AWS Solutions Architect Practice Exam

Questions and Answers

What should a solutions architect do to prevent unauthorized configuration changes in Amazon S3 buckets?

• Turn on AWS Config with the appropriate rules. (correct)
• Turn on Amazon S3 server access logging.
• Turn on Amazon Inspector with the appropriate assessment template.
• Turn on AWS Trusted Advisor with the appropriate checks.

Which solution allows a product manager without an AWS account to access an Amazon CloudWatch dashboard while adhering to the principle of least privilege?

• Create an IAM user for the product manager and attach the CloudWatchReadOnlyAccess policy. (correct)
• Use an IAM user with a ViewOnlyAccess policy to grant access.
• Share the dashboard link via the CloudWatch console directly.
• Deploy a bastion server to provide temporary access to the dashboard.

In a company using AWS Organizations, what is a recommended solution for implementing single sign-on (SSO) across multiple AWS accounts?

• Leverage AWS Directory Service for centralized authentication.
• Use AWS Single Sign-On to manage access across all accounts. (correct)
• Implement Amazon Cognito for user management across accounts.
• Configure IAM roles in each account for SSO access.

Which of the following is NOT a function of AWS Config?

Assessing the security vulnerabilities of AWS resources. (A)

What is a potential disadvantage of sharing an Amazon CloudWatch dashboard link directly with a product manager?

It may expose sensitive metrics to unauthorized users. (A)

Which AWS service can help ensure monitoring for unauthorized changes specifically in S3 bucket configurations?

AWS Config. (A)

What should be considered when creating an IAM user for accessing CloudWatch dashboard metrics?

The IAM user should have permissions that align with the principle of least privilege. (C)

What is a potential benefit of enabling Amazon S3 server access logging?

It tracks the sources accessing the S3 bucket. (D)

What is the most cost-effective way to avoid Regional data transfer charges for EC2 instances accessing Amazon S3?

Deploy a gateway VPC endpoint for Amazon S3. (D)

Which combination of actions can ensure a Lambda function ingests all data in the future despite network connectivity issues?

Create an Amazon Simple Queue Service (Amazon SQS) queue, and subscribe it to the SNS topic. (B), Modify the Lambda function to read from an Amazon Simple Queue Service (Amazon SQS) queue. (C)

What should be configured to send events about completed uploads to an S3 bucket using Amazon CloudWatch?

Use an Amazon SNS topic as the target for CloudWatch Container Insights. (D)

How can a company improve the reliability of its data ingestion workflow using AWS components?

Implement SQS to queue messages during connectivity issues. (C)

Which architectural change would minimize downtime of a Lambda function caused by network issues?

Create an SQS queue that the Lambda function reads from during failures. (A)

What is the role of the NAT gateway in the context of EC2 instances accessing S3?

It acts as a connection point for private EC2 instances accessing public resources. (C)

Why might a company choose to replace a NAT gateway with a NAT instance?

To lower operational costs and improve performance. (C)

In an application where stores upload transaction data via SFTP, which service would be vital for processing and analyzing the uploaded data?

Amazon EMR for large-scale data processing. (B)

What is the most appropriate AWS DynamoDB capacity mode to handle traffic spikes quickly?

Create a DynamoDB table in on-demand capacity mode. (D)

How should a solutions architect securely share an AMI backed by EBS snapshots with an MSP Partner's AWS account?

Share the AMI with the MSP Partner’s AWS account and modify the key policy to allow their account to use the key. (C)

What design should a solutions architect use to ensure a stateless processor application runs in parallel and can scale based on job demand?

Create an Amazon SNS topic to send jobs, an AMI for the processor application, and an Auto Scaling group with a launch configuration. (C)

Which option allows a solutions architect to use a customer managed key for encrypting EBS snapshots when sharing an AMI?

Adjust the key policy to permit the MSP Partner's AWS account to access the key. (B)

In the context of an AWS application architecture, what does it mean for the application to be loosely coupled?

Application components can operate independently and communicate through well-defined interfaces. (A)

What is one of the key benefits of using an Amazon SQS queue for job management in an AWS architecture?

It provides durability of job items even when workers are temporarily offline. (C)

Why might a solutions architect choose to implement Auto Scaling for a serverless architecture on AWS?

To automatically add or remove instances based on actual traffic demands. (B)

What role does a global secondary index (GSI) play in a DynamoDB table?

It allows for alternative query patterns on the data without altering the original table structure. (B)

What is the purpose of configuring an S3 Lifecycle policy for storing uploaded documents?

To ensure documents are archived periodically to save costs. (B)

How can the web servers securely connect to the Amazon RDS MySQL Multi-AZ DB instance while ensuring credentials are rotated frequently?

By storing credentials in AWS Secrets Manager and granting necessary IAM permissions. (D)

What solution can be implemented to prevent data loss during database upgrades for Lambda functions?

