2 Auto Scaling group. Set the Min capacity, Max capacity, and Desired capacity parameters to the number of instances required to handle the baseline load. Use On-Demand Instances to address occasional usage surges. 
C. Create an Amazon EC2 Auto Scaling group. Set the Min capacity and Desired capacity parameters to the number of instances required to handle the baseline load. Purchase Reserved Instances for the Auto Scaling group. Use the OnDemandPercentageAboveBaseCapacity parameter to configure the launch template to launch Spot Instances. 
D. Re-architect the application to use AWS Lambda functions instead of Amazon EC2 instances. Purchase a one-year Compute Savings Plan to reduce the cost of Lambda usage. 


Question # 15

A company runs its workloads on Amazon Elastic Container Service (Amazon ECS). The container images that the ECS task definition uses need to be scanned for Common Vulnerabilities and Exposures (CVEs). New container images that are created also need to be scanned. Which solution will meet these requirements with the FEWEST changes to the workloads?

A. Use Amazon Elastic Container Registry (Amazon ECR) as a private image repository to store the container images. Specify scan on push filters for the ECR basic scan. 
B. Store the container images in an Amazon S3 bucket. Use Amazon Macie to scan the images. Use an S3 Event Notification to initiate a Macie scan for every event with an s3:ObjectCreated:Put event type.
C. Deploy the workloads to Amazon Elastic Kubernetes Service (Amazon EKS). Use Amazon Elastic Container Registry (Amazon ECR) as a private image repository. Specify scan on push filters for the ECR enhanced scan. 
D. Store the container images in an Amazon S3 bucket that has versioning enabled. Configure an S3 Event Notification for s3:ObjectCreated:* events to invoke an AWS Lambda function. Configure the Lambda function to initiate an Amazon Inspector scan.


Question # 16

A company is migrating a new application from an on-premises data center to a new VPC in the AWS Cloud. The company has multiple AWS accounts and VPCs that share many subnets and applications. The company wants to have fine-grained access control for the new application. The company wants to ensure that all network resources across accounts and VPCs that are granted permission to access the new application can access the application.

A. Set up a VPC peering connection for each VPC that needs access to the new application VPC. Update route tables in each VPC to enable connectivity. 
B. Deploy a transit gateway in the account that hosts the new application. Share the transit gateway with each account that needs to connect to the application. Update route tables in the VPC that hosts the new application and in the transit gateway to enable connectivity. 
C. Use an AWS PrivateLink endpoint service to make the new application accessible to other VPCs. Control access to the application by using an endpoint policy. 
D. Use an Application Load Balancer (ALB) to expose the new application to the internet. Configure authentication and authorization processes to ensure that only specified VPCs can access the application. 


Question # 17

A company wants to restrict access to the content of its web application. The company needs to protect the content by using authorization techniques that are available on AWS. The company also wants to implement a serverless architecture for authorization and authentication that has low login latency. The solution must integrate with the web application and serve web content globally. The application currently has a small user base, but the company expects the application's user base to increase. Which solution will meet these requirements?

A. Configure Amazon Cognito for authentication. Implement Lambda@Edge for authorization. Configure Amazon CloudFront to serve the web application globally.
B. Configure AWS Directory Service for Microsoft Active Directory for authentication. Implement AWS Lambda for authorization. Use an Application Load Balancer to serve the web application globally.
C. Configure Amazon Cognito for authentication. Implement AWS Lambda for authorization. Use Amazon S3 Transfer Acceleration to serve the web application globally.
D. Configure AWS Directory Service for Microsoft Active Directory for authentication. Implement Lambda@Edge for authorization. Use AWS Elastic Beanstalk to serve the web application globally. 


Question # 18

A consulting company provides professional services to customers worldwide. The company provides solutions and tools for customers to expedite gathering and analyzing data on AWS. The company needs to centrally manage and deploy a common set of solutions and tools for customers to use for self-service purposes. Which solution will meet these requirements?

A. Create AWS CloudFormation templates for the customers.
B. Create AWS Service Catalog products for the customers.
C. Create AWS Systems Manager templates for the customers.
D. Create AWS Config items for the customers.


Question # 19

A company has a static website that is hosted on Amazon CloudFront in front of Amazon S3. The static website uses a database backend. The company notices that the website does not reflect updates that have been made in the website's Git repository. The company checks the continuous integration and continuous delivery (CI/CD) pipeline between the Git repository and Amazon S3. The company verifies that the webhooks are configured properly and that the CI/CD pipeline is sending messages that indicate successful deployments. A solutions architect needs to implement a solution that displays the updates on the website. Which solution will meet these requirements?

A. Add an Application Load Balancer. 
B. Add Amazon ElastiCache for Redis or Memcached to the database layer of the web application. 
C. Invalidate the CloudFront cache. 
D. Use AWS Certificate Manager (ACM) to validate the website's SSL certificate. 


Question # 20

A solutions architect needs to optimize a large data analytics job that runs on an Amazon EMR cluster. The job takes 13 hours to finish. The cluster has multiple core nodes and worker nodes deployed on large, compute-optimized instances. After reviewing EMR logs, the solutions architect discovers that several nodes are idle for more than 5 hours while the job is running. The solutions architect needs to optimize cluster performance. Which solution will meet this requirement MOST cost-effectively?

A. Increase the number of core nodes to ensure there is enough processing power to handle the analytics job without any idle time. 
B. Use the EMR managed scaling feature to automatically resize the cluster based on workload. 
C. Migrate the analytics job to a set of AWS Lambda functions. Configure reserved concurrency for the functions. 
D. Migrate the analytics job core nodes to a memory-optimized instance type to reduce the total job runtime. 


Question # 21

A company hosts an application on AWS. The application gives users the ability to upload photos and store the photos in an Amazon S3 bucket. The company wants to use Amazon CloudFront and a custom domain name to upload the photo files to the S3 bucket in the eu-west-1 Region. Which solution will meet these requirements? (Select TWO.)

A. Use AWS Certificate Manager (ACM) to create a public certificate in the us-east-1 Region. Use the certificate in CloudFront.
B. Use AWS Certificate Manager (ACM) to create a public certificate in eu-west-1. Use the certificate in CloudFront. 
C. Configure Amazon S3 to allow uploads from CloudFront. Configure S3 Transfer Acceleration. 
D. Configure Amazon S3 to allow uploads from CloudFront origin access control (OAC). 
E. Configure Amazon S3 to allow uploads from CloudFront. Configure an Amazon S3 website endpoint. 


Question # 22

How can DynamoDB data be made available for long-term analytics with minimal operational overhead?

A. Configure DynamoDB incremental exports to S3.
B. Configure DynamoDB Streams to write records to S3.
C. Configure EMR to copy DynamoDB data to S3.
D. Configure EMR to copy DynamoDB data to HDFS.


Question # 23

A company wants to publish a private website for its on-premises employees. The website consists of several HTML pages and image files. The website must be available only through HTTPS and must be available only to on-premises employees. A solutions architect plans to store the website files in an Amazon S3 bucket. Which solution will meet these requirements?

A. Create an S3 bucket policy to deny access when the source IP address is not the public IP address of the on-premises environment. Set up an Amazon Route 53 alias record to point to the S3 bucket. Provide the alias record to the on-premises employees to grant the employees access to the website.
B. Create an S3 access point to provide website access. Attach an access point policy to deny access when the source IP address is not the public IP address of the on-premises environment. Provide the S3 access point alias to the on-premises employees to grant the employees access to the website. 
C. Create an Amazon CloudFront distribution that includes an origin access control (OAC) that is configured for the S3 bucket. Use AWS Certificate Manager for SSL. Use AWS WAF with an IP set rule that allows access for the on-premises IP address. Set up an Amazon Route 53 alias record to point to the CloudFront distribution. 
D. Create an Amazon CloudFront distribution that includes an origin access control (OAC) that is configured for the S3 bucket. Create a CloudFront signed URL for the objects in the bucket. Set up an Amazon Route 53 alias record to point to the CloudFront distribution. Provide the signed URL to the on-premises employees to grant the employees access to the website. 


Question # 24

A company has a large amount of data in an Amazon DynamoDB table. A large batch of data is appended to the table once each day. The company wants a solution that will make all the existing and future data in DynamoDB available for analytics on a long-term basis. Which solution meets these requirements with the LEAST operational overhead?

A. Configure DynamoDB incremental exports to Amazon S3. 
B. Configure Amazon DynamoDB Streams to write records to Amazon S3. 
C. Configure Amazon EMR to copy DynamoDB data to Amazon S3. 
D. Configure Amazon EMR to copy DynamoDB data to Hadoop Distributed File System (HDFS). 


Question # 25

A company is developing a public web application that needs to access multiple AWS services. The application will have hundreds of users who must log in to the application first before using the services. The company needs to implement a secure and scalable method to grant the web application temporary access to the AWS resources. Which solution will meet these requirements?

A. Create an IAM role for each AWS service that the application needs to access. Assign the roles directly to the instances that the web application runs on.
B. Create an IAM role that has the access permissions the web application requires. Configure the web application to use AWS Security Token Service (AWS STS) to assume the IAM role. Use STS tokens to access the required AWS services. 
C. Use AWS IAM Identity Center to create a user pool that includes the application users. Assign access credentials to the web application users. Use the credentials to access the required AWS services.
D. Create an IAM user that has programmatic access keys for the AWS services. Store the access keys in AWS Systems Manager Parameter Store. Retrieve the access keys from Parameter Store. Use the keys in the web application. 


Question # 26

A company is migrating applications from an on-premises Microsoft Active Directory that the company manages to AWS. The company deploys the applications in multiple AWS accounts. The company uses AWS Organizations to manage the accounts centrally. The company's security team needs a single sign-on solution across all the company's AWS accounts. The company must continue to manage users and groups that are in the on-premises Active Directory. Which solution will meet these requirements?

A. Create an Enterprise Edition Active Directory in AWS Directory Service for Microsoft Active Directory. Configure the Active Directory to be the identity source for AWS IAM Identity Center.
B. Enable AWS IAM Identity Center. Configure a two-way forest trust relationship to connect the company's self-managed Active Directory with IAM Identity Center by using AWS Directory Service for Microsoft Active Directory.
C. Use AWS Directory Service and create a two-way trust relationship with the company's self-managed Active Directory.
D. Deploy an identity provider (IdP) on Amazon EC2. Link the IdP as an identity source within AWS IAM Identity Center.


Question # 28

A company is implementing a new policy to enhance the security of its AWS environment. The policy requires all administrative actions that users perform on the AWS Management Console to be secured by multi-factor authentication (MFA). Which solution will allow the company to enforce this policy in the MOST operationally efficient way?

A. Enable MFA on the root account. Ensure that all administrators use the root account to perform administrative actions. 
B. Create an IAM policy that requires MFA to be enabled for the IAM roles that administrators assume to perform administrative actions.
C. Configure an Amazon CloudWatch alarm that sends an email notification when an administrator performs an administrative action without MFA.
D. Use AWS Config to periodically audit IAM users and to automatically attach an IAM policy that requires MFA when AWS Config detects administrative actions.


Question # 29

A company creates operations data and stores the data in an Amazon S3 bucket. For the company's annual audit, an external consultant needs to access an annual report that is stored in the S3 bucket. The external consultant needs to access the report for 7 days. The company must implement a solution to allow the external consultant access to only the report. Which solution will meet these requirements with the MOST operational efficiency?

A. Create a new S3 bucket that is configured to host a public static website. Migrate the operations data to the new S3 bucket. Share the S3 website URL with the external consultant. 
B. Enable public access to the S3 bucket for 7 days. Remove access to the S3 bucket when the external consultant completes the audit. 
C. Create a new IAM user that has access to the report in the S3 bucket. Provide the access keys to the external consultant. Revoke the access keys after 7 days.
D. Generate a presigned URL that has the required access to the location of the report on the S3 bucket. Share the presigned URL with the external consultant. 


Question # 30

A solutions architect needs to implement a solution that can handle up to 5,000 messages per second. The solution must publish messages as events to multiple consumers. The messages are up to 500 KB in size. The message consumers need to have the ability to use multiple programming languages to consume the messages with minimal latency. The solution must retain published messages for more than 3 months. The solution must enforce strict ordering of the messages. Which solution will meet these requirements?

A. Publish messages to an Amazon Kinesis Data Streams data stream. Enable enhanced fan-out. Ensure that consumers ingest the data stream by using dedicated throughput. 
B. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic. Ensure that consumers use an Amazon Simple Queue Service (Amazon SQS) FIFO queue to subscribe to the topic. 
C. Publish messages to Amazon EventBridge. Allow each consumer to create rules to deliver messages to the consumer's own target. 
D. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic. Ensure that consumers use Amazon Data Firehose to subscribe to the topic. 


Question # 31

An online gaming company is transitioning user data storage to Amazon DynamoDB to support the company's growing user base. The current architecture includes DynamoDB tables that contain user profiles, achievements, and in-game transactions. The company needs to design a robust, continuously available, and resilient DynamoDB architecture to maintain a seamless gaming experience for users. Which solution will meet these requirements MOST cost-effectively?

A. Create DynamoDB tables in a single AWS Region. Use on-demand capacity mode. Use global tables to replicate data across multiple Regions. 
B. Use DynamoDB Accelerator (DAX) to cache frequently accessed data. Deploy tables in a single AWS Region and enable auto scaling. Configure Cross-Region Replication manually to additional Regions. 
C. Create DynamoDB tables in multiple AWS Regions. Use on-demand capacity mode. Use DynamoDB Streams for Cross-Region Replication between Regions. 
D. Use DynamoDB global tables for automatic multi-Region replication. Deploy tables in multiple AWS Regions. Use provisioned capacity mode. Enable auto scaling. 


Question # 32

A company needs a solution to enforce data encryption at rest on Amazon EC2 instances. The solution must automatically identify noncompliant resources and enforce compliance policies on findings. Which solution will meet these requirements with the LEAST administrative overhead?

A. Use an IAM policy that allows users to create only encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Config and AWS Systems Manager to automate the detection and remediation of unencrypted EBS volumes.
B. Use AWS Key Management Service (AWS KMS) to manage access to encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Lambda and Amazon EventBridge to automate the detection and remediation of unencrypted EBS volumes. 
C. Use Amazon Macie to detect unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Systems Manager Automation rules to automatically encrypt existing and new EBS volumes. 
D. Use Amazon Inspector to detect unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Systems Manager Automation rules to automatically encrypt existing and new EBS volumes. 


Question # 33

A company wants to use an API to translate text from one language to another. The API must receive an HTTP header value and pass the value to an embedded library. The API translates documents in 6 minutes. The API requires a custom authorization mechanism.

A. Configure an Amazon API Gateway REST API with AWS_PROXY integration to synchronously call an AWS Lambda function to perform translations.
B. Configure an AWS Lambda function with a Lambda function URL to synchronously call a second function to perform translations. 
C. Configure an Amazon API Gateway REST API with AWS_PROXY integration to asynchronously call an AWS Lambda function to perform translations. 
D. Configure an Amazon API Gateway REST API with HTTP PROXY integration to synchronously call a web endpoint that is hosted on an EC2 instance. 


Question # 34

A company runs an order management application on AWS. The application allows customers to place orders and pay with a credit card. The company uses an Amazon CloudFront distribution to deliver the application. A security team has set up logging for all incoming requests. The security team needs a solution to generate an alert if any user modifies the logging configuration. Which combination of solutions will meet these requirements? (Select TWO.)

A. Configure an Amazon EventBridge rule that is invoked when a user creates or modifies a CloudFront distribution. Add the AWS Lambda function as a target of the EventBridge rule. 
B. Create an Application Load Balancer (ALB). Enable AWS WAF rules for the ALB. Configure an AWS Config rule to detect security violations. 
C. Create an AWS Lambda function to detect changes in CloudFront distribution logging. Configure the Lambda function to use Amazon Simple Notification Service (Amazon SNS) to send notifications to the security team. 
D. Set up Amazon GuardDuty. Configure GuardDuty to monitor findings from the CloudFront distribution. Create an AWS Lambda function to address the findings. 
E. Create a private API in Amazon API Gateway. Use AWS WAF rules to protect the private API from common security problems. 


Question # 35

A solutions architect is designing the architecture for a company website that is composed of static content. The company's target customers are located in the United States and Europe. Which architecture should the solutions architect recommend to MINIMIZE cost?

A. Store the website files on Amazon S3 in the us-east-2 Region. Use an Amazon CloudFront distribution with the price class configured to limit the edge locations in use. 
B. Store the website files on Amazon S3 in the us-east-2 Region. Use an Amazon CloudFront distribution with the price class configured to maximize the use of edge locations. 
C. Store the website files on Amazon S3 in the us-east-2 Region and the eu-west-1 Region. Use an Amazon CloudFront geolocation routing policy to route requests to the closest Region to the user. 
D. Store the website files on Amazon S3 in the us-east-2 Region and the eu-west-1 Region. Use an Amazon CloudFront distribution with an Amazon Route 53 latency routing policy to route requests to the closest Region to the user. 


Question # 36

A company is developing an application in the AWS Cloud. The application's HTTP API contains critical information that is published in Amazon API Gateway. The critical information must be accessible from only a limited set of trusted IP addresses that belong to the company's internal network. Which solution will meet these requirements?

A. Set up an API Gateway private integration to restrict access to a predefined set of IP addresses.
B. Create a resource policy for the API that denies access to any IP address that is not specifically allowed. 
C. Directly deploy the API in a private subnet. Create a network ACL. Set up rules to allow the traffic from specific IP addresses. 
D. Modify the security group that is attached to API Gateway to allow inbound traffic from only the trusted IP addresses. 


Question # 37

A company is migrating a new application from an on-premises data center to a new VPC in the AWS Cloud. The company has multiple AWS accounts and VPCs that share many subnets and applications. The company wants to have fine-grained access control for the new application. The company wants to ensure that all network resources across accounts and VPCs that are granted permission to access the new application can access the application. Which solution will meet these requirements?

A. Set up a VPC peering connection for each VPC that needs access to the new application VPC. Update route tables in each VPC to enable connectivity. 
B. Deploy a transit gateway in the account that hosts the new application. Share the transit gateway with each account that needs to connect to the application. Update route tables in the VPC that hosts the new application and in the transit gateway to enable connectivity. 
C. Use an AWS PrivateLink endpoint service to make the new application accessible to other VPCs. Control access to the application by using an endpoint policy. 
D. Use an Application Load Balancer (ALB) to expose the new application to the internet. Configure authentication and authorization processes to ensure that only specified VPCs can access the application. 


Question # 38

A company is designing a microservice-based architecture for a new application on AWS. Each microservice will run on its own set of Amazon EC2 instances. Each microservice will need to interact with multiple AWS services such as Amazon S3 and Amazon Simple Queue Service (Amazon SQS). The company wants to manage permissions for each EC2 instance based on the principle of least privilege. Which solution will meet this requirement?

A. Assign an IAM user to each microservice. Use access keys stored within the application code to authenticate AWS service requests.
B. Create a single IAM role that has permission to access all AWS services. Associate the IAM role with all EC2 instances that run the microservices.
C. Use AWS Organizations to create a separate account for each microservice. Manage permissions at the account level.
D. Create individual IAM roles based on the specific needs of each microservice. Associate the IAM roles with the appropriate EC2 instances.


Question # 39

A company hosts a multi-tier inventory reporting application on AWS. The company needs a cost-effective solution to generate inventory reports on demand. Admin users need to have the ability to generate new reports. Reports take approximately 5-10 minutes to finish. The application must send reports to the email address of the admin user who generates each report. Options:

A. Use Amazon Elastic Container Service (Amazon ECS) to host the report generation code. Use an Amazon API Gateway HTTP API to invoke the code. Use Amazon Simple Email Service (Amazon SES) to send the reports to admin users. 
B. Use Amazon EventBridge to invoke a scheduled AWS Lambda function to generate the reports. Use Amazon Simple Notification Service (Amazon SNS) to send the reports to admin users. 
C. Use Amazon Elastic Kubernetes Service (Amazon EKS) to host the report generation code. Use an Amazon API Gateway REST API to invoke the code. Use Amazon Simple Notification Service (Amazon SNS) to send the reports to admin users. 
D. Create an AWS Lambda function to generate the reports. Use a function URL to invoke the function. Use Amazon Simple Email Service (Amazon SES) to send the reports to admin users.


Question # 40

A solutions architect needs to secure an Amazon API Gateway REST API. Users need to be able to log in to the API by using common external social identity providers (IdPs). The social IdPs must use standard authentication protocols such as SAML or OpenID Connect (OIDC). The solutions architect needs to protect the API against attempts to exploit application vulnerabilities. Which combination of steps will meet these security requirements? (Select TWO.)

A. Create an AWS WAF web ACL that is associated with the REST API. Add the appropriate managed rules to the ACL. 
B. Subscribe to AWS Shield Advanced. Enable DDoS protection. Associate Shield Advanced with the REST API.
C. Create an Amazon Cognito user pool with a federation to the social IdPs. Integrate the user pool with the REST API. 
D. Create an API key in API Gateway. Associate the API key with the REST API. 
E. Create an IP address filter in AWS WAF that allows only the social IdPs. Associate the filter with the web ACL and the API. 


Question # 41

A company is launching a new application that will be hosted on Amazon EC2 instances. A solutions architect needs to design a solution that does not allow public IPv4 access that originates from the internet. However, the solution must allow the EC2 instances to make outbound IPv4 internet requests.

A. Deploy a NAT gateway in public subnets in both Availability Zones. Create and configure one route table for each private subnet.
B. Deploy an internet gateway in public subnets in both Availability Zones. Create and configure a shared route table for the private subnets. 
C. Deploy a NAT gateway in public subnets in both Availability Zones. Create and configure a shared route table for the private subnets. 
D. Deploy an egress-only internet gateway in public subnets in both Availability Zones. Create and configure one route table for each private subnet. 


Question # 42

A company runs HPC workloads requiring high IOPS. Which combination of steps will meet these requirements? (Select TWO)

A. Use Amazon EFS as a high-performance file system.
B. Use Amazon FSx for Lustre as a high-performance file system.
C. Create an Auto Scaling group of EC2 instances. Use Reserved Instances. Configure a spread placement group. Use AWS Batch for analytics.
D. Use Mountpoint for Amazon S3 as a high-performance file system.
E. Create an Auto Scaling group of EC2 instances. Use mixed instance types and a cluster placement group. Use Amazon EMR for analytics.


Question # 43

A website uses EC2 instances with Auto Scaling and EFS. How can the company optimize costs?

A. Reconfigure the Auto Scaling group to set a desired number of instances. Turn off scheduled scaling. 
B. Create a new launch template version that uses larger EC2 instances. 
C. Reconfigure the Auto Scaling group to use a target tracking scaling policy. 
D. Replace the EFS volume with instance store volumes. 


Question # 44

A company has customers located across the world. The company wants to use automation to secure its systems and network infrastructure. The company's security team must be able to track and audit all incremental changes to the infrastructure. Which solution will meet these requirements?

A. Use AWS Organizations to set up the infrastructure. Use AWS Config to track changes.
B. Use AWS CloudFormation to set up the infrastructure. Use AWS Config to track changes.
C. Use AWS Organizations to set up the infrastructure. Use AWS Service Catalog to track changes.
D. Use AWS CloudFormation to set up the infrastructure. Use AWS Service Catalog to track changes.


Question # 45

A company is designing a web application with an internet-facing Application Load Balancer (ALB). The company needs the ALB to receive HTTPS web traffic from the public internet. The ALB must send only HTTPS traffic to the web application servers hosted on the Amazon EC2 instances on port 443. The ALB must perform a health check of the web application servers over HTTPS on port 8443. Which combination of configurations of the security group that is associated with the ALB will meet these requirements? (Select THREE.)

A. Allow HTTPS inbound traffic from 0.0.0.0/0 for port 443. 
B. Allow all outbound traffic to 0.0.0.0/0 for port 443. 
C. Allow HTTPS outbound traffic to the web application instances for port 443. 
D. Allow HTTPS inbound traffic from the web application instances for port 443.
E. Allow HTTPS outbound traffic to the web application instances for the health check on port 8443. 
F. Allow HTTPS inbound traffic from the web application instances for the health check on port 8443. 


Question # 46

A company wants to create an API to authorize users by using JSON Web Tokens (JWTs). The company needs to support dynamic access to multiple AWS services by using path-based routing. Which solution will meet these requirements?

A. Deploy an Application Load Balancer behind an Amazon API Gateway REST API. Configure IAM authorization.
B. Deploy an Application Load Balancer behind an Amazon API Gateway HTTP API. Use Amazon Cognito for authorization. 
C. Deploy a Network Load Balancer behind an Amazon API Gateway REST API. Use an AWS Lambda function as a custom authorizer. 
D. Deploy a Network Load Balancer behind an Amazon API Gateway HTTP API. Use Amazon Cognito for authorization. 


Question # 47

A company runs a production database on Amazon RDS for MySQL. The company wants to upgrade the database version for security compliance reasons. Because the database contains critical data, the company wants a quick solution to upgrade and test functionality without losing any data. Which solution will meet these requirements with the LEAST operational overhead?

A. Create an RDS manual snapshot. Upgrade to the new version of Amazon RDS for MySQL. 
B. Use native backup and restore. Restore the data to the upgraded new version of Amazon RDS for MySQL. 
C. Use AWS Database Migration Service (AWS DMS) to replicate the data to the upgraded new version of Amazon RDS for MySQL. 
D. Use Amazon RDS Blue/Green Deployments to deploy and test production changes. 


Question # 48

A solutions architect is designing an application that helps users fill out and submit registration forms. The solutions architect plans to use a two-tier architecture that includes a web application server tier and a worker tier. The application needs to process submitted forms quickly. The application needs to process each form exactly once. The solution must ensure that no data is lost. Which solution will meet these requirements?

A. Use an Amazon Simple Queue Service (Amazon SQS) FIFO queue between the web application server tier and the worker tier to store and forward form data.
B. Use an Amazon API Gateway HTTP API between the web application server tier and the worker tier to store and forward form data. 
C. Use an Amazon Simple Queue Service (Amazon SQS) standard queue between the web application server tier and the worker tier to store and forward form data. 
D. Use an AWS Step Functions workflow. Create a synchronous workflow between the web application server tier and the worker tier that stores and forwards form data. 


Question # 49

A company tracks customer satisfaction by using surveys that the company hosts on its website. The surveys sometimes reach thousands of customers every hour. Survey results are currently sent in email messages to the company so company employees can manually review results and assess customer sentiment. The company wants to automate the customer survey process. Survey results must be available for the previous 12 months. Which solution will meet these requirements in the MOST scalable way?

A. Send the survey results data to an Amazon API Gateway endpoint that is connected to an Amazon Simple Queue Service (Amazon SQS) queue. Create an AWS Lambda function to poll the SQS queue, call Amazon Comprehend for sentiment analysis, and save the results to an Amazon DynamoDB table. Set the TTL for all records to 365 days in the future. 
B. Send the survey results data to an API that is running on an Amazon EC2 instance. Configure the API to store the survey results as a new record in an Amazon DynamoDB table, call Amazon Comprehend for sentiment analysis, and save the results in a second DynamoDB table. Set the TTL for all records to 365 days in the future. 
C. Write the survey results data to an Amazon S3 bucket. Use S3 Event Notifications to invoke an AWS Lambda function to read the data and call Amazon Rekognition for sentiment analysis. Store the sentiment analysis results in a second S3 bucket. Use S3 Lifecycle policies on each bucket to expire objects after 365 days. 
D. Send the survey results data to an Amazon API Gateway endpoint that is connected to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the SQS queue to invoke an AWS Lambda function that calls Amazon Lex for sentiment analysis and saves the results to an Amazon DynamoDB table. Set the TTL for all records to 365 days in the future.


Question # 50

A company runs an order management application on AWS. The application allows customers to place orders and pay with a credit card. The company uses an Amazon CloudFront distribution to deliver the application. A security team has set up logging for all incoming requests. The security team needs a solution to generate an alert if any user modifies the logging configuration. Options (Select TWO):

A. Configure an Amazon EventBridge rule that is invoked when a user creates or modifies a CloudFront distribution. Add the AWS Lambda function as a target of the EventBridge rule. 
B. Create an Application Load Balancer (ALB). Enable AWS WAF rules for the ALB. Configure an AWS Config rule to detect security violations. 
C. Create an AWS Lambda function to detect changes in CloudFront distribution logging. Configure the Lambda function to use Amazon Simple Notification Service (Amazon SNS) to send notifications to the security team. 
D. Set up Amazon GuardDuty. Configure GuardDuty to monitor findings from the CloudFront distribution. Create an AWS Lambda function to address the findings. 
E. Create a private API in Amazon API Gateway. Use AWS WAF rules to protect the private API from common security problems. 


Question # 51

A company is launching a new gaming application. The company will use Amazon EC2 Auto Scaling groups to deploy the application. The application stores user data in a relational database. The company has office locations around the world that need to run analytics on the user data in the database. The company needs a cost-effective database solution that provides cross-Region disaster recovery with low-latency read performance across AWS Regions. Which solution will meet these requirements?

A. Create an Amazon ElastiCache for Redis cluster in the Region where the application is deployed. Create read replicas in Regions where the company offices are located. Ensure the company offices read from the read replica instances. 
B. Create Amazon DynamoDB global tables. Deploy the tables to the Regions where the company offices are located and to the Region where the application is deployed. Ensure that each company office reads from the tables that are in the same Region as the office. 
C. Create an Amazon Aurora global database. Configure the primary cluster to be in the Region where the application is deployed. Configure the secondary Aurora replicas to be in the Regions where the company offices are located. Ensure the company offices read from the Aurora replicas. 
D. Create an Amazon RDS Multi-AZ DB cluster deployment in the Region where the application is deployed. Ensure the company offices read from read replica instances. 


