Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 1321:

  A company has an e-commerce site. The site is designed as a distributed web application hosted in multiple AWS accounts under one AWS Organizations organization. The web application is comprised of multiple microservices. All microservices expose their AWS services either through Amazon CloudFront distributions or public Application Load Balancers (ALBs). The company wants to protect public endpoints from malicious attacks and monitor security configurations.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Use AWS WAF to protect the public endpoints. Use AWS Firewall Manager from a dedicated security account to manage rules in AWS WAF. Use AWS Config rules to monitor the Regional and global WAF configurations.
  B. Use AWS WAF to protect the public endpoints. Apply AWS WAF rules in each account. Use AWS Config rules and AWS Security Hub to monitor the WAF configurations of the ALBs and the CloudFront distributions.
  C. Use AWS WAF to protect the public endpoints. Use AWS Firewall Manager from a dedicated security account to manage the rules in AWS WAF. Use Amazon Inspector and AWS Security Hub to monitor the WAF configurations of the ALBs and the CloudFront distributions.
  D. Use AWS Shield Advanced to protect the public endpoints. Use AWS Config rules to monitor the Shield Advanced configuration for each account.
  A. Use AWS WAF to protect the public endpoints. Use AWS Firewall Manager from a dedicated security account to manage rules in AWS WAF. Use AWS Config rules to monitor the Regional and global WAF configurations.

  ---

  Explanation

  Key Requirements:

  Protect public endpoints (CloudFront distributions and ALBs) from malicious attacks.

  Centralized management across multiple accounts in an organization.

  Ability to monitor security configurations effectively.

  Minimize operational overhead.

  Analysis of Options Option A:

  AWS WAF: Protects web applications by filtering and blocking malicious requests. Rules can be applied to both ALBs and CloudFront distributions.

  AWS Firewall Manager: Enables centralized management of WAF rules across multiple accounts in an AWS Organizations organization. It simplifies rule deployment, avoiding the need to configure rules individually in each account.

  AWS Config: Monitors compliance by using rules that check regional and global WAF configurations.

  Ensures that security configurations align with organizational policies.

  Operational Overhead: Centralized management and automated monitoring reduce the operational burden.

  Correct Approach: Meets all requirements with the least overhead.

  Option B:

  This approach involves applying WAF rules in each account manually.

  While AWS Config and AWS Security Hub provide monitoring capabilities, managing individual WAF configurations in multiple accounts introduces significant operational overhead.

  Incorrect Approach: Higher overhead compared to centralized management with AWS Firewall Manager.

  Option C:

  Similar to Option A but includes Amazon Inspector, which is not designed for monitoring WAF configurations.

  AWS Security Hub is appropriate for monitoring but is redundant when Firewall Manager and Config are already in use.

  Incorrect Approach: Adds unnecessary complexity and does not focus on monitoring WAF specifically.

  Option D:

  AWS Shield Advanced: Focuses on mitigating large-scale DDoS attacks but does not provide the fine-grained web application protection offered by WAF.

  AWS Config: Can monitor Shield Advanced configurations but does not fulfill the WAF monitoring requirements.

  Incorrect Approach: Does not address the need for WAF or centralized rule management.

  Why Option A is Correct

  Protection:

  AWS WAF provides fine-grained filtering and protection against SQL injection, cross-site scripting, and other web vulnerabilities.

  Rules can be applied at both ALBs and CloudFront distributions, covering all public endpoints.

  Centralized Management:

  AWS Firewall Manager enables security teams to centrally define and manage WAF rules across all accounts in the organization.

  Monitoring:

  AWS Config ensures compliance with WAF configurations by checking rules and generating alerts for misconfigurations.

  Operational Overhead:

  Centralized management via Firewall Manager and automated compliance monitoring via AWS Config greatly reduce manual effort.

  References:

  AWS WAF Documentation

  AWS Firewall Manager Documentation

  AWS Config Best Practices

  AWS Organizations Documentation

• Question 1322:

  A company is launching an application on AWS. The application uses an Application Load Balancer (ALB) to direct traffic to at least two Amazon EC2 instances in a single target group. The instances are in an Auto Scaling group for each environment. The company requires a development environment and a production environment. The production environment will have periods of high traffic.

  Which solution will configure the development environment MOST cost-effectively?

  A. Reconfigure the target group in the development environment to have only one EC2 instance as a target.
  B. Change the ALB balancing algorithm to least outstanding requests.
  C. Reduce the size of the EC2 instances in both environments.
  D. Reduce the maximum number of EC2 instances in the development environment's Auto Scaling group.
  D. Reduce the maximum number of EC2 instances in the development environment's Auto Scaling group.

• Question 1323:

  A company has a legacy mainframe system that can retrieve data only from systems that provide synchronous RESTful APIs. A developer at the company creates a new web service to calculate stock prices. The new web service takes 3 minutes on average to process each request. The developer must integrate the new web service with the legacy mainframe system.

