Amazon Amazon Certifications SAA-C02 Questions & Answers

• Question 21:

  A company is hosting a web application on AWS using a single Amazon EC2 instance that stores user- uploaded documents in an Amazon EBS volume For better scalability and availability the company duplicated the architecture and created a second EC2 instance and EBS volume in another Availability Zone: placing both behind an Application Load Balancer After completing this change users reported that each time they refreshed the website they could see one subset of their documents or the other but never all of the documents at the same time

  What should a solutions architect propose to ensure users see all of their documents at once?

  A. Copy the data so both EBS volumes contain all the documents

  B. Configure the Application Load Balancer to direct a user to the server with the documents

  C. Copy the data from both EBS volumes to Amazon EFS Modify the application to save new documents to Amazon EFS

  D. Configure the Application Load Balancer to send the request to both servers Return each document from the correct server

  Correct Answer: C

  https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html#how-it-works-ec2

  Amazon EFS provides file storage in the AWS Cloud. With Amazon EFS, you can create a file system, mount the file system on an Amazon EC2 instance, and then read and write data to and from your file system. You can mount an Amazon EFS file system in your VPC, through the Network File System versions 4.0 and 4.1 (NFSv4) protocol. We recommend using a current generation Linux NFSv4.1 client, such as those found in the latest Amazon Linux, Redhat, and Ubuntu AMIs, in conjunction with the Amazon EFS Mount Helper. For instructions, see Using the amazon-efs-utils Tools. For a list of Amazon EC2 Linux Amazon Machine Images (AMIs) that support this protocol, see NFS Support. For some AMIs, you'll need to install an NFS client to mount your file system on your Amazon EC2 instance. For instructions, see Installing the NFS Client. You can access your Amazon EFS file system concurrently from multiple NFS clients, so applications that scale beyond a single connection can access a file system. Amazon EC2 instances running in multiple Availability Zones within the same AWS Region can access the file system, so that many users can access and share a common data source. How Amazon EFS Works with Amazon EC2

  

  https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html#how-it-works-ec2

• Question 22:

  A data science team requires storage for nightly log processing. The size and number of logs is unknown and will persist for 24 hours only What is the MOST cost-effective solution?

  A. Amazon S3 Glacier

  B. Amazon S3 Standard

  C. Amazon S3 intelligent-Tiering

  D. Amazon S3 One Zone-Infrequent Access {S3 One Zone-IA)

  Correct Answer: B

• Question 23:

  A solutions architect is designing a two-tier web application The application consists of a public- facing web tier hosted on Amazon EC2 in public subnets The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet Security is a high priority for the company How should security groups be configured in this situation? (Select TWO )

  A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0 0 0 0/0

  B. Configure the security group for the web tier to allow outbound traffic on port 443 from 0 0 0 0/0

  C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier

  D. Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier

  E. Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier

  Correct Answer: AC

  "Security groups create an outbound rule for every inbound rule." Not completely right. Statefull does NOT mean that if you create an inbound (or outbound) rule, it will create an outbound (or inbound) rule. What it does mean is: suppose you create an inbound rule on port 443 for the X ip. When a request enters on port 443 from X ip, it will allow traffic out for that request in the port 443. However, if you look at the outbound rules, there will not be any outbound rule on port 443 unless explicitly create it. In ACLs, which are stateless, you would have to create an inbound rule to allow incoming requests and an outbound rule to allow your application responds to those incoming requests.

  https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGro upRules

• Question 24:

  A company's application is running on Amazon EC2 instances m a single Region in the event of a disaster a solutions architect needs to ensure that the resources can also be deployed to a second Region Which combination of actions should the solutions architect take to accomplish this? (Select TWO)

  A. Detach a volume on an EC2 instance and copy it to Amazon S3

  B. Launch a new EC2 instance from an Amazon Machine image (AMI) in a new Region

  C. Launch a new EC2 instance in a new Region and copy a volume from Amazon S3 to the new instance

  D. Copy an Amazon Machine Image (AMI) of an EC2 instance and specify a different Region for the destination

  E. Copy an Amazon Elastic Block Store (Amazon EBS) volume from Amazon S3 and launch an EC2 instance in the destination Region using that EBS volume

  Correct Answer: BD

  Cross Region EC2 AMI Copy

  We know that you want to build applications that span AWS Regions and we're working to provide you with the services and features needed to do so. We started out by launching the EBS Snapshot Copy feature late last year. This feature

  gave you the ability to copy a snapshot from Region to Region with just a couple of clicks. In addition, last month we made a significant reduction (26% to 83%) in the cost of transferring data between AWS Regions, making it less expensive

  to operate in more than one AWS region.

