Amazon Amazon Certifications SAA-C02 Questions & Answers

• Question 1:

  A company has application running on Amazon EC2 instances in a VPC. One of the applications needs to call an Amazon S3 API to store and read objects. The company's security policies restrict any internet-bound traffic from the

  applications.

  Which action will fulfill these requirements and maintain security?

  A. Configure an S3 interface endpoint.

  B. Configure an S3 gateway endpoint.

  C. Create an S3 bucket in a private subnet.

  D. Create an S3 bucket in the same Region as the EC2 instance.

  Correct Answer: B

• Question 2:

  A company is planning to migrate a business-critical dataset to Amazon S3. The current solution design uses a single S3 bucket in the us-east-1 Region with versioning enabled to store the dataset. The company's disaster recovery policy states that all data multiple AWS Regions.

  How should a solutions architect design the S3 solution?

  A. Create an additional S3 bucket in another Region and configure cross-Region replication.

  B. Create an additional S3 bucket in another Region and configure cross-origin resource sharing (CORS).

  C. Create an additional S3 bucket with versioning in another Region and configure cross-Region replication.

  D. Create an additional S3 bucket with versioning in another Region and configure cross-origin resource (CORS).

  Correct Answer: C

  Object Versioning Use Amazon S3 Versioning to keep multiple versions of an object in one bucket. For example, you could store my-image.jpg (version 111111) and my-image.jpg (version 222222) in a single bucket. S3 Versioning protects you from the consequences of unintended overwrites and deletions. You can also use it to archive objects so that you have access to previous versions. You must explicitly enable S3 Versioning on your bucket. By default, S3 Versioning is disabled. Regardless of whether you have enabled Versioning, each object in your bucket has a version ID. If you have not enabled Versioning, Amazon S3 sets the value of the version ID to null. If S3 Versioning is enabled, Amazon S3 assigns a version ID value for the object. This value distinguishes it from other versions of the same key. Enabling and suspending versioning is done at the bucket level. When you enable versioning on an existing bucket, objects that are already stored in the bucket are unchanged. The version IDs (null), contents, and permissions remain the same. After you enable S3 Versioning for a bucket, each object that is added to the bucket gets a version ID, which distinguishes it from other versions of the same key. Cross-origin resource sharing (CORS) Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources. https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectVersioning.html https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html

• Question 3:

  A company is migrating a three-tier application to AWS. The application requires a MySQL database. In the past, the application users reported poor application performance when creating new entries. These performance issues were

  caused by users generating different real-time reports from the application duringworking hours.

  Which solution will improve the performance of the application when it is moved to AWS?

  A. Import the data into an Amazon DynamoDB table with provisioned capacity. Refactor the application to use DynamoDB for reports.

  B. Create the database on a compute optimized Amazon EC2 instance. Ensure compute resources exceed the on-premises database.

  C. Create an Amazon Aurora MySQL Multi-AZ DB cluster with multiple read replicas. Configure the application reader endpoint for reports.

  D. Create an Amazon Aurora MySQL Multi-AZ DB cluster. Configure the application to use the backup instance of the cluster as an endpoint for the reports.

  Correct Answer: D

  Amazon RDS Read Replicas Now Support Multi-AZ Deployments Starting today, Amazon RDS Read Replicas for MySQL and MariaDB now support Multi-AZ deployments. Combining Read Replicas with Multi-AZ enables you to build a resilient disaster recovery strategy and simplify your database engine upgrade process. Amazon RDS Read Replicas enable you to create one or more read-only copies of your database instance within the same AWS Region or in a different AWS Region. Updates made to the source database are then asynchronously copied to your Read Replicas. In addition to providing scalability for read-heavy workloads, Read Replicas can be promoted to become a standalone database instance when needed.