Question # 52

How can trade data from DynamoDB be ingested into an S3 data lake for near real-time analysis?

A. Use DynamoDB Streams to invoke a Lambda function that writes to S3. 
B. Use DynamoDB Streams to invoke a Lambda function that writes to Data Firehose, which writes to S3. 
C. Enable Kinesis Data Streams on DynamoDB. Configure it to invoke a Lambda function that writes to S3. 
D. Enable Kinesis Data Streams on DynamoDB. Use Data Firehose to write to S3. 


Question # 53

A logistics company is creating a data exchange platform to share shipment status information with shippers. The logistics company can see all shipment information and metadata. The company distributes shipment data updates to shippers. Each shipper should see only shipment updates that are relevant to their company. Shippers should not see the full detail that is visible to the logistics company. The company creates an Amazon Simple Notification Service (Amazon SNS) topic for each shipper to share data. Some shippers use a mobile app to submit shipment status updates. The company needs to create a data exchange platform that provides each shipper specific access to the data that is relevant to their company. Which solution will meet these requirements with the LEAST operational overhead?

A. Ingest the shipment updates from the mobile app into Amazon Simple Queue Service (Amazon SQS). Publish the updates to the SNS topic. Apply a filter policy to rewrite the body of each message. 
B. Ingest the shipment updates from the mobile app into Amazon Simple Queue Service (Amazon SQS). Use an AWS Lambda function to consume the updates from Amazon SQS and rewrite the body of each message. Publish the updates to the SNS topic. 
C. Ingest the shipment updates from the mobile app into a second SNS topic. Publish the updates to the shipper SNS topic. Apply a filter policy to rewrite the body of each message. 
D. Ingest the shipment updates from the mobile app into Amazon Simple Queue Service (Amazon SQS). Filter and rewrite the messages in Amazon EventBridge Pipes. Publish the updates to the SNS topic. 


Question # 54

A company has developed an API using Amazon API Gateway REST API and AWS Lambda. How can latency be reduced for users worldwide?

A. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding to compress data in transit. 
B. Deploy the REST API as a Regional API endpoint. Enable caching. Enable content encoding to compress data in transit. 
C. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Configure reserved concurrency for Lambda functions. 
D. Deploy the REST API as a Regional API endpoint. Enable caching. Configure reserved concurrency for Lambda functions.


Question # 56

A company hosts an Amazon EC2 instance in a private subnet in a new VPC. The VPC also has a public subnet that has the default route set to an internet gateway. The private subnet does not have outbound internet access. The EC2 instance needs to have the ability to download monthly security updates from an outside vendor. However, the company must block any connections that are initiated from the internet. Which solution will meet these requirements?

A. Configure the private subnet route table to use the internet gateway as the default route. 
B. Create a NAT gateway in the public subnet. Configure the private subnet route table to use the NAT gateway as the default route. 
C. Create a NAT instance in the private subnet. Configure the private subnet route table to use the NAT instance as the default route. 
D. Create a NAT instance in the private subnet. Configure the private subnet route table to use the internet gateway as the default route. 


Question # 58

A finance company has a web application that generates credit reports for customers. The company hosts the frontend of the web application on a fleet of Amazon EC2 instances that is associated with an Application Load Balancer (ALB). The application generates reports by running queries on an Amazon RDS for SQL Server database. The company recently discovered that malicious traffic from around the world is abusing the application by submitting unnecessary requests. The malicious traffic is consuming significant compute resources. The company needs to address the malicious traffic. Which solution will meet this requirement?

A. Use AWS WAF to create a web ACL. Associate the web ACL with the ALB. Update the web ACL to block IP addresses that are associated with malicious traffic. 
B. Use AWS WAF to create a web ACL. Associate the web ACL with the ALB. Use the AWS WAF Bot Control managed rule feature. 
C. Set up AWS Shield to protect the ALB and the database. 
D. Use AWS WAF to create a web ACL. Associate the web ACL with the ALB. Configure the AWS WAF IP reputation rule. 


Question # 59

An international company needs to share data from an Amazon S3 bucket to employees who are located around the world. The company needs a secure solution to provide employees with access to the S3 bucket. The employees are already enrolled in AWS IAM Identity Center. Which solution will meet these requirements with the LEAST operational overhead?

A. Create a help desk application to generate an Amazon S3 presigned URL for each employee. Configure the presigned URLs to have short expirations. Instruct employees to contact the company help desk to receive a presigned URL to access the S3 bucket.
B. Create a group for Amazon S3 access in IAM Identity Center. Add the employees who require access to the S3 bucket to the group. Create an IAM policy to allow Amazon S3 access from the group. Instruct employees to use the AWS access portal to access the AWS Management Console and navigate to the S3 bucket.
C. Create an Amazon S3 File Gateway. Create one share for data uploads and a second share for data downloads. Set up an SFTP service on an Amazon EC2 instance. Mount the shares to the EC2 instance. Instruct employees to use the SFTP server. 
D. Configure AWS Transfer Family SFTP endpoints. Select the custom identity provider option. Use AWS Secrets Manager to manage the user credentials. Instruct employees to use Transfer Family SFTP. 


Question # 60

A company needs a solution to automate email ingestion. The company needs to automatically parse email messages, look for email attachments, and save any attachments to an Amazon S3 bucket in near real time. Email volume varies significantly from day to day. Which solution will meet these requirements?

A. Set up email receiving in Amazon Simple Email Service (Amazon SES). Create a rule set and a receipt rule. Create an AWS Lambda function that Amazon SES can invoke to process the email bodies and attachments.
B. Set up email content filtering in Amazon Simple Email Service (Amazon SES). Create a content filtering rule based on sender, recipient, message body, and attachments. 
C. Set up email receiving in Amazon Simple Email Service (Amazon SES). Configure Amazon SES and S3 Event Notifications to process the email bodies and attachments. 
D. Create an AWS Lambda function to process the email bodies and attachments. Use Amazon EventBridge to invoke the Lambda function. Configure an EventBridge rule to listen for incoming emails.


Question # 61

A company hosts a database that runs on an Amazon RDS instance that is deployed to multiple Availability Zones. The company periodically runs a script against the database to report new entries that are added to the database. The script that runs against the database negatively affects the performance of a critical application. The company needs to improve application performance with minimal costs. Which solution will meet these requirements with the LEAST operational overhead?

A. Add functionality to the script to identify the instance that has the fewest active connections. Configure the script to read from that instance to report the total new entries. 
B. Create a read replica of the database. Configure the script to query only the read replica to report the total new entries. 
C. Instruct the development team to manually export the new entries for the day in the database at the end of each day. 
D. Use Amazon ElastiCache to cache the common queries that the script runs against the database. 


Question # 62

A company recently migrated a data warehouse to AWS. The company has an AWS Direct Connect connection to AWS. Company users query the data warehouse by using a visualization tool. The average size of the queries that the data warehouse returns is 50 MB. The average visualization that the visualization tool produces is 500 KB in size. The result sets that the data warehouse returns are not cached. The company wants to optimize costs for data transfers between the data warehouse and the company. Which solution will meet this requirement?

A. Host the visualization tool on premises. Connect to the data warehouse directly through the internet. 
B. Host the visualization tool in the same AWS Region as the data warehouse. Access the visualization tool through the internet. 
C. Host the visualization tool on premises. Connect to the data warehouse through the Direct Connect connection. 
D. Host the visualization tool in the same AWS Region as the data warehouse. Access the visualization tool through the Direct Connect connection. 


Question # 63

A company has an ecommerce application that users access through multiple mobile apps and web applications. The company needs a solution that will receive requests from the mobile apps and web applications through an API. Request traffic volume varies significantly throughout each day. Traffic spikes during sales events. The solution must be loosely coupled and ensure that no requests are lost.

A. Create an Application Load Balancer (ALB). Create an AWS Elastic Beanstalk endpoint to process the requests. Add the Elastic Beanstalk endpoint to the target group of the ALB. 
B. Set up an Amazon API Gateway REST API with an integration to an Amazon Simple Queue Service (Amazon SQS) queue. Configure a dead-letter queue. Create an AWS Lambda function to poll the queue to process the requests. 
C. Create an Application Load Balancer (ALB). Create an AWS Lambda function to process the requests. Add the Lambda function as a target of the ALB. 
D. Set up an Amazon API Gateway HTTP API with an integration to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function to process the requests. Subscribe the function to the SNS topic to process the requests. 


Question # 64

A company has a large data workload that runs for 6 hours each day. The company cannot lose any data while the process is running. A solutions architect is designing an Amazon EMR cluster configuration to support this critical data workload. Which solution will meet these requirements MOST cost-effectively?

A. Configure a long-running cluster that runs the primary node and core nodes on On-Demand Instances and the task nodes on Spot Instances.
B. Configure a transient cluster that runs the primary node and core nodes on On-Demand Instances and the task nodes on Spot Instances. 
C. Configure a transient cluster that runs the primary node on an On-Demand Instance and the core nodes and task nodes on Spot Instances. 
D. Configure a long-running cluster that runs the primary node on an On-Demand Instance, the core nodes on Spot Instances, and the task nodes on Spot Instances. 


Question # 65

A manufacturing company runs an order processing application in its VPC. The company wants to securely send messages from the application to an external Salesforce system that uses Open Authorization (OAuth). A solutions architect needs to integrate the company's order processing application with the external Salesforce system. Which solution will meet these requirements?

A. Create an Amazon Simple Notification Service (Amazon SNS) topic in a fanout configuration that pushes data to an HTTPS endpoint. Configure the order processing application to publish messages to the SNS topic. 
B. Create an Amazon Simple Notification Service (Amazon SNS) topic in a fanout configuration that pushes data to an Amazon Data Firehose delivery stream that has a HTTP destination. Configure the order processing application to publish messages to the SNS topic. 
C. Create an Amazon EventBridge rule and configure an Amazon EventBridge API destination partner. Configure the order processing application to publish messages to Amazon EventBridge.
D. Create an Amazon Managed Streaming for Apache Kafka (Amazon MSK) topic that has an outbound MSK Connect connector. Configure the order processing application to publish messages to the MSK topic. 


Question # 66

A company is building a serverless application to process clickstream data from its website. The clickstream data is sent to an Amazon Kinesis Data Streams data stream from the application web servers. The company wants to enrich the clickstream data by joining the clickstream data with customer profile data from an Amazon Aurora Multi-AZ database. The company wants to use Amazon Redshift to analyze the enriched data. The solution must be highly available. Which solution will meet these requirements?

A. Use an AWS Lambda function to process and enrich the clickstream data. Use the same Lambda function to write the clickstream data to Amazon S3. Use Amazon Redshift Spectrum to query the enriched data in Amazon S3.
B. Use an Amazon EC2 Spot Instance to poll the data stream and enrich the clickstream data. Configure the EC2 instance to use the COPY command to send the enriched results to Amazon Redshift.
C. Use an Amazon Elastic Container Service (Amazon ECS) task with AWS Fargate Spot capacity to poll the data stream and enrich the clickstream data. Configure an Amazon EC2 instance to use the COPY command to send the enriched results to Amazon Redshift.
D. Use Amazon Kinesis Data Firehose to load the clickstream data from Kinesis Data Streams to Amazon S3. Use AWS Glue crawlers to infer the schema and populate the AWS Glue Data Catalog. Use Amazon Athena to query the raw data in Amazon S3.


Question # 67

A company maintains its accounting records in a custom application that runs on Amazon EC2 instances. The company needs to migrate the data to an AWS managed service for development and maintenance of the application data. The solution must require minimal operational support and provide immutable, cryptographically verifiable logs of data changes. Which solution will meet these requirements MOST cost-effectively?

A. Copy the records from the application into an Amazon Redshift cluster.
B. Copy the records from the application into an Amazon Neptune cluster.
C. Copy the records from the application into an Amazon Timestream database.
D. Copy the records from the application into an Amazon Quantum Ledger Database (Amazon QLDB) ledger.


Question # 68

A company is planning to migrate an on-premises online transaction processing (OLTP) database that uses MySQL to an AWS managed database management system. Several reporting and analytics applications use the on-premises database heavily on weekends and at the end of each month. The cloud-based solution must be able to handle read-heavy surges during weekends and at the end of each month. Which solution will meet these requirements?

A. Migrate the database to an Amazon Aurora MySQL cluster. Configure Aurora Auto Scaling to use replicas to handle surges.
B. Migrate the database to an Amazon EC2 instance that runs MySQL. Use an EC2 instance type that has ephemeral storage. Attach Amazon EBS Provisioned IOPS SSD (io2) volumes to the instance.
C. Migrate the database to an Amazon RDS for MySQL database. Configure the RDS for MySQL database for a Multi-AZ deployment, and set up auto scaling.
D. Migrate from the database to Amazon Redshift. Use Amazon Redshift as the database for both OLTP and analytics applications.


Question # 69

A company wants to run big data workloads on Amazon EMR. The workloads need to process terabytes of data in memory. A solutions architect needs to identify the appropriate EMR cluster instance configuration for the workloads. Which solution will meet these requirements?

A. Use a storage optimized instance for the primary node. Use compute optimized instances for core nodes and task nodes. 
B. Use a memory optimized instance for the primary node. Use storage optimized instances for core nodes and task nodes. 
C. Use a general purpose instance for the primary node. Use memory optimized instances for core nodes and task nodes. 
D. Use general purpose instances for the primary, core, and task nodes. 


Question # 70

A company wants to provide a third-party system that runs in a private data center with access to its AWS account. The company wants to call AWS APIs directly from the third-party system. The company has an existing process for managing digital certificates. The company does not want to use SAML or OpenID Connect (OIDC) capabilities and does not want to store long-term AWS credentials. Which solution will meet these requirements?

A. Configure mutual TLS to allow authentication of the client and server sides of the communication channel. 
B. Configure AWS Signature Version 4 to authenticate incoming HTTPS requests to AWS APIs. 
C. Configure Kerberos to exchange tickets for assertions that can be validated by AWS APIs. 
D. Configure AWS Identity and Access Management (IAM) Roles Anywhere to exchange X.509 certificates for AWS credentials to interact with AWS APIs. 


Question # 71

A company runs a critical public application on Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The application has a microservices architecture. The company needs to implement a solution that collects, aggregates, and summarizes metrics and logs from the application in a centralized location. Which solution will meet these requirements in the MOST operationally efficient way?

A. Run the Amazon CloudWatch agent in the existing EKS cluster. Use a CloudWatch dashboard to view the metrics and logs. 
B. Configure a data stream in Amazon Kinesis Data Streams. Use Amazon Kinesis Data Firehose to read events and to deliver the events to an Amazon S3 bucket. Use Amazon Athena to view the events. 
C. Configure AWS CloudTrail to capture data events. Use Amazon OpenSearch Service to query CloudTrail. 
D. Configure Amazon CloudWatch Container Insights in the existing EKS cluster. Use a CloudWatch dashboard to view the metrics and logs. 


Question # 72

A marketing team wants to build a campaign for an upcoming multi-sport event. The team has news reports from the past five years in PDF format. The team needs a solution to extract insights about the content and the sentiment of the news reports. The solution must use Amazon Textract to process the news reports. Which solution will meet these requirements with the LEAST operational overhead?

A. Provide the extracted insights to Amazon Athena for analysis. Store the extracted insights and analysis in an Amazon S3 bucket.
B. Store the extracted insights in an Amazon DynamoDB table. Use Amazon SageMaker to build a sentiment model. 
C. Provide the extracted insights to Amazon Comprehend for analysis. Save the analysis to an Amazon S3 bucket. 
D. Store the extracted insights in an Amazon S3 bucket. Use Amazon QuickSight to visualize and analyze the data. 


Question # 73

A company runs its databases on Amazon RDS for PostgreSQL. The company wants a secure solution to manage the master user password by rotating the password every 30 days. Which solution will meet these requirements with the LEAST operational overhead?

A. Use Amazon EventBridge to schedule a custom AWS Lambda function to rotate the password every 30 days. 
B. Use the modify-db-instance command in the AWS CLI to change the password.
C. Integrate AWS Secrets Manager with Amazon RDS for PostgreSQL to automate password rotation. 
D. Integrate AWS Systems Manager Parameter Store with Amazon RDS for PostgreSQL to automate password rotation. 


Question # 74

A company hosts a video streaming web application in a VPC. The company uses a Network Load Balancer (NLB) to handle TCP traffic for real-time data processing. There have been unauthorized attempts to access the application. The company wants to improve application security with minimal architectural change to prevent unauthorized attempts to access the application. Which solution will meet these requirements?

A. Implement a series of AWS WAF rules directly on the NLB to filter out unauthorized traffic.
B. Recreate the NLB with a security group to allow only trusted IP addresses.
C. Deploy a second NLB in parallel with the existing NLB configured with a strict IP address allow list.
D. Use AWS Shield Advanced to provide enhanced DDoS protection and prevent unauthorized access attempts.


Question # 75

A company has Amazon EC2 instances in multiple AWS Regions. The instances all store and retrieve confidential data from the same Amazon S3 bucket. The company wants to improve the security of its current architecture. The company wants to ensure that only the Amazon EC2 instances within its VPC can access the S3 bucket. The company must block all other access to the bucket. Which solution will meet this requirement?

A. Use IAM policies to restrict access to the S3 bucket.
B. Use server-side encryption (SSE) to encrypt data in the S3 bucket at rest. Store the encryption key on the EC2 instances. 
C. Create a VPC endpoint for Amazon S3. Configure an S3 bucket policy to allow connections only from the endpoint. 
D. Use AWS Key Management Service (AWS KMS) with customer-managed keys to encrypt the data before sending the data to the S3 bucket. 


Question # 76

A company wants to implement new security compliance requirements for its development team to limit the use of approved Amazon Machine Images (AMIs). The company wants to provide access to only the approved operating system and software for all its Amazon EC2 instances. The company wants the solution to have the least amount of lead time for launching EC2 instances. Which solution will meet these requirements?

A. Create a portfolio by using AWS Service Catalog that includes only EC2 instances launched with approved AMIs. Ensure that all required software is preinstalled on the AMIs. Create the necessary permissions for developers to use the portfolio. 
B. Create an AMI that contains the approved operating system and software by using EC2 Image Builder. Give developers access to that AMI to launch the EC2 instances. 
C. Create an AMI that contains the approved operating system. Tell the developers to use the approved AMI. Create an Amazon EventBridge rule to run an AWS Systems Manager script when a new EC2 instance is launched. Configure the script to install the required software from a repository.
D. Create an AWS Config rule to detect the launch of EC2 instances with an AMI that is not approved. Associate a remediation rule to terminate those instances and launch the instances again with the approved AMI. Use AWS Systems Manager to automatically install the approved software on the launch of an EC2 instance. 


Question # 77

A company needs to migrate a MySQL database from an on-premises data center to AWS within 2 weeks. The database is 180 TB in size. The company cannot partition the database. The company wants to minimize downtime during the migration. The company's internet connection speed is 100 Mbps. Which solution will meet these requirements?

A. Order an AWS Snowball Edge Storage Optimized device. Use AWS Database Migration Service (AWS DMS) and the AWS Schema Conversion Tool (AWS SCT) to migrate the database to Amazon RDS for MySQL and replicate ongoing changes. Send the Snowball Edge device back to AWS to finish the migration. Continue to replicate ongoing changes.
B. Establish an AWS Site-to-Site VPN connection between the data center and AWS. Use AWS Database Migration Service (AWS DMS) and the AWS Schema Conversion Tool (AWS SCT) to migrate the database to Amazon RDS for MySQL and replicate ongoing changes.
C. Establish a 10 Gbps dedicated AWS Direct Connect connection between the data center and AWS. Use AWS DataSync to replicate the database to Amazon S3. Create a script to import the data from Amazon S3 to a new Amazon RDS for MySQL database instance. 
D. Use the company's existing internet connection. Use AWS DataSync to replicate the database to Amazon S3. Create a script to import the data from Amazon S3 to a new Amazon RDS for MySQL database instance.


Question # 78

A company has 15 employees. The company stores employee start dates in an Amazon DynamoDB table. The company wants to send an email message to each employee on the day of the employee's work anniversary. Which solution will meet these requirements with the MOST operational efficiency?

A. Create a script that scans the DynamoDB table and uses Amazon Simple Notification Service (Amazon SNS) to send email messages to employees when necessary. Use a cron job to run this script every day on an Amazon EC2 instance. 
B. Create a script that scans the DynamoDB table and uses Amazon Simple Queue Service (Amazon SQS) to send email messages to employees when necessary. Use a cron job to run this script every day on an Amazon EC2 instance.
C. Create an AWS Lambda function that scans the DynamoDB table and uses Amazon Simple Notification Service (Amazon SNS) to send email messages to employees when necessary. Schedule this Lambda function to run every day. 
D. Create an AWS Lambda function that scans the DynamoDB table and uses Amazon Simple Queue Service (Amazon SQS) to send email messages to employees when necessary. Schedule this Lambda function to run every day.


Question # 79

A company wants to improve the availability and performance of its hybrid application. The application consists of a stateful TCP-based workload hosted on Amazon EC2 instances in different AWS Regions and a stateless UDP-based workload hosted on premises. Which combination of actions should a solutions architect take to improve availability and performance? (Select TWO.)

A. Create an accelerator using AWS Global Accelerator. Add the load balancers as endpoints.
B. Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing to route requests to the load balancers. 
C. Configure two Application Load Balancers in each Region. The first will route to the EC2 endpoints, and the second will route to the on-premises endpoints.
D. Configure a Network Load Balancer in each Region to address the EC2 endpoints. Configure a Network Load Balancer in each Region that routes to the on-premises endpoints. 
E. Configure a Network Load Balancer in each Region to address the EC2 endpoints. Configure an Application Load Balancer in each Region that routes to the on-premises endpoints.


Question # 80

A company is deploying a new gaming application on Amazon EC2 instances. The gaming application needs to have access to shared storage. The company requires a high-performance solution to give the application the ability to use an existing custom protocol to access shared storage. The solution must ensure low latency and must be operationally efficient. Which solution will meet these requirements?

A. Create an Amazon FSx File Gateway. Create a file share that uses the existing custom protocol. Connect the EC2 instances that host the application to the file share. 
B. Create an Amazon EC2 Windows instance. Install and configure a Windows file share role on the instance. Connect the EC2 instances that host the application to the file share. 
C. Create an Amazon Elastic File System (Amazon EFS) file system. Configure the file system to support Lustre. Connect the EC2 instances that host the application to the file system. 
D. Create an Amazon FSx for Lustre file system. Connect the EC2 instances that host the application to the file system.


Question # 81

A healthcare company is developing an AWS Lambda function that publishes notifications to an encrypted Amazon Simple Notification Service (Amazon SNS) topic. The notifications contain protected health information (PHI). The SNS topic uses AWS Key Management Service (AWS KMS) customer-managed keys for encryption. The company must ensure that the application has the necessary permissions to publish messages securely to the SNS topic. Which combination of steps will meet these requirements? (Select THREE.)

A. Create a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic. 
B. Use server-side encryption with AWS KMS keys (SSE-KMS) for the SNS topic instead of customer-managed keys. 
C. Create a resource policy for the encryption key that the SNS topic uses that has the necessary AWS KMS permissions. 
D. Specify the Lambda function's Amazon Resource Name (ARN) in the SNS topic's resource policy. 
E. Associate an Amazon API Gateway HTTP API with the SNS topic to control access to the topic by using API Gateway resource policies. 
F. Configure a Lambda execution role that has the necessary IAM permissions to use a customer-managed key in AWS KMS.


Question # 82

A global company is migrating its workloads from an on-premises data center to AWS. The AWS environment includes multiple AWS accounts, IAM roles, AWS Config rules, and a VPC. The company wants an automated process to provision new accounts on demand when the company's business units require new accounts. Which solution will meet these requirements with LEAST effort?

A. Use AWS Control Tower to set up an organization in AWS Organizations. Use AWS Control Tower Account Factory for Terraform (AFT) to provision new AWS accounts. 
B. Create an organization in AWS Organizations. Use the AWS CLI CreateAccount API action to provision new AWS accounts. Organize the business units with organizational units (OUs). 
C. Create an AWS Lambda function that uses the AWS Organizations API to create new accounts. Invoke the Lambda function from an AWS CloudFormation template in AWS Service Catalog. 
D. Create an organization in AWS Organizations. Use AWS Step Functions to orchestrate the account creation process. Send account creation requests to an Amazon API Gateway API endpoint to invoke an AWS Lambda function that creates new accounts. 


Question # 83

A company wants to create a payment processing application. The application must run when a payment record arrives in an existing Amazon S3 bucket. The application must process each payment record exactly once. The company wants to use an AWS Lambda function to process the payments. Which solution will meet these requirements?

A. Configure the existing S3 bucket to send object creation events to Amazon EventBridge. Configure EventBridge to route events to an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Configure the Lambda function to run when a new event arrives in the SQS queue. 
B. Configure the existing S3 bucket to send object creation events to an Amazon Simple Notification Service (Amazon SNS) topic. Configure the Lambda function to run when a new event arrives in the SNS topic. 
C. Configure the existing S3 bucket to send object creation events to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the Lambda function to run when a new event arrives in the SQS queue. 
D. Configure the existing S3 bucket to send object creation events directly to the Lambda function. Configure the Lambda function to handle object creation events and to process the payments.


Question # 84

An ecommerce company wants a disaster recovery solution for its Amazon RDS DB instances that run Microsoft SQL Server Enterprise Edition. The company's current recovery point objective (RPO) and recovery time objective (RTO) are 24 hours. Which solution will meet these requirements MOST cost-effectively?

A. Create a cross-Region read replica and promote the read replica to the primary instance.
B. Use AWS Database Migration Service (AWS DMS) to create RDS cross-Region replication. 
C. Use cross-Region replication every 24 hours to copy native backups to an Amazon S3 bucket.
D. Copy automatic snapshots to another Region every 24 hours. 


Question # 85

A company has multiple Amazon RDS DB instances that run in a development AWS account. All the instances have tags to identify them as development resources. The company needs the development DB instances to run on a schedule only during business hours. Which solution will meet these requirements with the LEAST operational overhead?

A. Create an Amazon CloudWatch alarm to identify RDS instances that need to be stopped. Create an AWS Lambda function to start and stop the RDS instances.
B. Create an AWS Trusted Advisor report to identify RDS instances to be started and stopped. Create an AWS Lambda function to start and stop the RDS instances. 
C. Create AWS Systems Manager State Manager associations to start and stop the RDS instances. 
D. Create an Amazon EventBridge rule that invokes AWS Lambda functions to start and stop the RDS instances. 


Question # 86

A company is developing a social media application that must scale to meet demand spikes and handle ordered processes. Which AWS services meet these requirements?

A. ECS with Fargate, RDS, and SQS for decoupling.
B. ECS with Fargate, RDS, and SNS for decoupling.
C. DynamoDB, Lambda, DynamoDB Streams, and Step Functions.
D. Elastic Beanstalk, RDS, and SNS for decoupling.


Question # 87

A company hosts its applications in multiple private and public subnets in a VPC. The applications in the private subnets need to access an API. The API is available on the internet and is hosted in the company's on-premises data center. A solutions architect needs to establish connectivity for applications in the private subnets. Which solution will meet these requirements MOST cost-effectively?

A. Create a transit gateway to connect the VPC to the on-premises network. Use the transit gateway to route API calls from the private subnets to the on-premises data center. 
B. Create a NAT gateway in the public subnet of the VPC. Use the NAT gateway to allow the private subnets to access the API over the internet. 
C. Establish an AWS PrivateLink connection to connect the VPC to the on-premises network. Use PrivateLink to make API calls from the private subnets to the on-premises data center. 
D. Implement an AWS Site-to-Site VPN connection between the VPC and the on-premises data center. Use the VPN connection to make API calls from the private subnets to the on-premises data center.


Question # 88

An ecommerce company is migrating its on-premises workload to the AWS Cloud. The workload currently consists of a web application and a backend Microsoft SQL database for storage. The company expects a high volume of customers during a promotional event. The new infrastructure in the AWS Cloud must be highly available and scalable. Which solution will meet these requirements with the LEAST administrative overhead?

A. Migrate the web application to two Amazon EC2 instances across two Availability Zones behind an Application Load Balancer. Migrate the database to Amazon RDS for Microsoft SQL Server with read replicas in both Availability Zones. 
B. Migrate the web application to an Amazon EC2 instance that runs in an Auto Scaling group across two Availability Zones behind an Application Load Balancer. Migrate the database to two EC2 instances across separate AWS Regions with database replication. 
C. Migrate the web application to Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones behind an Application Load Balancer. Migrate the database to Amazon RDS with Multi-AZ deployment. 
D. Migrate the web application to three Amazon EC2 instances across three Availability Zones behind an Application Load Balancer. Migrate the database to three EC2 instances across three Availability Zones.


Question # 89

A company hosts a website analytics application on a single Amazon EC2 On-Demand Instance. The analytics application is highly resilient and is designed to run in stateless mode. The company notices that the application is showing signs of performance degradation during busy times and is presenting 5xx errors. The company needs to make the application scale seamlessly. Which solution will meet these requirements MOST cost-effectively?