  Today we are introducing a new feature: Amazon Machine Image (AMI) Copy. AMI Copy enables you to easily copy your Amazon Machine Images between AWS Regions. AMI Copy helps enable several key scenarios including:

  Simple and Consistent Multi-Region Deployment ?You can copy an AMI from one region to another, enabling you to easily launch consistent instances based on the same AMI into different regions. Scalability You can more easily design and

  build world-scale applications that meet the needs of your users, regardless of their location.

  Performance

  You can increase performance by distributing your application and locating critical components of your application in closer proximity to your users. You can also take advantage of region-specific features such as instance types or other AWS

  services. Even Higher Availability You can design and deploy applications across AWS regions, to increase availability.

  Once the new AMI is in an Available state the copy is complete.

  https://aws.amazon.com/blogs/aws/ec2-ami-copy-between-regions/

• Question 25:

  A company runs an application on a group of Amazon Linux EC2 instances The application writes log files using standard API calls For compliance reasons, all log files must be retained indefinitely and will be analyzed by a reporting tool that must access all files concurrently Which storage service should a solutions architect use to provide the MOST cost-effective solution?

  A. Amazon EBS

  B. Amazon EFS

  C. Amazon EC2 instance store

  D. Amazon S3

  Correct Answer: D

  Amazon S3 Requests to Amazon S3 can be authenticated or anonymous. Authenticated access requires credentials that AWS can use to authenticate your requests. When making REST API calls directly from your code, you create a signature using valid credentials and include the signature in your request. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry- leading scalability, data availability, security, and performance. This means customers of all sizes and industries can use it to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon S3 provides easy-to-use management features so you can organize your data and configure finely-tuned access controls to meet your specific business, organizational, and compliance requirements. Amazon S3 is designed for 99.999999999% (11 9's) of durability, and stores data for millions of applications for companies all around the world. https://aws.amazon.com/s3/

• Question 26:

  Organizers for a global event want to put daily reports online as static HTML pages The pages are expected to generate millions of views from users around the world The files are stored in an Amazon S3 bucket A solutions architect has been asked to design an efficient and effective solution Which action should the solutions architect take to accomplish this?

  A. Generate presigned URLs for the files

  B. Use cross-Region replication to all Regions

  C. Use the geoproximity feature of Amazon Route 53

  D. Use Amazon CloudFront with the S3 bucket as its origin

  Correct Answer: D

  Using Amazon S3 Origins, MediaPackage Channels, and Custom Origins for Web Distributions Using Amazon S3 Buckets for Your Origin When you use Amazon S3 as an origin for your distribution, you place any objects that you want

  CloudFront to deliver in an Amazon S3 bucket. You can use any method that is supported by Amazon S3 to get your objects into Amazon S3, for example, the Amazon S3 console or API, or a third-party tool. You can create a hierarchy in

  your bucket to store the objects, just as you would with any other Amazon S3 bucket.

  Using an existing Amazon S3 bucket as your CloudFront origin server doesn't change the bucket in any way; you can still use it as you normally would to store and access Amazon S3 objects at the standard Amazon S3 price. You incur

  regular Amazon S3 charges for storing the objects in the bucket. Using Amazon S3 Buckets Configured as Website Endpoints for Your Origin You can set up an Amazon S3 bucket that is configured as a website endpoint as custom origin

  with CloudFront.

  When you configure your CloudFront distribution, for the origin, enter the Amazon S3 static website hosting endpoint for your bucket. This value appears in the Amazon S3 console, on the Properties tab, in the Static website hosting pane.

