Amazon Amazon Certifications SAA-C03 Questions & Answers

• Question 481:

  A social media company runs its application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. The application has more than a billion images stored in an Amazon S3 bucket and processes thousands of images each second. The company wants to resize the images dynamically and serve appropriate formats to clients.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Install an external image management library on an EC2 instance. Use the image management library to process the images.

  B. Create a CloudFront origin request policy. Use the policy to automatically resize images and to serve the appropriate format based on the User-Agent HTTP header in the request.

  C. Use a Lambda@Edge function with an external image management library. Associate the Lambda@Edge function with the CloudFront behaviors that serve the images.

  D. Create a CloudFront response headers policy. Use the policy to automatically resize images and to serve the appropriate format based on the User-Agent HTTP header in the request.

  Correct Answer: C

  Lambda@Edge is a service that allows you to run Lambda functions at CloudFront edge locations. It can be used to modify requests and responses that flow through CloudFront. CloudFront origin request policy is a policy that controls the values (URL query strings, HTTP headers, and cookies) that are included in requests that CloudFront sends to the origin. It can be used to collect additional information at the origin or to customize the origin response. CloudFront response headers policy is a policy that specifies the HTTP headers that CloudFront removes or adds in responses that it sends to viewers. It can be used to add security or custom headers to responses. Based on these definitions, the solution that will meet the requirements with the least operational overhead is:

  C. Use a Lambda@Edge function with an external image management library. Associate the Lambda@Edge function with the CloudFront behaviors that serve the images. This solution would allow the application to use a Lambda@Edge function to resize the images dynamically and serve appropriate formats to clients based on the User-Agent HTTP header in the request. The Lambda@Edge function would run at the edge locations, reducing latency and load on the origin. The application code would only need to include an external image management library that can perform image manipulation tasks1.

• Question 482:

  An ecommerce company stores terabytes of customer data in the AWS Cloud. The data contains personally identifiable information (Pll). The company wants to use the data in three applications. Only one of the applications needs to process

  the Pll. The Pll must be removed before the other two applications process the data.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Store the data in an Amazon DynamoDB table. Create a proxy application layer to intercept and process the data that each application requests.

  B. Store the data in an Amazon S3 bucket. Process and transform the data by using S3 Object Lambda before returning the data to the requesting application.

  C. Process the data and store the transformed data in three separate Amazon S3 buckets so that each application has its own custom dataset. Point each application to its respective S3 bucket.

  D. Process the data and store the transformed data in three separate Amazon DynamoDB tables so that each application has its own custom dataset. Point each application to its respective DynamoDB table.

  Correct Answer: B

  https://aws.amazon.com/blogs/aws/introducing-amazon-s3-object-lambdause-your-code-to-process-data-as-it-is-being-retrieved-from-s3/S3 Object Lambda is a new feature of Amazon S3 that enables customers to add their own code to process data retrieved from S3 before returning it to the application. By using S3 Object Lambda, the data can be processed and transformed in real-time, without the need to store multiple copies of the data in separate S3 buckets or DynamoDB tables. In this case, the Pll can be removed from the data by the code added to S3 Object Lambda before returning the data to the two applications that do not need to process Pll. The one application that requires Pll can be pointed to the original S3 bucket where the Pll is still stored. Using S3 Object Lambda is the simplest and most cost-effective solution, as it eliminates the need to maintain multiple copies of the same data in different buckets or tables, which can result in additional storage costs and operational overhead.

• Question 483:

  A company has multiple AWS accounts that use consolidated billing. The company runs several active high performance Amazon RDS for Oracle On-Demand DB instances for 90 days. The company's finance team has access to AWS

  Trusted Advisor in the consolidated billing account and all other AWS accounts.

  The finance team needs to use the appropriate AWS account to access the Trusted Advisor check recommendations for RDS. The finance team must review the appropriate Trusted Advisor check to reduce RDS costs.

  Which combination of steps should the finance team take to meet these requirements? (Select TWO.)

  A. Use the Trusted Advisor recommendations from the account where the RDS instances are running.

  B. Use the Trusted Advisor recommendations from the consolidated billing account to see all RDS instance checks at the same time.

  C. Review the Trusted Advisor check for Amazon RDS Reserved Instance Optimization.

  D. Review the Trusted Advisor check for Amazon RDS Idle DB Instances.

  E. Review the Trusted Advisor check for Amazon Redshift Reserved Node Optimization.

  Correct Answer: BD

  https://docs.aws.amazon.com/awssupport/latest/user/organizational-view.html https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#amazon-rds-idle-dbs-instances

• Question 484:

  A solutions architect needs to optimize storage costs. The solutions architect must identify any Amazon S3 buckets that are no longer being accessed or are rarely accessed. Which solution will accomplish this goal with the LEAST operational overhead?

  A. Analyze bucket access patterns by using the S3 Storage Lens dashboard for advanced activity metrics.

  B. Analyze bucket access patterns by using the S3 dashboard in the AWS Management Console.

  C. Turn on the Amazon CloudWatch BucketSizeBytes metric for buckets. Analyze bucket access patterns by using the metrics data with Amazon Athena.

  D. Turn on AWS CloudTrail for S3 object monitoring. Analyze bucket access patterns by using CloudTrail logs that are integrated with Amazon CloudWatch Logs.

