Certification : AWS Certified Solutions Architect Associate Practice Exams Set 3

You are working as a Solutions Architect for a government project in which they are building an online portal to allow people to pay their taxes and claim their tax refunds online. Due to the confidentiality of data, the security policy requires that the application hosted in EC2 encrypts the data first before writing it to the disk for storage.   

In this scenario, which service would you use to meet this requirement?


Options are :

  • Security Token Service
  • EBS encryption
  • Elastic File System (EFS)
  • AWS KMS API (Correct)

Answer : AWS KMS API

You are working as a Solutions Architect in a new startup that provides storage for high-quality photos which are infrequently accessed by the users. To make the architecture cost-effective, you designed the cloud service to use an S3 One Zone-Infrequent Access (S3 One Zone-IA) storage type for free users and an S3 Standard-Infrequent Access (S3 Standard-IA) storage type for premium users. When your manager found out about this, he asked you about the trade-offs of using S3 One Zone-IA instead of the S3 Standard-IA. 

What will you say to your manager? (Choose 2)


Options are :

  • Unlike other Amazon object storage classes, which store data in a minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in a single AZ. (Correct)
  • Storing data in S3 One Zone-IA costs less than storing it in S3 Standard-IA. (Correct)
  • Storing data in S3 One Zone-IA costs more than storing it in S3 Standard-IA but provides more durability.
  • Unlike other Amazon object storage classes, which store data in a minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in two AZs only. Hence the name, One Zone-IA since the data replication is skipped in one Availability Zone.
  • S3 One Zone-IA offers lower durability and low throughput compared with Amazon S3 Standard and S3 Standard-IA which is why it has a low per GB storage price and per GB retrieval fee.

Answer : Unlike other Amazon object storage classes, which store data in a minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in a single AZ. Storing data in S3 One Zone-IA costs less than storing it in S3 Standard-IA.

A Docker application, which is running on an Amazon ECS cluster behind a load balancer, is heavily using DynamoDB. You are instructed to improve the database performance by distributing the workload evenly and using the provisioned throughput efficiently.   

Which of the following would you consider to implement for your DynamoDB table?


Options are :

  • Reduce the number of partition keys in the DynamoDB table.
  • Use partition keys with high-cardinality attributes, which have a large number of distinct values for each item. (Correct)
  • Use partition keys with low-cardinality attributes, which have a few number of distinct values for each item.
  • Avoid using a composite primary key, which is composed of a partition key and a sort key.

Answer : Use partition keys with high-cardinality attributes, which have a large number of distinct values for each item.

You are designing a banking portal which uses Amazon ElastiCache for Redis as its distributed session management component. Since the other Cloud Engineers in your department have access to your ElastiCache cluster, you have to secure the session data in the portal by requiring them to enter a password before they are granted permission to execute Redis commands.   

As the Solutions Architect, which of the following should you do to meet the above requirement?


Options are :

  • Set up an IAM Policy and MFA which requires the Cloud Engineers to enter their IAM credentials and token before they can access the ElastiCache cluster.
  • Set up a Redis replication group and enable the AtRestEncryptionEnabled parameter.
  • Authenticate the users using Redis AUTH by creating a new Redis Cluster with both the --transit-encryption-enabled and --auth-token parameters enabled. (Correct)
  • Enable the in-transit encryption for Redis replication groups.

Answer : Authenticate the users using Redis AUTH by creating a new Redis Cluster with both the --transit-encryption-enabled and --auth-token parameters enabled.

You have identified a series of DDoS attacks while monitoring your VPC. As the Solutions Architect, you are responsible in fortifying your current cloud infrastructure to protect the data of your clients. 

Which of the following is the most suitable solution to mitigate these kinds of attacks?


Options are :

  • Use AWS Shield to detect and mitigate DDoS attacks. (Correct)
  • Using the AWS Firewall Manager, set up a security layer that will prevent SYN floods, UDP reflection attacks and other DDoS attacks.
  • Set up a web application firewall using AWS WAF to filter, monitor, and block HTTP traffic.
  • A combination of Security Groups and Network Access Control Lists to only allow authorized traffic to access your VPC.

Answer : Use AWS Shield to detect and mitigate DDoS attacks.