  Which solution will meet these requirements?

  A. Deploy an Amazon API Gateway REST API. Integrate the REST API with an AWS Lambda function. Configure the legacy mainframe to use the REST API endpoint.
  B. Deploy an Amazon API Gateway HTTP API. Integrate the HTTP API with an AWS Lambda function. Configure the legacy mainframe to use the HTTP API endpoint.
  C. Deploy an Amazon API Gateway WebSocket API. Integrate the WebSocket API with an AWS Lambda function. Configure the legacy mainframe to use the WebSocket API endpoint.
  D. Configure a URL for an AWS Lambda function. Configure the legacy mainframe to use the Lambda function URL endpoint.
  A. Deploy an Amazon API Gateway REST API. Integrate the REST API with an AWS Lambda function. Configure the legacy mainframe to use the REST API endpoint.

  ---

  Explanation

  The correct answer is A because the legacy mainframe requires a synchronous RESTful API and the new service takes approximately 3 minutes to complete each request. Among the choices, Amazon API Gateway REST API is the appropriate option for exposing a synchronous REST endpoint to the mainframe. API Gateway REST APIs support longer integration timeouts than HTTP APIs, which makes them more suitable for workloads that take an extended time to process. The REST API can invoke an AWS Lambda function to execute the stock price calculation and return the result synchronously.

  Option B is incorrect because API Gateway HTTP APIs have a shorter integration timeout and are not the best fit for a request that takes around 3 minutes.

  Option C is incorrect because WebSocket APIs are not RESTful and do not meet the requirement for synchronous REST-based integration with the mainframe.

  Option D is incorrect because Lambda function URLs do not provide the same API management features and are not the best choice for a long-running synchronous enterprise integration requirement of this kind.

  AWS design guidance favors API Gateway when exposing managed APIs to external consumers. In this case, the REST API option best matches the requirement for synchronous RESTful access while supporting the longer processing duration. It also provides a managed front door for authentication, throttling, and operational control if the company needs those features later.

  One note of honesty: some exam versions treat the REST API timeout detail as the deciding factor here.

  That is the key reason REST API is preferred over HTTP API for this question.

• Question 1324:

  A solutions architect needs to connect a company's corporate network to its VPC to allow on-premises access to its AWS resources. The solution must provide encryption of all traffic between the corporate network and the VPC at the network layer and the session layer. The solution also must provide security controls to prevent unrestricted access between AWS and the on-premises systems.

  Which solution meets these requirements?

  A. Configure AWS Direct Connect to connect to the VPC. Configure the VPC route tables to allow and deny traffic between AWS and on premises as required.
  B. Create an IAM policy to allow access to the AWS Management Console only from a defined set of corporate IP addresses. Restrict user access based on job responsibility by using an IAM policy and roles.
  C. Configure AWS Site-to-Site VPN to connect to the VPConfigure route table entries to direct traffic from on premises to the VPConfigure instance security groups and network ACLs to allow only required traffic from on premises.
  D. Configure AWS Transit Gateway to connect to the VPC. Configure route table entries to direct traffic from on premises to the VPC. Configure instance security groups and network ACLs to allow only required traffic from on premises.
  C. Configure AWS Site-to-Site VPN to connect to the VPConfigure route table entries to direct traffic from on premises to the VPConfigure instance security groups and network ACLs to allow only required traffic from on premises.

• Question 1325:

  A company runs an on-premises application that is powered by a MySQL database. The company is migrating the application to AWS to increase the application's elasticity and availability. The current architecture shows heavy read activity on the database during times of normal operation. Every 4 hours, the company's development team pulls a full export of the production database to populate a database in the staging environment. During this period, users experience unacceptable application latency. The development team is unable to use the staging environment until the procedure completes.

  A solutions architect must recommend replacement architecture that alleviates the application latency issue. The replacement architecture also must give the development team the ability to continue using the staging environment without delay.

  Which solution meets these requirements?

  A. Use Amazon Aurora MySQL with Multi-AZ Aurora Replicas for production. Populate the staging database by implementing a backup and restore process that uses the mysqldump utility.
  B. Use Amazon Aurora MySQL with Multi-AZ Aurora Replicas for production. Use database cloning to create the staging database on-demand.
  C. Use Amazon RDS for MySQL with a Multi-AZ deployment and read replicas for production. Use the standby instance for the staging database.
  D. Use Amazon RDS for MySQL with a Multi-AZ deployment and read replicas for production. Populate the staging database by implementing a backup and restore process that uses the mysqldump utility.
  B. Use Amazon Aurora MySQL with Multi-AZ Aurora Replicas for production. Use database cloning to create the staging database on-demand.

• Question 1326:

  A company runs a public three-tier web application in a VPC. The application runs on Amazon EC2 instances across multiple Availability Zones. The EC2 instances that run in private subnets need to communicate with a license server over the internet. The company needs a managed solution that minimizes operational maintenance.

