AWS Certified Solutions Architect - Professional Exam
45 Questions

Created by
@FinestNeptunium

Questions and Answers

Which solution will meet the requirement to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source in the NonProd OU with the least operational overhead?

  • Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU.
  • Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. (correct)
  • Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic.
  • Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0.

Which solution will meet the requirements of moving the webhook functionality to a serverless architecture with the least operational overhead?

  • Deploy the webhook logic to AWS App Runner.
  • Create an Amazon API Gateway HTTP API. Implement each webhook's logic in a separate AWS Lambda function. (correct)
  • For each webhook, create and configure an AWS Lambda function URL.
  • Containerize the webhook logic and run it in AWS Fargate.

What type of metrics does the company want to gather for the 1,000 on-premises servers being migrated to AWS?

    CPU details, RAM usage, operating system information

    Which data migration strategy should the company use to move its workload to AWS?

    Use AWS DataSync to schedule a daily task to replicate data between the on-premises Windows file server and Amazon Elastic File System (Amazon EFS).

    Which solution will meet the requirements of resiliency across multiple AWS Regions with the least operational overhead?

    Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region.

    What steps should a solutions architect take to design a scalable and highly available solution for a three-tier web application?

    Create a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster.

    What should the solutions architect do to deploy CloudFormation StackSets in all AWS accounts?

    Create a stack set in the Organizations management account with service-managed permissions.

    Which combination of steps should a solutions architect take to migrate workloads to AWS in a cost-effective manner?

    Generate recommended instance types and costs using AWS Migration Hub.

    What solution should a solutions architect recommend to migrate an image-processing service to AWS cost-effectively?

    Create a queue using Amazon SQS and invoke an AWS Lambda function for processing files.

    Which most cost-effective solution should a solutions architect recommend for data retention compliance with OpenSearch Service?

    Reduce the number of data nodes and configure the indexes to transition to UltraWarm.

    Which combination of instances should be run in the Availability Zones to meet the requirement of splitting 12 instances?

    Run two instances in each Availability Zone as On-Demand Instances with Capacity Reservations; four instances in each Availability Zone as Spot Instances.

    Which resources in the CloudFormation template will meet the security engineer’s requirements?

    Generate the password as a SecureString in Systems Manager Parameter Store and use an AppSync DataSource for rotation.

    Which solutions meet the requirements for making data accessible publicly through a simple API over HTTPS?

    Create an Amazon API Gateway REST API with direct integrations to DynamoDB.

    What combination of steps should the solutions architect take to implement a redirect service for the domains?

    Use API Gateway with a custom domain to invoke a Lambda function.

    Which solution meets the requirements for re-architecting the web application that analyzes uploaded videos?

    Host the web application in Amazon S3 and process the SQS queue with an AWS Lambda function.

    What should a solutions architect do to accurately identify the cost of security tools on EC2 instances?

    Activate the costCenter tag and retrieve the monthly AWS Cost and Usage Report from the management account.

    How can the company decrease the time to deploy new versions of the Lambda functions and reduce error detection time?

    Use AWS SAM and AWS CodeDeploy to deploy the new Lambda version.

    Which steps meet the requirements for establishing connectivity between VPCs in member accounts using AWS Transit Gateway?

    Launch a CloudFormation stack set from the management account to create new VPCs and transit gateway attachments in member accounts.

    What is the MOST efficient way to allow developers to purchase third-party software through AWS Marketplace while enforcing restrictions?

    Create the role only in shared services accounts and use root-level SCPs for access control.

    What solution meets the requirements for storing a large number of archived documents securely and at the lowest cost?

    Create an Amazon S3 bucket with S3 Glacier Deep Archive.

    What should the solutions architect do to eliminate the ability of developers to use services outside the allowed ones in the SCP?

    Create explicit deny statements for each excluded AWS service.

    What will meet the requirements for integrating on-premises Active Directory for AWS account sign-in?

    Configure AWS IAM Identity Center (AWS Single Sign-On) with SAML 2.0.

    What should be recommended to improve the customer experience with increased PUT request errors?

    Implement retry logic with exponential backoff.

    Which solution can handle increased traffic for a monolithic REST-based API hosted on EC2 instances?

    Create an Application Load Balancer and place EC2 instances in private subnets.

    How can a solutions architect provide usage cost breakdowns across AWS accounts under each engineering team's OU?

    Create an AWS Cost and Usage Report (CUR) for each OU using AWS Resource Access Manager.

