A company recently migrated its entire IT environment to the AWS Cloud. The company discovers that users are provisioning oversized Amazon EC2 instances and modifying security group rules without using the appropriate change control process. A solutions architect must devise a strategy to track and audit these inventory and configuration changes.
Which actions should the solutions architect take to meet these requirements? (Choose two.)
A. Enable AWS CloudTrail and use it for auditing.
B. Use data lifecycle policies for the Amazon EC2 instances.
C. Enable AWS Trusted Advisor and reference the security dashboard.
D. Enable AWS Config and create rules for auditing and compliance purposes.
E. Restore previous resource configurations with an AWS CloudFormation template.
A. Enable AWS CloudTrail and use it for auditing.
D. Enable AWS Config and create rules for auditing and compliance purposes.
Question 1252:
A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses.
Downtime is not acceptable for the website.
Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)
A. Use AWS Shield Advanced to stop the DDoS attack.
B. Configure Amazon GuardDuty to automatically block the attackers.
C. Configure the website to use Amazon CloudFront for both static and dynamic content.
D. Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
E. Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization.
A. Use AWS Shield Advanced to stop the DDoS attack.
C. Configure the website to use Amazon CloudFront for both static and dynamic content.
Question 1253:
A company uses Amazon S3 as its data lake. The company has a new partner that must use SFTP to upload data files.
A solutions architect needs to implement a highly available SFTP solution that minimizes operational overhead.
Which solution will meet these requirements?
A. Use AWS Transfer Family to configure an SFTP-enabled server with a publicly accessible endpoint. Choose the S3 data lake as the destination.
B. Use Amazon S3 File Gateway as an SFTP server. Expose the S3 File Gateway endpoint URL to the new partner. Share the S3 File Gateway endpoint with the new partner.
C. Launch an Amazon EC2 instance in a private subnet in a VPC. Instruct the new partner to upload files to the EC2 instance by using a VPN. Run a cron job script on the EC2 instance to upload files to the S3 data lake.
D. Launch Amazon EC2 instances in a private subnet in a VPC. Place a Network Load Balancer (NLB) in front of the EC2 instances. Create an SFTP listener port for the NLB. Share the NLB hostname with the new partner. Run a cron job script on the EC2 instances to upload files to the S3 data lake.
A. Use AWS Transfer Family to configure an SFTP-enabled server with a publicly accessible endpoint. Choose the S3 data lake as the destination.
Question 1254:
A company is developing a serverless web application that gives users the ability to interact with real-time analytics from online games. The data from the games must be streamed in real time. The company needs a durable, low-latency database option for user data. The company does not know how many users will use the application. Any design considerations must provide response times of single-digit milliseconds as the application scales.
Which combination of AWS services will meet these requirements? (Choose two.)
A. Amazon CloudFront
B. Amazon DynamoDB
C. Amazon Kinesis
D. Amazon RDS
E. AWS Global Accelerator
B. Amazon DynamoDB
C. Amazon Kinesis
Explanation
Amazon Kinesis allows real-time ingestion of game events at scale, while Amazon DynamoDB provides millisecond-latency access to user data, automatically scaling with demand. This combination ensures real-time processing and fast data retrieval without managing infrastructure.
References:
AWS Documentation: Real-Time Processing with Kinesis and Low-Latency Databases with DynamoDB
Question 1255:
An ecommerce company uses Amazon Route 53 as its DNS provider. The company hosts its website on premises and in the AWS Cloud. The company's on-premises data center is near the us-west-1 Region.
The company uses the eu-central-1 Region to host the website. The company wants to minimize load time for the website as much as possible.
Which solution will meet these requirements?
A. Set up a geolocation routing policy. Send the traffic that is near us-west-1 to the on-premises data center. Send the traffic that is near eu-central-1 to eu-central-1.
B. Set up a simple routing policy that routes all traffic that is near eu-central-1 to eu-central-1 and routes all traffic that is near the on-premises data center to the on-premises data center.
C. Set up a latency routing policy. Associate the policy with us-west-1.
D. Set up a weighted routing policy. Split the traffic evenly between eu-central-1 and the on-premises data center.
A. Set up a geolocation routing policy. Send the traffic that is near us-west-1 to the on-premises data center. Send the traffic that is near eu-central-1 to eu-central-1.
Question 1256:
A company's application is running on Amazon EC2 instances within an Auto Scaling group behind an Elastic Load Balancing (ELB) load balancer. Based on the application's history, the company anticipates a spike in traffic during a holiday each year. A solutions architect must design a strategy to ensure that the Auto Scaling group proactively increases capacity to minimize any performance impact on application users.
Which solution will meet these requirements?
A. Create an Amazon CloudWatch alarm to scale up the EC2 instances when CPU utilization exceeds 90%.
B. Create a recurring scheduled action to scale up the Auto Scaling group before the expected period of peak demand.
C. Increase the minimum and maximum number of EC2 instances in the Auto Scaling group during the peak demand period.
D. Configure an Amazon Simple Notification Service (Amazon SNS) notification to send alerts when there are autoscaling:EC2_INSTANCE_LAUNCH events.
B. Create a recurring scheduled action to scale up the Auto Scaling group before the expected period of peak demand.
Question 1257:
A company is developing a monolithic Microsoft Windows-based application that will run on Amazon EC2 instances. The application will run long data-processing jobs that must not be interrupted. The company has modeled expected usage growth for the next 3 years. The company wants to optimize costs for the EC2 instances during the 3-year growth period.
Which solution will meet these requirements?
A. Purchase a Compute Savings Plan with a 3-year commitment. Adjust the hourly commitment based on the plan recommendations.