A. Create an Amazon Machine Image (AMI) of the web application. Use the AMI to launch a second EC2 On-Demand Instance. Use an Application Load Balancer to distribute the load across the two EC2 instances. 
B. Create an Amazon Machine Image (AMI) of the web application. Use the AMI to launch a second EC2 On-Demand Instance. Use Amazon Route 53 weighted routing to distribute the load across the two EC2 instances. 
C. Create an AWS Lambda function to stop the EC2 instance and change the instance type. Create an Amazon CloudWatch alarm to invoke the Lambda function when CPU utilization is more than 75%. 
D. Create an Amazon Machine Image (AMI) of the web application. Apply the AMI to a launch template. Create an Auto Scaling group that includes the launch template. Configure the launch template to use a Spot Fleet. Attach an Application Load Balancer to the Auto Scaling group.


Question # 90

A company provides a trading platform to customers. The platform uses an Amazon API Gateway REST API, AWS Lambda functions, and an Amazon DynamoDB table. Each trade that the platform processes invokes a Lambda function that stores the trade data in Amazon DynamoDB. The company wants to ingest trade data into a data lake in Amazon S3 for near real-time analysis. Which solution will meet these requirements with the LEAST operational overhead?

A. Use Amazon DynamoDB Streams to capture the trade data changes. Configure DynamoDB Streams to invoke a Lambda function that writes the data to Amazon S3. 
B. Use Amazon DynamoDB Streams to capture the trade data changes. Configure DynamoDB Streams to invoke a Lambda function that writes the data to Amazon Data Firehose. Write the data from Data Firehose to Amazon S3. 
C. Enable Amazon Kinesis Data Streams on the DynamoDB table to capture the trade data changes. Configure Kinesis Data Streams to invoke a Lambda function that writes the data to Amazon S3. 
D. Enable Amazon Kinesis Data Streams on the DynamoDB table to capture the trade data changes. Configure a data stream to be the input for Amazon Data Firehose. Write the data from Data Firehose to Amazon S3.


Question # 91

A healthcare provider is planning to store patient data on AWS as PDF files. To comply with regulations, the company must encrypt the data and store the files in multiple locations. The data must be available for immediate access from any environment.

A. Store the files in an Amazon S3 bucket. Use the Standard storage class. Enable server-side encryption with Amazon S3 managed keys (SSE-S3) on the bucket. Configure cross-Region replication on the bucket.
B. Store the files in an Amazon Elastic File System (Amazon EFS) volume. Use an AWS KMS managed key to encrypt the EFS volume. Use AWS DataSync to replicate the EFS volume to a second AWS Region. 
C. Store the files in an Amazon Elastic Block Store (Amazon EBS) volume. Configure AWS Backup to back up the volume on a regular schedule. Use an AWS KMS key to encrypt the backups. 
D. Store the files in an Amazon S3 bucket. Use the S3 Glacier Flexible Retrieval storage class. Ensure that all PDF files are encrypted by using client-side encryption before the files are uploaded. Configure cross-Region replication on the bucket. 


Question # 92

A company is developing a rating system for its ecommerce web application. The company needs a solution to save ratings that users submit in an Amazon DynamoDB table. The company wants to ensure that developers do not need to interact directly with the DynamoDB table. The solution must be scalable and reusable. Which solution will meet these requirements with the LEAST operational overhead?

A. Create an Application Load Balancer (ALB). Create an AWS Lambda function, and set the function as a target group in the ALB. Invoke the Lambda function by using the put_item method through the ALB.
B. Create an AWS Lambda function. Configure the Lambda function to interact with the DynamoDB table by using the put-item method from Boto3. Invoke the Lambda function from the web application.
C. Create an Amazon Simple Queue Service (Amazon SQS) queue and an AWS Lambda function that has an SQS trigger type. Instruct the developers to add customer ratings to the SQS queue as JSON messages. Configure the Lambda function to fetch the ratings from the queue and store the ratings in DynamoDB.
D. Create an Amazon API Gateway REST API. Define a resource and create a new POST method. Choose AWS as the integration type, and select DynamoDB as the service. Set the action to PutItem.


Question # 93

A company is designing a new application that uploads files to an Amazon S3 bucket. The uploaded files are processed to extract metadata. Processing must take less than 5 seconds. The volume and frequency of the uploads vary from a few files each hour to hundreds of concurrent uploads. Which solution will meet these requirements MOST cost-effectively?

A. Configure AWS CloudTrail trails to log Amazon S3 API calls. Use AWS AppSync to process the files. 
B. Configure a new object created S3 event notification within the bucket to invoke an AWS Lambda function to process the files. 
C. Configure Amazon Kinesis Data Streams to deliver the files to the S3 bucket. Invoke an AWS Lambda function to process the files. 
D. Deploy an Amazon EC2 instance. Create a script that lists all files in the S3 bucket and processes new files. Use a cron job that runs every minute to run the script. 


Question # 94

A company runs an application on EC2 instances that need access to RDS credentials stored in AWS Secrets Manager. Which solution meets this requirement?

A. Create an IAM role, and attach the role to each EC2 instance profile. Use an identity-based policy to grant the role access to the secret.
B. Create an IAM user, and attach the user to each EC2 instance profile. Use a resource-based policy to grant the user access to the secret.
C. Create a resource-based policy for the secret. Use EC2 Instance Connect to access the secret.
D. Create an identity-based policy for the secret. Grant direct access to the EC2 instances.


Question # 95

A company is developing a new application that will run on Amazon EC2 instances. The application needs to access multiple AWS services. The company needs to ensure that the application will not use long-term access keys to access AWS services.

A. Create an IAM user. Assign the IAM user to the application. Create programmatic access keys for the IAM user. Embed the access keys in the application code.
B. Create an IAM user that has programmatic access keys. Store the access keys in AWS Secrets Manager. Configure the application to retrieve the keys from Secrets Manager when the application runs.
C. Create an IAM role that can access AWS Systems Manager Parameter Store. Associate the role with each EC2 instance profile. Create IAM access keys for the AWS services, and store the keys in Parameter Store. Configure the application to retrieve the keys from Parameter Store when the application runs.
D. Create an IAM role that has permissions to access the required AWS services. Associate the IAM role with each EC2 instance profile.


Question # 96

A company stores petabytes of historical medical information on premises. The company has a process to manage encryption of the data to comply with regulations. The company needs a cloud-based solution for data backup, recovery, and archiving. The company must retain control over the encryption key material. Which combination of solutions will meet these requirements? (Select TWO.)

A. Create an AWS Key Management Service (AWS KMS) key without key material. Import the company's key material into the KMS key.
B. Create an AWS Key Management Service (AWS KMS) encryption key that contains key material generated by AWS KMS. 
C. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage. Use S3 Bucket Keys with AWS Key Management Service (AWS KMS) keys. 
D. Store the data in an Amazon S3 Glacier storage class. Use server-side encryption with customer-provided keys (SSE-C). 
E. Store the data in AWS Snowball devices. Use server-side encryption with AWS KMS keys (SSE-KMS). 


Question # 97

A media company is launching a new product platform that artists from around the world can use to upload videos and images directly to an Amazon S3 bucket. The company owns and maintains the S3 bucket. The artists must be able to upload files from personal devices without the need for AWS credentials or an AWS account. Which solution will meet these requirements MOST securely?

A. Enable cross-origin resource sharing (CORS) on the S3 bucket.
B. Turn off block public access for the S3 bucket. Share the bucket URL to the artists to enable uploads without credentials.
C. Use an IAM role that has upload permissions for the S3 bucket to generate presigned URLs for S3 prefixes that are specific to each artist. Share the URLs to the artists.
D. Create a web interface that uses an IAM role that has permission to upload and view objects in the S3 bucket. Share the web interface URL to the artists.


Question # 98

A company needs to ingest and analyze telemetry data from vehicles at scale for machine learning and reporting. Which solution will meet these requirements?

A. Use Amazon Timestream for LiveAnalytics to store data points. Grant Amazon SageMaker permission to access the data. Use Amazon QuickSight to visualize the data.
B. Use Amazon DynamoDB to store data points. Use DynamoDB Connector to ingest data into Amazon EMR for processing. Use Amazon QuickSight to visualize the data.
C. Use Amazon Neptune to store data points. Use Amazon Kinesis Data Streams to ingest data into a Lambda function for processing. Use Amazon QuickSight to visualize the data.
D. Use Amazon Timestream for LiveAnalytics to store data points. Grant Amazon SageMaker permission to access the data. Use Amazon Athena to visualize the data.


Question # 99

A company is creating a low-latency payment processing application that supports TLS connections from IPv4 clients. The application requires outbound access to the public internet. Users must access the application from a single entry point. The bank wants to use Amazon Elastic Container Service (Amazon ECS) tasks to deploy the application. The company wants to enable AWSVPC network mode. Which solution will meet these requirements MOST securely?

A. Create a VPC that has an internet gateway, public subnets, and private subnets. Deploy a Network Load Balancer and a NAT gateway in the public subnets. Deploy the ECS tasks in the private subnets.
B. Create a VPC that has an outbound-only internet gateway, public subnets, and private subnets. Deploy an Application Load Balancer and a NAT gateway in the public subnets. Deploy the ECS tasks in the private subnets.
C. Create a VPC that has an internet gateway, public subnets, and private subnets. Deploy an Application Load Balancer in the public subnets. Deploy the ECS tasks in the public subnets.
D. Create a VPC that has an outbound-only internet gateway, public subnets, and private subnets. Deploy a Network Load Balancer in the public subnets. Deploy the ECS tasks in the public subnets.


Question # 100

A company has developed an API using an Amazon API Gateway REST API and AWS Lambda functions. The API serves static and dynamic content to users worldwide. The company wants to decrease the latency of transferring content for API requests. Options:

A. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.
B. Deploy the REST API as a Regional API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.
C. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.
D. Deploy the REST API as a Regional API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.


Question # 101

A company is developing a social media application. The company anticipates rapid and unpredictable growth in users and data volume. The application needs to handle a continuous high volume of user requests. User requests include long-running processes that store large amounts of user-generated content and user profiles in a relational format. The processes must run in a specific order. The company requires an architecture that can scale resources to meet demand spikes without downtime or performance degradation. The company must ensure that the components of the application can evolve independently without affecting other parts of the system. Which combination of AWS services will meet these requirements?

A. Deploy the application on Amazon Elastic Container Service (Amazon ECS) with the AWS Fargate launch type. Use Amazon RDS as the database. Use Amazon Simple Queue Service (Amazon SQS) to decouple message processing between components.
B. Deploy the application on Amazon Elastic Container Service (Amazon ECS) with the AWS Fargate launch type. Use Amazon RDS as the database. Use Amazon Simple Notification Service (Amazon SNS) to decouple message processing between components.
C. Use Amazon DynamoDB as the database. Use AWS Lambda functions to implement the application. Configure Amazon DynamoDB Streams to invoke the Lambda functions. Use AWS Step Functions to manage workflows between services.
D. Use an AWS Elastic Beanstalk environment with auto scaling to deploy the application. Use Amazon RDS as the database. Use Amazon Simple Notification Service (Amazon SNS) to decouple message processing between components.


Question # 102

A company has developed an API by using an Amazon API Gateway REST API and AWS Lambda functions. The API serves static content and dynamic content to users worldwide. The company wants to decrease the latency of transferring the content for API requests. Which solution will meet these requirements?

A. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.
B. Deploy the REST API as a Regional API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.
C. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.
D. Deploy the REST API as a Regional API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.


Question # 103

An ecommerce company is planning to migrate an on-premises Microsoft SQL Server database to the AWS Cloud. The company needs to migrate the database to SQL Server Always On availability groups. The cloud-based solution must be highly available. Options:

A. Deploy three Amazon EC2 instances with SQL Server across three Availability Zones. Attach one Amazon Elastic Block Store (Amazon EBS) volume to the EC2 instances. 
B. Migrate the database to Amazon RDS for SQL Server. Configure a Multi-AZ deployment and read replicas. 
C. Deploy three Amazon EC2 instances with SQL Server across three Availability Zones. Use Amazon FSx for Windows File Server as the storage tier. 
D. Deploy three Amazon EC2 instances with SQL Server across three Availability Zones. Use Amazon S3 as the storage tier. 


Question # 104

A solutions architect is building an Amazon S3 data lake for a company. The company uses Amazon Kinesis Data Firehose to ingest customer personally identifiable information (PII) and transactional data in near real-time to an S3 bucket. The company needs to mask all PII data before storing the data in the data lake. Which solution will meet these requirements?

A. Create an AWS Lambda function to detect and mask PII. Invoke the function from Kinesis Data Firehose.
B. Use Amazon Macie to scan the S3 bucket. Configure Macie to detect and mask PII.
C. Enable server-side encryption (SSE) on the S3 bucket.
D. Create an AWS Lambda function that integrates with AWS CloudHSM. Configure the function to detect and mask PII.


Question # 105

A company is using microservices to build an ecommerce application on AWS. The company wants to preserve customer transaction information after customers submit orders. The company wants to store transaction data in an Amazon Aurora database. The company expects sales volumes to vary throughout each year.

A. Use an Amazon API Gateway REST API to invoke an AWS Lambda function to send transaction data to the Aurora database. Send transaction data to an Amazon Simple Queue Service (Amazon SQS) queue that has a dead-letter queue. Use a second Lambda function to read from the SQS queue and to update the Aurora database. 
B. Use an Amazon API Gateway HTTP API to send transaction data to an Application Load Balancer (ALB). Use the ALB to send the transaction data to Amazon Elastic Container Service (Amazon ECS) on Amazon EC2. Use ECS tasks to store the data in Aurora database. 
C. Use an Application Load Balancer (ALB) to route transaction data to Amazon Elastic Kubernetes Service (Amazon EKS). Use Amazon EKS to send the data to the Aurora database. 
D. Use Amazon Data Firehose to send transaction data to Amazon S3. Use AWS Database Migration Service (AWS DMS) to migrate the data from Amazon S3 to the Aurora database. 


Question # 106

A company runs its production workload on Amazon EC2 instances with Amazon Elastic Block Store (Amazon EBS) volumes. A solutions architect needs to analyze the current EBS volume cost and to recommend optimizations. The recommendations need to include estimated monthly saving opportunities. Which solution will meet these requirements?

A. Use Amazon Inspector reporting to generate EBS volume recommendations for optimization.
B. Use AWS Systems Manager reporting to determine EBS volume recommendations for optimization.
C. Use Amazon CloudWatch metrics reporting to determine EBS volume recommendations for optimization.
D. Use AWS Compute Optimizer to generate EBS volume recommendations for optimization.


Question # 107

A company is performing a security review of its Amazon EMR API usage. The company's developers use an integrated development environment (IDE) that is hosted on Amazon EC2 instances. The IDE is configured to authenticate users to AWS by using access keys. Traffic between the company's EC2 instances and EMR cluster uses public IP addresses. A solutions architect needs to improve the company's overall security posture. The solutions architect needs to reduce the company's use of long-term credentials and to limit the amount of communication that uses public IP addresses. Which combination of steps will MOST improve the security of the company's architecture? (Select TWO.)

A. Set up a gateway endpoint to the EMR cluster.
B. Set up interface VPC endpoints to connect to the EMR cluster.
C. Set up a private NAT gateway to connect to the EMR cluster.
D. Set up IAM roles for the developers to use to connect to the Amazon EMR API.
E. Set up AWS Systems Manager Parameter Store to store access keys for each developer.


Question # 108

A company is redesigning a static website. The company needs a solution to host the new website in the company's AWS account. The solution must be secure and scalable. Which combination of solutions will meet these requirements? (Select THREE.)

A. Configure an Amazon CloudFront distribution. Set the Amazon S3 bucket as the origin.
B. Associate an AWS Certificate Manager (ACM) TLS certificate to the Amazon CloudFront distribution.
C. Enable static website hosting for the Amazon S3 bucket.
D. Create an Amazon S3 bucket to store the static website content.
E. Export the website's SSL/TLS certificate from AWS Certificate Manager (ACM) to the root of the Amazon S3 bucket.
F. Turn off Block Public Access for the Amazon S3 bucket.


Question # 109

A company needs a cloud-based solution for backup, recovery, and archiving while retaining encryption key material control. Which combination of solutions will meet these requirements? (Select TWO)

A. Create an AWS Key Management Service (AWS KMS) key without key material. Import the company's key material into the KMS key.
B. Create an AWS KMS encryption key that contains key material generated by AWS KMS.
C. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Use S3 Bucket Keys with AWS KMS keys.
D. Store the data in an Amazon S3 Glacier storage class. Use server-side encryption with customer-provided keys (SSE-C).
E. Store the data in AWS Snowball devices. Use server-side encryption with AWS KMS keys (SSE-KMS).


Question # 110

A company recently launched a new product that is highly available in one AWS Region. The product consists of an application that runs on Amazon Elastic Container Service (Amazon ECS), a public Application Load Balancer (ALB), and an Amazon DynamoDB table. The company wants a solution that will make the application highly available across Regions. Which combination of steps will meet these requirements? (Select THREE.)

A. In a different Region, deploy the application to a new ECS cluster that is accessible through a new ALB.
B. Create an Amazon Route 53 failover record.
C. Modify the DynamoDB table to create a DynamoDB global table.
D. In the same Region, deploy the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that is accessible through a new ALB.
E. Modify the DynamoDB table to create global secondary indexes (GSIs).
F. Create an AWS PrivateLink endpoint for the application.


Question # 111

A company hosts its core network services, including directory services and DNS, in its on-premises data center. The data center is connected to the AWS Cloud using AWS Direct Connect (DX). Additional AWS accounts are planned that will require quick, cost-effective, and consistent access to these network services. What should a solutions architect implement to meet these requirements with the LEAST amount of operational overhead?

A. Create a DX connection in each new account. Route the network traffic to the on-premises servers.
B. Configure VPC endpoints in the DX VPC for all required services. Route the network traffic to the on-premises servers. 
C. Create a VPN connection between each new account and the DX VPC. Route the network traffic to the on-premises servers. 
D. Configure AWS Transit Gateway between the accounts. Assign DX to the transit gateway and route network traffic to the on-premises servers. 


Question # 112

A company is developing a containerized web application that needs to be highly available and scalable. The application requires access to GPU resources.

A. Package the application as an AWS Lambda function in a container image. Use Lambda to run the containerized application on a runtime with GPU access.
B. Deploy the application container to Amazon Elastic Kubernetes Service (Amazon EKS). Use AWS Fargate to manage compute resources and access to GPU resources.
C. Deploy the application container to Amazon Elastic Container Registry (Amazon ECR). Use Amazon ECR to run the containerized application with an attached GPU.
D. Run the application on Amazon EC2 instances from a GPU instance family by using Amazon Elastic Container Service (Amazon ECS) for orchestration.


Question # 113

A company is creating an application. The company stores data from tests of the application in multiple on-premises locations. The company needs to connect the on-premises locations to VPCs in an AWS Region in the AWS Cloud. The number of accounts and VPCs will increase during the next year. The network architecture must simplify the administration of new connections and must provide the ability to scale. Which solution will meet these requirements with the LEAST administrative overhead?

A. Create a peering connection between the VPCs. Create a VPN connection between the VPCs and the on-premises locations.
B. Launch an Amazon EC2 instance. On the instance, include VPN software that uses a VPN connection to connect all VPCs and on-premises locations.
C. Create a transit gateway. Create VPC attachments for the VPC connections. Create VPN attachments for the on-premises connections.
D. Create an AWS Direct Connect connection between the on-premises locations and a central VPC. Connect the central VPC to other VPCs by using peering connections.


Question # 114

A company has developed a non-production application that is composed of multiple microservices for each of the company's business units. A single development team maintains all the microservices. The current architecture uses a static web frontend and a Java-based backend that contains the application logic. The architecture also uses a MySQL database that the company hosts on an Amazon EC2 instance. The company needs to ensure that the application is secure and available globally. Which solution will meet these requirements with the LEAST operational overhead?

A. Use Amazon CloudFront and AWS Amplify to host the static web frontend. Refactor the microservices to use AWS Lambda functions that the microservices access by using Amazon API Gateway. Migrate the MySQL database to an Amazon EC2 Reserved Instance.
B. Use Amazon CloudFront and Amazon S3 to host the static web frontend. Refactor the microservices to use AWS Lambda functions that the microservices access by using Amazon API Gateway. Migrate the MySQL database to Amazon RDS for MySQL.
C. Use Amazon CloudFront and Amazon S3 to host the static web frontend. Refactor the microservices to use AWS Lambda functions that are in a target group behind a Network Load Balancer. Migrate the MySQL database to Amazon RDS for MySQL.
D. Use Amazon S3 to host the static web frontend. Refactor the microservices to use AWS Lambda functions that are in a target group behind an Application Load Balancer. Migrate the MySQL database to an Amazon EC2 Reserved Instance.


Question # 115

A company's reporting system delivers hundreds of .csv files to an Amazon S3 bucket each day. The company must convert these files to Apache Parquet format and must store the files in a transformed data bucket. Which solution will meet these requirements with the LEAST development effort?

A. Create an Amazon EMR cluster with Apache Spark installed. Write a Spark application to transform the data. Use EMR File System (EMRFS) to write files to the transformed data bucket.
B. Create an AWS Glue crawler to discover the data. Create an AWS Glue extract, transform, and load (ETL) job to transform the data. Specify the transformed data bucket in the output step.
C. Use AWS Batch to create a job definition with Bash syntax to transform the data and output the data to the transformed data bucket. Use the job definition to submit a job. Specify an array job as the job type.
D. Create an AWS Lambda function to transform the data and output the data to the transformed data bucket. Configure an event notification for the S3 bucket. Specify the Lambda function as the destination for the event notification.


Question # 116

A company stores data for multiple business units in a single Amazon S3 bucket that is in the company's payer AWS account. To maintain data isolation, the business units store data in separate prefixes in the S3 bucket by using an S3 bucket policy. The company plans to add a large number of dynamic prefixes. The company does not want to rely on a single S3 bucket policy to manage data access at scale. The company wants to develop a secure access management solution in addition to the bucket policy to enforce prefix-level data isolation.

A. Configure the S3 bucket policy to deny s3:GetObject permissions for all users. Configure the bucket policy to allow s3:* access to individual business units.
B. Enable default encryption on the S3 bucket by using server-side encryption with Amazon S3 managed keys (SSE-S3).
C. Configure resource-based permissions on the S3 bucket by creating an S3 access point for each business unit.
D. Use pre-signed URLs to provide access to the S3 bucket.


Question # 117

A company is developing a new application that uses a relational database to store user data and application configurations. The company expects the application to have steady user growth. The company expects the database usage to be variable and read-heavy, with occasional writes. The company wants to cost-optimize the database solution. The company wants to use an AWS managed database solution that will provide the necessary performance. Which solution will meet these requirements MOST cost-effectively?

A. Deploy the database on Amazon RDS. Use Provisioned IOPS SSD storage to ensure consistent performance for read and write operations. 
B. Deploy the database on Amazon Aurora Serverless to automatically scale the database capacity based on actual usage to accommodate the workload.
C. Deploy the database on Amazon DynamoDB. Use on-demand capacity mode to automatically scale throughput to accommodate the workload. 
D. Deploy the database on Amazon RDS. Use magnetic storage and use read replicas to accommodate the workload.


Question # 118

A company wants to implement a data lake in the AWS Cloud. The company must ensure that only specific teams have access to sensitive data in the data lake. The company must have row-level access control for the data lake. Options:

A. Use Amazon RDS to store the data. Use IAM roles and permissions for data governance and access control. 
B. Use Amazon Redshift to store the data. Use IAM roles and permissions for data governance and access control. 
C. Use Amazon S3 to store the data. Use AWS Lake Formation for data governance and access control. 
D. Use AWS Glue Catalog to store the data. Use AWS Glue DataBrew for data governance and access control. 


Question # 119

How can a law firm make files publicly readable while preventing modifications or deletions until a specific future date?

A. Upload files to an Amazon S3 bucket configured for static website hosting. Grant read-only IAM permissions to any AWS principals.
B. Create an S3 bucket. Enable S3 Versioning. Use S3 Object Lock with a retention period. Create a CloudFront distribution. Use a bucket policy to restrict access.
C. Create an S3 bucket. Enable S3 Versioning. Configure an event trigger with AWS Lambda to restore modified objects from a private S3 bucket.
D. Upload files to an S3 bucket for static website hosting. Use S3 Object Lock with a retention period. Grant read-only IAM permissions.


Question # 120

A finance company is migrating its trading platform to AWS. The trading platform processes a high volume of market data and processes stock trades. The company needs to establish a consistent, low-latency network connection from its on-premises data center to AWS. The company will host resources in a VPC. The solution must not use the public internet. Which solution will meet these requirements?

A. Use AWS Client VPN to connect the on-premises data center to AWS.
B. Use AWS Direct Connect to set up a connection from the on-premises data center to AWS.
C. Use AWS PrivateLink to set up a connection from the on-premises data center to AWS.
D. Use AWS Site-to-Site VPN to connect the on-premises data center to AWS.


Question # 121

A company is building a new furniture inventory application. The company has deployed the application on a fleet of Amazon EC2 instances across multiple Availability Zones. The EC2 instances run behind an Application Load Balancer (ALB) in their VPC. A solutions architect has observed that incoming traffic seems to favor one EC2 instance, resulting in latency for some requests. What should the solutions architect do to resolve this issue?

A. Disable session affinity (sticky sessions) on the ALB.
B. Replace the ALB with a Network Load Balancer.
C. Increase the number of EC2 instances in each Availability Zone.
D. Adjust the frequency of the health checks on the ALB's target group.


Question # 122

A company is designing a new internal web application in the AWS Cloud. The new application must securely retrieve and store multiple employee usernames and passwords from an AWS managed service. Which solution will meet these requirements with the LEAST operational overhead?

A. Store the employee credentials in AWS Systems Manager Parameter Store. Use AWS CloudFormation and the BatchGetSecretValue API to retrieve usernames and passwords from Parameter Store.
B. Store the employee credentials in AWS Secrets Manager. Use AWS CloudFormation and AWS Batch with the BatchGetSecretValue API to retrieve the usernames and passwords from Secrets Manager.
C. Store the employee credentials in AWS Systems Manager Parameter Store. Use AWS CloudFormation and AWS Batch with the BatchGetSecretValue API to retrieve the usernames and passwords from Parameter Store.
D. Store the employee credentials in AWS Secrets Manager. Use AWS CloudFormation and the BatchGetSecretValue API to retrieve the usernames and passwords from Secrets Manager.


Question # 123

A law firm needs to make hundreds of files readable for the general public. The law firm must prevent members of the public from modifying or deleting the files before a specified future date. Which solution will meet these requirements MOST securely?

A. Upload the files to an Amazon S3 bucket that is configured for static website hosting. Grant read-only IAM permissions to any AWS principals that access the S3 bucket until the specified date. 
B. Create a new Amazon S3 bucket. Enable S3 Versioning. Use S3 Object Lock and set a retention period based on the specified date. Create an Amazon CloudFront distribution to serve content from the bucket. Use an S3 bucket policy to restrict access to the CloudFront origin access control (OAC). 
C. Create a new Amazon S3 bucket. Enable S3 Versioning. Configure an event trigger to run an AWS Lambda function if a user modifies or deletes an object. Configure the Lambda function to replace the modified or deleted objects with the original versions of the objects from a private S3 bucket. 
D. Upload the files to an Amazon S3 bucket that is configured for static website hosting. Select the folder that contains the files. Use S3 Object Lock with a retention period based on the specified date. Grant read-only IAM permissions to any AWS principals that access the S3 bucket.


Question # 124

A company is designing an application on AWS that processes sensitive data. The application stores and processes financial data for multiple customers. To meet compliance requirements, the data for each customer must be encrypted separately at rest by using a secure, centralized key management solution. The company wants to use AWS Key Management Service (AWS KMS) to implement encryption. Which solution will meet these requirements with the LEAST operational overhead?

A. Generate a unique encryption key for each customer. Store the keys in an Amazon S3 bucket. Enable server-side encryption.
B. Deploy a hardware security appliance in the AWS environment that securely stores customer-provided encryption keys. Integrate the security appliance with AWS KMS to encrypt the sensitive data in the application.
C. Create a single AWS KMS key to encrypt all sensitive data across the application.
D. Create separate AWS KMS keys for each customer's data that have granular access control and logging enabled.


Question # 125

A company needs to give a globally distributed development team secure access to the company's AWS resources in a way that complies with security policies. The company currently uses an on-premises Active Directory for internal authentication. The company uses AWS Organizations to manage multiple AWS accounts that support multiple projects. The company needs a solution to integrate with the existing infrastructure to provide centralized identity management and access control. Which solution will meet these requirements with the LEAST operational overhead?

A. Set up AWS Directory Service to create an AWS managed Microsoft Active Directory on AWS. Establish a trust relationship with the on-premises Active Directory. Use IAM roles that are assigned to Active Directory groups to access AWS resources within the company's AWS accounts.
B. Create an IAM user for each developer. Manually manage permissions for each IAM user based on each user's involvement with each project. Enforce multi-factor authentication (MFA) as an additional layer of security.
C. Use AD Connector in AWS Directory Service to connect to the on-premises Active Directory. Integrate AD Connector with AWS IAM Identity Center. Configure permission sets to give each AD group access to specific AWS accounts and resources.
D. Use Amazon Cognito to deploy an identity federation solution. Integrate the identity federation solution with the on-premises Active Directory. Use Amazon Cognito to provide access tokens for developers to access AWS accounts and resources.


Question # 126

A company deploys its applications on Amazon Elastic Kubernetes Service (Amazon EKS) behind an Application Load Balancer in an AWS Region. The application needs to store data in a PostgreSQL database engine. The company wants the data in the database to be highly available. The company also needs increased capacity for read workloads. Which solution will meet these requirements with the MOST operational efficiency?

