Question 401:
A security audit reveals that Amazon EC2 instances are not being patched regularly. A solutions architect needs to provide a solution that will run regular security scans across a large fleet of EC2 instances. The solution should also patch the EC2 instances on a regular schedule and provide a report of each instance's patch status.
Which solution will meet these requirements?
A. Set up Amazon Macie to scan the EC2 instances for software vulnerabilities. Set up a cron job on each EC2 instance to patch the instance on a regular schedule.
B. Turn on Amazon GuardDuty in the account. Configure GuardDuty to scan the EC2 instances for software vulnerabilities. Set up AWS Systems Manager Session Manager to patch the EC2 instances on a regular schedule.
C. Set up Amazon Detective to scan the EC2 instances for software vulnerabilities. Set up an Amazon EventBridge scheduled rule to patch the EC2 instances on a regular schedule.
D. Turn on Amazon Inspector in the account. Configure Amazon Inspector to scan the EC2 instances for software vulnerabilities. Set up AWS Systems Manager Patch Manager to patch the EC2 instances on a regular schedule.
D. Turn on Amazon Inspector in the account. Configure Amazon Inspector to scan the EC2 instances for software vulnerabilities. Set up AWS Systems Manager Patch Manager to patch the EC2 instances on a regular schedule.
Question 402:
A company has hired an external vendor to perform work in the company's AWS account. The vendor uses an automated tool that is hosted in an AWS account that the vendor owns. The vendor does not have IAM access to the company's AWS account. The company needs to grant the vendor access to the company's AWS account.
Which solution will meet these requirements MOST securely?
A. Create an IAM role in the company's account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires.
B. Create an IAM user in the company's account with a password that meets the password complexity requirements. Attach the appropriate IAM policies to the user for the permissions that the vendor requires.
C. Create an IAM group in the company's account. Add the automated tool's IAM user from the vendor account to the group. Attach the appropriate IAM policies to the group for the permissions that the vendor requires.
D. Create an IAM user in the company's account that has a permission boundary that allows the vendor's account. Attach the appropriate IAM policies to the user for the permissions that the vendor requires.
A. Create an IAM role in the company's account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires.
Question 403:
A company needs a data encryption solution for a machine learning (ML) process. The solution must use an AWS managed service. The ML process currently reads a large number of objects in Amazon S3 that are encrypted by a customer-managed AWS KMS key. The current process incurs significant costs because of excessive calls to AWS Key Management Service (AWS KMS) to decrypt S3 objects. The company wants to reduce the costs of API calls to decrypt S3 objects.
Which solution will meet these requirements?
A. Switch from a customer managed KMS key to an AWS managed KMS key.
B. Remove the AWS KMS encryption from the S3 bucket. Use a bucket policy to encrypt the data instead.
C. Recreate the KMS key in AWS CloudHSM.
D. Use S3 Bucket Keys to perform server-side encryption with AWS KMS keys (SSE-KMS) to encrypt and decrypt objects from Amazon S3.
D. Use S3 Bucket Keys to perform server-side encryption with AWS KMS keys (SSE-KMS) to encrypt and decrypt objects from Amazon S3.
Explanation
Amazon S3 Bucket Keys reduce the cost of AWS KMS API requests by generating a data key at the bucket level instead of individually calling KMS for every object read or written. This approach is particularly effective when workloads, such as ML pipelines, involve reading large numbers of encrypted objects. Switching to AWS managed keys (A) does not reduce the frequency of API calls. Removing encryption (B) would violate compliance/security requirements. Using CloudHSM (C) adds cost and operational burden. Therefore, the correct solution is D -- enabling S3 Bucket Keys with SSE-KMS, which significantly reduces decryption costs while maintaining secure encryption.
References:
Amazon S3 User Guide -- Using S3 Bucket Keys for SSE-KMS
AWS KMS Developer Guide -- Cost optimization for KMS encryption
Question 404:
A company runs its application on an Oracle database. The company plans to quickly migrate to AWS because of limited resources for the database, backup administration, and data center maintenance. The application uses third-party database features that require privileged access.
Which solution will help the company migrate the database to AWS MOST cost-effectively?
A. Migrate the database to Amazon RDS for Oracle. Replace third-party features with cloud services.
B. Migrate the database to Amazon RDS Custom for Oracle. Customize the database settings to support third-party features.
C. Migrate the database to an Amazon EC2 Amazon Machine Image (AMI) for Oracle. Customize the database settings to support third-party features.
D. Migrate the database to Amazon RDS for PostgreSQL by rewriting the application code to remove dependency on Oracle APEX.
B. Migrate the database to Amazon RDS Custom for Oracle. Customize the database settings to support third-party features.
Question 405:
A company wants to run an in-memory database for a latency-sensitive application that runs on Amazon EC2 instances. The application processes more than 100,000 transactions each minute and requires high network throughput. A solutions architect needs to provide a cost-effective network design that minimizes data transfer charges.
Which solution meets these requirements?
A. Launch all EC2 instances in the same Availability Zone within the same AWS Region. Specify a placement group with cluster strategy when launching EC2 instances.
B. Launch all EC2 instances in different Availability Zones within the same AWS Region. Specify a placement group with partition strategy when launching EC2 instances.
C. Deploy an Auto Scaling group to launch EC2 instances in different Availability Zones based on a network utilization target.
D. Deploy an Auto Scaling group with a step scaling policy to launch EC2 instances in different Availability Zones.
A. Launch all EC2 instances in the same Availability Zone within the same AWS Region. Specify a placement group with cluster strategy when launching EC2 instances.
