AWS Certified Solutions Architect Associate (SAA-C03)


Topic 1 - Exam A

Question #41 Topic 1

A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs to share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt EBS volume snapshots. What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS account?

  • A Make the encrypted AMI and snapshots publicly available. Modify the key policy to allow the MSP Partner's AWS account to use the key.
  • B Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to allow the MSP Partner's AWS account to use the key.
  • C Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to trust a new KMS key that is owned by the MSP Partner for encryption.
  • D Export the AMI from the source account to an Amazon S3 bucket in the MSP Partner's AWS account. Encrypt the S3 bucket with a new KMS key that is owned by the MSP Partner. Copy and launch the AMI in the MSP Partner's AWS account.
Suggested Answer: B
Explanation: Option B is the most secure way to share the AMI because it balances security and functionality. It shares the AMI only with the MSP Partner's AWS account, which limits who can access the AMI, and it modifies the key policy to allow the MSP Partner's AWS account to use the customer managed key, which ensures the MSP Partner can access and use the AMI securely.
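The two settings the explanation relies on (a launchPermission limited to one account and a KMS key policy that grants only that account use of the key) are easy to get wrong in the direction of option A. The block below is an added example, not part of the original question bank or any AWS documentation: it builds the two documents in the shape the boto3 `modify_image_attribute` and `put_key_policy` calls accept, and audits them for the over-sharing the question warns against. The account IDs are constructed placeholders.

```python
import json

# Constructed placeholder account IDs (not real accounts).
SOURCE_ACCOUNT = "111111111111"
PARTNER_ACCOUNT = "222222222222"


def launch_permission_for(partner_account: str) -> dict:
    """LaunchPermission argument for ec2.modify_image_attribute: one account, not Group=all."""
    return {"Add": [{"UserId": partner_account}]}


def key_policy_for(source_account: str, partner_account: str) -> dict:
    """Key policy that keeps administration in the source account and lets only the
    partner account use the key, including grant creation for EBS (an AWS resource)."""
    partner_root = f"arn:aws:iam::{partner_account}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableKeyAdministrationBySourceAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowPartnerToUseTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": partner_root},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {
                "Sid": "AllowPartnerToAttachPersistentResources",
                "Effect": "Allow",
                "Principal": {"AWS": partner_root},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                # Grants may only be created on behalf of an AWS service (e.g. EC2/EBS).
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def audit_sharing(launch_permissions: list, key_policy: dict, allowed_accounts: set) -> list:
    """Return findings where the AMI or the key is exposed beyond allowed_accounts.

    launch_permissions is the list returned under 'LaunchPermissions' by
    ec2.describe_image_attribute(Attribute='launchPermission').
    """
    findings = []
    for perm in launch_permissions:
        if perm.get("Group") == "all":
            findings.append("AMI launchPermission is public (Group=all)")
        elif "UserId" in perm and perm["UserId"] not in allowed_accounts:
            findings.append(f"AMI shared with unexpected account {perm['UserId']}")
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = principal if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            if arn == "*":
                findings.append(f"key policy statement {stmt.get('Sid')} allows any principal")
                continue
            # Account ID is the 5th colon-separated field of an IAM ARN.
            account = arn.split(":")[4] if arn.count(":") >= 5 else arn
            if account not in allowed_accounts:
                findings.append(f"key policy statement {stmt.get('Sid')} allows account {account}")
    return findings


if __name__ == "__main__":
    allowed = {SOURCE_ACCOUNT, PARTNER_ACCOUNT}
    policy = key_policy_for(SOURCE_ACCOUNT, PARTNER_ACCOUNT)
    # Option B: shared with the partner account only -> no findings.
    print(audit_sharing([{"UserId": PARTNER_ACCOUNT}], policy, allowed))
    # Option A: public AMI -> flagged.
    print(audit_sharing([{"Group": "all"}], policy, allowed))
    print(json.dumps(policy, indent=2))
    # With live credentials these are the calls the documents feed (not executed here):
    # ec2.modify_image_attribute(ImageId=ami_id, LaunchPermission=launch_permission_for(PARTNER_ACCOUNT))
    # kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(policy))
```

`audit_sharing` is the part worth keeping after the migration: run it against the live launch permissions and key policy so that a later "just make it public" change to either document is caught.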
Question #42 Topic 1

A company recently launched Linux-based application instances on Amazon EC2 in a private subnet and launched a Linux-based bastion host on an Amazon EC2 instance in a public subnet of a VPC. A solutions architect needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers. The solutions architect must make sure that the security groups of all the EC2 instances will allow that access. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A Replace the current security group of the bastion host with one that only allows inbound access from the application instances.
  • B Replace the current security group of the bastion host with one that only allows inbound access from the internal IP range for the company.
  • C Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company.
  • D Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host.
  • E Replace the current security group of the application instances with one that allows inbound SSH access from only the public IP address of the bastion host.
Suggested Answer: CD
Question #43 Topic 1

A company hosts its web applications in the AWS Cloud. The company configures Elastic Load Balancers to use certificates that are imported into AWS Certificate Manager (ACM). The company's security team must be notified 30 days before the expiration of each certificate. What should a solutions architect recommend to meet this requirement?

  • A Add a rule in ACM to publish a custom message to an Amazon Simple Notification Service (Amazon SNS) topic every day, beginning 30 days before any certificate will expire.
  • B Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource.
  • C Use AWS Trusted Advisor to check for certificates that will expire within 30 days. Create an Amazon CloudWatch alarm that is based on Trusted Advisor metrics for check status changes. Configure the alarm to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
  • D Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect any certificates that will expire within 30 days. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
Suggested Answer: B
Explanation: AWS Config can identify resources that are noncompliant with a desired configuration, including certificates that expire within 30 days. Amazon EventBridge (CloudWatch Events) can then react to the compliance change and send a custom alert through Amazon SNS. This approach meets the requirement to alert the security team 30 days before a certificate expires.
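The chain in the explanation has three moving parts: the AWS Config managed rule, the EventBridge rule that listens for its compliance changes, and the SNS notification. As an added example (not from the question bank or from AWS), the block below assembles the Config rule and EventBridge pattern in the shapes the boto3 `put_config_rule` and `put_rule` calls take, and includes a small matcher so the pattern can be exercised offline against constructed compliance-change events. The managed rule identifier `ACM_CERTIFICATE_EXPIRATION_CHECK` and its `daysToExpiration` parameter are real; the event bodies, ARNs and topic name are constructed.

```python
import json

CONFIG_RULE_NAME = "acm-certificate-expiration-check"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:cert-expiry-alerts"  # constructed placeholder


def config_rule_definition(days: int = 30) -> dict:
    """ConfigRule argument for config.put_config_rule: flag ACM certs expiring within `days`."""
    return {
        "ConfigRuleName": CONFIG_RULE_NAME,
        "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"},
        "InputParameters": json.dumps({"daysToExpiration": str(days)}),
    }


# EventPattern for events.put_rule: only NON_COMPLIANT results from this one rule.
ALERT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": [CONFIG_RULE_NAME],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge-style matcher: every pattern key must exist in the event;
    list values are OR-ed literal alternatives, nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def alert_message(event: dict) -> str:
    """Body for sns.publish(TopicArn=SNS_TOPIC_ARN, Message=...) when the pattern matched."""
    detail = event["detail"]
    return (
        f"ACM certificate {detail['resourceId']} is {detail['newEvaluationResult']['complianceType']} "
        f"against {detail['configRuleName']} (expires within the configured window)."
    )


def build_compliance_event(compliance: str, rule: str = CONFIG_RULE_NAME) -> dict:
    """Constructed sample of a Config Rules Compliance Change event (fields abridged)."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "resourceType": "AWS::ACM::Certificate",
            # Constructed certificate ARN, not a real resource.
            "resourceId": "arn:aws:acm:us-east-1:111111111111:certificate/example-cert-id",
            "configRuleName": rule,
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


def should_alert(event: dict) -> bool:
    return matches(ALERT_PATTERN, event)


if __name__ == "__main__":
    print(json.dumps(config_rule_definition(30), indent=2))
    for evt in (build_compliance_event("NON_COMPLIANT"),
                build_compliance_event("COMPLIANT"),
                build_compliance_event("NON_COMPLIANT", rule="some-other-rule")):
        if should_alert(evt):
            print("ALERT:", alert_message(evt))
        else:
            print("ignored:", evt["detail"]["configRuleName"], evt["detail"]["newEvaluationResult"])
```

The pattern filters on `NON_COMPLIANT` only, so the topic is not paged when a renewed certificate flips back to `COMPLIANT`; matching on the rule name keeps findings from unrelated Config rules out of the security team's channel.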
Question #44 Topic 1

A company needs to store data in Amazon S3 and must prevent the data from being changed. The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects. Only specific users in the company's AWS account can have the ability to delete the objects. What should a solutions architect do to meet these requirements?

  • A Create an S3 Glacier vault. Apply a write-once, read-many (WORM) vault lock policy to the objects.
  • B Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Set a retention period of 100 years. Use governance mode as the S3 bucket’s default retention mode for new objects.
  • C Create an S3 bucket. Use AWS CloudTrail to track any S3 API events that modify the objects. Upon notification, restore the modified objects from any backup versions that the company has.
  • D Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Add a legal hold to the objects. Add the s3:PutObjectLegalHold permission to the IAM policies of users who need to delete the objects.
Suggested Answer: D
Question #45 Topic 1

A company wants to reduce the cost of its existing three-tier web architecture. The web, application, and database servers are running on Amazon EC2 instances for the development, test, and production environments. The EC2 instances average 30% CPU utilization during peak hours and 10% CPU utilization during non-peak hours. The production EC2 instances run 24 hours a day. The development and test EC2 instances run for at least 8 hours each day. The company plans to implement automation to stop the development and test EC2 instances when they are not in use. Which EC2 instance purchasing solution will meet the company's requirements MOST cost-effectively?

  • A Use Spot Instances for the production EC2 instances. Use Reserved Instances for the development and test EC2 instances.
  • B Use Reserved Instances for the production EC2 instances. Use On-Demand Instances for the development and test EC2 instances.
  • C Use Spot blocks for the production EC2 instances. Use Reserved Instances for the development and test EC2 instances.
  • D Use On-Demand Instances for the production EC2 instances. Use Spot blocks for the development and test EC2 instances.
Suggested Answer: B
Explanation: Reserved Instances provide a significant discount compared to On-Demand Instance pricing and provide a capacity reservation when used in a specific Availability Zone. This makes them the most suitable and cost-effective choice for production EC2 instances that run 24 hours a day. For the development and test instances, which run for only about 8 hours a day and will be stopped when not in use, On-Demand Instances are cost-effective because you pay for compute capacity by the hour with no long-term commitment.