A. Create an Amazon DynamoDB database table configured with global tables.
B. Create an Amazon RDS database with Multi-AZ deployments
C. Create an Amazon RDS database with Multi-AZ DB cluster deployment.
D. Create an Amazon RDS database configured with cross-Region read replicas.


Question # 127

A company deploys its applications on Amazon Elastic Kubernetes Service (Amazon EKS) behind an Application Load Balancer in an AWS Region. The application needs to store data in a PostgreSQL database engine. The company wants the data in the database to be highly available. The company also needs increased capacity for read workloads. Which solution will meet these requirements with the MOST operational efficiency?

A. Create an Amazon DynamoDB database table configured with global tables.
B. Create an Amazon RDS database with Multi-AZ deployments
C. Create an Amazon RDS database with Multi-AZ DB cluster deployment.
D. Create an Amazon RDS database configured with cross-Region read replicas.


Question # 128

A company has an application that runs on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster on Amazon EC2 instances. The application has a UI that uses Amazon DynamoDB and data services that use Amazon S3 as part of the application deployment. The company must ensure that the EKS Pods for the UI can access only Amazon DynamoDB and that the EKS Pods for the data services can access only Amazon S3. The company uses AWS Identity and Access Management (IAM). Which solution meets these requirements?

A. Create separate IAM policies for Amazon S3 and DynamoDB access with the required permissions. Attach both IAM policies to the EC2 instance profile. Use role-based access control (RBAC) to control access to Amazon S3 or DynamoDB for the respective EKS Pods.
B. Create separate IAM policies for Amazon S3 and DynamoDB access with the required permissions. Attach the Amazon S3 IAM policy directly to the EKS Pods for the data services and the DynamoDB policy to the EKS Pods for the UI.
C. Create separate Kubernetes service accounts for the UI and data services to assume an IAM role. Attach the AmazonS3FullAccess policy to the data services account and the AmazonDynamoDBFullAccess policy to the UI service account.
D. Create separate Kubernetes service accounts for the UI and data services to assume an IAM role. Use IAM Roles for Service Accounts (IRSA) to provide access to the EKS Pods for the UI to Amazon S3 and the EKS Pods for the data services to DynamoDB.


Question # 129

A company stores data in Amazon S3. According to regulations, the data must not contain personally identifiable information (PII). The company recently discovered that S3 buckets have some objects that contain PII. The company needs to automatically detect PII in S3 buckets and to notify the company's security team. Which solution will meet these requirements?

A. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData event type from Macie findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
B. Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from GuardDuty findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
C. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData:S3Object/Personal event type from Macie findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security team.
D. Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from GuardDuty findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security team.


Question # 130

A company stores 5 PB of archived data on physical tapes. The company needs to preserve the data for another 10 years. The data center that stores the tapes has a 10 Gbps Direct Connect connection to an AWS Region. The company wants to migrate the data to AWS within the next 6 months.

A. Read the data from the tapes on premises. Use local storage to stage the data. Use AWS DataSync to migrate the data to Amazon S3 Glacier Flexible Retrieval storage.
B. Use an on-premises backup application to read the data from the tapes. Use the backup application to write directly to Amazon S3 Glacier Deep Archive storage.
C. Order multiple AWS Snowball Edge devices. Copy the physical tapes to virtual tapes on the Snowball Edge devices. Ship the Snowball Edge devices to AWS. Create an S3 Lifecycle policy to move the tapes to Amazon S3 Glacier Instant Retrieval storage.
D. Configure an on-premises AWS Storage Gateway Tape Gateway. Create virtual tapes in the AWS Cloud. Use backup software to copy the physical tapes to the virtual tapes. Move the virtual tapes to Amazon S3 Glacier Deep Archive storage.


Question # 131

A solutions architect needs to implement a solution that can handle up to 5,000 messages per second. The solution must publish messages as events to multiple consumers. The messages are up to 500 KB in size. The message consumers need to have the ability to use multiple programming languages to consume the messages with minimal latency. The solution must retain published messages for more than 3 months. The solution must enforce strict ordering of the messages.

A. Publish messages to an Amazon Kinesis Data Streams data stream. Enable enhanced fan-out. Ensure that consumers ingest the data stream by using dedicated throughput. 
B. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic. Ensure that consumers use an Amazon Simple Queue Service (Amazon SQS) FIFO queue to subscribe to the topic. 
C. Publish messages to Amazon EventBridge. Allow each consumer to create rules to deliver messages to the consumer's own target. 
D. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic. Ensure that consumers use Amazon Data Firehose to subscribe to the topic. 


Question # 132

A company runs a Microsoft Windows SMB file share on-premises to support an application. The company wants to migrate the application to AWS. The company wants to share storage across multiple Amazon EC2 instances. Which solutions will meet these requirements with the LEAST operational overhead? (Select TWO.)

A. Create an Amazon Elastic File System (Amazon EFS) file system with elastic throughput.
B. Create an Amazon FSx for NetApp ONTAP file system.
C. Use Amazon Elastic Block Store (Amazon EBS) to create a self-managed Windows file share on the instances.
D. Create an Amazon FSx for Windows File Server file system.
E. Create an Amazon FSx for OpenZFS file system.


Question # 133

A company is building a serverless application to process large video files that users upload. The application performs multiple tasks to process each video file. Processing can take up to 30 minutes for the largest files. The company needs a scalable architecture to support the processing application. Which solution will meet these requirements?

A. Store the uploaded video files in Amazon Elastic File System (Amazon EFS). Configure a schedule in Amazon EventBridge Scheduler to invoke an AWS Lambda function periodically to check for new files. Configure the Lambda function to perform all the processing tasks.
B. Store the uploaded video files in Amazon Elastic File System (Amazon EFS). Configure an Amazon EFS event notification to start an AWS Step Functions workflow that uses AWS Fargate tasks to perform the processing tasks.
C. Store the uploaded video files in Amazon S3. Configure an Amazon S3 event notification to send an event to Amazon EventBridge when a user uploads a new video file. Configure an AWS Step Functions workflow as a target for an EventBridge rule. Use the workflow to manage AWS Fargate tasks to perform the processing tasks.
D. Store the uploaded video files in Amazon S3. Configure an Amazon S3 event notification to invoke an AWS Lambda function when a user uploads a new video file. Configure the Lambda function to perform all the processing tasks.


Question # 134

A company is building a serverless application to process large video files that users upload. The application performs multiple tasks to process each video file. Processing can take up to 30 minutes for the largest files. The company needs a scalable architecture to support the processing application. Which solution will meet these requirements?

A. Store the uploaded video files in Amazon Elastic File System (Amazon EFS). Configure a schedule in Amazon EventBridge Scheduler to invoke an AWS Lambda function periodically to check for new files. Configure the Lambda function to perform all the processing tasks.
B. Store the uploaded video files in Amazon Elastic File System (Amazon EFS). Configure an Amazon EFS event notification to start an AWS Step Functions workflow that uses AWS Fargate tasks to perform the processing tasks.
C. Store the uploaded video files in Amazon S3. Configure an Amazon S3 event notification to send an event to Amazon EventBridge when a user uploads a new video file. Configure an AWS Step Functions workflow as a target for an EventBridge rule. Use the workflow to manage AWS Fargate tasks to perform the processing tasks.
D. Store the uploaded video files in Amazon S3. Configure an Amazon S3 event notification to invoke an AWS Lambda function when a user uploads a new video file. Configure the Lambda function to perform all the processing tasks.


Question # 135

A company has a payroll application that runs in the AWS Cloud. The application uses an Amazon Aurora MySQL database cluster for data storage. The company’s auditing team needs to review the last 90 days of payroll data. A solutions architect needs to design a solution to provide the auditing team access to the payroll data. Which solution will meet these requirements with the MOST operational efficiency?

A. Use Aurora automated backups. Restore the database by using point-in-time recovery.
B. Create a backup plan by using AWS Backup with point-in-time recovery. Restore the database by using the backups from the backup vault.
C. Create daily manual backups of the Aurora cluster for the last 90 days. Restore the databases by using the backups. Delete the older backup files by using scripted CLI calls.
D. Create a backup plan by using AWS Backup with the daily backup option. Set the retention to 90 days. Restore the database by using the backups from the backup vault.


Question # 136

A company uses an Amazon EC2 Auto Scaling group to host an API. The EC2 instances are in a target group that is associated with an Application Load Balancer (ALB). The company stores data in an Amazon Aurora PostgreSQL database. The API has a weekly maintenance window. The company must ensure that the API returns a static maintenance response during the weekly maintenance window. Which solution will meet this requirement with the LEAST operational overhead?

A. Create a table in Aurora PostgreSQL that has fields to contain keys and values. Create a key for a maintenance flag. Set the flag when the maintenance window starts. Configure the API to query the table for the maintenance flag and to return a maintenance response if the flag is set. Reset the flag when the maintenance window is finished. 
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the EC2 instances to the queue. Publish a message to the queue when the maintenance window starts. Configure the API to return a maintenance message if the instances receive a maintenance start message from the queue. Publish another message to the queue when the maintenance window is finished to restore normal operation. 
C. Create a listener rule on the ALB to return a maintenance response when the path on a request matches a wildcard. Set the rule priority to one. Perform the maintenance. When the maintenance window is finished, delete the listener rule. 
D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the EC2 instances to the topic. Publish a message to the topic when the maintenance window starts. Configure the API to return a maintenance response if the instances receive the maintenance start message from the topic. Publish another message to the topic when the maintenance window finishes to restore normal operation.


Question # 137

A finance company uses backup software to back up its data to physical tape storage on premises. To comply with regulations, the company needs to store the data for 7 years. The company must be able to restore archived data within one week when necessary. The company wants to migrate the backup data to AWS to reduce costs. The company does not want to change the current backup software. Which solution will meet these requirements MOST cost-effectively?

A. Use AWS Storage Gateway Tape Gateway to copy the data to virtual tapes. Use AWS DataSync to migrate the virtual tapes to the Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Change the target of the backup software to S3 Standard-IA. 
B. Convert the physical tapes to virtual tapes. Use AWS DataSync to migrate the virtual tapes to Amazon S3 Glacier Flexible Retrieval. Change the target of the backup software to the S3 Glacier Flexible Retrieval. 
C. Use AWS Storage Gateway Tape Gateway to copy the data to virtual tapes. Migrate the virtual tapes to Amazon S3 Glacier Deep Archive. Change the target of the backup software to the virtual tapes. 
D. Convert the physical tapes to virtual tapes. Use AWS Snowball Edge storage-optimized devices to migrate the virtual tapes to Amazon S3 Glacier Flexible Retrieval. Change the target of the backup software to S3 Glacier Flexible Retrieval. 


Question # 138

A company runs an application on Amazon EC2 instances. The instances need to access an Amazon RDS database by using specific credentials. The company uses AWS Secrets Manager to contain the credentials the EC2 instances must use. Which solution will meet this requirement?

A. Create an IAM role, and attach the role to each EC2 instance profile. Use an identity-based policy to grant the new IAM role access to the secret that contains the database credentials.
B. Create an IAM user, and attach the user to each EC2 instance profile. Use a resource-based policy to grant the new IAM user access to the secret that contains the database credentials.
C. Create a resource-based policy for the secret that contains the database credentials. Use EC2 Instance Connect to access the secret.
D. Create an identity-based policy for the secret that contains the database credentials. Grant direct access to the EC2 instances.


Question # 139

A company hosts its multi-tier, public web application in the AWS Cloud. The web application runs on Amazon EC2 instances, and its database runs on Amazon RDS. The company is anticipating a large increase in sales during an upcoming holiday weekend. A solutions architect needs to build a solution to analyze the performance of the web application with a granularity of no more than 2 minutes. What should the solutions architect do to meet this requirement?

A. Send Amazon CloudWatch logs to Amazon Redshift. Use Amazon QuickSight to perform further analysis.
B. Enable detailed monitoring on all EC2 instances. Use Amazon CloudWatch metrics to perform further analysis.
C. Create an AWS Lambda function to fetch EC2 logs from Amazon CloudWatch Logs. Use Amazon CloudWatch metrics to perform further analysis.
D. Send EC2 logs to Amazon S3. Use Amazon Redshift to fetch logs from the S3 bucket to process raw data for further analysis with Amazon QuickSight.


Question # 140

A company hosts a database that runs on an Amazon RDS instance deployed to multiple Availability Zones. A periodic script negatively affects a critical application by querying the database. How can application performance be improved with minimal costs?

A. Add functionality to the script to identify the instance with the fewest active connections and query that instance.
B. Create a read replica of the database. Configure the script to query only the read replica.
C. Instruct the development team to manually export new entries at the end of the day.
D. Use Amazon ElastiCache to cache the common queries the script runs.


Question # 141

A company uses Amazon S3 to store customer data that contains personally identifiable information (PII) attributes. The company needs to make the customer information available to company resources through an AWS Glue Catalog. The company needs to have fine-grained access control for the data so that only specific IAM roles can access the PII data.

A. Create one IAM policy that grants access to PII. Create a second IAM policy that grants access to non-PII data. Assign the PII policy to the specified IAM roles.
B. Create one IAM role that grants access to PII. Create a second IAM role that grants access to non-PII data. Assign the PII policy to the specified IAM roles.
C. Use AWS Lake Formation to provide the specified IAM roles access to the PII data.
D. Use AWS Glue to create one view for PII data. Create a second view for non-PII data. Provide the specified IAM roles access to the PII view.


Question # 142

A digital image processing company wants to migrate its on-premises monolithic application to the AWS Cloud. The company processes thousands of images and generates large files as part of the processing workflow. The company needs a solution to manage the growing number of image processing jobs. The solution must also reduce the manual tasks in the image processing workflow. The company does not want to manage the underlying infrastructure of the solution. Which solution will meet these requirements with the LEAST operational overhead?

A. Use Amazon Elastic Container Service (Amazon ECS) with Amazon EC2 Spot Instances to process the images. Configure Amazon Simple Queue Service (Amazon SQS) to orchestrate the workflow. Store the processed files in Amazon Elastic File System (Amazon EFS).
B. Use AWS Batch jobs to process the images. Use AWS Step Functions to orchestrate the workflow. Store the processed files in an Amazon S3 bucket.
C. Use AWS Lambda functions and Amazon EC2 Spot Instances to process the images. Store the processed files in Amazon FSx.
D. Deploy a group of Amazon EC2 instances to process the images. Use AWS Step Functions to orchestrate the workflow. Store the processed files in an Amazon Elastic Block Store (Amazon EBS) volume.


Question # 143

A company uses a set of Amazon EC2 instances to host a website. The website uses an Amazon S3 bucket to store images and media files. The company wants to automate website infrastructure creation to deploy the website to multiple AWS Regions. The company also wants to provide the EC2 instances access to the S3 bucket so the instances can store and access data by using AWS Identity and Access Management (IAM). Which solution will meet these requirements MOST securely?

A. Create an AWS CloudFormation template for the web server EC2 instances. Save an IAM access key in the UserData section of the AWS::EC2::Instance entity in the CloudFormation template.
B. Create a file that contains an IAM secret access key and access key ID. Store the file in a new S3 bucket. Create an AWS CloudFormation template. In the template, create a parameter to specify the location of the S3 object that contains the access key and access key ID.
C. Create an IAM role and an IAM access policy that allows the web server EC2 instances to access the S3 bucket. Create an AWS CloudFormation template for the web server EC2 instances that contains an IAM instance profile entity that references the IAM role and the IAM access policy.
D. Create a script that retrieves an IAM secret access key and access key ID from IAM and stores them on the web server EC2 instances. Include the script in the UserData section of the AWS::EC2::Instance entity in an AWS CloudFormation template.


Question # 144

A media company hosts a web application on AWS. The application gives users the ability to upload and view videos. The application stores the videos in an Amazon S3 bucket. The company wants to ensure that only authenticated users can upload videos. Authenticated users must have the ability to upload videos only within a specified time frame after authentication. Which solution will meet these requirements with the LEAST operational overhead?

A. Configure the application to generate IAM temporary security credentials for authenticated users. 
B. Create an AWS Lambda function that generates pre-signed URLs when a user authenticates. 
C. Develop a custom authentication service that integrates with Amazon Cognito to control and log direct S3 bucket access through the application. 
D. Use AWS Security Token Service (AWS STS) to assume a pre-defined IAM role that grants authenticated users temporary permissions to upload videos directly to the S3 bucket.


Question # 145

A media company hosts its video processing workload on AWS. The workload uses Amazon EC2 instances in an Auto Scaling group to handle varying levels of demand. The workload stores the original videos and the processed videos in an Amazon S3 bucket. The company wants to ensure that the video processing workload is scalable. The company wants to prevent failed processing attempts because of resource constraints. The architecture must be able to handle sudden spikes in video uploads without impacting the processing capability. Which solution will meet these requirements with the LEAST overhead?

A. Migrate the workload from Amazon EC2 instances to AWS Lambda functions. Configure an Amazon S3 event notification to invoke the Lambda functions when a new video is uploaded. Configure the Lambda functions to process videos directly and to save processed videos back to the S3 bucket.
B. Migrate the workload from Amazon EC2 instances to AWS Lambda functions. Use Amazon S3 to invoke an Amazon Simple Notification Service (Amazon SNS) topic when a new video is uploaded. Subscribe the Lambda functions to the SNS topic. Configure the Lambda functions to process the videos asynchronously and to save processed videos back to the S3 bucket.
C. Configure an Amazon S3 event notification to send a message to an Amazon Simple Queue Service (Amazon SQS) queue when a new video is uploaded. Configure the existing Auto Scaling group to poll the SQS queue, process the videos, and save processed videos back to the S3 bucket.
D. Configure an Amazon S3 upload trigger to invoke an AWS Step Functions state machine when a new video is uploaded. Configure the state machine to orchestrate the video processing workflow by placing a job message in the Amazon SQS queue. Configure the job message to invoke the EC2 instances to process the videos. Save processed videos back to the S3 bucket.


Question # 146

A company uses Amazon RDS for PostgreSQL to run its applications in the us-east-1 Region. The company also uses machine learning (ML) models to forecast annual revenue based on near real-time reports. The reports are generated by using the same RDS for PostgreSQL database. The database performance slows during business hours. The company needs to improve database performance. Which solution will meet these requirements MOST cost-effectively?

A. Create a cross-Region read replica. Configure the reports to be generated from the read replica.
B. Activate Multi-AZ DB instance deployment for RDS for PostgreSQL. Configure the reports to be generated from the standby database.
C. Use AWS Data Migration Service (AWS DMS) to logically replicate data to a new database. Configure the reports to be generated from the new database.
D. Create a read replica in us-east-1. Configure the reports to be generated from the read replica.


Question # 147

A company uses Amazon EC2 instances to host its internal systems. As part of a deployment operation, an administrator tries to use the AWS CLI to terminate an EC2 instance. However, the administrator receives a 403 (Access Denied) error message. The administrator is using an IAM role that has the following IAM policy attached:


What is the cause of the unsuccessful request?

A. The EC2 instance has a resource-based policy with a Deny statement.
B. The principal has not been specified in the policy statement.
C. The "Action" field does not grant the actions that are required to terminate the EC2 instance.
D. The request to terminate the EC2 instance does not originate from the CIDR blocks 192.0.2.0/24 or 203.0.113.0/24.


Question # 148

A media company is using video conversion tools that run on Amazon EC2 instances. The video conversion tools run on a combination of Windows EC2 instances and Linux EC2 instances. Each video file is tens of gigabytes in size. The video conversion tools must process the video files in the shortest possible amount of time. The company needs a single, centralized file storage solution that can be mounted on all the EC2 instances that host the video conversion tools. Which solution will meet these requirements?

A. Deploy Amazon FSx for Windows File Server with hard disk drive (HDD) storage.
B. Deploy Amazon FSx for Windows File Server with solid state drive (SSD) storage.
C. Deploy Amazon Elastic File System (Amazon EFS) with Max I/O performance mode.
D. Deploy Amazon Elastic File System (Amazon EFS) with General Purpose performance mode.


Question # 149

A company has a website that handles dynamic traffic loads. The website architecture is based on Amazon EC2 instances in an Auto Scaling group that is configured to use scheduled scaling. Each EC2 instance runs code from an Amazon Elastic File System (Amazon EFS) volume and stores shared data back to the same volume. The company wants to optimize costs for the website. Which solution will meet this requirement?

A. Reconfigure the Auto Scaling group to set a desired number of instances. Turn off scheduled scaling.
B. Create a new launch template version for the Auto Scaling group that uses larger EC2 instances.
C. Reconfigure the Auto Scaling group to use a target tracking scaling policy.
D. Replace the EFS volume with instance store volumes.


Question # 150

A company runs a payment processing system in the AWS Cloud. Sometimes when a payment fails because of insufficient funds or technical issues, users attempt to resubmit the payment. Sometimes payment resubmissions invoke multiple payment messages for the same payment ID. A solutions architect needs to ensure that the payment processing system receives payment messages that have the same payment ID sequentially, according to when the messages were generated. The processing system must process the messages in the order in which the messages are received. The solution must retain all payment messages for 10 days for analytics. Which solutions will meet these requirements? (Select TWO.)

A. Write the payment messages to an Amazon DynamoDB table that uses the payment ID as the partition key.
B. Write the payment messages to an Amazon Kinesis data stream that uses the payment ID as the partition key.
C. Write the payment messages to an Amazon ElastiCache for Memcached cluster that uses the payment ID as the key.
D. Write the payment messages to an Amazon Simple Queue Service (Amazon SQS) queue. Set the message attribute to use the payment ID.
E. Write the payment messages to an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Set the message group to use the payment ID.


Question # 151

A company is migrating an online marketplace application from a mainframe system to an Auto Scaling group of Amazon EC2 instances. The EC2 instances access an Amazon Aurora cluster. The application requires a scalable, persistent caching solution to store the results of in-progress transactions and SQL queries.

A. Use an Amazon ElastiCache (Redis OSS) cluster to serve transaction and query results.
B. Use an Amazon CloudFront distribution with an Amazon S3 bucket as the origin to cache the transactions. Add an Amazon EC2 instance store volume to the EC2 instances for query result caching.
C. Use an Amazon ElastiCache (Memcached) cluster to serve transaction and query results.
D. Use an Amazon ElastiCache (Redis OSS) cluster to cache the transactions. Add an Amazon EC2 instance store volume to the EC2 instances for query result caching.


Question # 152

How can a company detect and notify security teams about PII in S3 buckets?

A. Use Amazon Macie. Create an EventBridge rule for SensitiveData findings and send an SNS notification.
B. Use Amazon GuardDuty. Create an EventBridge rule for CRITICAL findings and send an SNS notification.
C. Use Amazon Macie. Create an EventBridge rule for SensitiveData:S3Object/Personal findings and send an SQS notification.
D. Use Amazon GuardDuty. Create an EventBridge rule for CRITICAL findings and send an SQS notification.


Question # 153

A company has applications that run in an organization in AWS Organizations. The company outsources operational support of the applications. The company needs to provide access for the external support engineers without compromising security. The external support engineers need access to the AWS Management Console. The external support engineers also need operating system access to the company's fleet of Amazon EC2 instances that run Amazon Linux in private subnets. Which solution will meet these requirements MOST securely?

A. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM Identity Center to provide the external support engineers console access. Use Systems Manager Session Manager to assign the required permissions.
B. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use Systems Manager Session Manager to provide local IAM user credentials in each AWS account to the external support engineers for console access.
C. Confirm that all instances have a security group that allows SSH access only from the external support engineers' source IP address ranges. Provide local IAM user credentials in each AWS account to the external support engineers for console access. Provide each external support engineer an SSH key pair to log in to the application instances.
D. Create a bastion host in a public subnet. Set up the bastion host security group to allow access from only the external engineers' IP address ranges. Ensure that all instances have a security group that allows SSH access from the bastion host. Provide each external support engineer an SSH key pair to log in to the application instances. Provide local account IAM user credentials to the engineers for console access.


Question # 154

A company runs an environment where data is stored in an Amazon S3 bucket. The objects are accessed frequently throughout the day. The company has strict data encryption requirements for data that is stored in the S3 bucket. The company currently uses AWS Key Management Service (AWS KMS) for encryption. The company wants to optimize costs associated with encrypting S3 objects without making additional calls to AWS KMS. Which solution will meet these requirements?

A. Use server-side encryption with Amazon S3 managed keys (SSE-S3).
B. Use an S3 Bucket Key for server-side encryption with AWS KMS keys (SSE-KMS) on the new objects.
C. Use client-side encryption with AWS KMS customer managed keys.
D. Use server-side encryption with customer-provided keys (SSE-C) stored in AWS KMS.


Question # 155

A company is designing the architecture for a new mobile app that uses the AWS Cloud. The company uses organizational units (OUs) in AWS Organizations to manage its accounts. The company wants to tag Amazon EC2 instances with data sensitivity by using values of sensitive and nonsensitive. IAM identities must not be able to delete a tag or create instances without a tag. Which combination of steps will meet these requirements? (Select TWO.)

A. In Organizations, create a new tag policy that specifies the data sensitivity tag key and the required values. Enforce the tag values for the EC2 instances. Attach the tag policy to the appropriate OU.
B. In Organizations, create a new service control policy (SCP) that specifies the data sensitivity tag key and the required tag values. Enforce the tag values for the EC2 instances. Attach the SCP to the appropriate OU.
C. Create a tag policy to deny running instances when a tag key is not specified. Create another tag policy that prevents identities from deleting tags. Attach the tag policies to the appropriate OU.
D. Create a service control policy (SCP) to deny creating instances when a tag key is not specified. Create another SCP that prevents identities from deleting tags. Attach the SCPs to the appropriate OU.
E. Create an AWS Config rule to check if EC2 instances use the data sensitivity tag and the specified values. Configure an AWS Lambda function to delete the resource if a noncompliant resource is found.


Question # 156

A company is running a media store across multiple Amazon EC2 instances distributed across multiple Availability Zones in a single VPC. The company wants a high-performing solution to share data between all the EC2 instances, and prefers to keep the data within the VPC only. What should a solutions architect recommend?

A. Create an Amazon S3 bucket and call the service APIs from each instance's application.
B. Create an Amazon S3 bucket and configure all instances to access it as a mounted volume.
C. Configure an Amazon Elastic Block Store (Amazon EBS) volume and mount it across all instances.
D. Configure an Amazon Elastic File System (Amazon EFS) file system and mount it across all instances.


Question # 157

A company stores user data in AWS. The data is used continuously with peak usage during business hours. Access patterns vary, with some data not being used for months at a time. A solutions architect must choose a cost-effective solution that maintains the highest level of durability while maintaining high availability. Which storage solution meets these requirements? 

A. Amazon S3 Standard
B. Amazon S3 Intelligent-Tiering
C. Amazon S3 Glacier Deep Archive
D. Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)


Question # 158

A weather forecasting company collects temperature readings from various sensors on a continuous basis. An existing data ingestion process collects the readings and aggregates the readings into larger Apache Parquet files. Then the process encrypts the files by using client-side encryption with KMS managed keys (CSE-KMS). Finally, the process writes the files to an Amazon S3 bucket with separate prefixes for each calendar day. The company wants to run occasional SQL queries on the data to take sample moving averages for a specific calendar day. Which solution will meet these requirements MOST cost-effectively?

A. Configure Amazon Athena to read the encrypted files. Run SQL queries on the data directly in Amazon S3.
B. Use Amazon S3 Select to run SQL queries on the data directly in Amazon S3.
C. Configure Amazon Redshift to read the encrypted files. Use Redshift Spectrum and Redshift query editor v2 to run SQL queries on the data directly in Amazon S3.
D. Configure Amazon EMR Serverless to read the encrypted files. Use Apache SparkSQL to run SQL queries on the data directly in Amazon S3.


Question # 159

A company has separate AWS accounts for its finance, data analytics, and development departments. Because of costs and security concerns, the company wants to control which services each AWS account can use. Which solution will meet these requirements with the LEAST operational overhead?

A. Use AWS Systems Manager templates to control which AWS services each department can use.
B. Create organization units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.
C. Use AWS CloudFormation to automatically provision only the AWS services that each department can use.
D. Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the usage of specific AWS services.


Question # 160

A company is building a web application that serves a content management system. The content management system runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group across multiple Availability Zones. Users are constantly adding and updating files, blogs and other website assets in the content management system. A solutions architect must implement a solution in which all the EC2 instances share up-to-date website content with the least possible lag time. Which solution meets these requirements?

A. Update the EC2 user data in the Auto Scaling group lifecycle policy to copy the website assets from the EC2 instance that was launched most recently. Configure the ALB to make changes to the website assets only in the newest EC2 instance.
B. Copy the website assets to an Amazon Elastic File System (Amazon EFS) file system. Configure each EC2 instance to mount the EFS file system locally. Configure the website hosting application to reference the website assets that are stored in the EFS file system.
C. Copy the website assets to an Amazon S3 bucket. Ensure that each EC2 instance downloads the website assets from the S3 bucket to the attached Amazon Elastic Block Store (Amazon EBS) volume. Run the S3 sync command once each hour to keep files up to date.
D. Restore an Amazon Elastic Block Store (Amazon EBS) snapshot with the website assets. Attach the EBS snapshot as a secondary EBS volume when a new EC2 instance is launched. Configure the website hosting application to reference the website assets that are stored in the secondary EBS volume.


Question # 161

A company is building an application in the AWS Cloud. The application is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses Amazon Route 53 for the DNS. The company needs a managed solution with proactive engagement to detect against DDoS attacks. Which solution will meet these requirements?