  Which solution meets these requirements?

  A. Provision a NAT instance in a public subnet. Modify each private subnet's route table with a default route that points to the NAT instance.
  B. Provision a NAT instance in a private subnet. Modify each private subnet's route table with a default route that points to the NAT instance.
  C. Provision a NAT gateway in a public subnet. Modify each private subnet's route table with a default route that points to the NAT gateway.
  D. Provision a NAT gateway in a private subnet. Modify each private subnet's route table with a default route that points to the NAT gateway.
  C. Provision a NAT gateway in a public subnet. Modify each private subnet's route table with a default route that points to the NAT gateway.

• Question 1327:

  A company needs to connect several VPCs in the us-east-1 Region that span hundreds of AWS accounts.

  The company's networking team has its own AWS account to manage the cloud network.

  What is the MOST operationally efficient solution to connect the VPCs?

  A. Set up VPC peering connections between each VPC. Update each associated subnet's route table
  B. Configure a NAT gateway and an internet gateway in each VPC to connect each VPC through the internet
  C. Create an AWS Transit Gateway in the networking team's AWS account. Configure static routes from each VPC.
  D. Deploy VPN gateways in each VPC. Create a transit VPC in the networking team's AWS account to connect to each VPC.
  C. Create an AWS Transit Gateway in the networking team's AWS account. Configure static routes from each VPC.

• Question 1328:

  An image-hosting company stores its objects in Amazon S3 buckets. The company wants to avoid accidental exposure of the objects in the S3 buckets to the public. All S3 objects in the entire AWS account need to remain private.

  Which solution will meet these requirements?

  A. Use Amazon GuardDuty to monitor S3 bucket policies. Create an automatic remediation action rule that uses an AWS Lambda function to remediate any change that makes the objects public.
  B. Use AWS Trusted Advisor to find publicly accessible S3 buckets. Configure email notifications in Trusted Advisor when a change is detected. Manually change the S3 bucket policy if it allows public access.
  C. Use AWS Resource Access Manager to find publicly accessible S3 buckets. Use Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function when a change is detected. Deploy a Lambda function that programmatically remediates the change.
  D. Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.
  D. Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.

• Question 1329:

  A solutions architect needs to design a solution for a high performance computing (HPC) workload. The solution must include multiple Amazon EC2 instances. Each EC2 instance requires 10 Gbps of bandwidth individually for single-flow traffic. The EC2 instances require an aggregate throughput of 100 Gbps of bandwidth across all EC2 instances. Communication between the EC2 instances must have low latency.

  Which solution will meet these requirements?

  A. Place the EC2 instances in a single subnet of a VPC. Configure a cluster placement group. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
  B. Place the EC2 instances in multiple subnets in a single VPC. Configure a spread placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
  C. Place the EC2 instances in multiple VPCs. Use AWS Transit Gateway to route traffic between the VPCs. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
  D. Place the EC2 instances in multiple subnets across multiple Availability Zones. Configure a cluster placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
  A. Place the EC2 instances in a single subnet of a VPC. Configure a cluster placement group. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.

  ---

  Explanation

  HPC workloads require high-throughput, low-latency networking, especially for tightly-coupled applications like weather modeling, genomics, or real-time rendering.

  A cluster placement group places instances in the same Availability Zone and on physically connected hardware, reducing network latency and increasing throughput.

  Elastic Fabric Adapter (EFA) is a network device for EC2 instances that enables low-latency, high-throughput networking using OS-bypass technology, ideal for tightly-coupled HPC applications.

  Each instance can support single-flow 10 Gbps bandwidth using EFA, and collectively, the cluster can achieve up to 100 Gbps aggregate throughput when properly configured.

  This solution supports the Performance Efficiency and Resilience design principles and is a standard AWS-recommended pattern for HPC.

  References:

  EC2 Placement Groups Elastic Fabric Adapter Overview Best Practices for HPC on AWS

• Question 1330:

  An ecommerce company wants to use machine learning (ML) algorithms to build and train models. The company will use the models to visualize complex scenarios and to detect trends in customer data. The architecture team wants to integrate its ML models with a reporting platform to analyze the augmented data and use the data directly in its business intelligence dashboards.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Use AWS Glue to create an ML transform to build and train models. Use Amazon OpenSearch Service to visualize the data.
  B. Use Amazon SageMaker to build and train models. Use Amazon QuickSight to visualize the data.
  C. Use a pre-built ML Amazon Machine Image (AMI) from the AWS Marketplace to build and train models. Use Amazon OpenSearch Service to visualize the data.
  D. Use Amazon QuickSight to build and train models by using calculated fields. Use Amazon QuickSight to visualize the data.
  B. Use Amazon SageMaker to build and train models. Use Amazon QuickSight to visualize the data.