B. Purchase an EC2 Instance Savings Plan with a 3-year commitment. Adjust the hourly commitment based on the plan recommendations.
C. Purchase a Compute Savings Plan with a 1-year commitment. Renew the purchase and adjust the capacity each year as necessary.
D. Deploy the application on EC2 Spot Instances. Use an Auto Scaling group with a minimum size of 1 to ensure that the application is always running.
A. Purchase a Compute Savings Plan with a 3-year commitment. Adjust the hourly commitment based on the plan recommendations.
Explanation
For steady, predictable EC2 usage with potential changes in instance families over time, AWS recommends Savings Plans. Compute Savings Plans "apply to any EC2 instance regardless of region, instance family, operating system, or tenancy," and also apply to AWS Fargate and AWS Lambda, delivering the most flexibility over a multi-year horizon. A 3-year term provides the highest discount among Savings Plans for long-lived workloads. EC2 Instance Savings Plans are limited to a chosen instance family in a region; as needs evolve (e.g., size or family changes), discounts may not fully apply. Spot Instances are not appropriate for long, interruption-sensitive jobs because Spot capacity can be reclaimed with short notice. Therefore, a Compute Savings Plan (3-year) best matches cost optimization with flexibility for growth and changes.
References:
AWS Cost Management -- Savings Plans (Compute vs. EC2 Instance), EC2 purchasing options guidance, Well-Architected Cost Optimization (choose pricing models to match workload).
Question 1258:
A company is running a microservices application on Amazon EC2 instances. The company wants to migrate the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for scalability. The company must configure the Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance. The company must also put the data plane in private subnets. However, the company has received error notifications because the node cannot join the cluster.
Which solution will allow the node to join the cluster?
A. Grant the required permission in AWS Identity and Access Management (IAM) to the AmazonEKSNodeRole IAM role.
B. Create interface VPC endpoints to allow nodes to access the control plane.
C. Recreate nodes in the public subnet. Restrict security groups for EC2 nodes.
D. Allow outbound traffic in the security group of the nodes.
B. Create interface VPC endpoints to allow nodes to access the control plane.
Question 1259:
A company wants to deploy an AWS Lambda function that will read and write objects to an Amazon S3 bucket. The Lambda function must be connected to the company's VPC. The company must deploy the Lambda function only to private subnets in the VPC. The Lambda function must not be allowed to access the internet.
Which solutions will meet these requirements? (Choose two.)
A. Create a private NAT gateway to access the S3 bucket.
B. Attach an Elastic IP address to the NAT gateway.
C. Create a gateway VPC endpoint for the S3 bucket.
D. Create an interface VPC endpoint for the S3 bucket.
E. Create a public NAT gateway to access the S3 bucket.
C. Create a gateway VPC endpoint for the S3 bucket.
D. Create an interface VPC endpoint for the S3 bucket.
Question 1260:
A company has deployed a non-production Amazon EC2 instance by using an Amazon Linux AMI in a private subnet. The company wants to allow a group of developers to connect to the EC2 instance remotely by using SSH without exposing the EC2 instance to the internet. The developers must be able to connect to the EC2 instance through the AWS Management Console.
Which solution will meet these requirements?
A. Create a VPC endpoint for AWS Systems Manager in the same subnet as the EC2 instance. Allow inbound access from the endpoint security group to the EC2 instance security group on port 22. Create an IAM role for the EC2 instance and attach the AmazonSSMManagedInstanceCore policy.
B. Create an EC2 Instance Connect Endpoint in the same subnet as the EC2 instance. Attach a security group to the endpoint that allows inbound connections on port 443. Assign the AmazonEC2InstanceConnect IAM managed policy to the group of developers.
C. Create an EC2 Instance Connect Endpoint in the same subnet as the EC2 instance. Attach a security group to the endpoint that allows inbound connections on port 22. Assign the AmazonEC2InstanceConnect IAM managed policy to the group of developers.
D. Create a VPC endpoint for AWS Systems Manager in the same subnet as the EC2 instance. Allow inbound access from the endpoint security group to the EC2 instance security group on port 443. Create an IAM role for the EC2 instance and attach the AmazonSSMReadOnlyAccess policy.
B. Create an EC2 Instance Connect Endpoint in the same subnet as the EC2 instance. Attach a security group to the endpoint that allows inbound connections on port 443. Assign the AmazonEC2InstanceConnect IAM managed policy to the group of developers.
Explanation
The requirements specify SSH access, no internet exposure, and connection through the AWS Management Console. The AWS-native solution designed specifically for this use case is EC2 Instance Connect Endpoint (EICE).
Option B correctly implements this approach. EC2 Instance Connect Endpoint enables secure SSH access to EC2 instances in private subnets without requiring a bastion host, public IP address, or inbound internet access. Developers authenticate through the AWS Management Console, and the connection is established over HTTPS (port 443), which is why the security group must allow inbound traffic on port 443.
The AmazonEC2InstanceConnect IAM managed policy grants developers permission to push temporary SSH keys to the instance, ensuring short-lived, auditable access that aligns with AWS security best practices. This approach significantly reduces attack surface and operational complexity.
Options A and D incorrectly attempt to use AWS Systems Manager for SSH access on port 22. Systems Manager Session Manager does not use SSH; it operates over port 443 without opening any inbound ports on the instance.
Option C is incorrect because EC2 Instance Connect Endpoint does not accept inbound connections on port 22; SSH traffic is tunneled through the endpoint using HTTPS. Therefore, B is the correct solution because it provides secure, console-based SSH access to private EC2 instances with minimal infrastructure and maximum security.