A VPC has a non-default public subnet which has four On-Demand EC2 instances that can be accessed over the Internet. Using the AWS CLI, you launched a fifth instance that uses the same subnet, Amazon Machine Image (AMI), and security group which are being used by the other instances. Upon testing, you are not able to access the new instance.   

Which of the following is the most suitable solution to solve this problem?


Options are :

  • Include the fifth EC2 instance to the Placement Group of the other four EC2 instances and enable Enhanced Networking.
  • Set up a NAT gateway to allow access to the fifth EC2 instance.
  • Configure the routing table for the public subnet to explicitly include the fifth EC2 instance.
  • Associate an Elastic IP address to the fifth EC2 instance. (Correct)

Answer : Associate an Elastic IP address to the fifth EC2 instance.

Your manager has asked you to deploy a mobile application that can collect votes for a popular singing competition. Millions of users from around the world will submit votes using their mobile phones. These votes must be collected and stored in a highly scalable and highly available data store which will be queried for real-time ranking.

Which of the following combination of services should you use to meet this requirement?


Options are :

  • Amazon DynamoDB and AWS AppSync (Correct)
  • Amazon Redshift and AWS Mobile Hub
  • Amazon Relational Database Service (RDS) and Amazon MQ
  • Amazon Aurora and Amazon Cognito

Answer : Amazon DynamoDB and AWS AppSync

You were recently promoted to a technical lead role in your DevOps team. Your company has an existing VPC which is quite un-



utilized for the past few months. The business manager instructed you to integrate your on-premises data center and your VPC. You explained the list of tasks that you'll be doing and mentioned about a Virtual Private Network (VPN) connection. The business manager is not tech-savvy but he is interested to know what a VPN is and its benefits.

What is one of the major advantages of having a VPN in AWS?


Options are :

  • Security is automatically managed by AWS.
  • You can connect your AWS cloud resources to on-premises data centers using VPN connections. (Correct)
  • You can provision unlimited number of Amazon S3 and Glacier resources.
  • None of the above

Answer : You can connect your AWS cloud resources to on-premises data centers using VPN connections.

You are the Solutions Architect for your company's AWS account of approximately 300 IAM users. They have a new company policy that will change the access of 100 of the IAM users to have a particular sort of access to Amazon S3 buckets.

What will you do to avoid the time-consuming task of applying the policy at the individual user?


Options are :

  • Create a new IAM group and then add the users that require access to the S3 bucket. Afterwards, apply the policy to IAM group. (Correct)
  • Create a new policy and apply it to multiple IAM users using a shell script.
  • Create a new S3 bucket access policy with unlimited access for each IAM user.
  • Create a new IAM role and add each user to the IAM role.

Answer : Create a new IAM group and then add the users that require access to the S3 bucket. Afterwards, apply the policy to IAM group.

You are a Solutions Architect for a global news company. You are configuring a fleet of EC2 instances in a subnet which currently is in a VPC with an Internet gateway attached. All of these EC2 instances can be accessed from the Internet. You then launch another subnet and launch an EC2 instance in it, however you are not able to access the EC2 instance from the Internet.   

What could be the possible reasons for this issue? (Choose 2)


Options are :

  • The Amazon EC2 instance does not have a public IP address associated with it. (Correct)
  • The Amazon EC2 instance is not a member of the same Auto Scaling group.
  • The Amazon EC2 instance is running in an Availability Zone that does not support Internet access.
  • The route table is not configured properly to send traffic from the EC2 instance to the Internet through the Internet gateway. (Correct)
  • The route table is not configured properly to send traffic from the EC2 instance to the Internet through the customer gateway (CGW).

Answer : The Amazon EC2 instance does not have a public IP address associated with it. The route table is not configured properly to send traffic from the EC2 instance to the Internet through the Internet gateway.

You are working for a data analytics company as a Software Engineer, which has a client that is setting up an innovative checkout-free grocery store. You developed a monitoring application that uses smart sensors to collect the items that your customers are getting from the grocery’s refrigerators and shelves then automatically maps it to their accounts. To know more about the buying behavior of your customers, you want to analyze the items that are constantly being bought and store the results in S3 for durable storage.   

What service can you use to easily capture, transform, and load streaming data into Amazon S3, Amazon Elasticsearch Service, and Splunk? 