Question 406:
A company needs to provide a team of contractors with temporary access to the company's AWS resources for a short-term project. The contractors need different levels of access to AWS services. The company needs to revoke permissions for all the contractors when the project is finished.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS IAM to create a user account for each contractor. Attach policies that define access levels for the contractors to the user accounts. Manually deactivate the accounts when the project is finished.
B. Use AWS Security Token Service (AWS STS) to generate temporary credentials for the contractors. Provide the contractors access based on predefined roles. Set the access to automatically expire when the project is finished.
C. Configure AWS Config rules to monitor the contractors' access patterns. Use AWS Config rules to automatically revoke permissions that are not in use or that are too permissive.
D. Use AWS CloudTrail and custom Amazon EventBridge triggers to audit the contractors' actions. Adjust the permissions for each contractor based on activity logs.
B. Use AWS Security Token Service (AWS STS) to generate temporary credentials for the contractors. Provide the contractors access based on predefined roles. Set the access to automatically expire when the project is finished.
Explanation
AWS STS issues temporary credentials with automatically expiring permissions based on IAM roles. This eliminates the need to manually manage or deactivate IAM users.
"You can use AWS STS to grant temporary security credentials that automatically expire after a specified duration."
-- Temporary Security Credentials
This is the least operational overhead and follows AWS best practices for short-term access.
Question 407:
A solutions architect is creating a new Amazon CloudFront distribution for an application. Some of the information submitted by users is sensitive. The application uses HTTPS but needs another layer of security. The sensitive information should be protected throughout the entire application stack, and access to the information should be restricted to certain applications.
Which action should the solutions architect take?
A. Configure a CloudFront signed URL.
B. Configure a CloudFront signed cookie.
C. Configure a CloudFront field-level encryption profile.
D. Configure CloudFront and set the Origin Protocol Policy setting to HTTPS Only for the Viewer Protocol Policy.
C. Configure a CloudFront field-level encryption profile.
Question 408:
A company hosts its order processing system on AWS. The architecture consists of a frontend and a backend. The frontend includes an Application Load Balancer (ALB) and Amazon EC2 instances in an Auto Scaling group. The backend includes an EC2 instance and an Amazon RDS MySQL database.
To prevent incomplete or lost orders, the company wants to ensure that order states are always preserved.
The company wants to ensure that every order will eventually be processed, even after an outage or pause. Every order must be processed exactly once.
Which solution will meet these requirements?
A. Create an Auto Scaling group and an ALB for the backend. Create a read replica for the RDS database in a second Availability Zone. Update the backend RDS endpoint.
B. Create an Auto Scaling group and an ALB for the backend. Create an Amazon RDS proxy in front of the RDS database. Update the backend EC2 instance to use the Amazon RDS proxy endpoint.
C. Create an Auto Scaling group for the backend. Configure the backend EC2 instances to consume messages from an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Configure a dead-letter queue (DLQ) for the SQS queue.
D. Create an AWS Lambda function to replace the backend EC2 instance. Subscribe the function to an Amazon Simple Notification Service (Amazon SNS) topic. Configure the frontend to send orders to the SNS topic.
C. Create an Auto Scaling group for the backend. Configure the backend EC2 instances to consume messages from an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Configure a dead-letter queue (DLQ) for the SQS queue.
Explanation
Use SQS FIFO to durably persist orders, guarantee order processing semantics, and decouple producers and consumers. FIFO queues provide "exactly-once processing" with message deduplication and "preserve message order." Visibility timeouts and retries ensure messages are "processed eventually" without being lost; failed messages go to a DLQ for later reprocessing. This pattern aligns with Well-Architected reliability guidance to "queue work to protect against overload and failures" and to ensure "durable, idempotent processing" with retry and backoff. ALB, RDS Proxy, and read replicas (A, B) improve availability and connection management but do not guarantee durable handoff or exactly-once processing. SNS (D) is pub/sub and, as described in this option, provides neither FIFO semantics nor a per-subscription DLQ for exactly-once processing. Therefore, frontends write orders to an SQS FIFO queue; backend workers in an Auto Scaling group consume, process idempotently, and use a DLQ for poison messages to meet the "no lost orders," "eventual processing," and "exactly-once" requirements.
Question 409:
A company is looking for a solution that can store video archives in AWS from old news footage. The company needs to minimize costs and will rarely need to restore these files. When the files are needed, they must be available in a maximum of five minutes.
What is the MOST cost-effective solution?
A. Store the video archives in Amazon S3 Glacier and use Expedited retrievals.
B. Store the video archives in Amazon S3 Glacier and use Standard retrievals.
C. Store the video archives in Amazon S3 Standard-Infrequent Access (S3 Standard-IA).
D. Store the video archives in Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA).
A. Store the video archives in Amazon S3 Glacier and use Expedited retrievals.
Question 410:
A company is migrating its on-premises PostgreSQL database to Amazon Aurora PostgreSQL. The on-premises database must remain online and accessible during the migration. The Aurora database must remain synchronized with the on-premises database.
Which combination of actions must a solutions architect take to meet these requirements? (Choose two.)
A. Create an ongoing replication task.
B. Create a database backup of the on-premises database.
C. Create an AWS Database Migration Service (AWS DMS) replication server.
D. Convert the database schema by using the AWS Schema Conversion Tool (AWS SCT).
E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor the database synchronization.
A. Create an ongoing replication task.
C. Create an AWS Database Migration Service (AWS DMS) replication server.