    What is the most cost-effective solution for running a data-intensive application on AWS with a shared file system?

    Migrate data to Amazon S3 using FSx for Lustre on demand.

    What solution ensures high availability for a service using TCP on a static port?

    Create EC2 instances with Elastic IP addresses and an NLB.

    What is the most cost-effective solution for a company with an on-premises data analytics platform moving to AWS?

    Adopt a consumption-based model with on-demand EC2 for scheduled jobs.

    Which combination of steps will improve the application's architecture for automatic recovery in the least downtime? (Choose three)

    Create a replication group for the ElastiCache for Redis cluster. Configure the cluster to use an Auto Scaling group that has a minimum capacity of two instances.

    Which combination of steps will provide a custom error page for the Application Load Balancer with the least operational overhead? (Choose two)

    Add a custom error response by configuring a CloudFront custom error page. Modify DNS records to point to a publicly accessible webpage.

    Which combination of actions will allow sharing a common network across multiple AWS accounts? (Choose two)

    Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.

    Which solution meets the requirements for private connectivity with a third-party SaaS application? (Choose one)

    Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit access to the endpoint. Associate the security group with the endpoint.

    Which set of actions will ensure that patching is reported correctly across servers and EC2 instances? (Choose one)

    Use AWS Systems Manager to manage patches on the on-premises servers and EC2 instances. Use Systems Manager to generate patch compliance reports.

    What actions will ensure log files are copied from terminated EC2 instances to S3? (Choose one)

    Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance.

    What actions should be taken to resolve an issue where a CNAME record is not resolvable on an EC2 instance? (Choose two)

    Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A.

    What is the most cost-efficient and scalable deployment to resolve buffering and timeout issues for a blog site? (Choose one)

    Set up an Amazon CloudFront distribution for all site contents, and point the distribution at the ALB.

    What solution meets the connectivity requirements for adding a redundant Direct Connect connection? (Choose one)

    Provision a Direct Connect gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the Direct Connect gateway. Connect the Direct Connect gateway to the single VPC.

    Which architecture should the company use to meet these DNS resolution requirements with the HIGHEST performance?

    Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.

    Which solution will give the API the ability to fail over to a different AWS Region?

    Deploy a new API Gateway API and Lambda functions in another Region. Change the Route 53 DNS record to a failover record. Enable target health monitoring. Convert the DynamoDB tables to global tables.

    Which option will allow administrators to update existing AWS Config rules after onboarding a new account?

    Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the new account to the Production OU when adjustments to AWS Config are complete.

    Which solution will provide a consistent user experience for the application and database tiers to scale?

    Enable Aurora Auto Scaling for Aurora Replicas. Use an Application Load Balancer with the round robin routing and sticky sessions enabled.

    Which solution should the company use for migrating the service to AWS while supporting older devices?

    Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a Lambda@Edge function that will remove the problematic headers in response to viewer requests based on the value of the User-Agent header.

    Which combination of steps must the companies take for User_DataProcessor to access the S3 bucket successfully?

    In Account A, set the S3 bucket policy to allow access for User_DataProcessor.

    Which solution meets the company's needs for a serverless architecture while refactoring the application?

    Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Container Service (Amazon ECS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the ECS clusters.

    What should a solutions architect recommend to meet the company’s requirements for reducing RTO?

    Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Configure Route 53 with a health check that monitors the web application and sends an Amazon Simple Notification Service (Amazon SNS) notification to the Lambda function when the health check status is unhealthy. Update the application’s Route 53 record with a failover policy that routes traffic to the ALB in the backup Region when a health check failure occurs.

    Study Notes

    Hybrid DNS Solution

    • A company requires a hybrid DNS architecture using Amazon Route 53 private hosted zones for resources in VPCs.
    • On-premises systems and all VPCs need to resolve the domain cloud.example.com.
    • An AWS Direct Connect connection is already established between on-premises networks and the AWS Transit Gateway.
    • Recommended architecture includes associating the private hosted zone to all VPCs and creating a Route 53 inbound resolver in a shared services VPC with forwarding rules to the resolver.

    API Failover Solution

    • A weather data API hosted with Amazon API Gateway and AWS Lambda needs failover capabilities across AWS Regions.
    • Existing data is stored in Amazon DynamoDB.
    • Suggested approach involves deploying a new set of Lambda functions in a secondary Region, updating API Gateway to use an edge-optimized endpoint, and converting DynamoDB tables into global tables for seamless data access.