Options are :

  • Amazon Kinesis Data Firehose (Correct)
  • Amazon Kinesis
  • Amazon Redshift
  • Amazon Macie

Answer : Amazon Kinesis Data Firehose

A large financial company has recently adopted a hybrid cloud architecture to integrate their on-premises data center and their AWS Cloud. Your manager has instructed you to create a new VPC network topology which must support all Internet-facing web applications as well as the internally-facing applications that is accessed by employees only over VPN. To ensure high-availability and fault tolerance, both of their Internet-facing and internally-facing financial applications must be able to leverage at least two AZs for high availability.

What is the minimum number of subnets that you must create within your VPC to accommodate these requirements?


Options are :

  • 1 subnet
  • 2 subnets
  • 3 subnets
  • 4 subnets (Correct)

Answer : 4 subnets

A manufacturing company has EC2 instances running in AWS. The EC2 instances are configured with Auto Scaling. There are a lot of requests being lost because of too much load on the servers. The Auto Scaling is launching new EC2 instances to take the load accordingly yet, there are still some requests that are being lost.

Which of the following is the most cost-effective solution to avoid losing recently submitted requests?


Options are :

  • Use an SQS queue to decouple the application components (Correct)
  • Keep one extra Spot EC2 instance always ready in case a spike occurs.
  • Use larger instances for your application
  • Pre-warm your Elastic Load Balancer

Answer : Use an SQS queue to decouple the application components

You have an On-Demand EC2 instance located in a subnet in AWS which hosts a web application. The security group attached to this EC2 instance has the following Inbound Rules:

?

The Route table attached to the VPC is shown below. You can establish an SSH connection into the EC2 instance from the internet. However, you are not able to connect to the web server using your Chrome browser.
?

Which of the below steps would resolve the issue?


Options are :

  • In the Security Group, add an Inbound HTTP rule. (Correct)
  • In the Security Group, remove the SSH rule.
  • In the Route table, add this new route entry: 0.0.0.0 -> igw-b51618cc
  • In the Route table, add this new route entry: 10.0.0.0/27 -> local

Answer : In the Security Group, add an Inbound HTTP rule.

You are working for a startup as its AWS Chief Architect. You are currently assigned on a project that develops an online registration platform for events, which uses Simple Workflow for complete control of your orchestration logic. A decider ingests the customer name, address, contact number, and email address while the activity workers update the customer with the status of their online application status via email. Recently, you were having problems with your online registration platform which was solved by checking the decision task of your workflow.   

In SWF, what is the purpose of a decision task?


Options are :

  • It defines all the activities in the workflow.
  • It tells the decider the state of the workflow execution. (Correct)
  • It tells the worker to perform a function.
  • It represents a single task in the workflow.

Answer : It tells the decider the state of the workflow execution.

You are a Solutions Architect in your company where you are tasked to set up a cloud infrastructure. In the planning, it was discussed that you will need two EC2 instances which should continuously run for three years. The CPU utilization of the EC2 instances is also expected to be stable and predictable.

Which is the most cost-efficient Amazon EC2 Pricing type that is most appropriate for this scenario?


Options are :

  • Reserved Instances (Correct)
  • On-Demand instances
  • Spot instances
  • Dedicated Hosts

Answer : Reserved Instances

You are working as a Solutions Architect for an aerospace manufacturer which heavily uses AWS. They are running a cluster of multi-tier applications that spans multiple servers for your wind simulation model and how it affects your state-of-the-art wing design. Currently, you are experiencing a slowdown in your applications and upon further investigation, it was discovered that it is due to latency issues.   

Which of the following EC2 features should you use to optimize performance for a compute cluster that requires low network latency? 


Options are :

  • Multiple Availability Zones
  • AWS Direct Connect
  • EC2 Dedicated Instances
  • Placement Groups (Correct)

Answer : Placement Groups

You installed sensors to track the number of visitors that goes to the park. The data is sent everyday to an Amazon Kinesis stream with default settings for processing, in which a consumer is configured to process the data every other day. You noticed that your S3 bucket is not receiving all of the data that is being sent to the Kinesis stream. You checked the sensors if they are properly sending the data to Amazon Kinesis and verified that the data is indeed sent everyday.