  Amazon RDS Multi-AZ deployments provide enhanced availability for database instances within a single AWS Region. With Multi-AZ, your data is synchronously replicated to a standby in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS performs an automatic failover to the standby, minimizing disruption to your applications. You can now use Read Replicas with Multi-AZ as part of a disaster recovery (DR) strategy for your production databases. A well-designed and tested DR plan is critical for maintaining business continuity after a disaster. A Read Replica in a different region than the source database can be used as a standby database and promoted to become the new production database in case of a regional disruption. You can also combine Read Replicas with Multi-AZ for your database engine upgrade process. You can create a Read Replica of your production database instance and upgrade it to a new database engine version. When the upgrade is complete, you can stop applications, promote the Read Replica to a standalone database instance, and switch over your applications. Since the database instance is already a Multi-AZ deployment, no additional steps are needed. Overview of Amazon RDS Read Replicas Deploying one or more read replicas for a given source DB instance might make sense in a variety of scenarios, including the following: Scaling beyond the compute or I/O capacity of a single DB instance for read-heavy database workloads. You can direct this excess read traffic to one or more read replicas. Serving read traffic while the source DB instance is unavailable. In some cases, your source DB instance might not be able to take I/O requests, for example due to I/O suspension for backups or scheduled maintenance. In these cases, you can direct read traffic to your read replicas. For this use case, keep in mind that the data on the read replica might be "stale" because the source DB instance is unavailable.

  Business reporting or data warehousing scenarios where you might want business reporting queries to run against a read replica, rather than your primary, production DB instance. Implementing disaster recovery. You can promote a read replica to a standalone instance as a disaster recovery solution if the source DB instance fails.

  https://aws.amazon.com/about-aws/whats-new/2018/01/amazon-rds-read-replicas-now-support- multi-az-deployments/ https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html

• Question 4:

  A company wants to host a scalable web application on AWS. The application will be accessed by users from different geographic regions of the world. Application users will be able to download and upload unique data up to gigabytes in size. The development team wants a cost-effective solution to minimize upload and download latency and maximize performance.

  What should a solutions architect do to accomplish this?

  A. Use Amazon S3 with Transfer Acceleration to host the application.

  B. Use Amazon S3 with CacheControl headers to host the application.

  C. Use Amazon EC2 with Auto Scaling and Amazon CloudFront to host the application

  D. Use Amazon EC2 with Auto Scaling and Amazon ElastiCache to host the application.

  Correct Answer: C

• Question 5:

  A company captures clickstream data from multiple websites and analyzes it using batch processing. The data is loaded nightly into Amazon Redshift and is consumed by business analysts. The company wants to move towards near-realtime data processing for timely insights. The solution should process the streaming data with minimal effort and operational overhead. Which combination of AWS services are MOST cost-effective for this solution? (Choose two.)

  A. Amazon EC2

  B. AWS Lambda

  C. Amazon Kinesis Data Streams

  D. Amazon Kinesis Data Firehose

  E. Amazon Kinesis Data Analytics

  Correct Answer: BD

  Kinesis Data Streams and Kinesis Client Library (KCL) -Data from the data source can be continuously captured and streamed in near real-time using Kinesis Data Streams. With the Kinesis Client Library (KCL), you can build your own application that can preprocess the streaming data as they arrive and emit the data for generating incremental views and downstream analysis. Kinesis Data Analytics This service provides the easiest way to process the data that is streaming through Kinesis Data Stream or Kinesis Data Firehose using SQL. This enables customers to gain actionable insight in near real-time from the incremental stream before storing it in Amazon S3.

  

  https://d1.awsstatic.com/whitepapers/lambda-architecure-on-for-batch-aws.pdf

• Question 6:

  A Solutions Architect must design a web application that will be hosted on AWS, allowing users to purchase access to premium, shared content that is stored in an S3 bucket. Upon payment, content will be available for download for 14 days before the user is denied access Which of the following would be the LEAST complicated implementation?

  A. Use an Amazon CloudFront distribution with an origin access identity (OAI) Configure the distribution with an Amazon S3 origin to provide access to the file through signed URL's Design a Lambda function to remove data that is older than 14 days.

  B. Use an S3 bucket and provide direct access to the tile Design the application to track purchases in a DynamoDH table Configure a Lambda function to remove data that is older than 14 days based on a query to Amazon DynamoDB

  C. Use an Amazon CloudFront distribution with an OAI Configure the distribution with an Amazon S3 origin to provide access to the file through signed URLs Design the application to sot an expiration of 14 days for the URL

  D. Use an Amazon CloudFront distribution with an OAI Configure the distribution with an Amazon S3 origin to provide access to the file through signed URLs Design the application to set an expiration of 60 minutes for the URL and recreate the URL as necessary

  Correct Answer: C

• Question 7:

  A company currently operates a web application backed by an Amazon RDS MySQL database It has automated backups that are run daily and are not encrypted A security audit requires future backups to be encrypted and the unencrypted backups to be destroyed The company will make at least one encrypted backup before destroying the old backups What should be done to enable encryption for future backups''

