AWS Networking and Architecture Solutions

Questions and Answers

Which solution allows the product manager to access the Amazon CloudWatch dashboard while following the principle of least privilege?

Deploy a bastion server for accessing the dashboard remotely.

Share the dashboard from the CloudWatch console. (correct)

Create a direct link for the product manager to view the dashboard without an account.

Allow the product manager to create an AWS account for access.

What is the main role of the IAM user created for the product manager in this situation?

To grant permission for altering the AWS account settings.

To enable the execution of AWS Lambda functions.

To provide read-only access to CloudWatch metrics and dashboards. (correct)

To allow full administrative access to AWS services.

Which of the following actions does NOT follow the principle of least privilege when providing access to the product manager?

Sharing a direct link to the CloudWatch dashboard.

Creating a generic IAM user for all employees with broad access. (correct)

Deploying a bastion server with RDP credentials to access the dashboard.

Creating a specific IAM user for the product manager with limited permissions.

What is the purpose of attaching the CloudWatchReadOnlyAccess AWS managed policy to the IAM user?

To ensure the product manager can view CloudWatch metrics without making changes.

Which of the following is the least secure solution for granting access while still allowing the product manager to view the dashboard?

Providing the product manager with the current AWS root account credentials.

What architecture design maximizes resiliency and scalability for a modernized application?

Use EC2 instances managed by Amazon EventBridge based on compute nodes' load.

Which option provides the best solution for file lifecycle management for an SMB file server?

Utilize Amazon S3 Intelligent-Tiering for file storage management.

What configuration would not optimize the existing data storage for frequently accessed files?

Storing all files in an archive tier after one week.

To avoid future storage issues while maintaining low latency for the latest files, what should be implemented?

Introduce an automated tiering to S3 based on access frequency.

What is the main advantage of using Amazon SQS in the proposed architecture?

It allows for decoupling of jobs from the processing mechanisms.

What is a potential issue with configuring EC2 Auto Scaling based solely on scheduled scaling?

It can lead to under-provisioning during unexpected load surges.

Which configuration would not effectively increase available storage space for the SMB file server?

Setting up a secondary backup on-premises.

In which scenario would you prefer to choose Auto Scaling based on queue size instead of server load?

When there are predictable traffic patterns with off-peak intervals.

Which action will ensure that the Lambda function ingests all data in the future?

Create an Amazon Simple Queue Service (Amazon SQS) queue and subscribe it to the SNS topic.

What is the recommended way to monitor the upload of files containing personally identifiable information (PII)?

Use Amazon Macie to scan the objects in the bucket.

Which combination of actions should a solutions architect take to reduce manual remediation after detecting PII?

Use Amazon Simple Notification Service (SNS) for alerting.

Which method would provide the least development effort to alert administrators about files containing PII?

Trigger notifications using Amazon SNS after scanning with Amazon Macie.

What should a solutions architect implement to ensure files larger than 200 GB are handled efficiently when uploaded?

Use Amazon S3 for direct uploads and notify once completed.

If a solutions architect wants to improve data reliability when ingesting data from stores, which action is likely to help?

Use Amazon SQS to queue incoming data.

What should a solutions architect consider to automate the removal of PII while minimizing development efforts?

Employ Amazon Macie for detection and alerting.

To ensure optimal performance for the Lambda function, what configuration should be avoided?

Decreasing allocated CPU and memory resources.

What solution allows an EC2 instance in a VPC to access an S3 bucket without internet connectivity?

Create a gateway VPC endpoint to the S3 bucket.

What configuration allows both EC2 instances to access the same set of user-uploaded documents?

Copy the data so both EBS volumes contain all the documents.

Which approach would help eliminate document visibility discrepancies across EC2 instances?

Configure the Application Load Balancer to direct a user to the server with the documents.

What is the main purpose of creating an instance profile on Amazon EC2 regarding S3 access?

To grant S3 access permissions to the EC2 instance.

Which service can be used to streamline the processing of logs stored in S3 while maintaining availability?

Amazon CloudWatch Logs.

Which method would enable updates to documents stored across two separate EBS volumes?

Use Amazon EFS to share files between instances.

What is a key benefit of placing EC2 instances behind an Application Load Balancer?

Automatic scaling based on traffic.

What does creating an Amazon API Gateway API with a private link accomplish?

Provides a secure and private connection to access AWS services.

What is the main requirement for the company's accounting records in relation to deletion?

No one can delete the records during the entire 10-year period.

Which Amazon S3 storage solution provides maximum resiliency for long-term storage?

