AWS Solutions Architect Professional Practice Questions
1. Company A has hired you to assist with the migration of an interactive website that allows registered users to rate local restaurants. Updates to the ratings are displayed on the home page, and ratings are updated in real time. Although the website is not very popular today, the company anticipates that it will grow rapidly over the next few weeks. They want the site to be highly available. The current architecture consists of a single Windows Server 2008 R2 web server and a MySQL database running on Linux. Both reside inside an on-premises hypervisor.
What would be the most efficient way to transfer the application to AWS, ensuring performance and high availability?
- Use AWS VM Import/Export to create an Amazon Elastic Compute Cloud (EC2) Amazon Machine Image (AMI) of the web server. Configure Auto Scaling to launch two web servers in us-west-1a and two in us-east-1b. Launch a Multi-AZ MySQL Amazon Relational Database Service (RDS) instance in us-west-1b. Import the data into Amazon RDS from the latest MySQL backup. Use Amazon Route 53 to create a hosted zone and point an A record to the elastic load balancer
- Export web files to an Amazon S3 bucket in us-west-1. Run the website directly out of Amazon S3. Launch a multi-AZ MySQL Amazon RDS instance in us-west-1a. Import the data into Amazon RDS from the latest MySQL backup. Use Route 53 and create an alias record pointing to the elastic load balancer
- Use AWS VM Import/Export to create an Amazon EC2 AMI of the web server. Configure auto-scaling to launch two web servers in us-west-1a and two in us-west-1b. Launch a multi-AZ MySQL Amazon RDS instance in us-west-1a. Import the data into Amazon RDS from the latest MySQL backup. Create an elastic load balancer to front your web servers. Use Amazon Route 53 and create an A record pointing to the elastic load balancer
- Launch two Windows Server 2008 R2 instances in us-west-1b and two in us-west-1a. Copy the web files from the on-premises web server to each Amazon EC2 web server, using Amazon S3 as the repository. Launch a multi-AZ MySQL Amazon RDS instance in us-west-2a. Import the data into Amazon RDS from the latest MySQL backup. Create an elastic load balancer to front your web servers. Use Route 53 and create an alias record pointing to the elastic load balancer.
2. A marketing research company has developed a tracking system that collects user behavior during web marketing campaigns on behalf of their customers all over the world. The tracking system consists of an auto-scaled group of Amazon Elastic Compute Cloud (EC2) instances behind an elastic load balancer (ELB), and the collected data is stored in Amazon DynamoDB. After the campaign is terminated, the tracking system is torn down and the data is moved to Amazon Redshift, where it is aggregated, analyzed and used to generate detailed reports.
The company wants to be able to instantiate new tracking systems in any region without any manual intervention and therefore adopted AWS CloudFormation.
What needs to be done to make sure that the AWS CloudFormation template works in every AWS region?
Choose 2 answers
- Avoid using DeletionPolicies for EBS snapshots
- The names of the Amazon DynamoDB tables must be different in every target region
- Use the built-in Mappings and FindInMap functions of AWS CloudFormation to refer to the AMI ID set in the ImageId attribute of the Auto Scaling::LaunchConfiguration resource
- IAM users with the right to start AWS CloudFormation stacks must be defined for every target region.
- Use the built-in function of AWS CloudFormation to set the AvailabilityZone attribute of the ELB resource
3. A development team that is currently doing a nightly six-hour build, which is lengthening over time, on-premises on a large and mostly underutilized server would like to transition to a continuous integration model of development on AWS with multiple builds triggered within the same day. However, they are concerned about cost, security, and how to integrate with existing on-premises applications such as their LDAP and email servers, which cannot move off-premises. The development environment needs a source code repository, a project management system with a MySQL database, resources for performing the builds, and a storage location for QA to pick up builds from. What AWS services combination would you recommend to meet the development team’s requirements?
- A Bastion host Amazon Elastic Compute Cloud (EC2) instance running a VPN server for access from on-premises, Amazon EC2 for the source code repository with attached Amazon Elastic Block Store (EBS) volumes, Amazon EC2 and Amazon Relational Database Service (RDS) MySQL for the project management system, EIPs for the source code repository and project management system, Amazon Simple Queue Service (SQS) for a build queue, An Auto Scaling group of Amazon EC2 instances for performing builds, and Amazon Simple Email Service for sending the build output
- An AWS Storage Gateway for connecting on-premises software applications with cloud-based storage securely, Amazon EC2 for the source code repository with attached Amazon EBS volumes, Amazon EC2 and Amazon RDS MySQL for the project management system, EIPs for the source code repository and project management system, Amazon Simple Notification Service (SNS) for a notification-initiated build, An Auto Scaling group of Amazon EC2 instances for performing builds, and Amazon S3 for the build output.
- An AWS Storage Gateway for connecting on-premises software applications with cloud-based storage securely, Amazon EC2 for the source code repository with attached Amazon EBS volumes, Amazon EC2 and Amazon RDS MySQL for the project management system, EIPs for the source code repository and project management system, Amazon SQS for a build queue, An Amazon Elastic MapReduce (EMR) cluster of Amazon EC2 instances for performing builds, and Amazon CloudFront for the build output.
- A VPC with a VPN Gateway back to their on-premises servers, Amazon EC2 for the source-code repository with attached Amazon EBS volumes, Amazon EC2 and Amazon RDS MySQL for the project management system, EIPs for the source code repository and project management system, SQS for a build queue, An Auto Scaling group of EC2 instances for performing builds, and S3 for the build output
4. A large enterprise wants to adopt CloudFormation to automate administrative tasks and implement the security principles of least privilege and separation of duties. They have identified the following roles with the corresponding tasks in the company:
• network administrators: create, modify and delete VPCs, subnets, NACLs, routing tables, and security groups
• application operators: deploy complete application stacks (ELB, Auto-Scaling groups, RDS) whereas all resources must be deployed in the VPCs managed by the network administrators
Both groups must maintain their own CloudFormation templates and should be able to create, update and delete only their own CloudFormation stacks.
The company has followed your advice to create two IAM groups, one for applications and one for networks. Both IAM groups are attached to IAM policies that grant rights to perform the necessary task of each group as well as the creation, update and deletion of CloudFormation stacks.
Given setup and requirements, which statements represent valid design considerations?
Choose 2 answers
- Network stack updates will fail upon attempts to delete a subnet with EC2 instances
- Restricting the launch of EC2 instances into VPCs requires resource level permissions in the IAM policy of the application group
- Nesting network stacks within application stacks simplifies management and debugging, but requires resource level permissions in the IAM policy of the network group
- Unless resource level permissions are used on the cloudformation:DeleteStack action, network administrators could tear down application stacks
- The application stack cannot be deleted before all network stacks are deleted
5. To enable end-to-end HTTPS connections from the user's browser to the origin via CloudFront, which of the following options would be valid?
Choose 2 answers
- Use a self signed certificate in the origin and CloudFront default certificate in CloudFront
- Use the CloudFront default certificate in both the origin and CloudFront
- Use third-party CA certificate in the origin and CloudFront default certificate in CloudFront
- Use third-party CA certificate in both the origin and CloudFront
- Use a self signed certificate in both the origin and CloudFront
6. A customer is running an application in the US-West (Northern California) region and wants to set up disaster recovery failover to the Asia Pacific (Singapore) region. The customer is interested in achieving a low Recovery Point Objective (RPO) for an Amazon Relational Database Service (RDS) multi-AZ MySQL database instance. Which approach is best suited to this need?
- Synchronous replication
- Asynchronous replication
- Route53 health checks
- Copying of RDS incremental snapshots
7. A document storage company is deploying their application to AWS and changing their business model to support both Free Tier and Premium Tier users. The Premium Tier users will be allowed to store up to 200GB of data and Free Tier customers will be allowed to store only 5GB. The customer expects that billions of files will be stored. All users need to be alerted when approaching 75 percent quota utilization and again at 90 percent quota use.
To support the Free Tier and Premium Tier users, how should they architect their application?
- The company should utilize an Amazon Simple Workflow Service activity worker that updates the user's used data counter in Amazon DynamoDB. The Activity Worker will use Simple Email Service to send an email if the counter increases above the appropriate thresholds.
- The company should deploy an Amazon Relational Database Service (RDS) relational database with a stored objects table that has a row for each stored object along with the size of each object. The upload server will query the aggregate consumption of the user in question (by first determining the files stored by the user, and then querying the stored objects table for respective file sizes) and send an email via Amazon Simple Email Service if the thresholds are breached.
- The company should write both the content length and the username of the file's owner as S3 metadata for the object. They should then create a file watcher to iterate over each object and aggregate the size for each user and send a notification via Amazon Simple Queue Service to an emailing service if the storage threshold is exceeded
- The company should create two separate Amazon Simple Storage Service buckets, one for data storage for Free Tier Users, and another for data storage for Premium Tier users. An Amazon Simple Workflow Service activity worker will query all objects for a given user based on the bucket the data is stored in and aggregate storage. The activity worker will notify the user via Amazon Simple Notification Service when necessary.
8. A public archives organization is about to move a pilot application they are running on AWS into production. You have been hired to analyze their application architecture and give cost-saving recommendations. The application displays scanned historical documents.
What are your recommendations?
Choose 3 answers
- Deploy an Amazon CloudFront distribution in front of the Amazon S3 tiles bucket
- Increase the size (width/height) of the individual tiles at the maximum zoom level
- Store the maximum zoom level in the low cost Amazon S3 Glacier option and only retrieve the most frequently accessed tiles as they are requested by users.
- Use Amazon S3 Reduced Redundancy Storage for each zoom level.
- Decrease the size (width/height) of the individual tiles at the maximum zoom level.
9. Your multi-national customer wants to rewrite a website portal to “take advantage of AWS best practices”. Other information that you have for this large Enterprise customer is as follows:
• Part of the portal is an employee-only section, and authentication must be against the corporate Active Directory.
• You used a web analytics website to discover that on average there were 140,000 visitors per month over the past year, a peak of 187,000 unique visitors last month, and a minimum of 109,000 unique visitors two months ago. You have no information about what percentage of these visitors represents employees who signed into the portal.
• The web analytics website also revealed that traffic breakdown is 40 percent South America, 50 percent North America, and 10 percent other.
• The customer’s primary data center is located in Sao Paulo Brazil.
• Their chief technology officer believes that response time for logging in to the employee portal is a primary metric, because employees complain that the current website is too slow in this regard.
When you present your proposed application architecture to the customer, which of the following should you propose as part of the architecture?
Choose 3 answers
- A three-subnet VPC, with an AD controller in the AWS region. The AWS AD controller will be part of the primary AD controller’s forest, and will synchronize with the corporate controller over a dedicated pipe to the corporate data center
- Do not use Amazon CloudFront, because the employees who log in to the portal have unique (private) session data that should not be cached in a content delivery network.
- A three-subnet VPC, with all AD calls traversing a dedicated pipe to the corporate data center
- Establish the AWS presence in the US-EAST region, with a dedicated pipe to the corporate data center.
- Establish the AWS presence in multiple regions: SA-EAST, and also US-EAST, with a dedicated pipe from both SA-EAST and US-EAST to the corporate data center – and also a dedicated connection between regions. Replicate data as needed between the regions. Use a geo load balancer to determine which region is primary for a given user.
- Use Amazon CloudFront to cache pages for users at the nearest edge location.
10. For a 3-tier, customer facing, inclement weather site utilizing a MySQL database running in a Region which has two AZs (Availability Zone), which architecture provides fault tolerance within the Region for the application that minimally requires 6 web tier servers and 6 application tier servers running in the web and application tiers and one MySQL database?
- A web tier deployed in 2 AZs with 6 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (Elastic Load Balancer), and an application tier deployed in 2 AZs with 6 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB, and a Multi-AZ RDS (Relational Database Service) deployment
- A web tier deployed in 2 AZs with 3 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (Elastic Load Balancer), and an application tier deployed in 2 AZs with 3 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB, and a Multi-AZ RDS (Relational Database Service) deployment.
- A web tier deployed in 2 AZs with 3 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (Elastic Load Balancer), and an application tier deployed in 2 AZs with 6 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB, and one RDS (Relational Database Service) instance deployed with read replicas in the other AZ.
- A web tier deployed in 1 AZ with 6 EC2 (Elastic Compute Cloud) instances inside an Auto Scaling Group behind an ELB (Elastic Load Balancer), and an application tier deployed in the same AZ with 6 EC2 instances inside an Auto Scaling Group behind an ELB, and a Multi-AZ RDS (Relational Database Service) deployment, with 6 stopped web tier EC2 instances and 6 stopped application tier EC2 instances all in the other AZ ready to be started if any of the running instances in the first AZ fails.
11. A gaming company adopted AWS CloudFormation to automate load-testing of their games. They have created an AWS CloudFormation template for each gaming environment and one for the load-testing stack. The load-testing stack creates an Amazon Relational Database Service (RDS) Postgres database and two web servers running on Amazon Elastic Compute Cloud (EC2) that send HTTP requests, measure response times, and write the results into the database. A test run usually takes between 15 and 30 minutes. Once the tests are done, the AWS CloudFormation stacks are torn down immediately. The test results written to the Amazon RDS database must remain accessible for visualization and analysis.
Select possible solutions that allow access to the test results after the AWS CloudFormation load-testing stack is deleted.
Choose 2 answers
- Define an update policy to prevent deletion of the Amazon RDS database after the AWS CloudFormation stack is deleted.
- Define a deletion policy of type Snapshot for the Amazon RDS resource to assure that the RDS database can be restored after the AWS CloudFormation stack is deleted.
- Define automated backups with a backup retention period of 30 days for the Amazon RDS database and perform point-in-time recovery of the database after the AWS CloudFormation stack is deleted.
- Define an Amazon RDS Read-Replica in the load-testing AWS CloudFormation stack and define a dependency relation between master and replica via the DependsOn attribute
- Define a deletion policy of type Retain for the Amazon RDS resource to assure that the RDS database is not deleted with the AWS CloudFormation stack.
12. You are an architect for a news-sharing mobile application. Anywhere in the world, your users can see local news on topics they choose. They can post pictures and videos from inside the application.
Since the application is being used on a mobile phone, connection stability is required for uploading content, and delivery should be quick.
Content is accessed a lot in the first minutes after it has been posted, but is quickly replaced by new content before disappearing. The local nature of the news means that 90 percent of the uploaded content is then read locally (less than a hundred kilometers from where it was posted).
What solution will optimize the user experience when users upload and view content (by minimizing page load times and minimizing upload times)?
- Upload and store the content in a central Amazon Simple Storage Service (S3) bucket, and use an Amazon CloudFront Distribution for content delivery.
- Upload and store the content in an Amazon Simple Storage Service (S3) bucket in the region closest to the user, and use multiple Amazon CloudFront distributions for content delivery
- Upload the content to an Amazon Elastic Compute Cloud (EC2) instance in the region closest to the user, send the content to a central Amazon Simple Storage Service (S3) bucket, and use an Amazon CloudFront distribution for content delivery.
- Use an Amazon CloudFront distribution for uploading the content to a central Amazon Simple Storage Service (S3) bucket and for content delivery.
13. A customer is deploying an SSL enabled Web application to AWS and would like to implement a separation of roles between the EC2 service administrators that are entitled to log in to Instances as well as making API calls and the security officers who will maintain and have exclusive access to the application's X.509 certificate that contains the private key.
Which configuration option could satisfy the above requirement?
- Configure the web servers to retrieve the certificate upon boot from a CloudHSM that is managed by the security officers.
- Configure system permissions on the web servers to restrict access to the certificate only to the authorized security officers.
- Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.
- Upload the certificate on an S3 bucket owned by the security officers and accessible only by the EC2 Role of the web servers.
14. You are designing security inside your VPC. You are considering the options for establishing separate security zones, and enforcing network traffic rules across the different zones to limit which instances can communicate.
How would you accomplish these requirements?
Choose 2 answers
- Configure multiple subnets in your VPC, one for each zone. Configure routing within your VPC in such a way that each subnet only has routes to other subnets with which it needs to communicate, and doesn't have routes to subnets with which it shouldn't be able to communicate.
- Configure your instances to use pre-set IP addresses with an IP address range for every security zone. Configure NACLs to explicitly allow or deny communication between the different IP address ranges, as required for interzone communication.
- Configure a security group for every zone. Configure a default allow all rule. Configure explicit deny rules for the zones that shouldn't be able to communicate with one another
- Configure a security group for every zone. Configure allow rules only between zones that need to be able to communicate with one another. Use the implicit deny all rule to block any other traffic.
15. Your company currently has a highly available web application running in production. The application’s web front-end utilizes an Elastic Load Balancer and Auto Scaling across three Availability Zones. During peak load, your web servers operate at 90% utilization and leverage a combination of Heavy Utilization Reserved Instances for steady state load and On-Demand and Spot Instances for peak load. You are tasked with designing a cost effective architecture to allow the application to recover quickly in the event that an Availability Zone is unavailable during peak load.
Which option provides the most cost effective high availability architectural design for this application?
- Continue to run your web front-end at 90% utilization, but leverage a high bid price strategy to cover the loss of any of the other Availability Zones during peak load.
- Increase use of spot instances to cost effectively scale the web front-end across all Availability Zones to lower aggregate utilization levels that will allow an Availability Zone to fail during peak load without affecting the application’s availability.
- Increase Auto Scaling capacity and scaling thresholds to allow the web front-end to cost effectively scale across all Availability Zones to lower aggregate utilization levels that will allow an Availability Zone to fail during peak load without affecting the application’s availability.
- Continue to run your web front-end at 90% utilization, but purchase an appropriate number of light utilization RIs in each Availability Zone to cover the loss of any of the other Availability Zones during peak load.
16. An Enterprise customer is starting their migration to the cloud. Their main reason for migrating is agility, and they want to make their internal Microsoft Active Directory available to any applications running on AWS, so that internal users only have to remember one set of credentials and there is a central point of user control for leavers and joiners. How could they make their Active Directory secure, and highly available, with minimal on-premises infrastructure changes, in the most cost and time-efficient way?
Choose the most appropriate:
- Using Amazon Elastic Compute Cloud (EC2), they could create a DMZ using a security group; within the security group they could provision two smaller Amazon EC2 instances that are running Openswan for resilient IPSEC tunnels, and two larger instances that are domain controllers; they would use multiple Availability Zones
- Using VPC, they could create an extension to their data center and make use of resilient hardware IPSEC tunnels; they could then have two domain controller instances that are joined to their existing domain and reside within different subnets, in different Availability Zones.
- Within the customer's existing infrastructure, they could provision new hardware to run Active Directory Federation Services; this would present Active Directory as a SAML2 endpoint on the internet; any new application on AWS could be written to authenticate using SAML2.
- The customer could create a stand-alone VPC with its own Active Directory Domain Controllers; two domain controller instances could be configured, one in each Availability Zone; new applications would authenticate with those domain controllers.
17. An AWS customer is deploying a web application that is composed of a front-end running on Amazon EC2 and confidential data that is stored on Amazon S3.
The customer's security policy requires that all access operations to this sensitive data must be authenticated and authorized by a centralized access management system that is operated by a separate security team.
In addition, the web application team that owns and administers the EC2 web front-end instances is prohibited from having any ability to access the data that circumvents this centralized access management system.
Which of the following configurations will support these requirements?
- Configure the web application to authenticate end-users against the centralized access management system. Have the web application provision trusted users STS tokens entitling the download of approved data directly from Amazon S3.
- Encrypt the data on Amazon S3 using a CloudHSM that is operated by the separate security team. Configure the web application to integrate with the CloudHSM for decrypting approved data access operations for trusted end-users.
- Configure the web application to authenticate end-users against the centralized access management system using SAML. Have the end-users authenticate to IAM using their SAML token and download the approved data directly from Amazon S3.
- Have the separate security team create an IAM Role that is entitled to access the data on Amazon S3. Have the web application team provision their instances with this Role while denying their IAM users access to the data on Amazon S3.
18. You have been asked to design network connectivity between your existing data centers and AWS. Your application’s EC2 instances must be able to connect to existing backend resources located in your data center. Network traffic between AWS and your data centers will start small, but ramp up to 10s of GB per second over the course of several months. The success of your application is dependent upon getting to market quickly. Which of the following design options will allow you to meet your objectives?
- Quickly submit a DirectConnect request to provision a 1 Gbps cross connect between your data center and VPC, then increase the number or size of your DirectConnect connections as needed
- Quickly create an internal ELB for your backend applications, submit a DirectConnect request to provision a 1 Gbps cross connect between your data center and VPC, then increase the number or size of your DirectConnect connections as needed
- Allocate EIPs and an Internet Gateway for your VPC instances to use for quick, temporary access to your backend applications, then provision a VPN connection between a VPC and existing on-premises equipment.
- Provision a VPN connection between a VPC and existing on-premises equipment, submit a DirectConnect partner request to provision cross connects between your data center and the DirectConnect location, then cut over from the VPN connection to one or more DirectConnect connections as needed.
19. You have an application running on an EC2 instance which will allow users to download files from a private S3 bucket using a pre-signed URL. Before generating the URL, the application should verify the existence of the file in S3.
How should the application use AWS credentials to access the S3 bucket securely?
- Create an IAM user for the application with permissions that allow list access to the S3 bucket; launch the instance as the IAM user, and retrieve the IAM user’s credentials from the EC2 instance user data.
- Create an IAM role for EC2 that allows list access to objects in the S3 bucket; launch the instance with the role, and retrieve the role’s credentials from the EC2 instance metadata
- Use the AWS account access keys; the application retrieves the credentials from the source code of the application.
- Create an IAM user for the application with permissions that allow list access to the S3 bucket; the application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.
20. A startup deploys its photo-sharing site in a VPC. An elastic load balancer distributes web traffic across two subnets. The load balancer session stickiness is configured to use the AWS-generated session cookie, with a session TTL of 5 minutes. The web server Auto Scaling group is configured as min-size=4, max-size=4.
The startup is preparing for a public launch, by running load-testing software installed on a single Amazon Elastic Compute Cloud (EC2) instance running in us-west-2a. After 60 minutes of load-testing, the web server logs show the following:
| Web server logs | # of HTTP requests from load-tester | # of HTTP requests from private beta users |
| --- | --- | --- |
| webserver #1 (subnet in us-west-2a) | 19,210 | 434 |
| webserver #2 (subnet in us-west-2a) | 21,790 | 490 |
| webserver #3 (subnet in us-west-2b) | 0 | 410 |
| webserver #4 (subnet in us-west-2b) | 0 | 428 |
Which recommendations can help ensure that load-testing HTTP requests are evenly distributed across the four webservers?
Choose 2 answers
- Launch and run the load-tester Amazon EC2 instance from us-east-1 instead.
- Use a third-party load-testing service which offers globally distributed test clients.
- Configure Elastic Load Balancing and Auto Scaling to distribute across us-west-2a and us-west-2b.
- Configure Elastic Load Balancing session stickiness to use the app-specific session cookie
- Re-configure the load-testing software to re-resolve DNS for each web request.
21. To meet regulatory requirements, a pharmaceuticals company needs to archive data after a drug trial test is concluded. Each drug trial test may generate up to several thousands of files, with compressed file sizes ranging from 1 byte to 100MB. Once archived, data rarely needs to be restored, and on the rare occasion when restoration is needed, the company has 24 hours to restore specific files that match certain metadata. Searches must be possible by numeric file ID, drug name, participant names, date ranges, and other metadata.
Which is the most cost-effective architectural approach that can meet the requirements?
- Store individual compressed files and search metadata in Amazon Simple Storage Service (S3). Create a lifecycle rule to move the data to Amazon Glacier, after a certain number of days. When restoring data, query the Amazon S3 bucket for files matching the search criteria, and retrieve the file to S3 reduced redundancy in order to move it back to S3 Standard class.
- Store individual files in Amazon Glacier, using the file ID as the archive name. When restoring data, query the Amazon Glacier vault for files matching the search criteria.
- First, compress and then concatenate all files for a completed drug trial test into a single Amazon Glacier archive. Store the associated byte ranges for the compressed files along with other search metadata in an Amazon RDS database with regular snapshotting. When restoring data, query the RDS database for files that match the search criteria, and create restored files from the retrieved byte ranges
- Store individual files in Amazon S3, and store search metadata in an Amazon Relational Database Service (RDS) multi-AZ database. Create a lifecycle rule to move the data to Amazon Glacier after a certain number of days. When restoring data, query the Amazon RDS database for files matching the search criteria, and move the files matching the search criteria back to S3 Standard class.
- Store individual files in Amazon Glacier, and store the search metadata in an Amazon RDS multi-AZ database. When restoring data, query the Amazon RDS database for files matching the search criteria, and retrieve the archive name that matches the file ID returned from the database query.
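The third option above depends on an index that maps each compressed member to its byte range inside one large archive, so that a restore fetches only the bytes it needs. The following Python is an added worked example, not code from the question set or from AWS: it compresses constructed sample trial files, concatenates them into a single archive blob (standing in for the Glacier archive), records each member's offset, length, CRC and search metadata in an in-memory SQLite table (standing in for the RDS database), and restores members found by a metadata query by slicing out only their byte range. The file contents, the metadata and the archive ID are constructed placeholders. Because S3 Glacier requires a retrieval byte range to be megabyte-aligned, the helper widens the requested range to 1 MiB boundaries before cutting the member out of the fetched bytes.

```python
import io
import sqlite3
import zlib

MIB = 1024 * 1024
ARCHIVE_ID = "trial-archive-0001"  # placeholder; in practice the ID Glacier returns on upload

# Constructed sample trial output: file ID -> (drug, participant, trial date, raw bytes)
SAMPLE_FILES = {
    "1001": ("ZX-12", "Alice", "2014-03-01", b"dose=5mg;bp=120/80;" * 50),
    "1002": ("ZX-12", "Bob", "2014-03-02", b"dose=5mg;bp=118/76;" * 50),
    "1003": ("QR-7", "Carol", "2014-04-10", b"dose=1mg;bp=130/85;" * 50),
}


def init_index(conn):
    """Create the metadata index table (stand-in for the RDS schema)."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS members ("
        "file_id TEXT PRIMARY KEY, archive_id TEXT, start INTEGER, length INTEGER, "
        "crc INTEGER, drug TEXT, participant TEXT, trial_date TEXT)"
    )


def build_archive(conn, files):
    """Compress every file, concatenate the compressed members into one blob,
    and record each member's byte range plus its search metadata in the index."""
    buf = io.BytesIO()
    for file_id, (drug, participant, trial_date, raw) in files.items():
        member = zlib.compress(raw)
        start = buf.tell()
        buf.write(member)
        conn.execute(
            "INSERT INTO members VALUES (?,?,?,?,?,?,?,?)",
            (file_id, ARCHIVE_ID, start, len(member), zlib.crc32(raw),
             drug, participant, trial_date),
        )
    conn.commit()
    return buf.getvalue()


def find_members(conn, drug=None, participant=None, date_from=None, date_to=None):
    """Search the index by any combination of metadata; returns (file_id, start, length, crc)."""
    sql = "SELECT file_id, start, length, crc FROM members WHERE archive_id = ?"
    args = [ARCHIVE_ID]
    for column, value in (("drug", drug), ("participant", participant)):
        if value is not None:
            sql += f" AND {column} = ?"  # column names come from the fixed tuple above
            args.append(value)
    if date_from is not None:
        sql += " AND trial_date >= ?"
        args.append(date_from)
    if date_to is not None:
        sql += " AND trial_date <= ?"
        args.append(date_to)
    return conn.execute(sql + " ORDER BY file_id", args).fetchall()


def aligned_range(start, length, archive_size):
    """Widen [start, start+length) to 1 MiB boundaries, as Glacier range retrievals require."""
    first = (start // MIB) * MIB
    last = min(((start + length + MIB - 1) // MIB) * MIB, archive_size)
    return first, last


def restore_member(archive, start, length, crc):
    """Fetch only the aligned range holding the member, decompress it, and verify the CRC."""
    first, last = aligned_range(start, length, len(archive))
    fetched = archive[first:last]  # stands in for the Glacier range-retrieval job output
    member = fetched[start - first:start - first + length]
    raw = zlib.decompress(member)
    if zlib.crc32(raw) != crc:
        raise ValueError("restored member failed integrity check")
    return raw


def run_demo():
    """End to end: build the archive, search for one drug in a date range, restore the hits."""
    conn = sqlite3.connect(":memory:")
    init_index(conn)
    archive = build_archive(conn, SAMPLE_FILES)
    hits = find_members(conn, drug="ZX-12", date_from="2014-03-01", date_to="2014-03-31")
    restored = {fid: restore_member(archive, start, length, crc) for fid, start, length, crc in hits}
    intact = all(restored[fid] == SAMPLE_FILES[fid][3] for fid in restored)
    return {"hits": [fid for fid, *_ in hits], "intact": intact, "archive_size": len(archive)}


if __name__ == "__main__":
    print(run_demo())
```

The CRC stored at archive time is what lets the restore path prove it cut the right bytes; with real Glacier the same role is played by the tree hash returned with the range retrieval. Keeping the index in a database that is snapshotted regularly matters as much as the archive itself: without the byte offsets the single archive is just an opaque blob.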
22. You have been asked to virtually extend two existing data centers into AWS to support a highly available application that depends on existing, on-premises resources located in multiple data centers and static content that is served from an Amazon Simple Storage Service (S3) bucket. Your design currently includes a dual-tunnel VPN connection between your CGW and VGW. Which component of your architecture represents a potential single point of failure that you should consider changing to make the solution more highly available?
- Add another CGW in a different data center and create another dual-tunnel VPN connection
- Add a second VGW in a different Availability Zone, and a CGW in a different data center, and create another dual-tunnel.
- No changes are necessary: the network architecture is currently highly available
- Add another VGW in a different Availability Zone and create another dual-tunnel VPN connection
23. Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed. Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don't want to create new IAM users for each NOC member or make those users sign in again to the AWS Management Console. Which option below will meet the needs of your NOC members?
- Use Web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.
- Use your on-premises SAML 2.0-compliant identity provider (IdP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.
- Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.
- Use your on-premises SAML 2.0-compliant identity provider (IdP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
24. A media production company wants to deliver high-definition raw video material for preproduction and dubbing to customers all around the world. They would like to use Amazon CloudFront for their scenario, and they require the ability to limit downloads per customer and video file to a configurable number. A CloudFront download distribution with TTL = 0 was already setup to make sure all client HTTP requests hit an authentication backend on Amazon Elastic Compute Cloud (EC2)/Amazon Relational Database Service (RDS) first, which is responsible for restricting the number of downloads. Content is stored in Amazon Simple Storage Service (S3) and configured to be accessible only via CloudFront.
What else needs to be done to achieve an architecture that meets the requirements?
Choose 2 answers
- Enable CloudFront logging into an Amazon S3 bucket, leverage Amazon Elastic MapReduce (EMR) to analyze CloudFront logs to determine the number of downloads per customer, and return the content S3 URL unless the download limit is reached.
- Enable CloudFront logging into an Amazon S3 bucket, let the authentication backend determine the number of downloads per customer by parsing those logs, and return the content S3 URL unless the download limit is reached
- Enable URL parameter forwarding, let the authentication backend count the number of downloads per customer in Amazon RDS, and return the content S3 URL unless the download limit is reached
- Configure a list of trusted signers, let the authentication backend count the number of download requests per customer in Amazon RDS, and return a dynamically signed URL unless the download limit is reached.
- Enable URL parameter forwarding, let the authentication backend count the number of downloads per customer in Amazon RDS, and invalidate the CloudFront distribution as soon as the download limit is reached.
25. Your customer is implementing a video on-demand streaming platform on AWS. The requirements are: support for multiple client devices such as iOS, Android, and PC, using a standard client player; delivery via streaming technology (not download); and a scalable, cost-effective architecture.
Which architecture meets the requirements?
- Store the video contents to Amazon Simple Storage Service (S3) as an origin server. Configure the Amazon CloudFront distribution with a streaming option to stream the video contents
- Store the video contents to Amazon S3 as an origin server. Configure the Amazon CloudFront distribution with a download option to stream the video contents.
- Launch a streaming server on Amazon Elastic Compute Cloud (EC2) (for example, Adobe Media Server), and store the video contents as an origin server. Configure the Amazon CloudFront distribution with a download option to stream the video contents.
- Launch a streaming server on Amazon EC2(for example, Adobe Media Server), and store the video contents as an origin server. Launch and configure the required amount of streaming servers on Amazon EC2 as an edge server to stream the video contents.
26. A research scientist is planning for the one-time launch of an Elastic MapReduce cluster and is encouraged by her manager to minimize costs. The cluster is designed to ingest 200TB of genomics data with a total of 100 Amazon Elastic Compute Cloud (EC2) instances and is expected to run for around four hours. The resulting data set must be stored temporarily until archived into an Amazon Relational Database Service (RDS) Oracle instance.
Which option will help save the most money while meeting requirements?
- Deploy on-demand master, core and task nodes and store ingest and output files in Amazon Simple Storage Service (S3) Reduced Redundancy Storage (RRS).
- Store the ingest files in Amazon S3 RRS and store the output files in S3. Deploy Reserved Instances for the master, and core nodes and on-demand for the task nodes.
- Store ingest and output files in Amazon S3. Deploy on-demand for the master, and core nodes and spot for the task nodes.
- Optimize by deploying a combination of on-demand, RI, and spot-pricing models for the master, core, and task nodes. Store ingest and output files in Amazon S3 with a lifecycle policy that archives them to Amazon Glacier.
27. Your social media monitoring application uses a Python app running on AWS Elastic Beanstalk to inject tweets, Facebook updates and RSS feeds into an Amazon Kinesis stream. A second AWS Elastic Beanstalk app generates key performance indicators into an Amazon DynamoDB table and powers a dashboard application.
What is the most efficient option to prevent any data loss for this application?
- Add a second Amazon Kinesis stream in another Availability Zone and use AWS data pipeline to replicate data across Kinesis streams.
- Add a third AWS Elastic Beanstalk app that uses the Amazon Kinesis S3 connector to archive data from Amazon Kinesis into Amazon S3.
- Use AWS Data Pipeline to replicate your DynamoDB tables into another region.
- Use the second AWS Elastic Beanstalk app to store a backup of Kinesis data onto Amazon Elastic Block Store (EBS), and then create snapshots from your Amazon EBS volumes.
28. You have integrated two subsystems (front-end and back-end) with an HTTP interface into one large system. These subsystems don't store any state internally; all state is stored in an Amazon DynamoDB table. You have launched each of these two subsystems from a separate AMI.
Black box testing has shown that these servers have stopped running and are issuing malformed requests that do not meet HTTP specifications from the client. Your developers have discovered and fixed this issue, and you need to deploy the fix to the two subsystems as soon as possible without service disruption.
What are the most effective options to deploy the fixes?
Choose 3 answers
- Use VPC.
- Use AWS OpsWorks auto healing for both the front-end and back-end instance pair
- Use Elastic Load Balancing in front of the front-end subsystem and Auto Scaling to keep the specified number of instances
- Use Elastic Load Balancing in front of the back-end subsystem and Auto Scaling to keep specified number of instances.
- Use Amazon CloudFront which accesses the front-end server when origin fetch
- Use Amazon Simple Queue Service SQS between the front-end and back-end subsystems
29. When deploying a highly available 2-tier web application on AWS, which combination of AWS Services meets the requirements?
1. AWS Direct Connect
2. Amazon Route 53
3. AWS Storage Gateway
4. Elastic Load Balancing
8. AWS CloudTrail
- 2,4,5 and 6
- 3,4,5 and 8
- 1,2,5 and 6
- 1 through 8
- 1,3,5 and 7
30. Your customer needs to create an application to allow contractors to upload videos to Amazon Simple Storage Service (S3) so they can be transcoded into a different format. She creates AWS Identity and Access Management (IAM) users for her application developers, and in just one week, they have the application hosted on a fleet of Amazon Elastic Compute Cloud (EC2) instances. The attached IAM role is assigned to the instances. As expected, a contractor who authenticates to the application is given a pre-signed URL that points to the location for video upload. However, contractors are reporting that they cannot upload their videos. Which of the following are valid reasons for this behavior?
Choose 2 answers
- The IAM role does not explicitly grant permission to upload the object
- The contractors' accounts have not been granted "write" access to the S3 bucket.
- The application is not using valid security credentials to generate the pre-signed URL.
- The developers do not have access to upload objects to the S3 bucket
- The S3 bucket still has the associated default permissions
- The pre-signed URL has expired.
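Each of the answers above turns on who signed the pre-signed URL and for how long it stays valid: the URL carries the permissions of the credentials that signed it, and it stops working at its own X-Amz-Expires deadline or, when signed with role credentials, as soon as those temporary credentials expire. The following Python is an added example, not code from the question set or from AWS: it builds a SigV4 query-string-signed PUT URL with only the standard library (the same construction the SDKs perform), includes the session token that role credentials require, and checks the URL's expiry window. The bucket name, object key, credentials, token and timestamp are constructed placeholders.

```python
import datetime
import hashlib
import hmac
import urllib.parse

MAX_EXPIRES = 7 * 24 * 3600  # SigV4 query-string signatures are valid for at most seven days

# Constructed inputs; the key, secret, token and bucket are placeholders, not real credentials.
DEMO_NOW = datetime.datetime(2014, 5, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)
DEMO_BUCKET = "example-video-uploads"
DEMO_KEY = "contractors/acme/take-01.mov"
DEMO_ACCESS_KEY = "ASIAEXAMPLEEXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEMO_TOKEN = "FQoGZXIvYXdzEXAMPLESESSIONTOKEN"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, datestamp, region, service):
    """Derive the SigV4 signing key: HMAC chain over date, region, service, terminator."""
    k = _hmac(("AWS4" + secret).encode(), datestamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _q(value):
    return urllib.parse.quote(value, safe="-_.~")


def presign_put(bucket, key, access_key, secret_key, region, expires, now, session_token=None):
    """Build a SigV4 query-string-authenticated PUT URL for s3://bucket/key.

    Whoever holds the URL can upload exactly this object, with the permissions of the
    credentials that signed it, until X-Amz-Date + X-Amz-Expires (or until temporary
    credentials expire, whichever comes first)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 and 604800 seconds")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # required when signing with role (temporary) credentials
        params["X-Amz-Security-Token"] = session_token
    canonical_qs = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        ["PUT", canonical_uri, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    signature = hmac.new(
        _signing_key(secret_key, datestamp, region, "s3"), string_to_sign.encode(), hashlib.sha256
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def is_expired(url, now):
    """True once the URL's own X-Amz-Date + X-Amz-Expires window has passed."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    issued = datetime.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=datetime.timezone.utc)
    return now >= issued + datetime.timedelta(seconds=int(query["X-Amz-Expires"][0]))


def demo():
    """Sign one upload URL with placeholder role credentials and probe its expiry window."""
    args = (DEMO_BUCKET, DEMO_KEY, DEMO_ACCESS_KEY, DEMO_SECRET_KEY, "us-west-1", 900, DEMO_NOW)
    url = presign_put(*args, session_token=DEMO_TOKEN)
    again = presign_put(*args, session_token=DEMO_TOKEN)
    return {
        "url": url,
        "deterministic": url == again,
        "has_token": "X-Amz-Security-Token=" in url,
        "valid_at_14m59s": not is_expired(url, DEMO_NOW + datetime.timedelta(seconds=899)),
        "expired_at_15m": is_expired(url, DEMO_NOW + datetime.timedelta(seconds=900)),
    }


if __name__ == "__main__":
    print(demo())
```

Two things this makes visible: nothing about the contractor's identity enters the signature, so the upload succeeds or fails on the signing identity's own s3:PutObject permission for that key (the role's access policy and the bucket's policy), and the X-Amz-Expires window is a ceiling, not a guarantee, because a URL signed with instance-role credentials also dies when that session's credentials are rotated.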
31. Your company runs a complex customer relations management system that consists of around 10 different software components all backed by the same Amazon Relational Database Service (RDS) database. You adopted AWS OpsWorks to simplify management and deployment of that application and created an AWS OpsWorks stack with layers for each of the individual components.
An internal security policy requires that all instances should run on the latest Amazon Linux AMI and that instances must be replaced within one month after the latest Amazon Linux AMI has been released. AMI replacements should be done without incurring application downtime or capacity problems. You decide to write a script to be run as soon as a new Amazon Linux AMI is released.
Which solutions support the security policy and meet your requirements?
Choose 2 answers
- Create a new stack and layers with identical configuration, add instances with the latest Amazon Linux AMI specified as a custom AMI to the new layers, switch DNS to the new stack, and tear down the old stack
- Identify all Amazon Elastic Compute Cloud (EC2) instances of your AWS OpsWorks stack, stop each instance, replace the AMI ID property with the ID of the latest Amazon Linux AMI ID, and restart the instance. To avoid down time, make sure not more than one instance is stopped at the same time.
- Specify the latest Amazon Linux AMI as a custom AMI at the stack level, terminate instances of the stack and let AWS OpsWorks launch new instances with the new AMI.
- Add new instances with the latest Amazon Linux AMI specified as a custom AMI to all AWS OpsWorks layers of your stack, and terminate the old ones.
- Assign a custom recipe to each layer which replaces the underlying AMI. Use AWS OpsWorks life-cycle events to incrementally execute this custom recipe and update the instances with the new AMI.
32. A utility company is building an application that stores data coming from more than 10,000 sensors. Each sensor has a unique ID and will send a datapoint (approximately 1 KB) every 10 minutes throughout the day. Each datapoint contains the information coming from the sensor as well as a timestamp. This company would like to query information coming from a particular sensor for the past week very rapidly and would like to delete all data that is older than four weeks. Using Amazon DynamoDB for its scalability and rapidity, how would you implement this in the most cost-effective way?
- One table for each week, with a primary key that is the concatenation of the sensor ID and the timestamp
- One table for each week, with a primary key that is the sensor ID, and a hash key that is the timestamp
- One table, with a primary key that is the concatenation of the sensor ID and the timestamp
- One table, with a primary key that is the sensor ID, and a hash key that is the timestamp
33. Your company sells consumer devices and needs to record the first activation of all sold devices. Devices are not activated until the information is written on a persistent database. Activation data is very important for your company and must be analyzed daily with a MapReduce job. The execution time of the data analysis process must be less than three hours per day.
Devices are usually sold evenly during the year, but when a new device model is out, there is a predictable peak in activations, that is, for a few days there are 10 times or even 100 times more activations than in the average day.
Which of the following databases and analysis framework would you implement to better optimize costs and performance for this workload?
- Amazon Relational Database Service and Amazon Elastic MapReduce with Spot Instances
- Amazon DynamoDB and Amazon Elastic MapReduce with Spot Instances
- Amazon Relational Database Service and Amazon Elastic MapReduce with Reserved Instances
- Amazon DynamoDB and Amazon Elastic MapReduce with Reserved Instances
34. You are moving an existing traditional system to AWS, and during the migration discover that there is a master server which is a single point of failure. Having examined the implementation of the master server, you realise there is not enough time during migration to re-engineer it to be highly available, though you do discover that it stores its state in a local MySQL database.
In order to minimize downtime, you select RDS to replace the local database and configure the master to use it. What steps would best allow you to create a self-healing architecture?
- Replicate the local database into a RDS Read Replica. Place the master node into a multi-AZ auto-scaling group with a minimum of one and a maximum of one with health checks.
- Migrate the local database into a multi-AZ RDS database. Place the master node into a Cross-Zone ELB with a minimum of one and a maximum of one with health checks.
- Replicate the local database into a RDS Read Replica. Place the master node into a Cross-Zone ELB with a minimum of one and a maximum of one with health checks.
- Migrate the local database into a multi-AZ RDS database. Place the master node into a multi-AZ auto-scaling group with a minimum of one and a maximum of one with health checks.
35. A customer is in the process of deploying multiple applications to AWS that are owned and operated by different development teams. Each development team maintains the authorization of its users independently from other teams.
The customer's information security team would like to be able to delegate user authorization to the individual development teams but independently apply restrictions to the users' permissions based on factors such as the user's device and location. For example, the information security team would like to grant read-only permissions to a user who is defined by the development team as read/write whenever the user is authenticating from outside the corporate network.
What steps can the information security team take to implement this capability?
- Operate an authentication service that generates AWS Security Token Service (STS) tokens with IAM policies from application-defined IAM roles.
- Add additional IAM policies to the application IAM roles that deny user privileges based on information security policy.
- Enable federation with the internal LDAP directory and grant the application teams permissions to modify users.
- Configure IAM policies that restrict modification of the application IAM roles only to the information security team.
36. You are designing a file-sharing service. This service will have millions of files in it. Revenue for the service will come from fees based on how much storage a user is using. You also want to store metadata on each file, such as title, description and whether the object is public or private. How do you achieve all of these goals in a way that is economical and can scale to millions of users?
- Store all files in Amazon Simple Storage Service (S3). Create a bucket for each user. Store metadata in the filename of each object, and access it with LIST commands against the S3 API.
- Store all files in Amazon S3. Create Amazon DynamoDB tables for the corresponding key-value pairs on the associated metadata, when objects are uploaded.
- Create a striped set of 4000 IOPS Elastic Block Store (EBS) volumes to store the data. Use a database running in Amazon Relational Database Service (RDS) to store the metadata.
- Create a striped set of 4000 IOPS Elastic Block Store (EBS) volumes to store the data. Create Amazon DynamoDB tables for the corresponding key-value pairs on the associated metadata, when objects are uploaded.
37. Your company has been contracted to develop and operate a website that tracks NBA basketball statistics. Statistical data to derive reports like "best game-winning shots from the regular season" and more frequently built reports like "top shots of the game" need to be stored durably for repeated lookup. Leveraging social media techniques, NBA fans submit and vote on new report types from the existing data set, so the system needs to accommodate variability in data queries, and new static reports must be generated and posted daily. Initial research in the design phase indicates that there will be over 3 million report queries on game day by end users and other applications that use this application as a data source. It is expected that this system will gain in popularity over time and reach peaks of 10-15 million report queries of the system on game days. Select the answer that will allow your application to best meet these requirements while minimizing costs.
- Launch a multi-AZ MySQL Amazon Relational Database Service (RDS) Read Replica connected to your multi AZ master database and generate reports by querying the Read Replica. Perform a daily table cleanup.
- Generate reports from a multi-AZ MySQL Amazon RDS deployment and have an offline task put reports in Amazon Simple Storage Service (S3) and use CloudFront to cache the content. Use a TTL to expire objects daily.
- Implement a multi-AZ MySQL RDS deployment and have the application generate reports from Amazon ElastiCache for in-memory performance results. Utilize the default expire parameter for items in the cache.
- Query a multi-AZ MySQL RDS instance and store the results in a DynamoDB table. Generate reports from the DynamoDB table. Remove stale tables daily.
38. You've been tasked with moving an ecommerce web application from a customer's datacenter into a VPC. The application must be fault tolerant as well as highly scalable. Moreover, the customer is adamant that service interruptions not affect the user experience. As you near launch, you discover that the application currently uses multicast to share session state between web servers. In order to handle session state within the VPC, you choose to:
- Store session state in Amazon ElastiCache for Redis
- Enable session stickiness via Elastic Load Balancing
- Create a mesh VPN between instances and allow multicast on it.
- Store session state in Amazon Relational Database Service
39. Your application is leveraging IAM Roles for EC2 for accessing objects stored in S3. Which two of the following IAM policies control access to your S3 objects?
Choose 2 answers
- An IAM trust policy allows the EC2 instance to assume an EC2 instance role
- An IAM access policy allows the EC2 role to access S3 objects
- An IAM bucket policy allows the EC2 role to access S3 objects
- An IAM trust policy allows applications running on the EC2 instance to assume an EC2 role
- An IAM trust policy allows applications running on the EC2 instance to access S3 objects
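Questions 35 and 39 above both turn on how IAM combines several policy documents: a trust policy decides which principal may assume the role, the role's access policy grants the application team's permissions, and a separate Deny statement with a condition lets the security team narrow those permissions without touching the team's policy. The following Python is an added example, not code from the question set or from AWS: a small evaluator that implements IAM's decision order (an explicit Deny wins over any Allow, and with no matching Allow the request is implicitly denied) with wildcard matching for actions and resources, Principal matching for trust policies, and the StringEquals, StringNotEquals, IpAddress and NotIpAddress condition operators. The account ID, role and bucket ARNs, source IP addresses and the 10.0.0.0/8 "corporate" range are constructed placeholders, and the handling of absent condition keys is a design choice of this example rather than a statement of how IAM behaves.

```python
import ipaddress
import re

NEGATED = {"StringNotEquals", "NotIpAddress"}

# Constructed policies; ARNs, account ID and the corporate CIDR are placeholders.
TRUST_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole",
}]}
# Written by the application team: full read/write on the team's bucket.
APP_ROLE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::app-bucket/*",
}]}
# Added by the information security team: writes are denied from outside the corporate range.
INFOSEC_DENY_POLICY = {"Statement": [{
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.0.0.0/8"]}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case):
    """IAM-style wildcard match: * matches any run of characters, ? a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_ok(stmt, context):
    """Trust policies name a Principal; identity policies have none and always pass here."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    caller = context.get("Principal", {})
    return any(caller.get(ptype) in _as_list(values) or "*" in _as_list(values)
               for ptype, values in principal.items())


def _conditions_ok(conditions, context):
    for operator, pairs in conditions.items():
        for key, wanted in pairs.items():
            wanted, actual = _as_list(wanted), context.get(key)
            if actual is None:
                # Absent key: positive operators fail; negated ones are treated as matching,
                # so a Deny that depends on a missing key still denies (example's choice).
                if operator in NEGATED:
                    continue
                return False
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringNotEquals":
                ok = actual not in wanted
            elif operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                inside = any(ip in ipaddress.ip_network(cidr) for cidr in wanted)
                ok = inside if operator == "IpAddress" else not inside
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny': explicit Deny wins, then Allow, else implicit deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_match(r, resource, False) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _principal_ok(stmt, context) or not _conditions_ok(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def demo():
    """Trust-policy checks for question 39 and the layered Deny of question 35."""
    role = "arn:aws:iam::123456789012:role/app-role"
    obj = "arn:aws:s3:::app-bucket/report.csv"
    layered = [APP_ROLE_POLICY, INFOSEC_DENY_POLICY]
    return {
        "ec2_assumes_role": evaluate([TRUST_POLICY], "sts:AssumeRole", role,
                                     {"Principal": {"Service": "ec2.amazonaws.com"}}),
        "lambda_assumes_role": evaluate([TRUST_POLICY], "sts:AssumeRole", role,
                                        {"Principal": {"Service": "lambda.amazonaws.com"}}),
        "put_from_office": evaluate(layered, "s3:PutObject", obj, {"aws:SourceIp": "10.20.30.40"}),
        "put_from_internet": evaluate(layered, "s3:PutObject", obj, {"aws:SourceIp": "203.0.113.7"}),
        "get_from_internet": evaluate(layered, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.7"}),
        "delete_from_office": evaluate(layered, "s3:DeleteObject", obj, {"aws:SourceIp": "10.20.30.40"}),
    }
```

The trust policy answers only "who may become this role" (EC2 may, Lambda may not); what the role can then do to S3 comes from the access policy, and the security team's Deny statement cuts write access from the internet without editing the team's Allow. Protecting the team's policy from modification, or federating the directory, would not produce that location-dependent outcome.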
40. You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture.
Which alternatives should you consider?
Choose 2 answers
- Configure ELB with an EIP. Place all your Web servers behind ELB. Configure a Route53 A record that points to the EIP.
- Place all your Web servers behind ELB. Configure a Route53 CNAME to point to the ELB DNS name.
- Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers. Configure a Route53 CNAME record to your CloudFront distribution.
- Configure a NAT instance in your VPC. Create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the NAT Instance public IP address.
- Assign EIPs to all Web servers. Configure a Route53 record set with all EIPs, with health checks and DNS failover.