A. Enable AWS Config. Configure an AWS Config managed rule that detects DDoS attacks.
B. Enable AWS WAF on the ALB. Create an AWS WAF web ACL with rules to detect and prevent DDoS attacks. Associate the web ACL with the ALB.
C. Store the ALB access logs in an Amazon S3 bucket. Configure Amazon GuardDuty to detect and take automated preventative actions for DDoS attacks.
D. Subscribe to AWS Shield Advanced. Configure hosted zones in Route 53. Add ALB resources as protected resources.


Question # 162

A company runs a Node.js function on a server in its on-premises data center. The data center stores data in a PostgreSQL database. The company stores the credentials in a connection string in an environment variable on the server. The company wants to migrate its application to AWS and to replace the Node.js application server with AWS Lambda. The company also wants to migrate to Amazon RDS for PostgreSQL and to ensure that the database credentials are securely managed. Which solution will meet these requirements with the LEAST operational overhead?

A. Store the database credentials as a parameter in AWS Systems Manager Parameter Store. Configure Parameter Store to automatically rotate the secrets every 30 days. Update the Lambda function to retrieve the credentials from the parameter.
B. Store the database credentials as a secret in AWS Secrets Manager. Configure Secrets Manager to automatically rotate the credentials every 30 days. Update the Lambda function to retrieve the credentials from the secret.
C. Store the database credentials as an encrypted Lambda environment variable. Write a custom Lambda function to rotate the credentials. Schedule the Lambda function to run every 30 days.
D. Store the database credentials as a key in AWS Key Management Service (AWS KMS). Configure automatic rotation for the key. Update the Lambda function to retrieve the credentials from the KMS key.


Question # 163

A company runs several websites on AWS for its different brands. Each website generates tens of gigabytes of web traffic logs each day. A solutions architect needs to design a scalable solution to give the company's developers the ability to analyze traffic patterns across all the company's websites. This analysis by the developers will occur on demand once a week over the course of several months. The solution must support queries with standard SQL. Which solution will meet these requirements MOST cost-effectively?

A. Store the logs in Amazon S3. Use Amazon Athena for analysis.
B. Store the logs in Amazon RDS. Use a database client for analysis.
C. Store the logs in Amazon OpenSearch Service. Use OpenSearch Service for analysis.
D. Store the logs in an Amazon EMR cluster. Use a supported open-source framework for SQL-based analysis.


Question # 164

A company runs its production workload on an Amazon Aurora MySQL DB cluster that includes six Aurora Replicas. The company wants near-real-time reporting queries from one of its departments to be automatically distributed across three of the Aurora Replicas. Those three replicas have a different compute and memory specification from the rest of the DB cluster. Which solution meets these requirements?

A. Create and use a custom endpoint for the workload.
B. Create a three-node cluster clone and use the reader endpoint.
C. Use any of the instance endpoints for the selected three nodes.
D. Use the reader endpoint to automatically distribute the read-only workload.


Question # 165

A company is building a cloud-based application on AWS that will handle sensitive customer data. The application uses Amazon RDS for the database, Amazon S3 for object storage, and S3 Event Notifications that invoke AWS Lambda for serverless processing. The company uses AWS IAM Identity Center to manage user credentials. The development, testing, and operations teams need secure access to Amazon RDS and Amazon S3 while ensuring the confidentiality of sensitive customer data. The solution must comply with the principle of least privilege. Which solution meets these requirements with the LEAST operational overhead?

A. Use IAM roles with least privilege to grant all the teams access. Assign IAM roles to each team with customized IAM policies defining specific permission for Amazon RDS and S3 object access based on team responsibilities.
B. Enable IAM Identity Center with an Identity Center directory. Create and configure permission sets with granular access to Amazon RDS and Amazon S3. Assign all the teams to groups that have specific access with the permission sets.
C. Create individual IAM users for each member in all the teams with role-based permissions. Assign the IAM roles with predefined policies for RDS and S3 access to each user based on user needs. Implement IAM Access Analyzer for periodic credential evaluation.
D. Use AWS Organizations to create separate accounts for each team. Implement cross-account IAM roles with least privilege. Grant specific permission for RDS and S3 access based on team roles and responsibilities.

Answer: B


Question # 166

A company is implementing a new application on AWS. The company will run the application on multiple Amazon EC2 instances across multiple Availability Zones within multiple AWS Regions. The application will be available through the internet. Users will access the application from around the world. The company wants to ensure that each user who accesses the application is sent to the EC2 instances that are closest to the user's location. Which solution will meet these requirements?

A. Implement an Amazon Route 53 geolocation routing policy. Use an internet-facing Application Load Balancer to distribute the traffic across all Availability Zones within the same Region.
B. Implement an Amazon Route 53 geoproximity routing policy. Use an internet-facing Network Load Balancer to distribute the traffic across all Availability Zones within the same Region.
C. Implement an Amazon Route 53 multivalue answer routing policy. Use an internet-facing Application Load Balancer to distribute the traffic across all Availability Zones within the same Region.
D. Implement an Amazon Route 53 weighted routing policy. Use an internet-facing Network Load Balancer to distribute the traffic across all Availability Zones within the same Region.


Question # 167

An ecommerce company runs several internal applications in multiple AWS accounts. The company uses AWS Organizations to manage its AWS accounts. A security appliance in the company's networking account must inspect interactions between applications across AWS accounts. Which solution will meet these requirements?

A. Deploy a Network Load Balancer (NLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the NLB by using an interface VPC endpoint in the application accounts.
B. Deploy an Application Load Balancer (ALB) in the application accounts to send traffic directly to the security appliance.
C. Deploy a Gateway Load Balancer (GWLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the GWLB by using an interface GWLB endpoint in the application accounts.
D. Deploy an interface VPC endpoint in the application accounts to send traffic directly to the security appliance.


Question # 168

A company stores data in an on-premises Oracle relational database. The company needs to make the data available in Amazon Aurora PostgreSQL for analysis. The company uses an AWS Site-to-Site VPN connection to connect its on-premises network to AWS. The company must capture the changes that occur to the source database during the migration to Aurora PostgreSQL. Which solution will meet these requirements?

A. Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora PostgreSQL schema. Use the AWS Database Migration Service (AWS DMS) full-load migration task to migrate the data.
B. Use AWS DataSync to migrate the data to an Amazon S3 bucket. Import the S3 data to Aurora PostgreSQL by using the Aurora PostgreSQL aws_s3 extension.
C. Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora PostgreSQL schema. Use AWS Database Migration Service (AWS DMS) to migrate the existing data and replicate the ongoing changes.
D. Use an AWS Snowball device to migrate the data to an Amazon S3 bucket. Import the S3 data to Aurora PostgreSQL by using the Aurora PostgreSQL aws_s3 extension.


Question # 169

A company has an employee web portal. Employees log in to the portal to view payroll details. The company is developing a new system to give employees the ability to upload scanned documents for reimbursement. The company runs a program to extract text-based data from the documents and attach the extracted information to each employee's reimbursement IDs for processing. The employee web portal requires 100% uptime. The document extract program runs infrequently throughout the day on an on-demand basis. The company wants to build a scalable and cost-effective new system that will require minimal changes to the existing web portal. The company does not want to make any code changes. Which solution will meet these requirements with the LEAST implementation effort?

A. Run Amazon EC2 On-Demand Instances in an Auto Scaling group for the web portal. Use an AWS Lambda function to run the document extract program. Invoke the Lambda function when an employee uploads a new reimbursement document.
B. Run Amazon EC2 Spot Instances in an Auto Scaling group for the web portal. Run the document extract program on EC2 Spot Instances. Start document extract program instances when an employee uploads a new reimbursement document.
C. Purchase a Savings Plan to run the web portal and the document extract program. Run the web portal and the document extract program in an Auto Scaling group.
D. Create an Amazon S3 bucket to host the web portal. Use Amazon API Gateway and an AWS Lambda function for the existing functionalities. Use the Lambda function to run the document extract program. Invoke the Lambda function when the API that is associated with a new document upload is called.


Question # 170

A medical company wants to perform transformations on a large amount of clinical trial data that comes from several customers. The company must extract the data from a relational database that contains the customer data. Then the company will transform the data by using a series of complex rules. The company will load the data to Amazon S3 when the transformations are complete. All data must be encrypted where it is processed before the company stores the data in Amazon S3. All data must be encrypted by using customer-specific keys. Which solution will meet these requirements with the LEAST amount of operational effort?

A. Create one AWS Glue job for each customer. Attach a security configuration to each job that uses server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt the data.
B. Create one Amazon EMR cluster for each customer. Attach a security configuration to each cluster that uses client-side encryption with a custom client-side root key (CSE-Custom) to encrypt the data.
C. Create one AWS Glue job for each customer. Attach a security configuration to each job that uses client-side encryption with AWS KMS managed keys (CSE-KMS) to encrypt the data.
D. Create one Amazon EMR cluster for each customer. Attach a security configuration to each cluster that uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt the data.


Question # 171

A company needs to optimize its Amazon S3 storage costs for an application that generates many files that cannot be recreated. Each file is approximately 5 MB and is stored in Amazon S3 Standard storage. The company must store the files for 4 years before the files can be deleted. The files must be immediately accessible. The files are frequently accessed in the first 30 days of object creation, but they are rarely accessed after the first 30 days. Which solution will meet these requirements MOST cost-effectively?

A. Create an S3 Lifecycle policy to move the files to S3 Glacier Instant Retrieval 30 days after object creation. Delete the files 4 years after object creation.
B. Create an S3 Lifecycle policy to move the files to S3 One Zone-Infrequent Access (S3 One Zone-IA) 30 days after object creation. Delete the files 4 years after object creation.
C. Create an S3 Lifecycle policy to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) 30 days after object creation. Delete the files 4 years after object creation.
D. Create an S3 Lifecycle policy to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) 30 days after object creation. Move the files to S3 Glacier Flexible Retrieval 4 years after object creation.


Question # 172

A startup company is hosting a website for its customers on an Amazon EC2 instance. The website consists of a stateless Python application and a MySQL database. The website serves only a small amount of traffic. The company is concerned about the reliability of the instance and needs to migrate to a highly available architecture. The company cannot modify the application code. Which combination of actions should a solutions architect take to achieve high availability for the website? (Select TWO.)

A. Provision an internet gateway in each Availability Zone in use.
B. Migrate the database to an Amazon RDS for MySQL Multi-AZ DB instance.
C. Migrate the database to Amazon DynamoDB and enable DynamoDB auto scaling.
D. Use AWS DataSync to synchronize the database data across multiple EC2 instances.
E. Create an Application Load Balancer to distribute traffic to an Auto Scaling group of EC2 instances that are distributed across two Availability Zones.


Question # 173

A company has migrated several applications to AWS in the past 3 months. The company wants to know the breakdown of costs for each of these applications. The company wants to receive a regular report that includes this information. Which solution will meet these requirements MOST cost-effectively?

A. Use AWS Budgets to download data for the past 3 months into a csv file. Look up the desired information.
B. Load AWS Cost and Usage Reports into an Amazon RDS DB instance. Run SQL queries to get the desired information.
C. Tag all the AWS resources with a key for cost and a value of the application's name. Activate cost allocation tags. Use Cost Explorer to get the desired information.
D. Tag all the AWS resources with a key for cost and a value of the application's name. Use the AWS Billing and Cost Management console to download bills for the past 3 months. Look up the desired information.


Question # 174

A company is migrating a legacy application from an on-premises data center to AWS. The application relies on hundreds of cron jobs that run between 1 and 20 minutes on different recurring schedules throughout the day. The company wants a solution to schedule and run the cron jobs on AWS with minimal refactoring. The solution must support running the cron jobs in response to an event in the future. Which solution will meet these requirements?

A. Create a container image for the cron jobs. Use Amazon EventBridge Scheduler to create a recurring schedule. Run the cron job tasks as AWS Lambda functions.
B. Create a container image for the cron jobs. Use AWS Batch on Amazon Elastic Container Service (Amazon ECS) with a scheduling policy to run the cron jobs.
C. Create a container image for the cron jobs. Use Amazon EventBridge Scheduler to create a recurring schedule. Run the cron job tasks on AWS Fargate.
D. Create a container image for the cron jobs. Create a workflow in AWS Step Functions that uses a Wait state to run the cron jobs at a specified time. Use the RunTask action to run the cron job tasks on AWS Fargate.


Question # 175

A company uses Amazon API Gateway to manage its REST APIs that third-party service providers access. The company must protect the REST APIs from SQL injection and cross-site scripting attacks. What is the MOST operationally efficient solution that meets these requirements?

A. Configure AWS Shield.
B. Configure AWS WAF.
C. Set up API Gateway with an Amazon CloudFront distribution. Configure AWS Shield in CloudFront.
D. Set up API Gateway with an Amazon CloudFront distribution. Configure AWS WAF in CloudFront.


Question # 176

A company is using AWS DataSync to migrate millions of files from an on-premises system to AWS. The files are 10 KB in size on average. The company wants to use Amazon S3 for file storage. For the first year after the migration the files will be accessed once or twice and must be immediately available. After 1 year the files must be archived for at least 7 years. Which solution will meet these requirements MOST cost-effectively?

A. Use an archive tool to group the files into large objects. Use DataSync to migrate the objects. Store the objects in S3 Glacier Instant Retrieval for the first year. Use a lifecycle configuration to transition the files to S3 Glacier Deep Archive after 1 year with a retention period of 7 years.
B. Use an archive tool to group the files into large objects. Use DataSync to copy the objects to S3 Standard-Infrequent Access (S3 Standard-IA). Use a lifecycle configuration to transition the files to S3 Glacier Instant Retrieval after 1 year with a retention period of 7 years.
C. Configure the destination storage class for the files as S3 Glacier Instant Retrieval. Use a lifecycle policy to transition the files to S3 Glacier Flexible Retrieval after 1 year with a retention period of 7 years.
D. Configure a DataSync task to transfer the files to S3 Standard-Infrequent Access (S3 Standard-IA). Use a lifecycle configuration to transition the files to S3 Deep Archive after 1 year with a retention period of 7 years.


Question # 177

A company is migrating its on-premises Oracle database to an Amazon RDS for Oracle database. The company needs to retain data for 90 days to meet regulatory requirements. The company must also be able to restore the database to a specific point in time for up to 14 days. Which solution will meet these requirements with the LEAST operational overhead?

A. Create Amazon RDS automated backups. Set the retention period to 90 days.
B. Create an Amazon RDS manual snapshot every day. Delete manual snapshots that are older than 90 days.
C. Use the Amazon Aurora Clone feature for Oracle to create a point-in-time restore. Delete clones that are older than 90 days.
D. Create a backup plan that has a retention period of 90 days by using AWS Backup for Amazon RDS.


Question # 178

A company uses Amazon EC2 instances and stores data on Amazon Elastic Block Store (Amazon EBS) volumes. The company must ensure that all data is encrypted at rest by using AWS Key Management Service (AWS KMS). The company must be able to control rotation of the encryption keys. Which solution will meet these requirements with the LEAST operational overhead?

A. Create a customer managed key. Use the key to encrypt the EBS volumes.
B. Use an AWS managed key to encrypt the EBS volumes. Use the key to configure automatic key rotation.
C. Create an external KMS key with imported key material. Use the key to encrypt the EBS volumes.
D. Use an AWS owned key to encrypt the EBS volumes.


Question # 179

A company uses an Amazon DynamoDB table to store data that the company receives from devices. The DynamoDB table supports a customer-facing website to display recent activity on customer devices. The company configured the table with provisioned throughput for writes and reads. The company wants to calculate performance metrics for customer device data on a daily basis. The solution must have minimal effect on the table's provisioned read and write capacity. Which solution will meet these requirements?

A. Use an Amazon Athena SQL query with the Amazon Athena DynamoDB connector to calculate performance metrics on a recurring schedule.
B. Use an AWS Glue job with the AWS Glue DynamoDB export connector to calculate performance metrics on a recurring schedule.
C. Use an Amazon Redshift COPY command to calculate performance metrics on a recurring schedule.
D. Use an Amazon EMR job with an Apache Hive external table to calculate performance metrics on a recurring schedule.


Question # 180

A company sets up an organization in AWS Organizations that contains 10 AWS accounts. A solutions architect must design a solution to provide access to the accounts for several thousand employees. The company has an existing identity provider (IdP). The company wants to use the existing IdP for authentication to AWS. Which solution will meet these requirements?

A. Create IAM users for the employees in the required AWS accounts. Connect IAM users to the existing IdP. Configure federated authentication for the IAM users.
B. Set up AWS account root users with user email addresses and passwords that are synchronized from the existing IdP.
C. Configure AWS IAM Identity Center. Connect IAM Identity Center to the existing IdP. Provision users and groups from the existing IdP.
D. Use AWS Resource Access Manager (AWS RAM) to share access to the AWS accounts with the users in the existing IdP.


Question # 181

A company currently runs an on-premises stock trading application by using Microsoft Windows Server. The company wants to migrate the application to the AWS Cloud. The company needs to design a highly available solution that provides low-latency access to block storage across multiple Availability Zones. Which solution will meet these requirements with the LEAST implementation effort?

A. Configure a Windows Server cluster that spans two Availability Zones on Amazon EC2 instances. Install the application on both cluster nodes. Use Amazon FSx for Windows File Server as shared storage between the two cluster nodes.
B. Configure a Windows Server cluster that spans two Availability Zones on Amazon EC2 instances. Install the application on both cluster nodes. Use Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp3) volumes as storage attached to the EC2 instances. Set up application-level replication to sync data from one EBS volume in one Availability Zone to another EBS volume in the second Availability Zone.
C. Deploy the application on Amazon EC2 instances in two Availability Zones. Configure one EC2 instance as active and the second EC2 instance in standby mode. Use an Amazon FSx for NetApp ONTAP Multi-AZ file system to access the data by using Internet Small Computer Systems Interface (iSCSI) protocol.
D. Deploy the application on Amazon EC2 instances in two Availability Zones. Configure one EC2 instance as active and the second EC2 instance in standby mode. Use Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS SSD (io2) volumes as storage attached to the EC2 instances. Set up Amazon EBS level replication to sync data from one io2 volume in one Availability Zone to another io2 volume in the second Availability Zone.


Question # 182

A company is migrating its databases to Amazon RDS for PostgreSQL. The company is migrating its applications to Amazon EC2 instances. The company wants to optimize costs for long-running workloads. Which solution will meet this requirement MOST cost-effectively?

A. Use On-Demand Instances for the Amazon RDS for PostgreSQL workloads. Purchase a 1 year Compute Savings Plan with the No Upfront option for the EC2 instances.
B. Purchase Reserved Instances for a 1 year term with the No Upfront option for the Amazon RDS for PostgreSQL workloads. Purchase a 1 year EC2 Instance Savings Plan with the No Upfront option for the EC2 instances.
C. Purchase Reserved Instances for a 1 year term with the Partial Upfront option for the Amazon RDS for PostgreSQL workloads. Purchase a 1 year EC2 Instance Savings Plan with the Partial Upfront option for the EC2 instances.
D. Purchase Reserved Instances for a 3 year term with the All Upfront option for the Amazon RDS for PostgreSQL workloads. Purchase a 3 year EC2 Instance Savings Plan with the All Upfront option for the EC2 instances.


Question # 183

A company hosts an application in a private subnet. The company has already integrated the application with Amazon Cognito. The company uses an Amazon Cognito user pool to authenticate users. The company needs to modify the application so the application can securely store user documents in an Amazon S3 bucket. Which combination of steps will securely integrate Amazon S3 with the application? (Select TWO.)

A. Create an Amazon Cognito identity pool to generate secure Amazon S3 access tokens for users when they successfully log in.
B. Use the existing Amazon Cognito user pool to generate Amazon S3 access tokens for users when they successfully log in.
C. Create an Amazon S3 VPC endpoint in the same VPC where the company hosts the application.
D. Create a NAT gateway in the VPC where the company hosts the application. Assign a policy to the S3 bucket to deny any request that is not initiated from Amazon Cognito. 
E. Attach a policy to the S3 bucket that allows access only from the users' IP addresses.


Question # 184

A company hosts its application on several Amazon EC2 instances inside a VPC. The company creates a dedicated Amazon S3 bucket for each customer to store their relevant information in Amazon S3. The company wants to ensure that the application running on EC2 instances can securely access only the S3 buckets that belong to the company's AWS account. Which solution will meet these requirements with the LEAST operational overhead?

A. Create a gateway endpoint for Amazon S3 that is attached to the VPC. Update the IAM instance profile policy to provide access to only the specific buckets that the application needs.
B. Create a NAT gateway in a public subnet with a security group that allows access to only Amazon S3. Update the route tables to use the NAT Gateway.
C. Create a gateway endpoint for Amazon S3 that is attached to the VPC. Update the IAM instance profile policy with a Deny action and the following condition key:
D. Create a NAT Gateway in a public subnet. Update route tables to use the NAT Gateway. Assign bucket policies for all buckets with a Deny action and the following condition key:


Question # 185

A company wants to standardize its Amazon Elastic Block Store (Amazon EBS) volume encryption strategy. The company also wants to minimize the cost and configuration effort required to operate the volume encryption check. Which solution will meet these requirements?

A. Write API calls to describe the EBS volumes and to confirm the EBS volumes are encrypted. Use Amazon EventBridge to schedule an AWS Lambda function to run the API calls.
B. Write API calls to describe the EBS volumes and to confirm the EBS volumes are encrypted. Run the API calls on an AWS Fargate task.
C. Create an AWS Identity and Access Management (IAM) policy that requires the use of tags on EBS volumes. Use AWS Cost Explorer to display resources that are not properly tagged. Encrypt the untagged resources manually.
D. Create an AWS Config rule for Amazon EBS to evaluate if a volume is encrypted and to flag the volume if it is not encrypted.


Question # 186

An online gaming company hosts its platform on Amazon EC2 instances behind Network Load Balancers (NLBs) across multiple AWS Regions. The NLBs can route requests to targets over the internet. The company wants to improve the customer playing experience by reducing end-to-end load time for its global customer base. Which solution will meet these requirements?

A. Create Application Load Balancers (ALBs) in each Region to replace the existing NLBs. Register the existing EC2 instances as targets for the ALBs in each Region.
B. Configure Amazon Route 53 to route equally weighted traffic to the NLBs in each Region.
C. Create additional NLBs and EC2 instances in other Regions where the company has large customer bases.
D. Create a standard accelerator in AWS Global Accelerator. Configure the existing NLBs as target endpoints.


Question # 187

A company has stored millions of objects across multiple prefixes in an Amazon S3 bucket by using the Amazon S3 Glacier Deep Archive storage class. The company needs to delete all data older than 3 years except for a subset of data that must be retained. The company has identified the data that must be retained and wants to implement a serverless solution. Which solution will meet these requirements?

A. Use S3 Inventory to list all objects. Use the AWS CLI to create a script that runs on an Amazon EC2 instance that deletes objects from the inventory list.
B. Use AWS Batch to delete objects older than 3 years except for the data that must be retained.
C. Provision an AWS Glue crawler to query objects older than 3 years. Save the manifest file of old objects. Create a script to delete objects in the manifest.
D. Enable S3 Inventory. Create an AWS Lambda function to filter and delete objects. Invoke the Lambda function with S3 Batch Operations to delete objects by using the inventory reports.


Question # 188

A solutions architect needs to connect a company's corporate network to its VPC to allow on-premises access to its AWS resources. The solution must provide encryption of all traffic between the corporate network and the VPC at the network layer and the session layer. The solution also must provide security controls to prevent unrestricted access between AWS and the on-premises systems. Which solution meets these requirements?

A. Configure AWS Direct Connect to connect to the VPC. Configure the VPC route tables to allow and deny traffic between AWS and on premises as required.
B. Create an IAM policy to allow access to the AWS Management Console only from a defined set of corporate IP addresses. Restrict user access based on job responsibility by using an IAM policy and roles.
C. Configure AWS Site-to-Site VPN to connect to the VPC. Configure route table entries to direct traffic from on premises to the VPC. Configure instance security groups and network ACLs to allow only required traffic from on premises.
D. Configure AWS Transit Gateway to connect to the VPC. Configure route table entries to direct traffic from on premises to the VPC. Configure instance security groups and network ACLs to allow only required traffic from on premises.


Question # 189

A company currently stores 5 TB of data in on-premises block storage systems. The company's current storage solution provides limited space for additional data. The company runs applications on premises that must be able to retrieve frequently accessed data with low latency. The company requires a cloud-based storage solution. Which solution will meet these requirements with the MOST operational efficiency?

A. Use Amazon S3 File Gateway. Integrate S3 File Gateway with the on-premises applications to store and directly retrieve files by using the SMB file system.
B. Use an AWS Storage Gateway Volume Gateway with cached volumes as iSCSI targets.
C. Use an AWS Storage Gateway Volume Gateway with stored volumes as iSCSI targets.
D. Use an AWS Storage Gateway Tape Gateway. Integrate Tape Gateway with the on-premises applications to store virtual tapes in Amazon S3.


Question # 190

A company has a three-tier web application that processes orders from customers. The web tier consists of Amazon EC2 instances behind an Application Load Balancer. The processing tier consists of EC2 instances. The company decoupled the web tier and processing tier by using Amazon Simple Queue Service (Amazon SQS). The storage layer uses Amazon DynamoDB. At peak times some users report order processing delays and halts. The company has noticed that during these delays, the EC2 instances are running at 100% CPU usage, and the SQS queue fills up. The peak times are variable and unpredictable. The company needs to improve the performance of the application. Which solution will meet these requirements?

A. Use scheduled scaling for Amazon EC2 Auto Scaling to scale out the processing tier instances for the duration of peak usage times. Use the CPU Utilization metric to determine when to scale.
B. Use Amazon ElastiCache for Redis in front of the DynamoDB backend tier. Use target utilization as a metric to determine when to scale.
C. Add an Amazon CloudFront distribution to cache the responses for the web tier. Use HTTP latency as a metric to determine when to scale.
D. Use an Amazon EC2 Auto Scaling target tracking policy to scale out the processing tier instances. Use the ApproximateNumberOfMessages attribute to determine when to scale.


Question # 191

A company runs database workloads on AWS that are the backend for the company's customer portals. The company runs a Multi-AZ database cluster on Amazon RDS for PostgreSQL. The company needs to implement a 30-day backup retention policy. The company currently has both automated RDS backups and manual RDS backups. The company wants to maintain both types of existing RDS backups that are less than 30 days old. Which solution will meet these requirements MOST cost-effectively?

A. Configure the RDS backup retention policy to 30 days for automated backups by using AWS Backup. Manually delete manual backups that are older than 30 days.
B. Disable RDS automated backups. Delete automated backups and manual backups that are older than 30 days. Configure the RDS backup retention policy to 30 days for automated backups.
C. Configure the RDS backup retention policy to 30 days for automated backups. Manually delete manual backups that are older than 30 days.
D. Disable RDS automated backups. Delete automated backups and manual backups that are older than 30 days automatically by using AWS CloudFormation. Configure the RDS backup retention policy to 30 days for automated backups.


Question # 192

A company is building an application on AWS that connects to an Amazon RDS database. The company wants to manage the application configuration and to securely store and retrieve credentials for the database and other services. Which solution will meet these requirements with the LEAST administrative overhead?

A. Use AWS AppConfig to store and manage the application configuration. Use AWS Secrets Manager to store and retrieve the credentials.
B. Use AWS Lambda to store and manage the application configuration. Use AWS Systems Manager Parameter Store to store and retrieve the credentials.
C. Use an encrypted application configuration file. Store the file in Amazon S3 for the application configuration. Create another S3 file to store and retrieve the credentials.
D. Use AWS AppConfig to store and manage the application configuration. Use Amazon RDS to store and retrieve the credentials.


Question # 193

A company is planning to migrate a legacy application to AWS. The application currently uses NFS to communicate to an on-premises storage solution to store application data. The application cannot be modified to use any other communication protocols other than NFS for this purpose. Which storage solution should a solutions architect recommend for use after the migration?

A. AWS DataSync
B. Amazon Elastic Block Store (Amazon EBS)
C. Amazon Elastic File System (Amazon EFS)
D. Amazon EMR File System (Amazon EMRFS)


Question # 194

A financial services company plans to launch a new application on AWS to handle sensitive financial transactions. The company will deploy the application on Amazon EC2 instances. The company will use Amazon RDS for MySQL as the database. The company's security policies mandate that data must be encrypted at rest and in transit. Which solution will meet these requirements with the LEAST operational overhead?

A. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
B. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure IPsec tunnels for encryption in transit.
C. Implement third-party application-level data encryption before storing data in Amazon RDS for MySQL. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
D. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure a VPN connection to enable private connectivity to encrypt data in transit.


Question # 195

A company's application is deployed on Amazon EC2 instances and uses AWS Lambda functions for an event-driven architecture. The company uses nonproduction development environments in a different AWS account to test new features before the company deploys the features to production. The production instances show constant usage because of customers in different time zones. The company uses nonproduction instances only during business hours on weekdays. The company does not use the nonproduction instances on the weekends. The company wants to optimize the costs to run its application on AWS. Which solution will meet these requirements MOST cost-effectively?

A. Use On-Demand Instances for the production instances. Use Dedicated Hosts for the nonproduction instances on weekends only.
B. Use Reserved Instances for the production instances and the nonproduction instances. Shut down the nonproduction instances when not in use.
C. Use Compute Savings Plans for the production instances. Use On-Demand Instances for the nonproduction instances. Shut down the nonproduction instances when not in use.
D. Use Dedicated Hosts for the production instances. Use EC2 Instance Savings Plans for the nonproduction instances.


Question # 196

A company recently migrated a monolithic application to an Amazon EC2 instance and Amazon RDS. The application has tightly coupled modules. The existing design of the application gives the application the ability to run on only a single EC2 instance. The company has noticed high CPU utilization on the EC2 instance during peak usage times. The high CPU utilization corresponds to degraded performance on Amazon RDS for read requests. The company wants to reduce the high CPU utilization and improve read request performance. Which solution will meet these requirements?