  A. Enable default encryption for the Amazon S3 bucket where backups are stored

  B. Modify the backup section of the database configuration to toggle the Enable encryption check box

  C. Create a snapshot of the database Copy it to an encrypted snapshot Restore the database from the encrypted snapshot

  D. Enable an encrypted read replica on RDS for MySQL Promote the encrypted read replica to primary Remove the original database instance

  Correct Answer: C

  However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance DB instances that are encrypted can't be modified to disable encryption. You can't have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance. Encrypted read replicas must be encrypted with the same key as the source DB instance when both are in the same AWS Region. You can't restore an unencrypted backup or snapshot to an encrypted DB instance. To copy an encrypted snapshot from one AWS Region to another, you must specify the KMS key identifier of the destination AWS Region. This is because KMS encryption keys are specific to the AWS Region that they are created in.

  https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

• Question 8:

  A company is managing health records on-premises. The company must keep these records indefinitely, disable any modifications to the records once they are stored, and granularly audit access at all levels. The chief technology officer (CTO) is concerned because there are already millions of records not being used by any application, and the current infrastructure is running out of space The CTO has requested a solutions architect design a solution to move existing data and support future records

  Which services can the solutions architect recommend to meet these requirements'?

  A. Use AWS DataSync to move existing data to AWS. Use Amazon S3 to store existing and new data Enable Amazon S3 object lock and enable AWS CloudTrail with data events.

  B. Use AWS Storage Gateway to move existing data to AWS Use Amazon S3 to store existing and new data. Enable Amazon S3 object lock and enable AWS CloudTrail with management events.

  C. Use AWS DataSync to move existing data to AWS Use Amazon S3 to store existing and new data Enable Amazon S3 object lock and enable AWS CloudTrail with management events.

  D. Use AWS Storage Gateway to move existing data to AWS Use Amazon Elastic Block Store (Amazon EBS) to store existing and new data Enable Amazon S3 object lock and enable Amazon S3 server access logging

  Correct Answer: A

• Question 9:

  A company hosts a static website within an Amazon S3 bucket. A solutions architect needs to ensure that data can be recovered in case of accidental deletion. Which action will accomplish this?

  A. Enable Amazon S3 versioning

  B. Enable Amazon S3 Intelligent-Tiering.

  C. Enable an Amazon S3 lifecycle policy

  D. Enable Amazon S3 cross-Region replication.

  Correct Answer: A

  Data can be recover if versioning enable, also it provide a extra protection like file delete,MFA delete. MFA Delete only works for CLI or API interaction, not in the AWS Management Console. Also, you cannot make version DELETE actions with MFA using IAM user credentials. You must use your root AWS account. https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/ Object Versioning Use Amazon S3 Versioning to keep multiple versions of an object in one bucket. For example, you could store my-image.jpg (version 111111) and my-image.jpg (version 222222) in a single bucket. S3 Versioning protects you from the consequences of unintended overwrites and deletions. You can also use it to archive objects so that you have access to previous versions. You must explicitly enable S3 Versioning on your bucket. By default, S3 Versioning is disabled. Regardless of whether you have enabled Versioning, each object in your bucket has a version ID. If you have not enabled Versioning, Amazon S3 sets the value of the version ID to null. If S3 Versioning is enabled, Amazon S3 assigns a version ID value for the object. This value distinguishes it from other versions of the same key. https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectVersioning.html

• Question 10:

  A company has an application that calls AWS Lambda functions. A recent code review found database credentials stored in the source code. The database credentials needs to be removed from the Lambda source code. The credentials must then be securely stored and rotated on a on-going basis to meet security policy requirements.

  What should a solutions architect recommend meet these requirements?

  A. Store the password in AWS CloudHSM Associate the Lambda function with a role that can retrieve the password from CloudHSM given its key ID

  B. Store the password in AWS Secrets Manager . A associate the Lambda function with a role that can retrieve the password from secrets Manager given its secret ID.

  C. Move the database password to an environment variable associated with the Lambda function Retrieve the password from the environment variable upon execution

  D. Store the password in AWS Key Management Service (AWS KMS) Associate the Lambda function with a role that can retrieve the password from AWS KMS given its key ID

  Correct Answer: B