What could be the reason for this?


Options are :

  • There is a problem in the sensors. They probably had some intermittent connection hence, the data is not sent to the stream.
  • By default, Amazon S3 stores the data for 1 day and moves it to Amazon Glacier.
  • Your AWS account was hacked and someone has deleted some data in your Kinesis stream.
  • By default, the data records are only accessible for 24 hours from the time they are added to a Kinesis stream. (Correct)

Answer : By default, the data records are only accessible for 24 hours from the time they are added to a Kinesis stream.

You are automating the creation of EC2 instances in your VPC. Hence, you wrote a python script to trigger the Amazon EC2 API to request 50 EC2 instances in a single Availability Zone. However, you noticed that after 20 successful requests, subsequent requests failed.

What could be a reason for this issue and how would you resolve it?


Options are :

  • There was an issue with the Amazon EC2 API. Just resend the requests and these will be provisioned successfully.
  • By default, AWS allows you to provision a maximum of 20 instances per region. Select a different region and retry the failed request.
  • By default, AWS allows you to provision a maximum of 20 instances per Availability Zone. Select a different Availability Zone and retry the failed request.
  • There is a soft limit of 20 instances per region which is why subsequent requests failed. Just submit the limit increase form to AWS and retry the failed requests once approved. (Correct)

Answer : There is a soft limit of 20 instances per region which is why subsequent requests failed. Just submit the limit increase form to AWS and retry the failed requests once approved.

You are working as an IT Consultant for a large investment bank that generates large financial datasets with millions of rows. The data must be stored in a columnar fashion to reduce the number of disk I/O requests and reduce the amount of data needed to load from the disk. The bank has an existing third-party business intelligence application which will connect to the storage service and then generate daily and monthly financial reports for its clients around the globe. 

In this scenario, which is the best storage service to use to meet the requirement?


Options are :

  • Amazon Redshift (Correct)
  • Amazon RDS
  • Amazon Aurora
  • DynamoDB

Answer : Amazon Redshift

A global online sports betting company has its popular web application hosted in AWS. They are planning to develop a new online portal for their new business venture and they hired you to implement the cloud architecture for a new online portal that will accept bets globally for world sports. You started to design the system with a relational database that runs on a single EC2 instance, which requires a single EBS volume that can support up to 30,000 IOPS.   

In this scenario, which Amazon EBS volume type can you use that will meet the performance requirements of this new online portal?


Options are :

  • EBS Provisioned IOPS SSD (Correct)
  • EBS Throughput Optimized HDD
  • EBS General Purpose SSD
  • EBS Cold HDD

Answer : EBS Provisioned IOPS SSD

A large insurance company has an AWS account that contains three VPCs (DEV, UAT and PROD) in the same region. UAT is peered to both PROD and DEV using a VPC peering connection. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market.

Which of the following options helps the company accomplish this?


Options are :

  • Create a new VPC peering connection between PROD and DEV with the appropriate routes. (Correct)
  • Create a new entry to PROD in the DEV route table using the VPC peering connection as the target.
  • Change the DEV and PROD VPCs to have overlapping CIDR blocks to be able to connect them.
  • Do nothing. Since these two VPCs are already connected via UAT, they already have a connection to each other.

Answer : Create a new VPC peering connection between PROD and DEV with the appropriate routes.

You are working for an insurance firm as their Senior Solutions Architect. The firm has an application which processes thousands of customer data stored in an Amazon MySQL database with Multi-AZ deployments configuration for high availability in case of downtime. For the past few days, you noticed an increasing trend of read and write operations, which is increasing the latency of the queries to your database. You are planning to use the standby database instance to balance the read and write operations from the primary instance. 

When running your primary Amazon RDS Instance as a Multi-AZ deployment, can you use the standby instance for read and write operations? 


Options are :

  • Yes
  • Only with Microsoft SQL Server-based RDS
  • Only for Oracle RDS instances
  • No (Correct)

Answer : No

A music company is storing data on Amazon Simple Storage Service (S3). The company’s security policy requires that data are encrypted at rest. Which of the following methods can achieve this? (Choose 2)


Options are :

  • Use SSL to encrypt the data while in transit to Amazon S3.
  • Use Amazon S3 server-side encryption with customer-provided keys. (Correct)
  • Use Amazon S3 bucket policies to restrict access to the data at rest.
  • Use Amazon S3 server-side encryption with EC2 key pair.
  • Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key. (Correct)

Answer : Use Amazon S3 server-side encryption with customer-provided keys. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key.