Use an Amazon RDS proxy to manage database connections. (D)

What is a primary benefit of using S3 Versioning for document storage?

It allows for recovery of previous document states. (D)

What is a potential risk of storing database user credentials on the web server file system?

Credentials may become easily accessible if the server is compromised. (A)

Which option is not a valid method for facilitating secure database access from web servers?

Utilizing plain text files in an S3 bucket. (A)

What strategy can be adopted to enhance the reliability of data storage during database maintenance periods?

Implement message queuing to temporarily store customer data. (D)

Why should AWS IAM permissions be configured for accessing secure credentials?

To ensure only specific users can view the credentials. (A)

What is the primary function of the Lambda function created in the customer data scenario?

To poll the Amazon SQS FIFO queue and store data in the database (D)

Which configuration would help minimize data transfer costs when sharing S3 bucket data with a European marketing firm?

Set up S3 Cross-Region Replication to the firm's S3 bucket (A)

What is the best way to prevent accidental deletion of confidential audit documents in an S3 bucket?

Enable the versioning and MFA Delete features on the S3 bucket (D)

If the SQL database performance is inadequate during script execution, what could be a potential solution?

Schedule script execution during non-peak business hours (A)

What feature should be enabled on the S3 bucket to ensure that previous versions of deleted files can be recovered?

S3 Versioning (D)

When configuring access to the S3 bucket, which principle should be followed to enhance security?

Implement least privilege access for audit team IAM users (A)

Which method pairs well with S3 Intelligent-Tiering for efficient storage management?

Enabling lifecycle policies to transition data (C)

What is a major benefit of using the Amazon Simple Queue Service (SQS) FIFO queue for customer data?

Guarantees that messages are processed exactly once and in the exact order they are sent (A)

Study Notes

AWS Solutions Architect Practice Exams - Questions

• A company using AWS S3 buckets wants to ensure unauthorized configuration changes don't occur. To achieve this, they should enable AWS Config with appropriate rules.
• A company needs to allow a product manager without an AWS account to access an Amazon CloudWatch dashboard. Creating an IAM user specifically for the product manager, attaching the CloudWatchReadOnlyAccess managed policy, and sharing the dashboard URL with the product manager is the best solution adhering to least privilege.
• For an application deployed across different AWS accounts managed by AWS Organizations, the recommended SSO solution is to use AWS Organizations to manage user credentials and policies for all accounts.
• A company running an image-processing application in a single VPC across multiple Availability Zones, using a single NAT gateway for S3 communication faces data transfer costs. The most cost-effective way to avoid regional data transfer charges is to deploy a gateway VPC endpoint for Amazon S3.
• To ensure an ingestion workflow that includes an SNS topic and Lambda function can handle occasional network connectivity issues, implement the following:
  • Create an Amazon SQS queue and subscribe it to the SNS topic.
  • Modify the Lambda function to read from the SQS queue.
• A company's marketing application using SFTP for data upload needs to handle traffic spikes efficiently. Using a DynamoDB table in on-demand capacity mode provides flexibility and adapts to quick traffic changes.
• To securely share an encrypted AMI with an MSP Partner's AWS account, the solutions architect should modify the launchPermission property of the AMI to share it with the MSP Partner's account. Additionally, they should modify the KMS key policy to grant access to the MSP Partner's account for using the key.
• For a stateless processor application that needs to handle jobs in parallel, a loosely coupled design with durable job storage is required. The best solution is to create an Amazon SNS topic to send jobs, use an Auto Scaling group with an AMI for the processor application, and store the uploaded documents in an Amazon S3 bucket with a Lifecycle policy for periodic archiving.
• A company wants to securely connect multiple web servers to an Amazon RDS MySQL Multi-AZ DB instance while frequently rotating user credentials. The recommended solution is to store the database user credentials in AWS Secrets Manager and grant the web servers necessary IAM permissions to access Secrets Manager.
• To handle database upgrade events where Lambda functions fail to connect to an Aurora MySQL database, the recommended solution is to provision an Amazon RDS proxy between the Lambda functions and the database. This allows the Lambda functions to continue connecting through the proxy, ensuring database connectivity during upgrades.
• A company wants to minimize data transfer costs when sharing 3TB of data with a European marketing firm using S3 buckets. Using S3 Cross-Region Replication from the company's S3 bucket to one of the marketing firm's S3 buckets is the most cost-effective solution for data transfer between regions.
• To secure confidential audit documents in an S3 bucket, where accidental deletion is a concern, enabling versioning and MFA Delete features on the S3 bucket is the recommended solution.
• A company's SQL database used for storing movie data suffers from performance issues during script execution. The recommended solution is to configure the script to execute outside business hours, avoiding impact on development tasks during peak times.

Description

This quiz covers essential concepts for AWS Solutions Architect certification, focusing on best practices for S3, IAM, and AWS Organizations. Test your knowledge on how to manage configurations, user access, and effective resource usage in AWS environments.