S3 Glacier Deep Archive

What feature should be used to prevent deletion of the records for 10 years?

S3 Object Lock in compliance mode

After how long should the records be transitioned to S3 Glacier Deep Archive according to the requirements?

After 1 year

What is the purpose of the S3 Lifecycle policy in this scenario?

To automatically transition records to another storage class over time.

Which storage class would NOT be suitable for the company's requirement of keeping records accessible for 1 year?

S3 Glacier Deep Archive

What happens to the records after the 10-year retention period under the proposed solution?

They remain in S3 Glacier Deep Archive indefinitely.

Which option best meets the requirement to prevent record deletion after 1 year?

Implement S3 Object Lock in compliance mode for 10 years.

Study Notes

VPC Endpoint for Private Network Connectivity

• An application running on an EC2 instance in a VPC needs to access an S3 bucket without internet connectivity
• The solution is to create a gateway VPC endpoint to the S3 bucket

Duplicated EC2 Instances and EBS Volumes with Load Balancer

• A web application hosted on AWS using two EC2 instances and EBS volumes in different Availability Zones behind an Application Load Balancer experiences an issue where users see only a subset of their documents, never all at once.
• The proposed solution is to copy the data from both EBS volumes to Amazon EFS (Elastic File System) and modify the application to save new documents to EFS, ensuring users see all their documents.

Modernizing Legacy Architecture with Scalability and Resiliency

• A company is modernizing their application with a primary server coordinating jobs across multiple compute nodes.
• The solution is to implement both the primary server and compute nodes with EC2 instances managed in an Auto Scaling group.
• Configure AWS CloudTrail as a destination for the jobs and configure EC2 Auto Scaling based on the load on the primary server.

Increasing Storage Space with Low Latency Access for Recently Accessed Files

• A company is running an SMB file server storing large files frequently accessed for the first few days after creation, and the files are rarely accessed after 7 days.
• The total data size is increasing and approaching the company's storage capacity.
• The solutions architect wants to increase available storage space without losing low-latency access to the most recently accessed files.
• The solution is to use an Amazon S3 bucket for file storage along with an Amazon S3 Lifecycle policy to move files to a less expensive storage tier after 7 days when access is infrequent. This ensures low-latency access to recently accessed files while optimizing for cost on older, less accessed files.

Providing Access to CloudWatch Dashboard to a User Without AWS Account

• A company is launching a new application and wants to provide access to the CloudWatch dashboard to a user who does not have an AWS account.
• The principle of least privilege should be followed.
• The solution is to create an IAM user specifically for the user, attach the CloudWatchReadOnlyAccess AWS managed policy to the user, and share the login credentials and the browser URL of the dashboard with the user.

Ensuring Lambda Function Ingests All Data From an SNS Topic

• A Lambda function is triggered by an SNS topic, but not ingesting all data.
• Two solutions are required:
  • Create an Amazon SQS queue and subscribe it to the SNS topic, making the Lambda function read from the SQS queue.
  • Increase provisioned throughput for the Lambda function to handle the incoming data volume.

Automating Remediation for Personally Identifiable Information (PII) in Files Uploaded via SFTP

• A company is receiving files uploaded via SFTP, some containing PII, and wants to automate the process of detecting and remediating PII in these files.
• The solution is to utilize an AWS Lambda function and trigger it when objects are loaded into the S3 bucket. The Lambda function should implement custom scanning algorithms to detect PII and use Amazon SNS to notify administrators if PII is found.

Storing Accounting Records in Amazon S3 with Long-Term Retention and Deletion Prevention

• A company needs to store accounting records in Amazon S3 with immediate access for 1 year followed by archiving for 9 years, ensuring no deletion is possible by anyone, including administrative or root users.
• The solution is to use an S3 Lifecycle policy to transition the records from S3 Standard to S3 Glacier Deep Archive after 1 year. Use S3 Object Lock in compliance mode for a period of 10 years, preventing deletion even by administrative users.

Synchronizing Windows File Shares between Amazon EC2 Instances

• A company runs multiple Windows workloads on AWS, with employees using Windows file shares hosted on two Amazon EC2 instances.
• The file shares need to synchronize data and maintain duplicate copies.
• The solution is to use a dedicated file server (like Amazon WorkSpaces) for synchronization and utilize centralized user authentication and authorization.

Description

This quiz covers essential solutions for AWS networking and application architecture. It includes topics like VPC endpoints for S3 access, managing EC2 instances with Load Balancers, and modernizing legacy systems for scalability and resiliency. Test your knowledge on these critical AWS concepts.