You are working for an investment bank as their IT Consultant. You are working with their IT team to handle the launch of their digital wallet system. The applications will run on multiple EBS-backed EC2 instances which will store the logs, transactions, and billing statements of the user in an S3 bucket. Due to tight security and compliance requirements, you are exploring options on how to safely store sensitive data on the EBS volumes and S3.   

Which of the below options should be carried out on AWS when storing sensitive data? (Choose 2)


Options are :

  • Create an EBS Snapshot
  • Enable EBS Encryption (Correct)
  • Migrate the EC2 instances from the public to private subnet.
  • Enable Amazon S3 Server-Side and Client-Side Encryption (Correct)
  • Use AWS Shield and WAF

Answer : Enable EBS Encryption Enable Amazon S3 Server-Side and Client-Side Encryption

A document sharing website is using AWS as its cloud infrastructure. Free users can upload a total of 5 GB data while premium users can upload as much as 5 TB. Their application uploads the user files, which can have a max file size of 1 TB, to an S3 Bucket.

In this scenario, what is the best way for the application to upload the large files in S3?


Options are :

  • Use a single PUT request to upload the large file
  • Use Amazon Snowball
  • Use AWS Import/Export
  • Use Multipart Upload (Correct)

Answer : Use Multipart Upload

One of your clients wants to leverage on Amazon S3 and Amazon Glacier as part of their backup and archive infrastructure. They created a new S3 bucket called “tutorialsdojobackup”. To support this integration between AWS and their on-premises network, they decided to use a third-party software.

Which approach will limit the access of the third party software to the Amazon S3 bucket only and not to other AWS resources?


Options are :

  • Setup a custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive “tutorialsdojobackup”.
  • A custom S3 bucket policy limited to the Amazon S3 API in “tutorialsdojobackup”.
  • A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive “tutorialsdojobackup”.
  • In IAM, setup a custom user policy for the third party software that is limited to the Amazon S3 API in the "tutorialsdojobackup" bucket. (Correct)

Answer : In IAM, setup a custom user policy for the third party software that is limited to the Amazon S3 API in the "tutorialsdojobackup" bucket.

You are working for a Social Media Analytics company as its head data analyst. You want to collect gigabytes of data per second from websites and social media feeds to gain insights from data generated by its offerings and continuously improve the user experience. To meet this design requirement, you have developed an application hosted on an Auto Scaling group of Spot EC2 instances which processes the data and stores the results to DynamoDB and Redshift.   

Which AWS service can you use to collect and process large streams of data records in real time? 


Options are :

  • Amazon S3
  • Amazon Redshift
  • Amazon SWF
  • Amazon Kinesis Data Streams (Correct)

Answer : Amazon Kinesis Data Streams

You are working for a startup company that has resources deployed on the AWS Cloud. Your company is now going through a set of scheduled audits by an external auditing firm for compliance.   

Which of the following services available in AWS can be utilized to help ensure the right information are present for auditing purposes?


Options are :

  • AWS CloudTrail (Correct)
  • AWS VPC
  • AWS EC2
  • AWS Cloudwatch

Answer : AWS CloudTrail

You are working for a FinTech startup as their AWS Solutions Architect. You deployed an application on different EC2 instances with Elastic IP addresses attached for easy DNS resolution and configuration. These servers are only accessed from 8 AM to 6 PM and can be stopped from 6 PM to 8 AM for cost efficiency using Lambda with the script that automates this based on tags.   

Which of the following will occur when an EC2-VPC instance with an associated Elastic IP is stopped and started? (Choose 2) 


Options are :

  • The underlying host for the instance is possibly changed. (Correct)
  • The ENI (Elastic Network Interface) is detached.
  • All data on the attached instance-store devices will be lost. (Correct)
  • The Elastic IP address is disassociated with the instance.
  • There will be no changes.

Answer : The underlying host for the instance is possibly changed. All data on the attached instance-store devices will be lost.