A. Resize the EC2 instance to an EC2 instance type that has more CPU capacity. Configure an Auto Scaling group with a minimum and maximum size of 1. Configure an RDS read replica for read requests.
B. Resize the EC2 instance to an EC2 instance type that has more CPU capacity. Configure an Auto Scaling group with a minimum and maximum size of 1. Add an RDS read replica and redirect all read/write traffic to the replica.
C. Configure an Auto Scaling group with a minimum size of 1 and maximum size of 2. Resize the RDS DB instance to an instance type that has more CPU capacity.
D. Resize the EC2 instance to an EC2 instance type that has more CPU capacity. Configure an Auto Scaling group with a minimum and maximum size of 1. Resize the RDS DB instance to an instance type that has more CPU capacity.


Question # 197

A company runs multiple workloads on virtual machines (VMs) in an on-premises data center. The company is expanding rapidly. The on-premises data center is not able to scale fast enough to meet business needs. The company wants to migrate the workloads to AWS. The migration is time sensitive. The company wants to use a lift-and-shift strategy for noncritical workloads. Which combination of steps will meet these requirements? (Select THREE.)

A. Use the AWS Schema Conversion Tool (AWS SCT) to collect data about the VMs.
B. Use AWS Application Migration Service. Install the AWS Replication Agent on the VMs.
C. Complete the initial replication of the VMs. Launch test instances to perform acceptance tests on the VMs.
D. Stop all operations on the VMs. Launch a cutover instance.
E. Use AWS App2Container (A2C) to collect data about the VMs.
F. Use AWS Database Migration Service (AWS DMS) to migrate the VMs.


Question # 198

An ecommerce company runs its application on AWS. The application uses an Amazon Aurora PostgreSQL cluster in Multi-AZ mode for the underlying database. During a recent promotional campaign, the application experienced heavy read load and write load. Users experienced timeout issues when they attempted to access the application. A solutions architect needs to make the application architecture more scalable and highly available. Which solution will meet these requirements with the LEAST downtime?

A. Create an Amazon EventBridge rule that has the Aurora cluster as a source. Create an AWS Lambda function to log the state change events of the Aurora cluster. Add the Lambda function as a target for the EventBridge rule. Add additional reader nodes to fail over to.
B. Modify the Aurora cluster and activate the zero-downtime restart (ZDR) feature. Use Database Activity Streams on the cluster to track the cluster status.
C. Add additional reader instances to the Aurora cluster. Create an Amazon RDS Proxy target group for the Aurora cluster.
D. Create an Amazon ElastiCache for Redis cache. Replicate data from the Aurora cluster to Redis by using AWS Database Migration Service (AWS DMS) with a write-around approach.


Question # 199

A company runs an AWS Lambda function in private subnets in a VPC. The subnets have a default route to the internet through an Amazon EC2 NAT instance. The Lambda function processes input data and saves its output as an object to Amazon S3. Intermittently, the Lambda function times out while trying to upload the object because of saturated traffic on the NAT instance's network. The company wants to access Amazon S3 without traversing the internet. Which solution will meet these requirements?
 

A. Replace the EC2 NAT instance with an AWS managed NAT gateway.
B. Increase the size of the EC2 NAT instance in the VPC to a network optimized instance type.
C. Provision a gateway endpoint for Amazon S3 in the VPC. Update the route tables of the subnets accordingly.
D. Provision a transit gateway. Place transit gateway attachments in the private subnets where the Lambda function is running.


Question # 200

A solutions architect is designing an asynchronous application to process credit card data validation requests for a bank. The application must be secure and be able to process each request at least once. Which solution will meet these requirements MOST cost-effectively? 
 

A. Use AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) standard queues as the event source. Use AWS Key Management Service (SSE-KMS) for encryption. Add the kms:Decrypt permission for the Lambda execution role.
B. Use AWS Lambda event source mapping. Use Amazon Simple Queue Service (Amazon SQS) FIFO queues as the event source. Use SQS managed encryption keys (SSE-SQS) for encryption. Add the encryption key invocation permission for the Lambda function.
C. Use the AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) FIFO queues as the event source. Use AWS KMS keys (SSE-KMS). Add the kms:Decrypt permission for the Lambda execution role.
D. Use the AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) standard queues as the event source. Use AWS KMS keys (SSE-KMS) for encryption. Add the encryption key invocation permission for the Lambda function.


Question # 201

A company hosts an application on Amazon EC2 On-Demand Instances in an Auto Scaling group. Application peak hours occur at the same time each day. Application users report slow application performance at the start of peak hours. The application performs normally 2-3 hours after peak hours begin. The company wants to ensure that the application works properly at the start of peak hours. Which solution will meet these requirements?
 

A. Configure an Application Load Balancer to distribute traffic properly to the instances.
B. Configure a dynamic scaling policy for the Auto Scaling group to launch new instances based on memory utilization.
C. Configure a dynamic scaling policy for the Auto Scaling group to launch new instances based on CPU utilization.
D. Configure a scheduled scaling policy for the Auto Scaling group to launch new instances before peak hours.


Question # 202

A company needs a solution to prevent AWS CloudFormation stacks from deploying AWS Identity and Access Management (IAM) resources that include an inline policy or "*" in the statement. The solution must also prohibit deployment of Amazon EC2 instances with public IP addresses. The company has AWS Control Tower enabled in its organization in AWS Organizations. Which solution will meet these requirements?
 

A. Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or "*".
B. Use AWS Control Tower detective controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or "*".
C. Use AWS Config to create rules for EC2 and IAM compliance. Configure the rules to run an AWS Systems Manager Session Manager automation to delete a resource when it is not compliant.
D. Use a service control policy (SCP) to block actions for the EC2 instances and IAM resources if the actions lead to noncompliance.


Question # 203

A company is migrating a document management application to AWS. The application runs on Linux servers. The company will migrate the application to Amazon EC2 instances in an Auto Scaling group. The company stores 7 TiB of documents in a shared storage file system. An external relational database tracks the documents. Documents are stored once and can be retrieved multiple times for reference at any time. The company cannot modify the application during the migration. The storage solution must be highly available and must support scaling over time. Which solution will meet these requirements MOST cost-effectively? 

A. Deploy an EC2 instance with enhanced networking as a shared NFS storage system. Export the NFS share. Mount the NFS share on the EC2 instances in the Auto Scaling group.
B. Create an Amazon S3 bucket that uses the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Mount the S3 bucket on the EC2 instances in the Auto Scaling group.
C. Deploy an SFTP server endpoint by using AWS Transfer for SFTP and an Amazon S3 bucket. Configure the EC2 instances in the Auto Scaling group to connect to the SFTP server.
D. Create an Amazon Elastic File System (Amazon EFS) file system with mount points in multiple Availability Zones. Use the EFS Standard-Infrequent Access (Standard-IA) storage class. Mount the NFS share on the EC2 instances in the Auto Scaling group.


Question # 204

A company is migrating five on-premises applications to VPCs in the AWS Cloud. Each application is currently deployed in isolated virtual networks on premises and should be deployed similarly in the AWS Cloud. The applications need to reach a shared services VPC. All the applications must be able to communicate with each other. If the migration is successful, the company will repeat the migration process for more than 100 applications. Which solution will meet these requirements with the LEAST administrative overhead? 

A. Deploy software VPN tunnels between the application VPCs and the shared services VPC. Add routes between the application VPCs in their subnets to the shared services VPC.
B. Deploy VPC peering connections between the application VPCs and the shared services VPC. Add routes between the application VPCs in their subnets to the shared services VPC through the peering connection.
C. Deploy an AWS Direct Connect connection between the application VPCs and the shared services VPC. Add routes from the application VPCs in their subnets to the shared services VPC and the applications VPCs. Add routes from the shared services VPC subnets to the applications VPCs.
D. Deploy a transit gateway with associations between the transit gateway and the application VPCs and the shared services VPC. Add routes between the application VPCs in their subnets and the application VPCs to the shared services VPC through the transit gateway.


Question # 205

A company uses an Amazon CloudFront distribution to serve content pages for its website. The company needs to ensure that clients use a TLS certificate when accessing the company's website. The company wants to automate the creation and renewal of the TLS certificates. Which solution will meet these requirements with the MOST operational efficiency?
 

A. Use a CloudFront security policy to create a certificate.
B. Use a CloudFront origin access control (OAC) to create a certificate.
C. Use AWS Certificate Manager (ACM) to create a certificate. Use DNS validation for the domain.
D. Use AWS Certificate Manager (ACM) to create a certificate. Use email validation for the domain.


Question # 206

A company uses Amazon RDS with default backup settings for its database tier. The company needs to make a daily backup of the database to meet regulatory requirements. The company must retain the backups for 30 days. Which solution will meet these requirements with the LEAST operational overhead?
 

A. Write an AWS Lambda function to create an RDS snapshot every day.
B. Modify the RDS database to have a retention period of 30 days for automated backups.
C. Use AWS Systems Manager Maintenance Windows to modify the RDS backup retention period.
D. Create a manual snapshot every day by using the AWS CLI. Modify the RDS backup retention period.


Question # 207

A company runs its application on Oracle Database Enterprise Edition. The company needs to migrate the application and the database to AWS. The company can use the Bring Your Own License (BYOL) model while migrating to AWS. The application uses third-party database features that require privileged access. A solutions architect must design a solution for the database migration. Which solution will meet these requirements MOST cost-effectively?
 

A. Migrate the database to Amazon RDS for Oracle by using native tools. Replace the third-party features with AWS Lambda.
B. Migrate the database to Amazon RDS Custom for Oracle by using native tools. Customize the new database settings to support the third-party features.
C. Migrate the database to Amazon DynamoDB by using AWS Database Migration Service (AWS DMS). Customize the new database settings to support the third-party features.
D. Migrate the database to Amazon RDS for PostgreSQL by using AWS Database Migration Service (AWS DMS). Rewrite the application code to remove the dependency on third-party features.


Question # 208

A company stores several petabytes of data across multiple AWS accounts. The company uses AWS Lake Formation to manage its data lake. The company's data science team wants to securely share selective data from its accounts with the company's engineering team for analytical purposes. Which solution will meet these requirements with the LEAST operational overhead?
 

A. Copy the required data to a common account. Create an IAM access role in that account. Grant access by specifying a permission policy that includes users from the engineering team accounts as trusted entities.
B. Use the Lake Formation permissions Grant command in each account where the data isstored to allow the required engineering team users to access the data.
C. Use AWS Data Exchange to privately publish the required data to the required engineering team accounts.
D. Use Lake Formation tag-based access control to authorize and grant cross-account permissions for the required data to the engineering team accounts.


Question # 209

A company has an on-premises SFTP file transfer solution. The company is migrating to the AWS Cloud to scale the file transfer solution and to optimize costs by using Amazon S3. The company's employees will use their credentials for the on-premises Microsoft Active Directory (AD) to access the new solution. The company wants to keep the current authentication and file access mechanisms. Which solution will meet these requirements with the LEAST operational overhead?
 

A. Configure an S3 File Gateway. Create SMB file shares on the file gateway that use the existing Active Directory to authenticate.
B. Configure an Auto Scaling group with Amazon EC2 instances to run an SFTP solution. Configure the group to scale up at 60% CPU utilization.
C. Create an AWS Transfer Family server with SFTP endpoints. Choose the AWS Directory Service option as the identity provider. Use AD Connector to connect the on-premises Active Directory.
D. Create an AWS Transfer Family SFTP endpoint. Configure the endpoint to use the AWS Directory Service option as the identity provider to connect to the existing Active Directory.


Question # 210

A video game company is deploying a new gaming application to its global users. The company requires a solution that will provide near real-time reviews and rankings of the players. A solutions architect must design a solution to provide fast access to the data. The solution must also ensure the data persists on disks in the event that the company restarts the application. Which solution will meet these requirements with the LEAST operational overhead? 
 

A. Configure an Amazon CloudFront distribution with an Amazon S3 bucket as the origin. Store the player data in the S3 bucket.
B. Create Amazon EC2 instances in multiple AWS Regions. Store the player data on the EC2 instances. Configure Amazon Route 53 with geolocation records to direct users to the closest EC2 instance.
C. Deploy an Amazon ElastiCache for Redis cluster. Store the player data in the ElastiCache cluster.
D. Deploy an Amazon ElastiCache for Memcached cluster. Store the player data in the ElastiCache cluster.


Question # 211

A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest. Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of changes to the infrastructure?
 

A. Deploy AWS Certificate Manager to generate certificates. Use the certificates to encrypt the database volume.
B. Deploy AWS CloudHSM, generate encryption keys, and use the keys to encrypt database volumes.
C. Configure SSL encryption using AWS Key Management Service (AWS KMS) keys to encrypt database volumes.
D. Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes.


Question # 212

A company that uses AWS Organizations runs 150 applications across 30 different AWS accounts. The company used AWS Cost and Usage Report to create a new report in the management account. The report is delivered to an Amazon S3 bucket that is replicated to a bucket in the data collection account. The company's senior leadership wants to view a custom dashboard that provides NAT gateway costs each day starting at the beginning of the current month. Which solution will meet these requirements?
 

A. Share an Amazon QuickSight dashboard that includes the requested table visual.Configure QuickSight to use AWS DataSync to query the new report
B. Share an Amazon QuickSight dashboard that includes the requested table visual.Configure QuickSight to use Amazon Athena to query the new report.
C. Share an Amazon CloudWatch dashboard that includes the requested table visualConfigure CloudWatch to use AWS DataSync to query the new report
D. Share an Amazon CloudWatch dashboard that includes the requested table visual.Configure CloudWatch to use Amazon Athena to query the new report


Question # 213

A company runs containers in a Kubernetes environment in the company's local data center. The company wants to use Amazon Elastic Kubernetes Service (Amazon EKS) and other AWS managed services. Data must remain locally in the company's data center and cannot be stored in any remote site or cloud to maintain compliance. Which solution will meet these requirements?

A. Deploy AWS Local Zones in the company's data center.
B. Use an AWS Snowmobile in the company's data center.
C. Install an AWS Outposts rack in the company's data center.
D. Install an AWS Snowball Edge Storage Optimized node in the data center.


Question # 214

A company runs a self-managed Microsoft SQL Server on Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS). Daily snapshots are taken of the EBS volumes. Recently, all the company's EBS snapshots were accidentally deleted while running a snapshot cleaning script that deletes all expired EBS snapshots. A solutions architect needs to update the architecture to prevent data loss without retaining EBS snapshots indefinitely. Which solution will meet these requirements with the LEAST development effort?

A. Change the IAM policy of the user to deny EBS snapshot deletion.
B. Copy the EBS snapshots to another AWS Region after completing the snapshots daily.
C. Create a 7-day EBS snapshot retention rule in Recycle Bin and apply the rule for all snapshots.
D. Copy EBS snapshots to Amazon S3 Standard-Infrequent Access (S3 Standard-IA).


Question # 215

A social media company has workloads that collect and process data. The workloads store the data in on-premises NFS storage. The data store cannot scale fast enough to meet the company's expanding business needs. The company wants to migrate the current data store to AWS. Which solution will meet these requirements MOST cost-effectively?

A. Set up an AWS Storage Gateway Volume Gateway. Use an Amazon S3 Lifecycle policy to transition the data to the appropriate storage class.
B. Set up an AWS Storage Gateway Amazon S3 File Gateway. Use an Amazon S3 Lifecycle policy to transition the data to the appropriate storage class.
C. Use the Amazon Elastic File System (Amazon EFS) Standard-Infrequent Access (Standard-IA) storage class. Activate the infrequent access lifecycle policy.
D. Use the Amazon Elastic File System (Amazon EFS) One Zone-Infrequent Access (One Zone-IA) storage class. Activate the infrequent access lifecycle policy.


Question # 216

A company uses Amazon FSx for NetApp ONTAP in its primary AWS Region for CIFS and NFS file shares. Applications that run on Amazon EC2 instances access the file shares. The company needs a storage disaster recovery (DR) solution in a secondary Region. The data that is replicated in the secondary Region needs to be accessed by using the same protocols as the primary Region. Which solution will meet these requirements with the LEAST operational overhead?

A. Create an AWS Lambda function to copy the data to an Amazon S3 bucket. Replicate the S3 bucket to the secondary Region.
B. Create a backup of the FSx for ONTAP volumes by using AWS Backup. Copy the volumes to the secondary Region. Create a new FSx for ONTAP instance from the backup.
C. Create an FSx for ONTAP instance in the secondary Region. Use NetApp SnapMirror to replicate data from the primary Region to the secondary Region.
D. Create an Amazon Elastic File System (Amazon EFS) volume. Migrate the current data to the volume. Replicate the volume to the secondary Region.


Question # 217

A company has migrated a fleet of hundreds of on-premises virtual machines (VMs) to Amazon EC2 instances. The instances run a diverse fleet of Windows Server versions along with several Linux distributions. The company wants a solution that will automate inventory and updates of the operating systems. The company also needs a summary of common vulnerabilities of each instance for regular monthly reviews. What should a solutions architect recommend to meet these requirements?

A. Set up AWS Systems Manager Patch Manager to manage all the EC2 instances. Configure AWS Security Hub to produce monthly reports.
B. Set up AWS Systems Manager Patch Manager to manage all the EC2 instances. Deploy Amazon Inspector, and configure monthly reports.
C. Set up AWS Shield Advanced, and configure monthly reports. Deploy AWS Config to automate patch installations on the EC2 instances.
D. Set up Amazon GuardDuty in the account to monitor all EC2 instances. Deploy AWS Config to automate patch installations on the EC2 instances.


Question # 218

A large international university has deployed all of its compute services in the AWS Cloud. These services include Amazon EC2, Amazon RDS, and Amazon DynamoDB. The university currently relies on many custom scripts to back up its infrastructure. However, the university wants to centralize management and automate data backups as much as possible by using AWS native options. Which solution will meet these requirements?

A. Use third-party backup software with an AWS Storage Gateway tape gateway virtual tape library.
B. Use AWS Backup to configure and monitor all backups for the services in use.
C. Use AWS Config to set lifecycle management to take snapshots of all data sources on a schedule.
D. Use AWS Systems Manager State Manager to manage the configuration and monitoring of backup tasks.


Question # 219

A company runs a critical data analysis job each week before the first day of the work week. The job requires at least 1 hour to complete the analysis. The job is stateful and cannot tolerate interruptions. The company needs a solution to run the job on AWS. Which solution will meet these requirements?

A. Create a container for the job. Schedule the job to run as an AWS Fargate task on an Amazon Elastic Container Service (Amazon ECS) cluster by using Amazon EventBridge Scheduler.
B. Configure the job to run in an AWS Lambda function. Create a scheduled rule in Amazon EventBridge to invoke the Lambda function.
C. Configure an Auto Scaling group of Amazon EC2 Spot Instances that run Amazon Linux. Configure a crontab entry on the instances to run the analysis.
D. Configure an AWS DataSync task to run the job. Configure a cron expression to run the task on a schedule.


Question # 220

A company has several on-premises Internet Small Computer Systems Interface (iSCSI) network storage servers. The company wants to reduce the number of these servers by moving to the AWS Cloud. A solutions architect must provide low-latency access to frequently used data and reduce the dependency on on-premises servers with a minimal number of infrastructure changes. Which solution will meet these requirements?

A. Deploy an Amazon S3 File Gateway.
B. Deploy Amazon Elastic Block Store (Amazon EBS) storage with backups to Amazon S3.
C. Deploy an AWS Storage Gateway volume gateway that is configured with stored volumes.
D. Deploy an AWS Storage Gateway volume gateway that is configured with cached volumes.


Question # 221

A company uses GPS trackers to document the migration patterns of thousands of sea turtles. The trackers check every 5 minutes to see if a turtle has moved more than 100 yards (91.4 meters). If a turtle has moved, its tracker sends the new coordinates to a web application running on three Amazon EC2 instances that are in multiple Availability Zones in one AWS Region. Recently, the web application was overwhelmed while processing an unexpected volume of tracker data. Data was lost with no way to replay the events. A solutions architect must prevent this problem from happening again and needs a solution with the least operational overhead. What should the solutions architect do to meet these requirements?

A. Create an Amazon S3 bucket to store the data. Configure the application to scan for new data in the bucket for processing.
B. Create an Amazon API Gateway endpoint to handle transmitted location coordinates. Use an AWS Lambda function to process each item concurrently.
C. Create an Amazon Simple Queue Service (Amazon SQS) queue to store the incoming data. Configure the application to poll for new messages for processing.
D. Create an Amazon DynamoDB table to store transmitted location coordinates. Configure the application to query the table for new data for processing. Use TTL to remove data that has been processed.


Question # 222

A company is designing a new multi-tier web application that consists of the following components:

• Web and application servers that run on Amazon EC2 instances as part of Auto Scaling groups
• An Amazon RDS DB instance for data storage

A solutions architect needs to limit access to the application servers so that only the web servers can access them. Which solution will meet these requirements?

A. Deploy AWS PrivateLink in front of the application servers. Configure the network ACL to allow only the web servers to access the application servers.
B. Deploy a VPC endpoint in front of the application servers. Configure the security group to allow only the web servers to access the application servers.
C. Deploy a Network Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the network ACL to allow only the web servers to access the application servers.
D. Deploy an Application Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the security group to allow only the web servers to access the application servers.


Question # 223

A company has an Amazon S3 data lake. The company needs a solution that transforms the data from the data lake and loads the data into a data warehouse every day. The data warehouse must have massively parallel processing (MPP) capabilities. Data analysts then need to create and train machine learning (ML) models by using SQL commands on the data. The solution must use serverless AWS services wherever possible. Which solution will meet these requirements?

A. Run a daily Amazon EMR job to transform the data and load the data into Amazon Redshift. Use Amazon Redshift ML to create and train the ML models.
B. Run a daily Amazon EMR job to transform the data and load the data into Amazon Aurora Serverless. Use Amazon Aurora ML to create and train the ML models.
C. Run a daily AWS Glue job to transform the data and load the data into Amazon Redshift Serverless. Use Amazon Redshift ML to create and train the ML models.
D. Run a daily AWS Glue job to transform the data and load the data into Amazon Athena tables. Use Amazon Athena ML to create and train the ML models.


Question # 224

A content management system runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group across multiple Availability Zones. Users are constantly adding and updating files, blogs and other website assets in the content management system. A solutions architect must implement a solution in which all the EC2 instances share up-to-date website content with the least possible lag time. Which solution meets these requirements?

A. Update the EC2 user data in the Auto Scaling group lifecycle policy to copy the website assets from the EC2 instance that was launched most recently. Configure the ALB to make changes to the website assets only in the newest EC2 instance.
B. Copy the website assets to an Amazon Elastic File System (Amazon EFS) file system. Configure each EC2 instance to mount the EFS file system locally. Configure the website hosting application to reference the website assets that are stored in the EFS file system.
C. Copy the website assets to an Amazon S3 bucket. Ensure that each EC2 instance downloads the website assets from the S3 bucket to the attached Amazon Elastic Block Store (Amazon EBS) volume. Run the S3 sync command once each hour to keep files up to date.
D. Restore an Amazon Elastic Block Store (Amazon EBS) snapshot with the website assets. Attach the EBS snapshot as a secondary EBS volume when a new EC2 instance is launched. Configure the website hosting application to reference the website assets that are stored in the secondary EBS volume.


Question # 225

A company wants to add its existing AWS usage cost to its operation cost dashboard. A solutions architect needs to recommend a solution that will give the company access to its usage cost programmatically. The company must be able to access cost data for the current year and forecast costs for the next 12 months. Which solution will meet these requirements with the LEAST operational overhead?

A. Access usage cost-related data by using the AWS Cost Explorer API with pagination.
B. Access usage cost-related data by using downloadable AWS Cost Explorer report csv files.
C. Configure AWS Budgets actions to send usage cost data to the company through FTP.
D. Create AWS Budgets reports for usage cost data. Send the data to the company through SMTP.


Question # 226

A company runs an application in a VPC with public and private subnets. The VPC extends across multiple Availability Zones. The application runs on Amazon EC2 instances in private subnets. The application uses an Amazon Simple Queue Service (Amazon SQS) queue. A solutions architect needs to design a secure solution to establish a connection between the EC2 instances and the SQS queue. Which solution will meet these requirements?

A. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the private subnets. Add to the endpoint a security group that has an inbound access rule that allows traffic from the EC2 instances that are in the private subnets.
B. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the public subnets. Attach to the interface endpoint a VPC endpoint policy that allows access from the EC2 instances that are in the private subnets.
C. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the public subnets. Attach an Amazon SQS access policy to the interface VPC endpoint that allows requests from only a specified VPC endpoint.
D. Implement a gateway endpoint for Amazon SQS. Add a NAT gateway to the private subnets. Attach an IAM role to the EC2 instances that allows access to the SQS queue.


Question # 227

A company has an internal application that runs on Amazon EC2 instances in an Auto Scaling group. The EC2 instances are compute optimized and use Amazon Elastic Block Store (Amazon EBS) volumes. The company wants to identify cost optimizations across the EC2 instances, the Auto Scaling group, and the EBS volumes. Which solution will meet these requirements with the MOST operational efficiency? 
 

A. Create a new AWS Cost and Usage Report. Search the report for cost recommendations for the EC2 instances, the Auto Scaling group, and the EBS volumes.
B. Create new Amazon CloudWatch billing alerts. Check the alert statuses for cost recommendations for the EC2 instances, the Auto Scaling group, and the EBS volumes.
C. Configure AWS Compute Optimizer for cost recommendations for the EC2 instances, the Auto Scaling group, and the EBS volumes.
D. Configure AWS Compute Optimizer for cost recommendations for the EC2 instances. Create a new AWS Cost and Usage Report. Search the report for cost recommendations for the Auto Scaling group and the EBS volumes.


Question # 228

A company's near-real-time streaming application is running on AWS. As the data is ingested, a job runs on the data and takes 30 minutes to complete. The workload frequently experiences high latency due to large amounts of incoming data. A solutions architect needs to design a scalable and serverless solution to enhance performance. Which combination of steps should the solutions architect take? (Select TWO.)

A. Use Amazon Kinesis Data Firehose to ingest the data.
B. Use AWS Lambda with AWS Step Functions to process the data.
C. Use AWS Database Migration Service (AWS DMS) to ingest the data.
D. Use Amazon EC2 instances in an Auto Scaling group to process the data.
E. Use AWS Fargate with Amazon Elastic Container Service (Amazon ECS) to process the data.


Question # 229

A solutions architect is creating an application that will handle batch processing of large amounts of data. The input data will be held in Amazon S3 and the output data will be stored in a different S3 bucket. For processing, the application will transfer the data over the network between multiple Amazon EC2 instances. What should the solutions architect do to reduce the overall data transfer costs?

A. Place all the EC2 instances in an Auto Scaling group.
B. Place all the EC2 instances in the same AWS Region.
C. Place all the EC2 instances in the same Availability Zone.
D. Place all the EC2 instances in private subnets in multiple Availability Zones.


Question # 230

A company has two AWS accounts: Production and Development. The company needs to push code changes in the Development account to the Production account. In the alpha phase, only two senior developers on the development team need access to the Production account. In the beta phase, more developers will need access to perform testing. Which solution will meet these requirements? 

A. Create two policy documents by using the AWS Management Console in each account. Assign the policy to developers who need access.
B. Create an IAM role in the Development account. Grant the IAM role access to the Production account. Allow developers to assume the role.
C. Create an IAM role in the Production account. Define a trust policy that specifies the Development account. Allow developers to assume the role.
D. Create an IAM group in the Production account. Add the group as a principal in a trust policy that specifies the Production account. Add developers to the group.


Question # 231

A company uses 50 TB of data for reporting. The company wants to move this data from on premises to AWS. A custom application in the company's data center runs a weekly data transformation job. The company plans to pause the application until the data transfer is complete and needs to begin the transfer process as soon as possible. The data center does not have any available network bandwidth for additional workloads. A solutions architect must transfer the data and must configure the transformation job to continue to run in the AWS Cloud. Which solution will meet these requirements with the LEAST operational overhead?

A. Use AWS DataSync to move the data. Create a custom transformation job by using AWS Glue.
B. Order an AWS Snowcone device to move the data. Deploy the transformation application to the device.
C. Order an AWS Snowball Edge Storage Optimized device. Copy the data to the device. Create a custom transformation job by using AWS Glue.
D. Order an AWS Snowball Edge Storage Optimized device that includes Amazon EC2 compute. Copy the data to the device. Create a new EC2 instance on AWS to run the transformation application.


Question # 232

A company serves its website by using an Auto Scaling group of Amazon EC2 instances in a single AWS Region. The website does not require a database. The company is expanding, and the company's engineering team deploys the website to a second Region. The company wants to distribute traffic across both Regions to accommodate growth and for disaster recovery purposes. The solution should not serve traffic from a Region in which the website is unhealthy. Which policy or resource should the company use to meet these requirements?

A. An Amazon Route 53 simple routing policy
B. An Amazon Route 53 multivalue answer routing policy
C. An Application Load Balancer in one Region with a target group that specifies the EC2 instance IDs from both Regions
D. An Application Load Balancer in one Region with a target group that specifies the IP addresses of the EC2 instances from both Regions


Question # 233

A company wants to build a logging solution for its multiple AWS accounts. The company currently stores the logs from all accounts in a centralized account. The company has created an Amazon S3 bucket in the centralized account to store the VPC flow logs and AWS CloudTrail logs. All logs must be highly available for 30 days for frequent analysis, retained for an additional 60 days for backup purposes, and deleted 90 days after creation. Which solution will meet these requirements MOST cost-effectively?