  For example:

  http://bucket-name.s3-website-region.amazonaws.com

  For more information about specifying Amazon S3 static website endpoints, see Website endpoints in the Amazon Simple Storage Service Developer Guide. When you specify the bucket name in this format as your origin, you can use

  Amazon S3 redirects and Amazon S3 custom error documents. For more information about Amazon S3 features, see the Amazon S3 documentation. Using an Amazon S3 bucket as your CloudFront origin server doesn't change it in any way.

  You can still use it as you normally would and you incur regular Amazon S3 charges.

  https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCust omOrigins.html

• Question 27:

  A web application is deployed in the AWS Cloud It consists of a two-tier architecture that includes a web layer and a database layer The web server is vulnerable to cross-site scripting (XSS) attacks What should a solutions architect do to remediate the vulnerability?

  A. Create a Classic Load Balancer Put the web layer behind the load balancer and enable AWS WAF

  B. Create a Network Load Balancer Put the web layer behind the load balancer and enable AWS WAF

  C. Create an Application Load Balancer Put the web layer behind the load balancer and enable AWS WAF

  D. Create an Application Load Balancer Put the web layer behind the load balancer and use AWS Shield Standard

  Correct Answer: C

  Working with cross-site scripting match conditions Attackers sometimes insert scripts into web requests in an effort to exploit vulnerabilities in web applications. You can create one or more cross-site scripting match conditions to identify the parts of web requests, such as the URI or the query string, that you want AWS WAF Classic to inspect for possible malicious scripts. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious scripts. Web Application Firewall

  You can now use AWS WAF to protect your web applications on your Application Load Balancers. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

  https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-xss-conditions.html https://aws.amazon.com/elasticloadbalancing/features/

• Question 28:

  A company has a three-tier image-sharing application it uses an Amazon EC2 instance for the front- end layer, another for the backend tier, and a third for the MySQL database A solutions architect has been tasked with designing a solution

  that is highly available, and requires the least amount of changes to the application.

  Which solution meets these requirements?

  A. Use Amazon S3 to host the front-end layer and AWS Lambda functions for the backend layer Move the database to an Amazon DynamoDB table and use Amazon S3 to store and serve users' images

  B. Use load-balanced Multi-AZ AWS Elastic Beanstalk environments for the front-end and backend layers Move the database to an Amazon RDS instance with multiple read replicas to store and serve users' images.

  C. Use Amazon S3 to host the front-end layer and a fleet of Amazon EC2 instances in an Auto Scaling group for the backend layer Move the database to a memory optimized instance type to store and serve users' images

  D. Use load-balanced Multi-AZ AWS Elastic Beanstalk environments for the front-end and backend layers Move the database to an Amazon RDS instance with a Multi-AZ deployment Use Amazon S3 to store and serve users' images

  Correct Answer: D

• Question 29:

  A company has deployed an API in a VPC behind an internet-facing Application Load Balancer (ALB). An application that consumes the API as a client is deployed in a second account in private subnets behind a NAT gateway. When requests to the client application increase, the NAT gateway costs are higher than expected. A solutions architect has configured the ALB to be internal.

  Which combination of architectural changes will reduce the NAT gateway costs? (Select TWO )

  A. Configure a VPC peering connection between the two VPCs. Access the API using the private address

  B. Configure an AWS Direct Connect connection between the two VPCs. Access the API using the private address.

  C. Configure a ClassicLink connection for the API into the client VPC Access the API using the ClassicLink address.

  D. Configure a PrivateLink connection for the API into the client VPC. Access the API using the PrivateLink address.

  E. Configure an AWS Resource Access Manager connection between the two accounts Access the API using the private address

  Correct Answer: DE

• Question 30:

  A solutions architect is optimizing a website for an upcoming musical event Videos of the performances will be streamed in real time and then will be available on demand The event is expected to attract a global online audience Which service will improve the performance of both the real-time and on-demand streaming?

  A. Amazon CloudFront

  B. AWS Global Accelerator

  C. Amazon Route 53

  D. Amazon S3 Transfer Acceleration

  Correct Answer: A