    AWS Config Rule Management

    • AWS Organizations is used to manage multiple accounts under a single Production OU with deny list Service Control Policies (SCPs).
    • A new account from an acquired business unit cannot update AWS Config rules.
    • Possible solutions include creating a temporary Onboarding OU with allow SCPs for AWS Config actions or adjusting existing SCPs to permit changes based on needs.

    Migration of Web Application to AWS

    • A company transitions a stateful web application and separate PostgreSQL database to AWS, using Amazon Aurora and EC2 Auto Scaling.
    • The architecture should ensure scalability and a consistent user experience.
    • Enabling Auto Scaling for Aurora writers and using an Application Load Balancer with round-robin routing is one suggested solution for effective scaling.

    HTTP Header Management for Older Devices

    • Applications accessed by various consumer devices require AWS migration while retaining support for older devices that don't handle certain HTTP headers.
    • Solutions include creating Amazon API Gateway to modify responses based on User-Agent headers, or configuring CloudFront distributions to manage problematic headers.

    S3 Bucket Access Across AWS Accounts

    • A retail company’s stored files in S3 need access for an IAM user from a business partner’s AWS account.
    • Access requirements can be met by updating the S3 bucket policy and possibly enabling cross-origin resource sharing (CORS).

    Refactoring to Microservices on AWS

    • A traditional web application on EC2 needs restructuring into microservices with serverless architecture.
    • Cost-effective solutions include utilizing Amazon ECS with Fargate launch type and setting up separate Application Load Balancers for production and testing environments.

    Multi-Tier Application Recovery

    • A multi-tier web application in a primary AWS Region relies on an Amazon RDS Multi-AZ DB instance with a read replica.
    • To meet recovery time objectives (RTO) of under 15 minutes, failover strategies using AWS Lambda and Route 53 health checks to monitor and redirect traffic are proposed.

    Infrastructure Health and Automatic Recovery

    • A critical application on a single EC2 instance with additional services requires robust health and recovery mechanisms.
    • Implementing an Elastic Load Balancer with Auto Scaling, along with configuring the RDS for Multi-AZ deployments and creating an ElastiCache replication group, enhances infrastructure resilience and reduces downtime.

    E-commerce Application Management

    • The company's e-commerce application demonstrates use cases for AWS infrastructure management, particularly with resilience and customer experience considerations.

    Application Load Balancer and Custom Error Handling

    • Amazon EC2 instances operate behind an Application Load Balancer (ALB) along with an Amazon RDS database backend.
    • Static content is cached via Amazon CloudFront, and public zones are hosted using Amazon Route 53.
    • ALB occasionally encounters a 502 Bad Gateway error due to malformed HTTP headers.
    • A custom error page is required to replace the standard ALB error page with minimal operational overhead.
    • Options include creating an S3 bucket for static webpage hosting, configuring CloudFront for custom error responses, and using CloudWatch for monitoring ALB health.

    AWS Organizations and Network Sharing

    • AWS Organizations is used for managing multiple AWS accounts, with a dedicated infrastructure account maintaining a VPC.
    • Individual accounts can create resources within subnets but cannot manage their own networks.
    • Key actions to share a common network include creating a transit gateway and setting up AWS Resource Access Manager for resource sharing.

    Secure Connectivity for SaaS Applications

    • A third-party SaaS application runs within a VPC, and privacy-sensitive policies require no internet traversal for API calls.
    • A solution involves using AWS PrivateLink for secure, private connectivity to the SaaS application while ensuring least privilege access.

    Patching Systems Across Environments

    • A patching process is needed across on-premises servers and EC2 instances to generate compliance reports effectively.
    • AWS Systems Manager is the recommended tool for managing patches and generating reports rather than using disparate methods.

    Logging from Auto Scaling Groups

    • To prevent missing log files during EC2 instance termination in an Auto Scaling group, implement an Auto Scaling lifecycle hook.
    • Create an AWS Systems Manager document to copy log files to an S3 bucket before instance termination, run at the appropriate lifecycle transition.

    Route 53 DNS Resolution Issues

    • Issues arise when a CNAME record set in a private hosted zone for Account A is not resolvable in Account B where the application runs.
    • Solutions involve creating authorization for the private hosted zone association across AWS accounts or deploying a separate private hosted zone in Account B.