A. Transition objects to the S3 Standard storage class 30 days after creation. Write an expiration action that directs Amazon S3 to delete objects after 90 days.
B. Transition objects to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class 30 days after creation. Move all objects to the S3 Glacier Flexible Retrieval storage class after 90 days. Write an expiration action that directs Amazon S3 to delete objects after 90 days.
C. Transition objects to the S3 Glacier Flexible Retrieval storage class 30 days after creation. Write an expiration action that directs Amazon S3 to delete objects after 90 days.
D. Transition objects to the S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class 30 days after creation. Move all objects to the S3 Glacier Flexible Retrieval storage class after 90 days. Write an expiration action that directs Amazon S3 to delete objects after 90 days.


Question # 234

A company is hosting a high-traffic static website on Amazon S3 with an Amazon CloudFront distribution that has a default TTL of 0 seconds. The company wants to implement caching to improve performance for the website. However, the company also wants to ensure that stale content is not served for more than a few minutes after a deployment. Which combination of caching methods should a solutions architect implement to meet these requirements? (Select TWO.)

A. Set the CloudFront default TTL to 2 minutes.
B. Set a default TTL of 2 minutes on the S3 bucket.
C. Add a Cache-Control private directive to the objects in Amazon S3.
D. Create an AWS Lambda@Edge function to add an Expires header to HTTP responses. Configure the function to run on viewer response.
E. Add a Cache-Control max-age directive of 24 hours to the objects in Amazon S3. On deployment, create a CloudFront invalidation to clear any changed files from edge caches.


Question # 235

A company needs to optimize the cost of its Amazon EC2 instances. The company also needs to change the type and family of its EC2 instances every 2-3 months. What should the company do to meet these requirements?

A. Purchase Partial Upfront Reserved Instances for a 3-year term.
B. Purchase a No Upfront Compute Savings Plan for a 1-year term.
C. Purchase All Upfront Reserved Instances for a 1-year term.
D. Purchase an All Upfront EC2 Instance Savings Plan for a 1-year term.


Question # 236

A company runs an application on Amazon EC2 instances in a private subnet. The application needs to store and retrieve data in Amazon S3 buckets. According to regulatory requirements, the data must not travel across the public internet. What should a solutions architect do to meet these requirements MOST cost-effectively?
 

A. Deploy a NAT gateway to access the S3 buckets.
B. Deploy AWS Storage Gateway to access the S3 buckets.
C. Deploy an S3 interface endpoint to access the S3 buckets.
D. Deploy an S3 gateway endpoint to access the S3 buckets.


Question # 237

A company uses an Amazon S3 bucket as its data lake storage platform. The S3 bucket contains a massive amount of data that is accessed randomly by multiple teams and hundreds of applications. The company wants to reduce the S3 storage costs and provide immediate availability for frequently accessed objects. What is the MOST operationally efficient solution that meets these requirements?

A. Create an S3 Lifecycle rule to transition objects to the S3 Intelligent-Tiering storage class.
B. Store objects in Amazon S3 Glacier. Use S3 Select to provide applications with access to the data.
C. Use data from S3 storage class analysis to create S3 Lifecycle rules to automatically transition objects to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class.
D. Transition objects to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Create an AWS Lambda function to transition objects to the S3 Standard storage class when they are accessed by an application.


Question # 238

A company's SAP application has a backend SQL Server database in an on-premises environment. The company wants to migrate its on-premises application and database server to AWS. The company needs an instance type that meets the high demands of its SAP database. On-premises performance data shows that both the SAP application and the database have high memory utilization. Which solution will meet these requirements? 
 

A. Use the compute optimized instance family for the application. Use the memory optimized instance family for the database.
B. Use the storage optimized instance family for both the application and the database.
C. Use the memory optimized instance family for both the application and the database.
D. Use the high performance computing (HPC) optimized instance family for the application. Use the memory optimized instance family for the database.


Question # 239

A company needs to design a hybrid network architecture. The company's workloads are currently stored in the AWS Cloud and in on-premises data centers. The workloads require single-digit latencies to communicate. The company uses an AWS Transit Gateway transit gateway to connect multiple VPCs. Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

A. Establish an AWS Site-to-Site VPN connection to each VPC.
B. Associate an AWS Direct Connect gateway with the transit gateway that is attached to the VPCs.
C. Establish an AWS Site-to-Site VPN connection to an AWS Direct Connect gateway.
D. Establish an AWS Direct Connect connection. Create a transit virtual interface (VIF) to a Direct Connect gateway.
E. Associate AWS Site-to-Site VPN connections with the transit gateway that is attached to the VPCs.


Question # 240

A company has an application that runs on Amazon EC2 instances in a private subnet. The application needs to process sensitive information from an Amazon S3 bucket. The application must not use the internet to connect to the S3 bucket. Which solution will meet these requirements?

A. Configure an internet gateway. Update the S3 bucket policy to allow access from the internet gateway. Update the application to use the new internet gateway.
B. Configure a VPN connection. Update the S3 bucket policy to allow access from the VPN connection. Update the application to use the new VPN connection.
C. Configure a NAT gateway. Update the S3 bucket policy to allow access from the NAT gateway. Update the application to use the new NAT gateway.
D. Configure a VPC endpoint. Update the S3 bucket policy to allow access from the VPC endpoint. Update the application to use the new VPC endpoint.


Question # 241

A company is planning to deploy its application on an Amazon Aurora PostgreSQL Serverless v2 cluster. The application will receive large amounts of traffic. The company wants to optimize the storage performance of the cluster as the load on the application increases. Which solution will meet these requirements MOST cost-effectively?

A. Configure the cluster to use the Aurora Standard storage configuration.
B. Configure the cluster storage type as Provisioned IOPS.
C. Configure the cluster storage type as General Purpose.
D. Configure the cluster to use the Aurora I/O-Optimized storage configuration.


Question # 242

A company plans to rehost an application to Amazon EC2 instances that use Amazon Elastic Block Store (Amazon EBS) as the attached storage. A solutions architect must design a solution to ensure that all newly created Amazon EBS volumes are encrypted by default. The solution must also prevent the creation of unencrypted EBS volumes. Which solution will meet these requirements?

A. Configure the EC2 account attributes to always encrypt new EBS volumes.
B. Use AWS Config. Configure the encrypted-volumes identifier. Apply the default AWS Key Management Service (AWS KMS) key.
C. Configure AWS Systems Manager to create encrypted copies of the EBS volumes. Reconfigure the EC2 instances to use the encrypted volumes.
D. Create a customer managed key in AWS Key Management Service (AWS KMS). Configure AWS Migration Hub to use the key when the company migrates workloads.


Question # 243

A company uses AWS to host its public ecommerce website. The website uses an AWS Global Accelerator accelerator for traffic from the internet. The Global Accelerator accelerator forwards the traffic to an Application Load Balancer (ALB) that is the entry point for an Auto Scaling group. The company recently identified a DDoS attack on the website. The company needs a solution to mitigate future attacks. Which solution will meet these requirements with the LEAST implementation effort?

A. Configure an AWS WAF web ACL for the Global Accelerator accelerator to block traffic by using rate-based rules.
B. Configure an AWS Lambda function to read the ALB metrics to block attacks by updating a VPC network ACL.
C. Configure an AWS WAF web ACL on the ALB to block traffic by using rate-based rules.
D. Configure an Amazon CloudFront distribution in front of the Global Accelerator accelerator.


Question # 244

A media company uses an Amazon CloudFront distribution to deliver content over the internet. The company wants only premium customers to have access to the media streams and file content. The company stores all content in an Amazon S3 bucket. The company also delivers content on demand to customers for a specific purpose, such as movie rentals or music downloads. Which solution will meet these requirements?
 

A. Generate and provide S3 signed cookies to premium customers
B. Generate and provide CloudFront signed URLs to premium customers.
C. Use origin access control (OAC) to limit the access of non-premium customers
D. Generate and activate field-level encryption to block non-premium customers.


Question # 245

A media company has a multi-account AWS environment in the us-east-1 Region. The company has an Amazon Simple Notification Service (Amazon SNS) topic in a production account that publishes performance metrics. The company has an AWS Lambda function in an administrator account to process and analyze log data. The Lambda function that is in the administrator account must be invoked by messages from the SNS topic that is in the production account when significant metrics are reported. Which combination of steps will meet these requirements? (Select TWO.)

A. Create an IAM resource policy for the Lambda function that allows Amazon SNS to invoke the function. Implement an Amazon Simple Queue Service (Amazon SQS) queue in the administrator account to buffer messages from the SNS topic that is in the production account. Configure the SQS queue to invoke the Lambda function.
B. Create an IAM policy for the SNS topic that allows the Lambda function to subscribe to the topic.
C. Use an Amazon EventBridge rule in the production account to capture the SNS topic notifications. Configure the EventBridge rule to forward notifications to the Lambda function that is in the administrator account.
D. Store performance metrics in an Amazon S3 bucket in the production account. Use Amazon Athena to analyze the metrics from the administrator account.


Question # 246

A weather forecasting company needs to process hundreds of gigabytes of data with submillisecond latency. The company has a high performance computing (HPC) environment in its data center and wants to expand its forecasting capabilities. A solutions architect must identify a highly available cloud storage solution that can handle large amounts of sustained throughput. Files that are stored in the solution should be accessible to thousands of compute instances that will simultaneously access and process the entire dataset. What should the solutions architect do to meet these requirements?

A. Use Amazon FSx for Lustre scratch file systems.
B. Use Amazon FSx for Lustre persistent file systems.
C. Use Amazon Elastic File System (Amazon EFS) with Bursting Throughput mode.
D. Use Amazon Elastic File System (Amazon EFS) with Provisioned Throughput mode.


Question # 247

A company uses a Microsoft SQL Server database. The company's applications are connected to the database. The company wants to migrate to an Amazon Aurora PostgreSQL database with minimal changes to the application code. Which combination of steps will meet these requirements? (Select TWO.)

A. Use the AWS Schema Conversion Tool (AWS SCT) to rewrite the SQL queries in the applications.
B. Enable Babelfish on Aurora PostgreSQL to run the SQL queries from the applications.
C. Migrate the database schema and data by using the AWS Schema Conversion Tool (AWS SCT) and AWS Database Migration Service (AWS DMS).
D. Use Amazon RDS Proxy to connect the applications to Aurora PostgreSQL.
E. Use AWS Database Migration Service (AWS DMS) to rewrite the SQL queries in the applications.


Question # 248

A company has an application that is running on Amazon EC2 instances. A solutions architect has standardized the company on a particular instance family and various instance sizes based on the current needs of the company. The company wants to maximize cost savings for the application over the next 3 years. The company needs to be able to change the instance family and sizes in the next 6 months based on application popularity and usage. Which solution will meet these requirements MOST cost-effectively?

A. Compute Savings Plan
B. EC2 Instance Savings Plan
C. Zonal Reserved Instances
D. Standard Reserved Instances


Question # 249

A company stores sensitive data in Amazon S3. A solutions architect needs to create an encryption solution. The company needs to fully control the ability of users to create, rotate, and disable encryption keys with minimal effort for any data that must be encrypted. Which solution will meet these requirements?

A. Use default server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to store the sensitive data.
B. Create a customer managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
C. Create an AWS managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
D. Download S3 objects to an Amazon EC2 instance. Encrypt the objects by using customer managed keys. Upload the encrypted objects back into Amazon S3.


Question # 250

A company wants to migrate an application to AWS. The company wants to increase the application's current availability. The company wants to use AWS WAF in the application's architecture. Which solution will meet these requirements?

A. Create an Auto Scaling group that contains multiple Amazon EC2 instances that host the application across two Availability Zones. Configure an Application Load Balancer (ALB) and set the Auto Scaling group as the target. Connect a WAF to the ALB.
B. Create a cluster placement group that contains multiple Amazon EC2 instances that host the application. Configure an Application Load Balancer and set the EC2 instances as the targets. Connect a WAF to the placement group.
C. Create two Amazon EC2 instances that host the application across two Availability Zones. Configure the EC2 instances as the targets of an Application Load Balancer (ALB). Connect a WAF to the ALB.
D. Create an Auto Scaling group that contains multiple Amazon EC2 instances that host the application across two Availability Zones. Configure an Application Load Balancer (ALB) and set the Auto Scaling group as the target. Connect a WAF to the Auto Scaling group.


Question # 251

A development team uses multiple AWS accounts for its development, staging, and production environments. Team members have been launching large Amazon EC2 instances that are underutilized. A solutions architect must prevent large instances from being launched in all accounts. How can the solutions architect meet this requirement with the LEAST operational overhead? 

A. Update the IAM policies to deny the launch of large EC2 instances. Apply the policies to all users.
B. Define a resource in AWS Resource Access Manager that prevents the launch of large EC2 instances.
C. Create an IAM role in each account that denies the launch of large EC2 instances. Grant the developers IAM group access to the role.
D. Create an organization in AWS Organizations in the management account with the default policy. Create a service control policy (SCP) that denies the launch of large EC2 instances, and apply it to the AWS accounts.


Question # 252

A company is developing an application to support customer demands. The company wants to deploy the application on multiple Amazon EC2 Nitro-based instances within the same Availability Zone. The company also wants to give the application the ability to write to multiple block storage volumes in multiple EC2 Nitro-based instances simultaneously to achieve higher application availability. Which solution will meet these requirements? 

A. Use General Purpose SSD (gp3) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach.
B. Use Throughput Optimized HDD (st1) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach.
C. Use Provisioned IOPS SSD (io2) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach.
D. Use General Purpose SSD (gp2) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach.


Question # 253

A company runs a stateful production application on Amazon EC2 instances. The application requires at least two EC2 instances to always be running. A solutions architect needs to design a highly available and fault-tolerant architecture for the application. The solutions architect creates an Auto Scaling group of EC2 instances. Which set of additional steps should the solutions architect take to meet these requirements?

A. Set the Auto Scaling group's minimum capacity to two. Deploy one On-Demand Instance in one Availability Zone and one On-Demand Instance in a second Availability Zone.
B. Set the Auto Scaling group's minimum capacity to four. Deploy two On-Demand Instances in one Availability Zone and two On-Demand Instances in a second Availability Zone.
C. Set the Auto Scaling group's minimum capacity to two. Deploy four Spot Instances in one Availability Zone.
D. Set the Auto Scaling group's minimum capacity to four. Deploy two On-Demand Instances in one Availability Zone and two Spot Instances in a second Availability Zone.


Question # 254

A company recently migrated its web application to the AWS Cloud. The company uses an Amazon EC2 instance to run multiple processes to host the application. The processes include an Apache web server that serves static content. The Apache web server makes requests to a PHP application that uses a local Redis server for user sessions. The company wants to redesign the architecture to be highly available and to use AWS managed solutions. Which solution will meet these requirements?

A. Use AWS Elastic Beanstalk to host the static content and the PHP application. Configure Elastic Beanstalk to deploy its EC2 instance into a public subnet. Assign a public IP address.
B. Use AWS Lambda to host the static content and the PHP application. Use an Amazon API Gateway REST API to proxy requests to the Lambda function. Set the API Gateway CORS configuration to respond to the domain name. Configure Amazon ElastiCache for Redis to handle session information.
C. Keep the backend code on the EC2 instance. Create an Amazon ElastiCache for Redis cluster that has Multi-AZ enabled. Configure the ElastiCache for Redis cluster in cluster mode. Copy the frontend resources to Amazon S3. Configure the backend code to reference the EC2 instance.
D. Configure an Amazon CloudFront distribution with an Amazon S3 endpoint to an S3 bucket that is configured to host the static content. Configure an Application Load Balancer that targets an Amazon Elastic Container Service (Amazon ECS) service that runs AWS Fargate tasks for the PHP application. Configure the PHP application to use an Amazon ElastiCache for Redis cluster that runs in multiple Availability Zones.


Question # 255

A company's software development team needs an Amazon RDS Multi-AZ cluster. The RDS cluster will serve as a backend for a desktop client that is deployed on premises. The desktop client requires direct connectivity to the RDS cluster. The company must give the development team the ability to connect to the cluster by using the client when the team is in the office. Which solution provides the required connectivity MOST securely? 

A. Create a VPC and two public subnets. Create the RDS cluster in the public subnets. Use AWS Site-to-Site VPN with a customer gateway in the company's office.
B. Create a VPC and two private subnets. Create the RDS cluster in the private subnets. Use AWS Site-to-Site VPN with a customer gateway in the company's office.
C. Create a VPC and two private subnets. Create the RDS cluster in the private subnets. Use RDS security groups to allow the company's office IP ranges to access the cluster.
D. Create a VPC and two public subnets. Create the RDS cluster in the public subnets. Create a cluster user for each developer. Use RDS security groups to allow the users to access the cluster.


Question # 256

A company uses an Amazon Aurora PostgreSQL provisioned cluster with its application. The application's peak traffic occurs several times a day for periods of 30 minutes to several hours. The database capacity is provisioned to handle peak traffic from the application, but the database has wasted capacity during non-peak hours. The company wants to reduce the database costs. Which solution will meet these requirements with the LEAST operational effort? 

A. Set up an Amazon CloudWatch alarm to monitor database utilization. Scale up or scale down the database capacity based on the amount of traffic.
B. Migrate the database to Amazon EC2 instances in an Auto Scaling group. Increase or decrease the number of instances based on the amount of traffic.
C. Migrate the database to an Amazon Aurora Serverless DB cluster to scale up or scale down the capacity based on the amount of traffic.
D. Schedule an AWS Lambda function to provision the required database capacity at the start of each day. Schedule another Lambda function to reduce the capacity at the end of each day.


Question # 257

A company has applications that run on Amazon EC2 instances in a VPC. One of the applications needs to call the Amazon S3 API to store and read objects. According to the company's security regulations, no traffic from the applications is allowed to travel across the internet. Which solution will meet these requirements?

A. Configure an S3 gateway endpoint.
B. Create an S3 bucket in a private subnet.
C. Create an S3 bucket in the same AWS Region as the EC2 instances.
D. Configure a NAT gateway in the same subnet as the EC2 instances.


Question # 258

A company needs a secure connection between its on-premises environment and AWS. This connection does not need high bandwidth and will handle a small amount of traffic. The connection should be set up quickly. What is the MOST cost-effective method to establish this type of connection? 
 

A. Implement a client VPN.
B. Implement AWS Direct Connect.
C. Implement a bastion host on Amazon EC2.
D. Implement an AWS Site-to-Site VPN connection.


Question # 259

A social media company wants to store its database of user profiles, relationships, and interactions in the AWS Cloud. The company needs an application to monitor any changes in the database. The application needs to analyze the relationships between the data entities and to provide recommendations to users. Which solution will meet these requirements with the LEAST operational overhead? 

A. Use Amazon Neptune to store the information. Use Amazon Kinesis Data Streams to process changes in the database.
B. Use Amazon Neptune to store the information. Use Neptune Streams to process changes in the database.
C. Use Amazon Quantum Ledger Database (Amazon QLDB) to store the information. Use Amazon Kinesis Data Streams to process changes in the database.
D. Use Amazon Quantum Ledger Database (Amazon QLDB) to store the information. Use Neptune Streams to process changes in the database.


Question # 260

A company wants to create a mobile app that allows users to stream slow-motion video clips on their mobile devices. Currently, the app captures video clips and uploads the video clips in raw format into an Amazon S3 bucket. The app retrieves these video clips directly from the S3 bucket. However, the videos are large in their raw format. Users are experiencing issues with buffering and playback on mobile devices. The company wants to implement solutions to maximize the performance and scalability of the app while minimizing operational overhead. Which combination of solutions will meet these requirements? (Select TWO.) 

A. Deploy Amazon CloudFront for content delivery and caching.
B. Use AWS DataSync to replicate the video files across AWS Regions in other S3 buckets.
C. Use Amazon Elastic Transcoder to convert the video files to more appropriate formats.
D. Deploy an Auto Scaling group of Amazon EC2 instances in Local Zones for content delivery and caching.
E. Deploy an Auto Scaling group of Amazon EC2 instances to convert the video files to more appropriate formats.


Question # 261

A marketing company receives a large amount of new clickstream data in Amazon S3 from a marketing campaign. The company needs to analyze the clickstream data in Amazon S3 quickly. Then the company needs to determine whether to process the data further in the data pipeline. Which solution will meet these requirements with the LEAST operational overhead?

A. Create external tables in a Spark catalog. Configure jobs in AWS Glue to query the data.
B. Configure an AWS Glue crawler to crawl the data. Configure Amazon Athena to query the data.
C. Create external tables in a Hive metastore. Configure Spark jobs in Amazon EMR to query the data.
D. Configure an AWS Glue crawler to crawl the data. Configure Amazon Kinesis Data Analytics to use SQL to query the data.


Question # 262

A company hosts its core network services, including directory services and DNS, in its on-premises data center. The data center is connected to the AWS Cloud using AWS Direct Connect (DX). Additional AWS accounts are planned that will require quick, cost-effective, and consistent access to these network services. What should a solutions architect implement to meet these requirements with the LEAST amount of operational overhead?

A. Create a DX connection in each new account. Route the network traffic to the on-premises servers.
B. Configure VPC endpoints in the DX VPC for all required services. Route the network traffic to the on-premises servers.
C. Create a VPN connection between each new account and the DX VPC. Route the network traffic to the on-premises servers.
D. Configure AWS Transit Gateway between the accounts. Assign DX to the transit gateway and route network traffic to the on-premises servers.


Question # 263

A company's solutions architect is designing an AWS multi-account solution that uses AWS Organizations. The solutions architect has organized the company's accounts into organizational units (OUs). The solutions architect needs a solution that will identify any changes to the OU hierarchy. The solution also needs to notify the company's operations team of any changes. Which solution will meet these requirements with the LEAST operational overhead? 

A. Provision the AWS accounts by using AWS Control Tower. Use account drift notifications to identify the changes to the OU hierarchy.
B. Provision the AWS accounts by using AWS Control Tower. Use AWS Config aggregated rules to identify the changes to the OU hierarchy.
C. Use AWS Service Catalog to create accounts in Organizations. Use an AWS CloudTrail organization trail to identify the changes to the OU hierarchy.
D. Use AWS CloudFormation templates to create accounts in Organizations. Use the drift detection operation on a stack to identify the changes to the OU hierarchy.


Question # 264

A company has released a new version of its production application. The company's workload uses Amazon EC2, AWS Lambda, AWS Fargate, and Amazon SageMaker. The company wants to cost optimize the workload now that usage is at a steady state. The company wants to cover the most services with the fewest savings plans. Which combination of savings plans will meet these requirements? (Select TWO.)

A. Purchase an EC2 Instance Savings Plan for Amazon EC2 and SageMaker.
B. Purchase a Compute Savings Plan for Amazon EC2, Lambda, and SageMaker.
C. Purchase a SageMaker Savings Plan.
D. Purchase a Compute Savings Plan for Lambda, Fargate, and Amazon EC2.
E. Purchase an EC2 Instance Savings Plan for Amazon EC2 and Fargate.


Question # 265

A company deploys Amazon EC2 instances that run in a VPC. The EC2 instances load source data into Amazon S3 buckets so that the data can be processed in the future. According to compliance laws, the data must not be transmitted over the public internet. Servers in the company's on-premises data center will consume the output from an application that runs on the EC2 instances. Which solution will meet these requirements?

A. Deploy an interface VPC endpoint for Amazon EC2. Create an AWS Site-to-Site VPN connection between the company and the VPC.
B. Deploy a gateway VPC endpoint for Amazon S3. Set up an AWS Direct Connect connection between the on-premises network and the VPC.
C. Set up an AWS Transit Gateway connection from the VPC to the S3 buckets. Create an AWS Site-to-Site VPN connection between the company and the VPC.
D. Set up proxy EC2 instances that have routes to NAT gateways. Configure the proxy EC2 instances to fetch S3 data and feed the application instances.


Question # 266

A company regularly uploads GB-sized files to Amazon S3. After the company uploads the files, the company uses a fleet of Amazon EC2 Spot Instances to transcode the file format. The company needs to scale throughput when the company uploads data from the on-premises data center to Amazon S3 and when the company downloads data from Amazon S3 to the EC2 instances. Which solutions will meet these requirements? (Select TWO.)

A. Use the S3 bucket access point instead of accessing the S3 bucket directly.
B. Upload the files into multiple S3 buckets.
C. Use S3 multipart uploads.
D. Fetch multiple byte-ranges of an object in parallel.
E. Add a random prefix to each object when uploading the files.


Question # 267

A company has a mobile app for customers. The app's data is sensitive and must be encrypted at rest. The company uses AWS Key Management Service (AWS KMS). The company needs a solution that prevents the accidental deletion of KMS keys. The solution must use Amazon Simple Notification Service (Amazon SNS) to send an email notification to administrators when a user attempts to delete a KMS key. Which solution will meet these requirements with the LEAST operational overhead?

A. Create an Amazon EventBridge rule that reacts when a user tries to delete a KMS key. Configure an AWS Config rule that cancels any deletion of a KMS key. Add the AWS Config rule as a target of the EventBridge rule. Create an SNS topic that notifies the administrators.
B. Create an AWS Lambda function that has custom logic to prevent KMS key deletion. Create an Amazon CloudWatch alarm that is activated when a user tries to delete a KMS key. Create an Amazon EventBridge rule that invokes the Lambda function when the DeleteKey operation is performed. Create an SNS topic. Configure the EventBridge rule to publish an SNS message that notifies the administrators.
C. Create an Amazon EventBridge rule that reacts when the KMS DeleteKey operation is performed. Configure the rule to initiate an AWS Systems Manager Automation runbook. Configure the runbook to cancel the deletion of the KMS key. Create an SNS topic. Configure the EventBridge rule to publish an SNS message that notifies the administrators.
D. Create an AWS CloudTrail trail. Configure the trail to deliver logs to a new Amazon CloudWatch log group. Create a CloudWatch alarm based on the metric filter for the CloudWatch log group. Configure the alarm to use Amazon SNS to notify the administrators when the KMS DeleteKey operation is performed.


Question # 268

A company has an on-premises business application that generates hundreds of files each day. These files are stored on an SMB file share and require a low-latency connection to the application servers. A new company policy states all application-generated files must be copied to AWS. There is already a VPN connection to AWS. The application development team does not have time to make the necessary code modifications to move the application to AWS. Which service should a solutions architect recommend to allow the application to copy files to AWS?

A. Amazon Elastic File System (Amazon EFS)
B. Amazon FSx for Windows File Server
C. AWS Snowball
D. AWS Storage Gateway


Question # 269

A company has a web application in the AWS Cloud and wants to collect transaction data in real time. The company wants to prevent data duplication and does not want to manage infrastructure. The company wants to perform additional processing on the data after the data is collected. Which solution will meet these requirements? 

A. Configure an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Configure an AWS Lambda function with an event source mapping for the FIFO queue to process the data.
B. Configure an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Use an AWS Batch job to remove duplicate data from the queue. Configure an AWS Lambda function to process the data.
C. Use Amazon Kinesis Data Streams to send the incoming transaction data to an AWS Batch job that removes duplicate data. Launch an Amazon EC2 instance that runs a custom script to process the data.
D. Set up an AWS Step Functions state machine to send incoming transaction data to an AWS Lambda function to remove duplicate data. Launch an Amazon EC2 instance that runs a custom script to process the data.


Question # 270

A company wants to isolate its workloads by creating an AWS account for each workload. The company needs a solution that centrally manages networking components for the workloads. The solution also must create accounts with automatic security controls (guardrails). Which solution will meet these requirements with the LEAST operational overhead? 

A. Use AWS Control Tower to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.
B. Use AWS Organizations to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.
C. Use AWS Control Tower to deploy accounts. Deploy a VPC in each workload account. Configure each VPC to route through an inspection VPC by using a transit gateway attachment.
D. Use AWS Organizations to deploy accounts. Deploy a VPC in each workload account. Configure each VPC to route through an inspection VPC by using a transit gateway attachment.


Question # 271

A company's web application consists of multiple Amazon EC2 instances that run behind an Application Load Balancer in a VPC. An Amazon RDS for MySQL DB instance contains the data. The company needs the ability to automatically detect and respond to suspicious or unexpected behavior in its AWS environment. The company already has added AWS WAF to its architecture. What should a solutions architect do next to protect against threats?

A. Use Amazon GuardDuty to perform threat detection. Configure Amazon EventBridge to filter for GuardDuty findings and to invoke an AWS Lambda function to adjust the AWS WAF rules.
B. Use AWS Firewall Manager to perform threat detection. Configure Amazon EventBridge to filter for Firewall Manager findings and to invoke an AWS Lambda function to adjust the AWS WAF web ACL.
C. Use Amazon Inspector to perform threat detection and to update the AWS WAF rules. Create a VPC network ACL to limit access to the web application.
D. Use Amazon Macie to perform threat detection and to update the AWS WAF rules. Create a VPC network ACL to limit access to the web application.


Question # 272

A company is storing petabytes of data in Amazon S3 Standard. The data is stored in multiple S3 buckets and is accessed with varying frequency. The company does not know access patterns for all the data. The company needs to implement a solution for each S3 bucket to optimize the cost of S3 usage. Which solution will meet these requirements with the MOST operational efficiency?

A. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 Intelligent-Tiering.
B. Use the S3 storage class analysis tool to determine the correct tier for each object in the S3 bucket. Move each object to the identified storage tier.
C. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 Glacier Instant Retrieval.
D. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 One Zone-Infrequent Access (S3 One Zone-IA).


