A company has Amazon EC2 instances in multiple AWS Regions. The instances all store and retrieve confidential data from the same Amazon S3 bucket. The company wants to improve the security of its current architecture.
The company wants to ensure that only the Amazon EC2 instances within its VPC can access the S3 bucket.
The company must block all other access to the bucket.
Which solution will meet this requirement?
A. Use IAM policies to restrict access to the S3 bucket.
B. Use server-side encryption (SSE) to encrypt data in the S3 bucket at rest. Store the encryption key on the EC2 instances.
C. Create a VPC endpoint for Amazon S3. Configure an S3 bucket policy to allow connections only from the endpoint.
D. Use AWS Key Management Service (AWS KMS) with customer-managed keys to encrypt the data before sending the data to the S3 bucket.
C. Create a VPC endpoint for Amazon S3. Configure an S3 bucket policy to allow connections only from the endpoint.
Explanation
Creating a VPC endpoint for S3 and configuring a bucket policy to allow access only from the endpoint ensures that only EC2 instances within the VPC can access the S3 bucket. This solution improves security by restricting access at the network level without requiring public internet access.
Option A (IAM policies): IAM policies alone cannot restrict access based on the network location.
Options B and D (Encryption): Encryption secures data at rest but does not restrict network access to the bucket.
References:
Amazon S3 VPC Endpoints
Question 1382:
A company has an application that runs on Amazon EC2 instances in a private subnet. The application needs to process sensitive information from an Amazon S3 bucket. The application must not use the internet to connect to the S3 bucket.
Which solution will meet these requirements?
A. Configure an internet gateway. Update the S3 bucket policy to allow access from the internet gateway. Update the application to use the new internet gateway.
B. Configure a VPN connection. Update the S3 bucket policy to allow access from the VPN connection. Update the application to use the new VPN connection.
C. Configure a NAT gateway. Update the S3 bucket policy to allow access from the NAT gateway. Update the application to use the new NAT gateway.
D. Configure a VPC endpoint. Update the S3 bucket policy to allow access from the VPC endpoint. Update the application to use the new VPC endpoint.
D. Configure a VPC endpoint. Update the S3 bucket policy to allow access from the VPC endpoint. Update the application to use the new VPC endpoint.
Question 1383:
A company has applications that run in an organization in AWS Organizations. The company outsources operational support of the applications. The company needs to provide access for the external support engineers without compromising security. The external support engineers need access to the AWS Management Console. The external support engineers also need operating system access to the company's fleet of Amazon EC2 instances that run Amazon Linux in private subnets.
Which solution will meet these requirements MOST securely?
A. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM Identity Center to provide the external support engineers console access. Use Systems Manager Session Manager to assign the required permissions.
B. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use Systems Manager Session Manager to provide local IAM user credentials in each AWS account to the external support engineers for console access.
C. Confirm that all instances have a security group that allows SSH access only from the external support engineers' source IP address ranges. Provide local IAM user credentials in each AWS account to the external support engineers for console access. Provide each external support engineer an SSH key pair to log in to the application instances.
D. Create a bastion host in a public subnet. Set up the bastion host security group to allow access from only the external engineers' IP address ranges. Ensure that all instances have a security group that allows SSH access from the bastion host. Provide each external support engineer an SSH key pair to log in to the application instances. Provide local account IAM user credentials to the engineers for console access.
A. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM Identity Center to provide the external support engineers console access. Use Systems Manager Session Manager to assign the required permissions.
Question 1384:
A company's website hosted on Amazon EC2 instances processes classified data stored in Amazon S3.
Due to security concerns, the company requires a private and secure connection between its EC2 resources and Amazon S3.
Which solution meets these requirements?
A. Set up S3 bucket policies to allow access from a VPC endpoint.
B. Set up an IAM policy to grant read-write access to the S3 bucket.
C. Set up a NAT gateway to access resources outside the private subnet.
D. Set up an access key ID and a secret access key to access the S3 bucket.
A. Set up S3 bucket policies to allow access from a VPC endpoint.
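The first question on this page and Questions 1382 and 1384 all turn on the same control: a bucket policy that refuses every request that did not arrive through the VPC endpoint. The example below is added here and is not part of the original page or of any AWS documentation; it builds that policy and checks it against constructed request contexts with a minimal model of the aws:SourceVpce condition. The bucket name, the endpoint id and the request contexts are all constructed.

```python
"""Added example, not from the page: an S3 bucket policy that denies every
request not arriving through one VPC endpoint, and a minimal evaluator for
the aws:SourceVpce condition it relies on. Bucket name, endpoint id and
request contexts are constructed for the demonstration."""
import json

BUCKET = "example-confidential-bucket"      # constructed bucket name
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"   # constructed endpoint id


def build_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Explicit Deny on all S3 actions unless the request carries the
    expected aws:SourceVpce. An explicit Deny wins over any Allow, so an
    identity-based policy cannot bypass it, and requests that do not come
    through a VPC endpoint carry no aws:SourceVpce key at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def is_denied(policy: dict, request_context: dict) -> bool:
    """Simplified model of IAM evaluation for this policy only: a Deny
    statement applies when its StringNotEquals condition holds. As in IAM,
    a negated operator holds when the context key is absent, which is why
    internet and cross-VPC requests (no aws:SourceVpce) are denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            if request_context.get(key) != expected:
                return True
    return False


def policy_json(bucket: str = BUCKET, vpce_id: str = VPC_ENDPOINT_ID) -> str:
    """Render the policy as the JSON document you would attach to the bucket."""
    return json.dumps(build_bucket_policy(bucket, vpce_id), indent=2)


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, VPC_ENDPOINT_ID)
    print(policy_json())
    # Constructed request contexts: through the endpoint, through a different
    # endpoint, and from the public internet (no aws:SourceVpce key).
    for ctx in ({"aws:SourceVpce": VPC_ENDPOINT_ID},
                {"aws:SourceVpce": "vpce-0fedcba9876543210"},
                {}):
        print(ctx, "DENIED" if is_denied(policy, ctx) else "ALLOWED")
```

Two practical points: aws:SourceVpce accepts a list of endpoint ids, so several VPCs can be admitted by one statement, and because the Deny also applies to administrators, production policies usually carve out the administrative role (for example with an additional condition on aws:PrincipalArn) so the policy itself can still be edited.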
Question 1385:
A company has implemented a self-managed DNS service on AWS. The solution consists of the following:
1. Amazon EC2 instances in different AWS Regions
2. Endpoints of a standard accelerator in AWS Global Accelerator
The company wants to protect the solution against DDoS attacks.
What should a solutions architect do to meet this requirement?
A. Subscribe to AWS Shield Advanced. Add the accelerator as a resource to protect.
B. Subscribe to AWS Shield Advanced. Add the EC2 instances as resources to protect.
C. Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the accelerator.
D. Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the EC2 instances.
A. Subscribe to AWS Shield Advanced. Add the accelerator as a resource to protect.
Question 1386:
A company has a single AWS account. The company runs workloads on Amazon EC2 instances in multiple VPCs in one AWS Region. The company also runs workloads in an on-premises data center that connects to the company's AWS account by using AWS Direct Connect.
The company needs all EC2 instances in the VPCs to resolve DNS queries for the internal.example.com domain to the authoritative DNS server that is located in the on-premises data center. The solution must use private communication between the VPCs and the on-premises network. All route tables, network ACLs, and security groups are configured correctly between AWS and the on-premises data center.
Which combination of actions will meet these requirements? (Choose three.)
A. Create an Amazon Route 53 inbound endpoint in all the workload VPCs.
B. Create an Amazon Route 53 outbound endpoint in one of the workload VPCs.
C. Create an Amazon Route 53 Resolver rule with the Forward type configured to forward queries for internal.example.com to the on-premises DNS server.
D. Create an Amazon Route 53 Resolver rule with the System type configured to forward queries for internal.example.com to the on-premises DNS server.
E. Associate the Amazon Route 53 Resolver rule with all the workload VPCs.
F. Associate the Amazon Route 53 Resolver rule with the workload VPC with the new Route 53 endpoint.
B. Create an Amazon Route 53 outbound endpoint in one of the workload VPCs.
C. Create an Amazon Route 53 Resolver rule with the Forward type configured to forward queries for internal.example.com to the on-premises DNS server.
E. Associate the Amazon Route 53 Resolver rule with all the workload VPCs.
Explanation
To enable DNS resolution from AWS VPCs to on-premises DNS servers over Direct Connect or VPN, AWS recommends using Amazon Route 53 Resolver with outbound endpoints. An outbound endpoint allows DNS queries originating in the VPC to be forwarded to a customer-managed DNS server (e.g., on-prem). Next, a forwarding rule (Forward type) must be created to forward DNS queries for the custom domain internal.example.com to the on-premises DNS IP addresses.
This rule defines what domain names are forwarded and to which DNS servers.
Finally, the rule must be associated with all workload VPCs so that those VPCs use it. There is no need to deploy endpoints in every VPC: one outbound endpoint is sufficient and can be shared across VPCs through rule association.
References:
Route 53 Resolver Endpoints
Best practices for hybrid DNS resolution
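To make the three pieces of the answer (one outbound endpoint, one Forward rule, associations with every workload VPC) concrete, here is a small model of how Route 53 Resolver selects a rule for a query. This example is added here and is not part of the original page or of AWS's own tooling; the endpoint id, VPC ids, rule names and on-premises DNS addresses are constructed. The selection logic follows the documented behaviour that a rule only applies in VPCs it is associated with and that, when several rules match, the most specific domain name wins.

```python
"""Added example, not from the page: a small model of how Route 53 Resolver
chooses a rule for a query and where the query is sent. Endpoint id, VPC ids,
rule names and on-premises DNS addresses are constructed; the selection logic
follows the documented behaviour that a rule applies only in VPCs it is
associated with and that the most specific matching domain wins."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class OutboundEndpoint:
    endpoint_id: str
    vpc_id: str  # the single VPC that hosts the endpoint's network interfaces


@dataclass
class ResolverRule:
    name: str
    domain: str                        # applies to this name and its subdomains
    rule_type: str                     # "FORWARD" or "SYSTEM"
    target_ips: List[str] = field(default_factory=list)   # on-prem DNS servers
    endpoint_id: Optional[str] = None  # outbound endpoint used by FORWARD rules
    associated_vpcs: Set[str] = field(default_factory=set)


def domain_matches(rule_domain: str, qname: str) -> bool:
    """True when qname equals the rule domain or is a subdomain of it."""
    q, d = qname.rstrip(".").lower(), rule_domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def select_rule(rules: List[ResolverRule], vpc_id: str, qname: str) -> Optional[ResolverRule]:
    """Only rules associated with the querying VPC are considered; among the
    matches, the longest (most specific) domain name wins."""
    candidates = [r for r in rules
                  if vpc_id in r.associated_vpcs and domain_matches(r.domain, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(r.domain.rstrip(".")))


def resolve_plan(rules: List[ResolverRule], endpoints: List[OutboundEndpoint],
                 vpc_id: str, qname: str) -> Tuple[str, List[str], Optional[str]]:
    """Return (how, targets, exit_vpc): FORWARD through the outbound endpoint's
    VPC, or RESOLVER when the VPC's own resolver answers the query."""
    rule = select_rule(rules, vpc_id, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return ("RESOLVER", [], None)
    endpoint = {e.endpoint_id: e for e in endpoints}[rule.endpoint_id]
    return ("FORWARD", list(rule.target_ips), endpoint.vpc_id)


# Constructed topology: one outbound endpoint in vpc-a shared by three VPCs.
ENDPOINTS = [OutboundEndpoint("rslvr-out-example0001", "vpc-a")]
RULES = [
    ResolverRule("forward-internal", "internal.example.com", "FORWARD",
                 target_ips=["10.10.0.53", "10.10.1.53"],
                 endpoint_id="rslvr-out-example0001",
                 associated_vpcs={"vpc-a", "vpc-b", "vpc-c"}),
    # A SYSTEM rule for a more specific zone keeps those queries on the VPC
    # resolver (for example a private hosted zone) despite the broader FORWARD.
    ResolverRule("system-aws-zone", "aws.internal.example.com", "SYSTEM",
                 associated_vpcs={"vpc-a", "vpc-b", "vpc-c"}),
]

if __name__ == "__main__":
    for vpc, name in [("vpc-b", "db.internal.example.com"),
                      ("vpc-d", "db.internal.example.com"),   # not associated
                      ("vpc-c", "api.aws.internal.example.com"),
                      ("vpc-a", "www.example.com")]:
        print(vpc, name, resolve_plan(RULES, ENDPOINTS, vpc, name))
```

The second sample query shows why option E (associate the rule with all workload VPCs) is required: a VPC that is not associated with the rule never forwards, even though the endpoint exists. The first shows the point made in the explanation: vpc-b has no endpoint of its own, yet its query leaves through the endpoint in vpc-a.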
Question 1387:
A company wants to use an API to translate text from one language to another. The API must receive an HTTP header value and pass the value to an embedded library. The API translates documents in 6 minutes. The API requires a custom authorization mechanism.
Which solution will meet these requirements?
A. Configure an Amazon API Gateway REST API with AWS_PROXY integration to synchronously call an AWS Lambda function to perform translations.
B. Configure an AWS Lambda function with a Lambda function URL to synchronously call a second function to perform translations.
C. Configure an Amazon API Gateway REST API with AWS_PROXY integration to asynchronously call an AWS Lambda function to perform translations.
D. Configure an Amazon API Gateway REST API with HTTP PROXY integration to synchronously call a web endpoint that is hosted on an EC2 instance.
A. Configure an Amazon API Gateway REST API with AWS_PROXY integration to synchronously call an AWS Lambda function to perform translations.
Explanation
The AWS_PROXY integration with Amazon API Gateway allows the API to invoke a Lambda function synchronously, making it a suitable solution for the custom authorization mechanism and the text translation use case.
Synchronous Invocation: The API Gateway REST API with AWS_PROXY integration enables synchronous processing of HTTP requests and responses, which is required for document translation.
Custom Authorization: API Gateway supports custom authorizers for fine-grained access control.
Lambda Function Execution: Lambda's execution time limit is 15 minutes, which is sufficient for the 6-minute document translation requirement.
Why other options are not correct:
Option B: Introducing a Lambda function URL to invoke another Lambda function unnecessarily complicates the architecture. Not efficient.
Option D: Hosting the API on an EC2 instance increases operational overhead. HTTP PROXY integration does not add significant benefits here. Not cost-effective or efficient.
References:
API Gateway Lambda Proxy Integration: AWS Documentation - Proxy Integration
Custom Authorization in API Gateway: AWS Documentation - Custom Authorization
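The "custom authorization mechanism" in this question is what a Lambda REQUEST authorizer provides: API Gateway invokes it with the incoming headers and the method ARN, and it returns an IAM policy document that allows or denies execute-api:Invoke. The handler below is an added example, not code from the page or from AWS; the header name, the shared secret and the method ARN are constructed, and a real deployment would load the secret from an environment variable fed by Secrets Manager or Parameter Store rather than a literal.

```python
"""Added example, not from the page: an AWS Lambda REQUEST authorizer for an
API Gateway REST API. It reads a custom header, compares it with a shared
secret in constant time and returns the policy document API Gateway expects.
Header name, secret and method ARN are constructed for the demonstration."""
import hmac
import os
from typing import Optional

HEADER_NAME = "x-translate-token"  # constructed header name
# Constructed secret for the offline demo; in Lambda read it from an
# environment variable populated from Secrets Manager or Parameter Store.
SHARED_SECRET = os.environ.get("TRANSLATE_API_TOKEN", "demo-secret-do-not-use")


def get_header(event: dict, name: str) -> Optional[str]:
    """Header names are case-insensitive; API Gateway forwards the client's
    original casing, so compare case-insensitively."""
    for key, value in (event.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def build_policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """Shape of the authorizer response: principalId, an IAM policy for
    execute-api:Invoke, and optional context passed on to the integration
    as $context.authorizer.<key>."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
        "context": {"tokenValidated": effect == "Allow"},
    }


def lambda_handler(event: dict, context=None) -> dict:
    token = get_header(event, HEADER_NAME)
    method_arn = event["methodArn"]
    # compare_digest avoids leaking the secret through timing differences.
    if token is not None and hmac.compare_digest(token.encode(), SHARED_SECRET.encode()):
        return build_policy("translate-client", "Allow", method_arn)
    return build_policy("anonymous", "Deny", method_arn)


if __name__ == "__main__":
    # Constructed authorizer event as API Gateway would deliver it.
    sample_event = {
        "type": "REQUEST",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcd1234/prod/POST/translate",
        "headers": {"X-Translate-Token": SHARED_SECRET},
    }
    print(lambda_handler(sample_event)["policyDocument"]["Statement"][0]["Effect"])
```

Returning a Deny policy rather than raising an error gives the caller a 403 and lets API Gateway cache the decision per header value; raising `Exception("Unauthorized")` instead yields a 401 and no caching, which is the better choice when the header is absent altogether.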
Question 1388:
A company uses AWS WAF to protect its web applications. A solutions architect configures a web ACL that uses several rules, including a rule that inspects the HTTP request body for malicious content.
The solutions architect notices that the web ACL is not inspecting large HTTP POST requests properly. As a result, suspicious activities are not being detected. Some large HTTP POST requests are more than 8 MB in size.
The solutions architect must ensure that the web ACL inspects the large HTTP POST requests properly.
Which solution will meet this requirement?
A. Create two custom AWS WAF rules. Configure one rule to block all oversized requests. Configure the second rule with a higher priority to allow large requests from legitimate hosts.
B. Enable AWS Shield Advanced. Reconfigure the web ACL to block oversized requests by using Shield Advanced.
C. Verify that the Content-Type header is correctly set in the HTTP requests that AWS WAF rules inspect.
D. Create an AWS Lambda function to preprocess the large requests before AWS rules inspect the requests.
A. Create two custom AWS WAF rules. Configure one rule to block all oversized requests. Configure the second rule with a higher priority to allow large requests from legitimate hosts.
Explanation
AWS WAF has limits on how much of an HTTP request body it can inspect. When requests exceed the inspectable size, AWS WAF treats the body as oversize relative to the configured inspection limits, which can lead to rules not evaluating the entire body content. If suspicious payloads are embedded beyond the inspected portion of a large POST request (for example, > 8 MB), WAF cannot reliably detect them purely through body inspection rules.
Given this constraint, the most effective way to "ensure" proper protection is to implement an oversize handling strategy using AWS WAF rule logic: block oversized requests by default and then explicitly allow oversized requests only from known legitimate sources. Option A accomplishes this by adding a rule that blocks oversize requests (so attackers cannot bypass inspection by sending very large bodies) and a higher-priority allow rule to permit large requests from trusted hosts (for example, specific known partners, internal CIDRs, or authenticated upstream systems). This design reduces the attack surface and provides deterministic behavior for requests that cannot be fully inspected.
Option B is incorrect because Shield Advanced is for DDoS protection and does not extend WAF's request-body inspection size.
Option C is unrelated: Content-Type can influence application parsing, but it will not overcome WAF body-size inspection limitations.
Option D is not a practical fit for AWS WAF inspection because WAF evaluates requests at the edge/service layer; it does not natively "call Lambda to rewrite the request body" before WAF evaluates it. Any preprocessing would require a different architectural pattern (such as handling uploads out-of-band), which is beyond the scope and would add operational complexity.
Therefore, A is the correct approach: implement explicit oversized request handling by blocking by default and allowing only vetted large requests.
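Because the two rules only work in the right order (the allow for trusted sources must be evaluated before the blanket block), it is worth seeing the rule order evaluated. The code below is an added example, not from the page or from AWS: it writes the two rules in the AWS WAFv2 rule JSON shape and runs a minimal evaluator that walks a web ACL in priority order (the lower priority number is evaluated first, which is what "higher priority" means in Option A). The IP set ARN is a placeholder, the partner CIDR and sample requests are constructed, and the evaluator models only the statement types these two rules use.

```python
"""Added example, not from the page: Option A's two rules in AWS WAFv2 rule
JSON shape plus a minimal evaluator that walks a web ACL in priority order
(lower number first). IP set ARN is a placeholder; partner CIDR, thresholds
and sample requests are constructed; only the statement types used here are
modelled."""
import ipaddress
from typing import Dict, List

TRUSTED_IPSET_ARN = "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/trusted-partners/ID"  # placeholder
IP_SETS: Dict[str, List[str]] = {TRUSTED_IPSET_ARN: ["203.0.113.0/24"]}  # constructed partner range
OVERSIZE_BYTES = 8 * 1024 * 1024  # the 8 MB threshold the question mentions
# Real AWS WAF inspects only a bounded prefix of the body; the Body field's
# OversizeHandling setting decides how bodies beyond that bound are treated.
# This model sets the bound equal to the rule threshold for simplicity.
BODY_INSPECTION_LIMIT = OVERSIZE_BYTES


def oversize_body_statement() -> dict:
    """Size constraint on the request body; MATCH makes bodies that exceed the
    inspection bound count as a match instead of slipping past the rule."""
    return {
        "SizeConstraintStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
            "ComparisonOperator": "GT",
            "Size": OVERSIZE_BYTES,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }
    }


def web_acl_rules(allow_priority: int = 0, block_priority: int = 1) -> List[dict]:
    """Allow large bodies from trusted sources first, then block every other
    large body. Priorities are parameters so the wrong order can be tried."""
    return [
        {
            "Name": "AllowOversizeFromTrusted",
            "Priority": allow_priority,
            "Action": {"Allow": {}},
            "Statement": {"AndStatement": {"Statements": [
                {"IPSetReferenceStatement": {"ARN": TRUSTED_IPSET_ARN}},
                oversize_body_statement(),
            ]}},
        },
        {
            "Name": "BlockOversizeBody",
            "Priority": block_priority,
            "Action": {"Block": {}},
            "Statement": oversize_body_statement(),
        },
    ]


def _matches(statement: dict, request: dict) -> bool:
    if "AndStatement" in statement:
        return all(_matches(s, request) for s in statement["AndStatement"]["Statements"])
    if "IPSetReferenceStatement" in statement:
        ip = ipaddress.ip_address(request["source_ip"])
        cidrs = IP_SETS[statement["IPSetReferenceStatement"]["ARN"]]
        return any(ip in ipaddress.ip_network(c) for c in cidrs)
    if "SizeConstraintStatement" in statement:
        sc = statement["SizeConstraintStatement"]
        size = request["body_bytes"]
        handling = sc["FieldToMatch"]["Body"].get("OversizeHandling", "CONTINUE")
        if size > BODY_INSPECTION_LIMIT and handling in ("MATCH", "NO_MATCH"):
            return handling == "MATCH"
        return size > sc["Size"]  # only the GT operator is modelled
    raise ValueError(f"unsupported statement: {list(statement)}")


def evaluate(rules: List[dict], request: dict, default_action: str = "ALLOW") -> str:
    """First matching rule in priority order decides; otherwise the default."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], request):
            return "ALLOW" if "Allow" in rule["Action"] else "BLOCK"
    return default_action


if __name__ == "__main__":
    big, small = 9 * 1024 * 1024, 4096
    print(evaluate(web_acl_rules(), {"source_ip": "203.0.113.10", "body_bytes": big}))
    print(evaluate(web_acl_rules(), {"source_ip": "198.51.100.7", "body_bytes": big}))
    print(evaluate(web_acl_rules(), {"source_ip": "198.51.100.7", "body_bytes": small}))
    # Wrong order: the block is evaluated first and the trusted upload is lost.
    print(evaluate(web_acl_rules(allow_priority=2, block_priority=1),
                   {"source_ip": "203.0.113.10", "body_bytes": big}))
```

The last call is the failure mode to watch for when building the web ACL: with the block rule numbered lower than the allow rule, the trusted partner's large upload is blocked before the allow is ever evaluated.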
Question 1389:
A healthcare provider is planning to store patient data on AWS as PDF files. To comply with regulations, the company must encrypt the data and store the files in multiple locations. The data must be available for immediate access from any environment.
Which solution will meet these requirements?
A. Store the files in an Amazon S3 bucket. Use the Standard storage class. Enable server-side encryption with Amazon S3 managed keys (SSE-S3) on the bucket. Configure cross-Region replication on the bucket.
B. Store the files in an Amazon Elastic File System (Amazon EFS) volume. Use an AWS KMS managed key to encrypt the EFS volume. Use AWS DataSync to replicate the EFS volume to a second AWS Region.
C. Store the files in an Amazon Elastic Block Store (Amazon EBS) volume. Configure AWS Backup to back up the volume on a regular schedule. Use an AWS KMS key to encrypt the backups.
D. Store the files in an Amazon S3 bucket. Use the S3 Glacier Flexible Retrieval storage class. Ensure that all PDF files are encrypted by using client-side encryption before the files are uploaded. Configure cross-Region replication on the bucket.
A. Store the files in an Amazon S3 bucket. Use the Standard storage class. Enable server-side encryption with Amazon S3 managed keys (SSE-S3) on the bucket. Configure cross-Region replication on the bucket.
Explanation
Amazon S3 with the Standard storage class is the best solution:
Encryption: SSE-S3 ensures server-side encryption of the data, meeting compliance requirements.
Immediate access: The Standard storage class provides low-latency and high-throughput access to data.
Multi-location storage: Cross-Region replication ensures data is stored in multiple AWS Regions for redundancy.
Why other options are not correct:
Option B: Amazon EFS is more costly and suited to file systems rather than object storage. Not cost-effective.
Option C: Amazon EBS is block storage and not optimized for object storage like PDFs. Backup schedules do not ensure immediate availability. Not suitable.
Option D: S3 Glacier Flexible Retrieval is designed for archival, not immediate access. Does not meet the access requirements.
References:
Amazon S3 Standard Storage: AWS Documentation - S3 Storage Classes
A company wants to securely exchange data between its software as a service (SaaS) application Salesforce account and Amazon S3. The company must encrypt the data at rest by using AWS Key Management Service (AWS KMS) customer managed keys (CMKs). The company must also encrypt the data in transit. The company has enabled API access for the Salesforce account.
Which solution will meet these requirements?
A. Create AWS Lambda functions to transfer the data securely from Salesforce to Amazon S3.
B. Create an AWS Step Functions workflow. Define the task to transfer the data securely from Salesforce to Amazon S3.
C. Create Amazon AppFlow flows to transfer the data securely from Salesforce to Amazon S3.
D. Create a custom connector for Salesforce to transfer the data securely from Salesforce to Amazon S3.
C. Create Amazon AppFlow flows to transfer the data securely from Salesforce to Amazon S3.