    Cost-Efficient Web Application Deployment

    • An application hosting videos on EBS volumes behind an ALB faces buffering and timeout challenges due to increased traffic.
    • The optimal solution is configuring Amazon CloudFront distribution to serve all site contents, ensuring scalability and performance improvements.

    Direct Connect Redundancy and Expansion

    • A single AWS Direct Connect connection needs redundancy and the capability to connect to multiple regions.
    • Provision a Direct Connect gateway, allowing connection expansion through new private virtual interfaces.

    Re-architecting Serverless Applications

    • A serverless application architecture comprising CloudFront, API Gateway, and Lambda requires efficient deployment processes.
    • Utilizing AWS SAM with CodeDeploy enables gradual traffic shifting and rollback capabilities, improving deployment efficiency and error detection.

    CloudFormation for Efficient Version Management

    • Deploying nested AWS CloudFormation stacks allows efficient management of application code and rollback through change sets.
    • If errors are detected in a new Lambda version, reverting to a previous version can be managed through the CloudFormation framework.

    API Gateway and CloudFront Adjustments

    • Change CloudFront origin to a new API Gateway endpoint and monitor for errors.
    • If errors are detected, revert the CloudFront origin to the previous API Gateway endpoint.

    Document Storage Solution

    • Requirement: Store archived documents accessible only through a corporate VPN, not public.
    • Solution options:
      • Amazon S3 with S3 One Zone-IA for infrequent access with a private endpoint.
      • Amazon EC2 with EFS One Zone-IA for archived data, secured for private network access.
      • Amazon EC2 with EBS cold HDD (sc1) volume, secured for private network access.
      • Amazon S3 with S3 Glacier Deep Archive for long-term, low-cost storage, accessible through a private endpoint.

    Authentication with Active Directory

    • Existing on-premises Active Directory for user authentication needs integration with AWS accounts.
    • Solution options:
      • Configure AWS IAM Identity Center (AWS SSO) with SAML 2.0 and SCIM v2.0 for user provisioning and attribute-based access control.
      • Use IAM roles and identity providers (SAML or OIDC) for federated access with Active Directory mappings.

    API Error Management

    • Increase in errors during PUT requests from specific clients impacting API reputation.
    • Recommendation:
      • Implement client-side retry logic with exponential backoff for error handling.
      • API throttling at the API Gateway level to manage overload and handle response codes (e.g., 429).

    Data Management for EC2-based Applications

    • Need to reduce costs for a data-intensive application using a shared file system.
    • Recommendations:
      • Migrate data to Amazon S3, then utilize Amazon FSx for Lustre with lazy loading for job durations.
      • Amazon EBS with Multi-Attach for shared storage usage during jobs.

    High Availability Service Deployment

    • Requirement for a highly available TCP service with a static, DNS-accessible name.
    • Options:
      • Create Amazon EC2 instances with Elastic IPs, configured behind a Network Load Balancer (NLB).
      • Create an ECS cluster with public IPs behind an NLB, managing DNS records accordingly.

    Cloud Migration for Data Analytics

    • Transition from a 12-server on-premises analytics platform to AWS EC2 with high availability requirements.
    • Cost-effective options:
      • Distribution across Availability Zones with a mix of On-Demand and Spot Instances.
      • Capacity Reservations to maintain SLAs for scheduled jobs.

    Security Enhancements for Database Credentials

    • Upcoming application version necessitates stronger password security and automatic rotation.
    • Suggested resources for CloudFormation:
      • Use AWS Secrets Manager with an associated Lambda function for automated password rotations every 90 days.

    Serverless API Access to DynamoDB

    • Requirement for a serverless architecture to access DynamoDB publicly via HTTPS.
    • Solutions:
      • Utilize Amazon API Gateway REST or HTTP APIs directly integrated with DynamoDB.
      • Consider Lambda functions invoked by API Gateway for data retrieval.

    Domain Management for URL Redirection

    • Need to redirect multiple registered domains to specific URLs using a JSON document.
    • Low operational effort steps:
      • Develop Lambda function for URL redirection based on JSON lookups.
      • Configure an Application Load Balancer for incoming redirections.
      • Use Amazon API Gateway with custom domains for handling requests.

    Description

    Prepare for the AWS Certified Solutions Architect - Professional SAP-C02 exam with this free quiz containing expert-verified questions and answers. This resource is designed to help you enhance your knowledge and improve your chances for success in the certification exam. Test your skills and understanding of key AWS solutions architecture concepts.
