A company is relocating its data center and wants to securely transfer 50 TB of data to AWS within 2 weeks. The existing data center has a Site-to-Site VPN connection to AWS that is 90% utilized.
Which AWS service should a solutions architect use to meet these requirements?
A. AWS DataSync with a VPC endpoint
B. AWS Direct Connect
C. AWS Snowball Edge Storage Optimized
D. AWS Storage Gateway
C. AWS Snowball Edge Storage Optimized
Question 212:
A company uses a set of Amazon EC2 instances to host a website. The website uses an Amazon S3 bucket to store images and media files.
The company wants to automate website infrastructure creation to deploy the website to multiple AWS Regions. The company also wants to provide the EC2 instances access to the S3 bucket so the instances can store and access data by using AWS Identity and Access Management (IAM).
Which solution will meet these requirements MOST securely?
A. Create an AWS CloudFormation template for the web server EC2 instances. Save an IAM access key in the UserData section of the AWS::EC2::Instance entity in the CloudFormation template.
B. Create a file that contains an IAM secret access key and access key ID. Store the file in a new S3 bucket. Create an AWS CloudFormation template. In the template, create a parameter to specify the location of the S3 object that contains the access key and access key ID.
C. Create an IAM role and an IAM access policy that allows the web server EC2 instances to access the S3 bucket. Create an AWS CloudFormation template for the web server EC2 instances that contains an IAM instance profile entity that references the IAM role and the IAM access policy.
D. Create a script that retrieves an IAM secret access key and access key ID from IAM and stores them on the web server EC2 instances. Include the script in the UserData section of the AWS::EC2::Instance entity in an AWS CloudFormation template.
C. Create an IAM role and an IAM access policy that allows the web server EC2 instances to access the S3 bucket. Create an AWS CloudFormation template for the web server EC2 instances that contains an IAM instance profile entity that references the IAM role and the IAM access policy.
Explanation
The most secure way to let EC2 instances access an S3 bucket is to use IAM roles. An IAM role is created with an access policy that grants only the required permissions (for example, read and write access to the S3 bucket). The role is then associated with the EC2 instances through an IAM instance profile.
By associating the role with the instances, the EC2 instances can securely assume the role and receive temporary credentials via the instance metadata service. This avoids the need to store credentials (such as access keys) on the instances or within the application, enhancing security and reducing the risk of credentials being exposed.
AWS CloudFormation can be used to automate the creation of the entire infrastructure, including EC2 instances, IAM roles, and associated policies.
References:
IAM Roles for EC2 Instances outlines the use of IAM roles for secure access to AWS services.
AWS CloudFormation User Guide details how to create and manage resources using CloudFormation templates.
Why the other options are incorrect:
Option A. Save IAM access key in UserData: This is insecure because it stores long-term credentials in the instance user data, which can be exposed.
Option B. Store access keys in S3: This is also insecure, as it involves managing and distributing long-term credentials, which should be avoided.
Option D. Retrieve access keys via a script: This approach is unnecessarily complex and less secure than using IAM roles, which provide temporary credentials automatically.
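The following CloudFormation template is an added example (not from the original page or the study guide) of the pattern in option C: a role trusted by EC2, a least-privilege policy scoped to one bucket, an instance profile that references the role, and an instance that uses the profile. The bucket name and AMI ID parameters and the resource names are assumptions; no access keys appear anywhere in the template.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Web server that reaches its S3 bucket through an IAM role (no static keys)

Parameters:
  MediaBucketName:
    Type: String
    Description: Existing S3 bucket that stores the images and media files (placeholder)
  WebServerAmiId:
    Type: AWS::EC2::Image::Id
    Description: AMI for the web server instances (supply your own)

Resources:
  # Role that only the EC2 service can assume; instances receive short-lived
  # credentials for it from the instance metadata service, nothing is stored on disk.
  WebServerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: MediaBucketAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Listing needs the bucket ARN; object operations need the object ARN.
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:${AWS::Partition}:s3:::${MediaBucketName}"
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub "arn:${AWS::Partition}:s3:::${MediaBucketName}/*"

  # The instance profile is the container that attaches the role to an instance.
  WebServerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref WebServerRole

  WebServerInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref WebServerAmiId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref WebServerInstanceProfile
      MetadataOptions:
        HttpTokens: required   # IMDSv2 only, so the role credentials need a session token
```

Deploying the same template in each Region gives every web server identical, auditable S3 permissions without a credential to rotate or leak.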
Question 213:
A company runs a mobile game app on AWS. The app stores data for every user session. The data updates frequently during a gaming session. The app stores up to 256 KB for each session. Sessions can last up to 48 hours. The company wants to automate the deletion of expired session data. The company must be able to restore all session data automatically if necessary.
Which solution will meet these requirements?
A. Use an Amazon DynamoDB table to store the session data. Enable point-in-time recovery (PITR) and TTL for the table. Select the corresponding attribute for TTL in the session data.
B. Use an Amazon MemoryDB table to store the session data. Enable point-in-time recovery (PITR) and TTL for the table. Select the corresponding attribute for TTL in the session data.
C. Store session data in an Amazon S3 bucket. Use the S3 Standard storage class. Enable S3 Versioning for the bucket. Create an S3 Lifecycle configuration to expire objects after 48 hours.
D. Store session data in an Amazon S3 bucket. Use the S3 Intelligent-Tiering storage class. Enable S3 Versioning for the bucket. Create an S3 Lifecycle configuration to expire objects after 48 hours.
A. Use an Amazon DynamoDB table to store the session data. Enable point-in-time recovery (PITR) and TTL for the table. Select the corresponding attribute for TTL in the session data.
Explanation
Amazon DynamoDB supports TTL (Time To Live) for automated, scheduled deletion of expired items. It also offers point-in-time recovery (PITR) to restore the table to any second within the retention window (typically up to 35 days), providing full data durability and protection. DynamoDB can efficiently handle frequent updates and offers predictable performance. MemoryDB is an in-memory store, not designed for durable recovery. S3 with lifecycle policies does not handle updates as efficiently for small, frequent writes and is not as optimal for session data.
References:
"DynamoDB supports TTL for automated expiration and deletion of items and PITR for continuous backups and restoration of data." Source: AWS Certified Solutions Architect Official Study Guide, DynamoDB section.
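As an added example (not from the original page or the study guide), this CloudFormation resource declares the session table from option A with TTL and PITR enabled; the table name, key name and the `expiresAt` attribute are assumptions.

```yaml
Resources:
  SessionTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: game-sessions          # assumed name
      BillingMode: PAY_PER_REQUEST      # frequent small updates, no capacity planning
      AttributeDefinitions:
        - AttributeName: sessionId
          AttributeType: S
      KeySchema:
        - AttributeName: sessionId
          KeyType: HASH
      # The app writes expiresAt as a Number holding a Unix epoch time in seconds
      # (session start + 48 h). DynamoDB deletes items after that time passes;
      # deletion is a background process, so expired items can still be read for a while.
      TimeToLiveSpecification:
        AttributeName: expiresAt
        Enabled: true
      # Continuous backups: the table can be restored to any second in the
      # retention window. A restore always creates a new table; it does not
      # overwrite this one, so the application must be pointed at the restored table.
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      # Server-side encryption at rest with the AWS owned key.
      SSESpecification:
        SSEEnabled: true
```

Items that TTL removes can still be recovered through PITR while they fall inside the retention window, which is what satisfies the "restore all session data" requirement.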
Question 214:
A company has an internal application that runs on Amazon EC2 instances in an Auto Scaling group. The EC2 instances are compute optimized and use Amazon Elastic Block Store (Amazon EBS) volumes.
The company wants to identify cost optimizations across the EC2 instances, the Auto Scaling group, and the EBS volumes.
Which solution will meet these requirements with the MOST operational efficiency?
A. Create a new AWS Cost and Usage Report. Search the report for cost recommendations for the EC2 instances, the Auto Scaling group, and the EBS volumes.
B. Create new Amazon CloudWatch billing alerts. Check the alert statuses for cost recommendations for the EC2 instances, the Auto Scaling group, and the EBS volumes.
C. Configure AWS Compute Optimizer for cost recommendations for the EC2 instances, the Auto Scaling group, and the EBS volumes.
D. Configure AWS Compute Optimizer for cost recommendations for the EC2 instances. Create a new AWS Cost and Usage Report. Search the report for cost recommendations for the Auto Scaling group and the EBS volumes.
C. Configure AWS Compute Optimizer for cost recommendations for the EC2 instances, the Auto Scaling group and the EBS volumes.
Question 215:
A global ecommerce company uses a monolithic architecture. The company needs a solution to manage the increasing volume of product data. The solution must be scalable and have a modular service architecture. The company needs to maintain its structured database schemas. The company also needs a storage solution to store product data and product images.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use an Amazon EC2 instance in an Auto Scaling group to deploy a containerized application. Use an Application Load Balancer to distribute web traffic. Use an Amazon RDS DB instance to store product data and product images.
B. Use AWS Lambda functions to manage the existing monolithic application. Use Amazon DynamoDB to store product data and product images. Use Amazon Simple Notification Service (Amazon SNS) for event-driven communication between the Lambda functions.
C. Use Amazon Elastic Kubernetes Service (Amazon EKS) with an Amazon EC2 deployment to deploy a containerized application. Use an Amazon Aurora cluster to store the product data. Use AWS Step Functions to manage workflows. Store the product images in Amazon S3 Glacier Deep Archive.
D. Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate to deploy a containerized application. Use Amazon RDS with a Multi-AZ deployment to store the product data. Store the product images in an Amazon S3 bucket.
D. Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate to deploy a containerized application. Use Amazon RDS with a Multi-AZ deployment to store the product data. Store the product images in an Amazon S3 bucket.
Question 216:
A company needs a solution to give customers the ability to upload encrypted files to a directory in an Amazon S3 bucket by using SFTP. After customers upload files, the solution must automatically decrypt the files and move them to a second directory within the same S3 bucket for downstream processing.
The solution must not require authentication services. The solution must fully automate all post-upload operations and require minimal ongoing operational overhead.
Which solution will meet these requirements? (Choose three.)
A. Use AWS Transfer Family with the SFTP protocol. Configure the S3 bucket as the home directory for uploaded files.
B. Use an S3 event notification to invoke an AWS Lambda function that moves uploaded files between folders.
C. Use an AWS Transfer Family workflow and a DECRYPT action to decrypt uploaded files.
D. Tag incoming S3 objects. Periodically query objects by using an external script that runs in a container.
E. Use an AWS Transfer Family workflow and a COPY action to move files to a new directory within the S3 bucket after decryption.
F. Use an AWS Batch job to poll the S3 bucket and run a decryption script on new files.
A. Use AWS Transfer Family with the SFTP protocol. Configure the S3 bucket as the home directory for uploaded files.
C. Use an AWS Transfer Family workflow and a DECRYPT action to decrypt uploaded files.
E. Use an AWS Transfer Family workflow and a COPY action to move files to a new directory within the S3 bucket after decryption.
Explanation
The correct answers are A, C, and E because the company needs a fully managed solution for SFTP uploads to Amazon S3, followed by automatic decryption and movement of files to another directory with minimal operational overhead. AWS Transfer Family is the best fit because it provides a managed SFTP endpoint directly integrated with Amazon S3. Configuring the S3 bucket as the home directory enables customers to upload files without the company needing to manage its own file transfer servers.
The requirement to avoid separate authentication services and minimize operational work is well served by native AWS Transfer Family workflows. A workflow can automatically run post-upload steps on files as they arrive. The DECRYPT action is specifically designed to decrypt uploaded encrypted files as part of the managed workflow. After decryption, the COPY action can place the processed file into the second directory in the same S3 bucket for downstream processing.
Option B is less appropriate because using S3 events and Lambda adds custom orchestration where a native Transfer Family workflow already handles the need more simply.
Option D is incorrect because polling with an external script introduces unnecessary infrastructure and operational overhead.
Option F is also incorrect because AWS Batch polling and custom decryption logic is far more complex than a managed file-transfer workflow.
AWS best practices favor managed services and native workflow features to reduce custom code and infrastructure management. Therefore, the best solution is to use AWS Transfer Family for SFTP uploads, along with Transfer Family workflow DECRYPT and COPY actions to automate the full post-upload process.
Question 217:
A company has a popular gaming platform running on AWS. The application is sensitive to latency because latency can impact the user experience and introduce unfair advantages to some players. The application is deployed in every AWS Region. It runs on Amazon EC2 instances that are part of Auto Scaling groups configured behind Application Load Balancers (ALBs). A solutions architect needs to implement a mechanism to monitor the health of the application and redirect traffic to healthy endpoints.
Which solution meets these requirements?
A. Configure an accelerator in AWS Global Accelerator. Add a listener for the port that the application listens on, and attach it to a Regional endpoint in each Region. Add the ALB as the endpoint.
B. Create an Amazon CloudFront distribution and specify the ALB as the origin server. Configure the cache behavior to use origin cache headers. Use AWS Lambda functions to optimize the traffic.
C. Create an Amazon CloudFront distribution and specify Amazon S3 as the origin server. Configure the cache behavior to use origin cache headers. Use AWS Lambda functions to optimize the traffic.
D. Configure an Amazon DynamoDB database to serve as the data store for the application. Create a DynamoDB Accelerator (DAX) cluster to act as the in-memory cache for DynamoDB hosting the application data.
A. Configure an accelerator in AWS Global Accelerator. Add a listener for the port that the application listens on, and attach it to a Regional endpoint in each Region. Add the ALB as the endpoint.
Question 218:
A solutions architect is designing the architecture for a two-tier web application. The web application consists of an internet-facing Application Load Balancer (ALB) that forwards traffic to an Auto Scaling group of Amazon EC2 instances.
The EC2 instances must be able to access an Amazon RDS database. The company does not want to rely solely on security groups or network ACLs. Only the minimum resources that are necessary should be routable from the internet.
Which network design meets these requirements?
A. Place the ALB, EC2 instances, and RDS database in private subnets.
B. Place the ALB in public subnets. Place the EC2 instances and RDS database in private subnets.
C. Place the ALB and EC2 instances in public subnets. Place the RDS database in private subnets.
D. Place the ALB outside the VPC. Place the EC2 instances and RDS database in private subnets.
B. Place the ALB in public subnets. Place the EC2 instances and RDS database in private subnets.
Explanation
The ALB must be in a public subnet to receive internet traffic. The EC2 instances and the RDS database should be in private subnets to prevent direct internet access, minimizing the attack surface. This aligns with AWS security best practices for web application architectures.
References:
"Internet-facing ALBs should be placed in public subnets. EC2 instances and RDS databases should be in private subnets to restrict direct internet access." Source: AWS Certified Solutions Architect Official Study Guide, Network Security and Design section.
Question 219:
A media company uses an Amazon CloudFront distribution to deliver content over the internet. The company wants only premium customers to have access to the media streams and file content. The company stores all content in an Amazon S3 bucket. The company also delivers content on demand to customers for a specific purpose, such as movie rentals or music downloads.
Which solution will meet these requirements?
A. Generate and provide S3 signed cookies to premium customers.
B. Generate and provide CloudFront signed URLs to premium customers.
C. Use origin access control (OAC) to limit the access of non-premium customers.
D. Generate and activate field-level encryption to block non-premium customers.
B. Generate and provide CloudFront signed URLs to premium customers.
Question 220:
A company deploys Amazon EC2 instances that run in a VPC. The EC2 instances load source data into Amazon S3 buckets so that the data can be processed in the future. According to compliance laws, the data must not be transmitted over the public internet. Servers in the company's on-premises data center will consume the output from an application that runs on the EC2 instances.
Which solution will meet these requirements?
A. Deploy an interface VPC endpoint for Amazon EC2. Create an AWS Site-to-Site VPN connection between the company and the VPC.
B. Deploy a gateway VPC endpoint for Amazon S3. Set up an AWS Direct Connect connection between the on-premises network and the VPC.
C. Set up an AWS Transit Gateway connection from the VPC to the S3 buckets. Create an AWS Site-to-Site VPN connection between the company and the VPC.
D. Set up proxy EC2 instances that have routes to NAT gateways. Configure the proxy EC2 instances to fetch S3 data and feed the application instances.
B. Deploy a gateway VPC endpoint for Amazon S3. Set up an AWS Direct Connect connection between the on-premises network and the VPC.