Question # 273

A company needs to optimize its Amazon S3 storage costs for an application that generates many files that cannot be recreated. Each file is approximately 5 MB and is stored in Amazon S3 Standard storage. The company must store the files for 4 years before the files can be deleted. The files must be immediately accessible. The files are frequently accessed in the first 30 days of object creation, but they are rarely accessed after the first 30 days. Which solution will meet these requirements MOST cost-effectively?

A. Create an S3 Lifecycle policy to move the files to S3 Glacier Instant Retrieval 30 days after object creation. Delete the files 4 years after object creation.
B. Create an S3 Lifecycle policy to move the files to S3 One Zone-Infrequent Access (S3 One Zone-IA) 30 days after object creation. Delete the files 4 years after object creation.
C. Create an S3 Lifecycle policy to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) 30 days after object creation. Delete the files 4 years after object creation.
D. Create an S3 Lifecycle policy to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) 30 days after object creation. Move the files to S3 Glacier Flexible Retrieval 4 years after object creation.


Question # 274

A company is planning to migrate data to an Amazon S3 bucket. The data must be encrypted at rest within the S3 bucket. The encryption key must be rotated automatically every year. Which solution will meet these requirements with the LEAST operational overhead?

A. Migrate the data to the S3 bucket. Use server-side encryption with Amazon S3 managed keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
B. Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket.
C. Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket. Manually rotate the KMS key every year.
D. Use customer key material to encrypt the data. Migrate the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.


Question # 275

An online photo-sharing company stores its photos in an Amazon S3 bucket that exists in the us-west-1 Region. The company needs to store a copy of all new photos in the us-east-1 Region. Which solution will meet this requirement with the LEAST operational effort?

A. Create a second S3 bucket in us-east-1. Use S3 Cross-Region Replication to copy photos from the existing S3 bucket to the second S3 bucket.
B. Create a cross-origin resource sharing (CORS) configuration of the existing S3 bucket. Specify us-east-1 in the CORS rule's AllowedOrigin element.
C. Create a second S3 bucket in us-east-1 across multiple Availability Zones. Create an S3 Lifecycle rule to save photos into the second S3 bucket.
D. Create a second S3 bucket in us-east-1. Configure S3 event notifications on object creation and update events to invoke an AWS Lambda function to copy photos from the existing S3 bucket to the second S3 bucket.


Question # 276

A robotics company is designing a solution for medical surgery. The robots will use advanced sensors, cameras, and AI algorithms to perceive their environment and to complete surgeries. The company needs a public load balancer in the AWS Cloud that will ensure seamless communication with backend services. The load balancer must be capable of routing traffic based on the query strings to different target groups. The traffic must also be encrypted. Which solution will meet these requirements?

A. Use a Network Load Balancer with a certificate attached from AWS Certificate Manager (ACM). Use query parameter-based routing.
B. Use a Gateway Load Balancer. Import a generated certificate in AWS Identity and Access Management (IAM). Attach the certificate to the load balancer. Use HTTP path-based routing.
C. Use an Application Load Balancer with a certificate attached from AWS Certificate Manager (ACM). Use query parameter-based routing.
D. Use a Network Load Balancer. Import a generated certificate in AWS Identity and Access Management (IAM). Attach the certificate to the load balancer. Use query parameter-based routing.


Question # 277

A company's application is running on Amazon EC2 instances within an Auto Scaling group behind an Elastic Load Balancing (ELB) load balancer. Based on the application's history, the company anticipates a spike in traffic during a holiday each year. A solutions architect must design a strategy to ensure that the Auto Scaling group proactively increases capacity to minimize any performance impact on application users. Which solution will meet these requirements?

A. Create an Amazon CloudWatch alarm to scale up the EC2 instances when CPU utilization exceeds 90%.
B. Create a recurring scheduled action to scale up the Auto Scaling group before the expected period of peak demand.
C. Increase the minimum and maximum number of EC2 instances in the Auto Scaling group during the peak demand period.
D. Configure an Amazon Simple Notification Service (Amazon SNS) notification to send alerts when there are autoscaling:EC2_INSTANCE_LAUNCH events.


Question # 278

A company manages a data lake in an Amazon S3 bucket that numerous applications access. The S3 bucket contains a unique prefix for each application. The company wants to restrict each application to its specific prefix and to have granular control of the objects under each prefix. Which solution will meet these requirements with the LEAST operational overhead?

A. Create dedicated S3 access points and access point policies for each application.
B. Create an S3 Batch Operations job to set the ACL permissions for each object in the S3 bucket.
C. Replicate the objects in the S3 bucket to new S3 buckets for each application. Create replication rules by prefix.
D. Replicate the objects in the S3 bucket to new S3 buckets for each application. Create dedicated S3 access points for each application.


Question # 279

A company is migrating its workloads to AWS. The company has sensitive and critical data in on-premises relational databases that run on SQL Server instances. The company wants to use the AWS Cloud to increase security and reduce operational overhead for the databases. Which solution will meet these requirements?

A. Migrate the databases to Amazon EC2 instances. Use an AWS Key Management Service (AWS KMS) AWS managed key for encryption.
B. Migrate the databases to a Multi-AZ Amazon RDS for SQL Server DB instance. Use an AWS Key Management Service (AWS KMS) AWS managed key for encryption.
C. Migrate the data to an Amazon S3 bucket. Use Amazon Macie to ensure data security.
D. Migrate the databases to an Amazon DynamoDB table. Use Amazon CloudWatch Logs to ensure data security.


Question # 280

A company runs workloads in the AWS Cloud. The company wants to centrally collect security data to assess security across the entire company and to improve workload protection. Which solution will meet these requirements with the LEAST development effort?

A. Configure a data lake in AWS Lake Formation. Use AWS Glue crawlers to ingest the security data into the data lake.
B. Configure an AWS Lambda function to collect the security data in csv format. Upload the data to an Amazon S3 bucket.
C. Configure a data lake in Amazon Security Lake to collect the security data. Upload the data to an Amazon S3 bucket.
D. Configure an AWS Database Migration Service (AWS DMS) replication instance to load the security data into an Amazon RDS cluster.


Question # 281

A company has separate AWS accounts for its finance, data analytics, and development departments. Because of costs and security concerns, the company wants to control which services each AWS account can use. Which solution will meet these requirements with the LEAST operational overhead?

A. Use AWS Systems Manager templates to control which AWS services each department can use.
B. Create organization units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.
C. Use AWS CloudFormation to automatically provision only the AWS services that each department can use.
D. Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the usage of specific AWS services.


Question # 282

A global company runs its workloads on AWS. The company's application uses Amazon S3 buckets across AWS Regions for sensitive data storage and analysis. The company stores millions of objects in multiple S3 buckets daily. The company wants to identify all S3 buckets that are not versioning-enabled. Which solution will meet these requirements?

A. Set up an AWS CloudTrail event that has a rule to identify all S3 buckets that are not versioning-enabled across Regions.
B. Use Amazon S3 Storage Lens to identify all S3 buckets that are not versioning-enabled across Regions.
C. Enable IAM Access Analyzer for S3 to identify all S3 buckets that are not versioning-enabled across Regions.
D. Create an S3 Multi-Region Access Point to identify all S3 buckets that are not versioning-enabled across Regions.


Question # 283

A company is designing an event-driven order processing system. Each order requires multiple validation steps after the order is created. An independent AWS Lambda function performs each validation step. Each validation step is independent from the other validation steps. Individual validation steps need only a subset of the order event information. The company wants to ensure that each validation step Lambda function has access to only the information from the order event that the function requires. The components of the order processing system should be loosely coupled to accommodate future business changes. Which solution will meet these requirements?

A. Create an Amazon Simple Queue Service (Amazon SQS) queue for each validation step. Create a new Lambda function to transform the order data to the format that each validation step requires and to publish the messages to the appropriate SQS queues. Subscribe each validation step Lambda function to its corresponding SQS queue.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the validation step Lambda functions to the SNS topic. Use message body filtering to send only the required data to each subscribed Lambda function.
C. Create an Amazon EventBridge event bus. Create an event rule for each validation step. Configure the input transformer to send only the required data to each target validation step Lambda function.
D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Create a new Lambda function to subscribe to the SQS queue and to transform the order data to the format that each validation step requires. Use the new Lambda function to perform synchronous invocations of the validation step Lambda functions in parallel on separate threads.


Question # 284

A company uses Amazon API Gateway to manage its REST APIs that third-party service providers access. The company must protect the REST APIs from SQL injection and cross-site scripting attacks. What is the MOST operationally efficient solution that meets these requirements?

A. Configure AWS Shield.
B. Configure AWS WAF.
C. Set up API Gateway with an Amazon CloudFront distribution. Configure AWS Shield in CloudFront.
D. Set up API Gateway with an Amazon CloudFront distribution. Configure AWS WAF in CloudFront.


Question # 285

A company has multiple VPCs across AWS Regions to support and run workloads that are isolated from workloads in other Regions. Because of a recent application launch requirement, the company's VPCs must communicate with all other VPCs across all Regions. Which solution will meet these requirements with the LEAST amount of administrative effort?

A. Use VPC peering to manage VPC communication in a single Region. Use VPC peering across Regions to manage VPC communications.
B. Use AWS Direct Connect gateways across all Regions to connect VPCs across Regions and manage VPC communications.
C. Use AWS Transit Gateway to manage VPC communication in a single Region and Transit Gateway peering across Regions to manage VPC communications.
D. Use AWS PrivateLink across all Regions to connect VPCs across Regions and manage VPC communications.


Question # 286

A company is creating a prototype of an ecommerce website on AWS. The website consists of an Application Load Balancer, an Auto Scaling group of Amazon EC2 instances for web servers, and an Amazon RDS for MySQL DB instance that runs with the Single-AZ configuration. The website is slow to respond during searches of the product catalog. The product catalog is a group of tables in the MySQL database that the company does not update frequently. A solutions architect has determined that the CPU utilization on the DB instance is high when product catalog searches occur. What should the solutions architect recommend to improve the performance of the website during searches of the product catalog?

A. Migrate the product catalog to an Amazon Redshift database. Use the COPY command to load the product catalog tables.
B. Implement an Amazon ElastiCache for Redis cluster to cache the product catalog. Use lazy loading to populate the cache.
C. Add an additional scaling policy to the Auto Scaling group to launch additional EC2 instances when database response is slow.
D. Turn on the Multi-AZ configuration for the DB instance. Configure the EC2 instances to throttle the product catalog queries that are sent to the database.


Question # 287

A global ecommerce company runs its critical workloads on AWS. The workloads use an Amazon RDS for PostgreSQL DB instance that is configured for a Multi-AZ deployment. Customers have reported application timeouts when the company undergoes database failovers. The company needs a resilient solution to reduce failover time. Which solution will meet these requirements?

A. Create an Amazon RDS Proxy. Assign the proxy to the DB instance.
B. Create a read replica for the DB instance. Move the read traffic to the read replica.
C. Enable Performance Insights. Monitor the CPU load to identify the timeouts.
D. Take regular automatic snapshots. Copy the automatic snapshots to multiple AWS Regions.


Question # 288

A company wants to use Amazon Elastic Container Service (Amazon ECS) to run its on-premises application in a hybrid environment. The application currently runs on containers on premises. The company needs a single container solution that can scale in an on-premises, hybrid, or cloud environment. The company must run new application containers in the AWS Cloud and must use a load balancer for HTTP traffic. Which combination of actions will meet these requirements? (Select TWO.)

A. Set up an ECS cluster that uses the AWS Fargate launch type for the cloud application containers. Use an Amazon ECS Anywhere external launch type for the on-premises application containers.
B. Set up an Application Load Balancer for cloud ECS services.
C. Set up a Network Load Balancer for cloud ECS services.
D. Set up an ECS cluster that uses the AWS Fargate launch type. Use Fargate for the cloud application containers and the on-premises application containers.
E. Set up an ECS cluster that uses the Amazon EC2 launch type for the cloud application containers. Use Amazon ECS Anywhere with an AWS Fargate launch type for the on-premises application containers.


Question # 289

A company runs an application that uses Amazon RDS for PostgreSQL. The application receives traffic only on weekdays during business hours. The company wants to optimize costs and reduce operational overhead based on this usage. Which solution will meet these requirements?

A. Use the Instance Scheduler on AWS to configure start and stop schedules.
B. Turn off automatic backups. Create weekly manual snapshots of the database.
C. Create a custom AWS Lambda function to start and stop the database based on minimum CPU utilization.
D. Purchase All Upfront reserved DB instances.


Question # 290

A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year. Which solution meets these requirements and is the MOST operationally efficient? 

A. Server-side encryption with customer-provided keys (SSE-C)
B. Server-side encryption with Amazon S3 managed keys (SSE-S3)
C. Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation
D. Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation


Question # 291

A news company that has reporters all over the world is hosting its broadcast system on AWS. The reporters send live broadcasts to the broadcast system. The reporters use software on their phones to send live streams through the Real Time Messaging Protocol (RTMP). A solutions architect must design a solution that gives the reporters the ability to send the highest quality streams. The solution must provide accelerated TCP connections back to the broadcast system. What should the solutions architect use to meet these requirements?

A. Amazon CloudFront
B. AWS Global Accelerator
C. AWS Client VPN
D. Amazon EC2 instances and AWS Elastic IP addresses


Question # 292

A solutions architect is creating an application. The application will run on Amazon EC2 instances in private subnets across multiple Availability Zones in a VPC. The EC2 instances will frequently access large files that contain confidential information. These files are stored in Amazon S3 buckets for processing. The solutions architect must optimize the network architecture to minimize data transfer costs. What should the solutions architect do to meet these requirements?

A. Create a gateway endpoint for Amazon S3 in the VPC. In the route tables for the private subnets, add an entry for the gateway endpoint.
B. Create a single NAT gateway in a public subnet. In the route tables for the private subnets, add a default route that points to the NAT gateway.
C. Create an AWS PrivateLink interface endpoint for Amazon S3 in the VPC. In the route tables for the private subnets, add an entry for the interface endpoint.
D. Create one NAT gateway for each Availability Zone in public subnets. In each of the route tables for the private subnets, add a default route that points to the NAT gateway in the same Availability Zone.


Question # 293

A company plans to run a high performance computing (HPC) workload on Amazon EC2 instances. The workload requires low-latency network performance and high network throughput with tightly coupled node-to-node communication. Which solution will meet these requirements?

A. Configure the EC2 instances to be part of a cluster placement group.
B. Launch the EC2 instances with Dedicated Instance tenancy.
C. Launch the EC2 instances as Spot Instances.
D. Configure an On-Demand Capacity Reservation when the EC2 instances are launched.


Question # 294

A company uses Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) to run its self-managed database. The company has 350 TB of data spread across all EBS volumes. The company takes daily EBS snapshots and keeps the snapshots for 1 month. The daily change rate is 5% of the EBS volumes. Because of new regulations, the company needs to keep the monthly snapshots for 7 years. The company needs to change its backup strategy to comply with the new regulations and to ensure that data is available with minimal administrative effort. Which solution will meet these requirements MOST cost-effectively?

A. Keep the daily snapshot in the EBS snapshot standard tier for 1 month. Copy the monthly snapshot to Amazon S3 Glacier Deep Archive with a 7-year retention period.
B. Continue with the current EBS snapshot policy. Add a new policy to move the monthly snapshot to Amazon EBS Snapshots Archive with a 7-year retention period.
C. Keep the daily snapshot in the EBS snapshot standard tier for 1 month. Keep the monthly snapshot in the standard tier for 7 years. Use incremental snapshots.
D. Keep the daily snapshot in the EBS snapshot standard tier. Use EBS direct APIs to take snapshots of all the EBS volumes every month. Store the snapshots in an Amazon S3 bucket in the Infrequent Access tier for 7 years.


Question # 295

A company has an application that serves clients that are deployed in more than 20,000 retail storefront locations around the world. The application consists of backend web services that are exposed over HTTPS on port 443. The application is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). The retail locations communicate with the web application over the public internet. The company allows each retail location to register the IP address that the retail location has been allocated by its local ISP. The company's security team recommends increasing the security of the application endpoint by restricting access to only the IP addresses registered by the retail locations. What should a solutions architect do to meet these requirements?

A. Associate an AWS WAF web ACL with the ALB. Use IP rule sets on the ALB to filter traffic. Update the IP addresses in the rule to include the registered IP addresses.
B. Deploy AWS Firewall Manager to manage the ALB. Configure firewall rules to restrict traffic to the ALB. Modify the firewall rules to include the registered IP addresses.
C. Store the IP addresses in an Amazon DynamoDB table. Configure an AWS Lambda authorization function on the ALB to validate that incoming requests are from the registered IP addresses.
D. Configure the network ACL on the subnet that contains the public interface of the ALB. Update the ingress rules on the network ACL with entries for each of the registered IP addresses.


Question # 296

A company has an application that customers use to upload images to an Amazon S3 bucket. Each night, the company launches an Amazon EC2 Spot Fleet that processes all the images that the company received that day. The processing for each image takes 2 minutes and requires 512 MB of memory. A solutions architect needs to change the application to process the images when the images are uploaded. Which change will meet these requirements MOST cost-effectively?

A. Use S3 Event Notifications to write a message with image details to an Amazon Simple Queue Service (Amazon SQS) queue. Configure an AWS Lambda function to read the messages from the queue and to process the images.
B. Use S3 Event Notifications to write a message with image details to an Amazon Simple Queue Service (Amazon SQS) queue. Configure an EC2 Reserved Instance to read the messages from the queue and to process the images.
C. Use S3 Event Notifications to publish a message with image details to an Amazon Simple Notification Service (Amazon SNS) topic. Configure a container instance in Amazon Elastic Container Service (Amazon ECS) to subscribe to the topic and to process the images.
D. Use S3 Event Notifications to publish a message with image details to an Amazon Simple Notification Service (Amazon SNS) topic. to subscribe to the topic and to process the images.


Question # 297

A company has a web application that has thousands of users. The application uses 8-10 user-uploaded images to generate AI images. Users can download the generated AI images once every 6 hours. The company also has a premium user option that gives users the ability to download the generated AI images anytime. The company uses the user-uploaded images to run AI model training twice a year. The company needs a storage solution to store the images. Which storage solution meets these requirements MOST cost-effectively?

A. Move uploaded images to Amazon S3 Glacier Deep Archive. Move premium user-generated AI images to S3 Standard. Move non-premium user-generated AI images to S3 Standard-Infrequent Access (S3 Standard-IA).
B. Move uploaded images to Amazon S3 Glacier Deep Archive. Move all generated AI images to S3 Glacier Flexible Retrieval.
C. Move uploaded images to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA). Move premium user-generated AI images to S3 Standard. Move non-premium user-generated AI images to S3 Standard-Infrequent Access (S3 Standard-IA).
D. Move uploaded images to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA). Move all generated AI images to S3 Glacier Flexible Retrieval.


Question # 298

A company wants to build a map of its IT infrastructure to identify and enforce policies on resources that pose security risks. The company's security team must be able to query data in the IT infrastructure map and quickly identify security risks. Which solution will meet these requirements with the LEAST operational overhead? 

A. Use Amazon RDS to store the data. Use SQL to query the data to identify security risks.
B. Use Amazon Neptune to store the data. Use SPARQL to query the data to identify security risks.
C. Use Amazon Redshift to store the data. Use SQL to query the data to identify security risks.
D. Use Amazon DynamoDB to store the data. Use PartiQL to query the data to identify security risks.


Question # 299

A company maintains about 300 TB in Amazon S3 Standard storage month after month. The S3 objects are each typically around 50 GB in size and are frequently replaced with multipart uploads by their global application. The number and size of S3 objects remain constant, but the company's S3 storage costs are increasing each month. How should a solutions architect reduce costs in this situation?

A. Switch from multipart uploads to Amazon S3 Transfer Acceleration.
B. Enable an S3 Lifecycle policy that deletes incomplete multipart uploads.
C. Configure S3 inventory to prevent objects from being archived too quickly.
D. Configure Amazon CloudFront to reduce the number of objects stored in Amazon S3.


Question # 300

A company is building a microservices-based application that will be deployed on Amazon Elastic Kubernetes Service (Amazon EKS). The microservices will interact with each other. The company wants to ensure that the application is observable to identify performance issues in the future. Which solution will meet these requirements? 

A. Configure the application to use Amazon ElastiCache to reduce the number of requests that are sent to the microservices.
B. Configure Amazon CloudWatch Container Insights to collect metrics from the EKS clusters. Configure AWS X-Ray to trace the requests between the microservices.
C. Configure AWS CloudTrail to review the API calls. Build an Amazon QuickSight dashboard to observe the microservice interactions.
D. Use AWS Trusted Advisor to understand the performance of the application.


Amazon SAA-C03 Frequently Asked Questions


What is the passing score for the SAA-C03 exam?
Answer: The passing score for the SAA-C03 exam is 720 out of 1000.
How many questions are on the SAA-C03 exam?
Answer: The SAA-C03 exam consists of 65 multiple choice and multiple response questions.
What is the time limit for the SAA-C03 exam?
Answer: The time limit for the SAA-C03 exam is 130 minutes.
What are the recommended study materials for the SAA-C03 exam?
Answer: The recommended study materials for the SAA-C03 exam include the AWS Certified Solutions Architect Associate Exam Guide, AWS documentation, white papers, and hands-on experience with AWS services.
Can the SAA-C03 exam be taken online?
Answer: Yes, the SAA-C03 exam is delivered online through the AWS certification platform.
What is the cost of the SAA-C03 exam?
Answer: The cost of the SAA-C03 exam is $150 USD.
What is the format of the SAA-C03 exam?
Answer: The SAA-C03 exam consists of multiple choice and multiple response questions and is delivered in a computer-based format.
How long is the SAA-C03 certification valid for?
Answer: The SAA-C03 certification is valid for three years, after which recertification is required to maintain the certification.
What are the topics covered in the SAA-C03 exam?
The SAA-C03 exam covers topics such as AWS core services, design and deployment of scalable, highly available, and fault-tolerant systems, implementation of security and compliance solutions, and more.
What are the eligibility criteria for taking the SAA-C03 exam?
There are no specific eligibility criteria for taking the SAA-C03 exam. However, it is recommended to have at least one year of experience with the AWS platform, as well as an understanding of AWS services, architecture, security, and billing.
What is the average salary of an AWS Certified Solutions Architect - Associate?
The average salary of an AWS Certified Solutions Architect - Associate varies depending on several factors such as location, industry, and experience. On average, the salary for an AWS Certified Solutions Architect - Associate ranges from $90,000 to $150,000 per year.
What industries commonly use AWS Certified Solutions Architects - Associate?
AWS Certified Solutions Architects - Associate are in high demand across many industries, including technology, finance, healthcare, e-commerce, and more. These professionals are able to design, deploy, and manage scalable and secure cloud-based systems on the AWS platform.
What are the career paths for an AWS Certified Solutions Architect - Associate?
The career paths for an AWS Certified Solutions Architect - Associate can vary depending on their interests and goals. Some common career paths include advancing to an AWS Certified Solutions Architect - Professional, pursuing additional AWS certifications, or moving into management or leadership roles within their organization.
What additional certifications or training can an AWS Certified Solutions Architect - Associate pursue to advance their career?
An AWS Certified Solutions Architect - Associate can pursue additional AWS certifications, such as the AWS Certified Solutions Architect - Professional, AWS Certified DevOps Engineer, or AWS Certified Big Data - Specialty. They can also pursue training in specific AWS services, such as Amazon S3, Amazon EC2, or Amazon RDS.
How does obtaining an AWS Certified Solutions Architect - Associate certification impact one's job prospects and earning potential?
Obtaining an AWS Certified Solutions Architect - Associate certification can positively impact one's job prospects and earning potential. Employers often view AWS certification as a sign of technical expertise and experience, and certified individuals are typically offered higher salaries and more job opportunities.
What are the job duties and responsibilities of an AWS Certified Solutions Architect - Associate?
The job duties and responsibilities of an AWS Certified Solutions Architect - Associate include designing, deploying, and managing scalable, secure, and highly available systems on the AWS platform, evaluating and recommending AWS services for specific business needs, and working with stakeholders to ensure the proper operation and performance of AWS-based systems.
How does the demand for AWS Certified Solutions Architects - Associate vary by region and industry?
The demand for AWS Certified Solutions Architects - Associate varies by region and industry, with higher demand in regions with a strong technology presence and in industries that heavily rely on cloud-based systems.
What are some of the most challenging and rewarding aspects of being an AWS Certified Solutions Architect - Associate?
The most challenging aspect of being an AWS Certified Solutions Architect - Associate is staying current with the rapidly evolving AWS platform and new services and features. The most rewarding aspect is the opportunity to work on exciting and innovative projects, and the satisfaction of delivering solutions that drive business success.
How does continuous education and keeping up with the latest advancements in AWS technology impact the success and growth of an AWS Certified Solutions Architect - Associate?

Continuous education and keeping up with the latest advancements in AWS technology is crucial for the success and growth of an AWS Certified Solutions Architect - Associate. The AWS platform is constantly evolving, and certified professionals
Customers Feedback

What our clients say about SAA-C03 Real Exam Questions

    Jessica Zhang     Mar 24, 2025
I was nervous about taking the SAA-C03 exam, but after using the practice exams and study material provided by salesforcexamdumps, I felt well-prepared. The questions were a good mix of technical and practical, and I felt confident in my ability to answer them. Overall, it was a great experience and I'm happy to have passed!
    Youssef Abdelhakim     Mar 23, 2025
These questions are helpful for passing the exam, but if you want truly to learn the material.
    Sophia Kim     Mar 23, 2025
I appreciated the format of the SAA-C03 exam dumps, with a mix of multiple-choice and hands-on questions. It was a great way to test both my technical knowledge and practical skills. I got the PDF + Exam Engine package and I never found such material before.
    Michael Brown     Mar 22, 2025
The SAA-C03 exam was a great way to measure my growth as an AWS Solutions Architect. I was pleased to see that all the hard work I put into studying paid off, as I was able to pass the exam on my first try.
    Santos     Mar 22, 2025
The exam consisted of 65 questions and 59 questions from this study material. I achieved a mark of 90% on the test. Good luck to those taking the exam!
    Maria Lopez     Mar 21, 2025
I received my SAA-C03 exam results immediately after completing it and was pleasantly surprised with a 92% mark. Truly amazing!
    Rachel Chen     Mar 21, 2025
I thought the SAA-C03 exam was well-structured and gave a good representation of the skills and knowledge necessary to be a successful AWS Solutions Architect. The questions were challenging, but not impossible, which I felt was a good balance.
    David Lee     Mar 20, 2025
The SAA-C03 exam was definitely a challenge, but I felt well-prepared thanks to the salesforcexamdumps.om AWS Certified Solutions Architect - Associate (SAA-C03) practice exams and study materials I used. I'm so glad I took the time to properly prepare because it paid off with a passing grade.
    Petrova     Mar 20, 2025
These SAA-C03 Practice tests feel like real exams! They are very accurate and I highly recommend them.
    Amelia Collins     Mar 19, 2025
These exam dumps are worth every penny I spent. I passed the SAA-C03 exam with flying colors thanks to these questions. Thanks Salesforcexamdumps.com.
    Henrik Bjornsen     Mar 19, 2025
I am delighted to recommend this website to my friends. I personally used it to prepare for my SAA-C03 exam, and I can attest that the questions and answers were 100% accurate.
    James Davis     Mar 18, 2025
The SAA-C03 exam dumps was a great way to validate my knowledge of AWS and the various services it offers. I appreciated the mix of technical and practical questions, as it allowed me to showcase my skills in multiple areas. Download AWS Certified Solutions Architect - Associate (SAA-C03) Sample Questions
    Muhammad Talha     Mar 18, 2025
I took the SAA-C03 exam after completing the AWS Solutions Architect Associate Dumps preparation, and I found it to be a natural progression in terms of difficulty. The questions were challenging, but they accurately reflected the skills and knowledge necessary for the role of a Solutions Architect. Today I passed my AWS Certified Solutions Architect - Associate (SAA-C03) Exam with 98% marks.
    Khan     Mar 17, 2025
I am thrilled to have discovered Salesforcexamdumps! It's amazing how easy it is to read, understand, and study each exam section, taking detailed notes. Thank you so much!
    Sarah Johnson     Mar 17, 2025
I recently took the SAA-C03 exam and I'm happy with the report that I passed my AWS Certified Solutions Architect - Associate (SAA-C03) Exam on my first attempt! The questions on the exam were similar to the ones I practiced with through my study materials provided by salesforcexamdumps, which helped me feel confident and prepared.
    Liam O'Brien     Mar 16, 2025
Compared to other websites, this one is much more affordable and provides the same questions and answers. I received a fantastic score of 90%.
    Emily Smith     Mar 16, 2025
I found the SAA-C03 exam to be a comprehensive assessment of my AWS knowledge. The real-world scenarios and practical questions helped me to see how my skills could be applied in a real-world setting. Today I passed my AWS Certified Solutions Architect - Associate (SAA-C03) exam thanks to salesforcexamdumps.com. If anyone wants to get exam information, you can get it from here: https://d1.awsstatic.com/training-and-certification/docs-sa-assoc/AWS-Certified-Solutions-Architect-Associate_Exam-Guide.pdf
    Emi     Mar 15, 2025
Hi Guys I am pleased to inform you that I passed my SAA-C03 exam on the first try thanks to these great exam dumps!
    Ji-hyun     Mar 15, 2025
Salesforcexamdumps.com Study Material and questions are extremely informative and were a huge help to me. I got 90% marks.
    Grant Cox     Oct 17, 2024

With Salesforcexamdumps.com, passing the Amazon SAA-C03 was straightforward and stress-free!