  Correct Answer: A

  S3 Storage Lens is a fully managed S3 storage analytics solution that provides a comprehensive view of object storage usage, activity trends, and recommendations to optimize costs. Storage Lens allows you to analyze object access patterns across all of your S3 buckets and generate detailed metrics and reports.

• Question 485:

  A group requires permissions to list an Amazon S3 bucket and delete objects from that bucket An administrator has created the following 1AM policy to provide access to the bucket and applied that policy to the group. The group is not able to delete objects in the bucket. The company follows least-privilege access rules.

  

  Which statement should a solutions architect add to the policy to correct bucket access?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: D

• Question 486:

  A business application is hosted on Amazon EC2 and uses Amazon S3 for encrypted object storage. The chief information security officer has directed that no application traffic between the two services should traverse the public internet.

  Which capability should the solutions architect use to meet the compliance requirements?

  A. AWS Key Management Service (AWS KMS)

  B. VPC endpoint

  C. Private subnet

  D. Virtual private gateway

  Correct Answer: B

  A VPC endpoint enables you to privately access AWS services without requiring internet gateways, NAT gateways, VPN connections, or AWS Direct Connect connections. It allows you to connect your VPC directly to supported AWS services, such as Amazon S3, over a private connection within the AWS network.

  By creating a VPC endpoint for Amazon S3, the traffic between your EC2 instances and S3 will stay within the AWS network and won't traverse the public internet. This provides a more secure and compliant solution, as the data transfer remains within the private network boundaries.

  https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html

• Question 487:

  A hospital needs to store patient records in an Amazon S3 bucket. The hospital's compliance team must ensure that all protected health information (PHI) is encrypted in transit and at rest. The compliance team must administer the encryption

  key for data at rest.

  Which solution will meet these requirements?

  A. Create a public SSL/TLS certificate in AWS Certificate Manager (ACM). Associate the certificate with Amazon S3. Configure default encryption for each S3 bucket to use serverside encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.

  B. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with S3 managed encryption keys (SSES3). Assign the compliance team to manage the SSE-S3 keys.

  C. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.

  D. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Use Amazon Macie to protect the sensitive data that is stored in Amazon S3. Assign the compliance team to manage Macie.

  Correct Answer: C

  it allows the compliance team to manage the KMS keys used for server-side encryption, thereby providing the necessary control over the encryption keys. Additionally, the use of the "aws:SecureTransport" condition on the bucket policy ensures that all connections to the S3 bucket are encrypted in transit.

• Question 488:

  A company is using Amazon Route 53 latency-based routing to route requests to its UDP-based application for users around the world. The application is hosted on redundant servers in the company's on-premises data centers in the United States. Asia, and Europe. The company's compliance requirements state that the application must be hosted on premises The company wants to improve the performance and availability of the application

  What should a solutions architect do to meet these requirements?

  A. A Configure three Network Load Balancers (NLBs) in the three AWS Regions to address the on-premises endpoints Create an accelerator by using AWS Global Accelerator, and register the NLBs as its endpoints. Provide access to the application by using a CNAME that points to the accelerator DNS

  B. Configure three Application Load Balancers (ALBs) in the three AWS Regions to address the on-premises endpoints. Create an accelerator by using AWS Global Accelerator and register the ALBs as its endpoints Provide access to the application by using a CNAME that points to the accelerator DNS

  C. Configure three Network Load Balancers (NLBs) in the three AWS Regions to address the on-premises endpoints In Route 53. create a latency-based record that points to the three NLBs. and use it as an origin for an Amazon CloudFront distribution Provide access to the application by using a CNAME that points to the CloudFront DNS

  D. Configure three Application Load Balancers (ALBs) in the three AWS Regions to address the on-premises endpoints In Route 53 create a latency-based record that points to the three ALBs and use it as an origin for an Amazon CloudFront distribution-Provide access to the application by using a CNAME that points to the CloudFront DNS

  Correct Answer: A

  C - D: Cloudfront don't support UDP/TCP

  B: Global accelerator don't support ALB

• Question 489:

  A company has a three-tier environment on AWS that ingests sensor data from its users' devices The traffic flows through a Network Load Balancer (NIB) then to Amazon EC2 instances for the web tier and finally to EC2 instances for the application tier that makes database calls.

  What should a solutions architect do to improve the security of data in transit to the web tier?

  A. Configure a TLS listener and add the server certificate on the NLB

  B. Configure AWS Shield Advanced and enable AWS WAF on the NLB

  C. Change the load balancer to an Application Load Balancer and attach AWS WAF to it

  D. Encrypt the Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instances using AWS Key Management Service (AWS KMS)

  Correct Answer: A

• Question 490:

  A company is designing the network for an online multi-player game. The game uses the UDP networking protocol and will be deployed in eight AWS Regions. The network architecture needs to minimize latency and packet loss to give end

  users a high-quality gaming experience.

  Which solution will meet these requirements?

  A. Set up a transit gateway in each Region. Create inter-Region peering attachments between each transit gateway.

  B. Set up AWS Global Accelerator with UDP listeners and endpoint groups in each Region.

  C. Set up Amazon CloudFront with UDP turned on. Configure an origin in each Region.

  D. Set up a VPC peering mesh between each Region. Turn on UDP for each VPC.

  Correct Answer: B

  The best solution for this situation is option B, setting up AWS Global Accelerator with UDP listeners and endpoint groups in each Region. AWS Global Accelerator is a networking service that improves the availability and performance of internet applications by routing user requests to the nearest AWS Region [1]. It also improves the performance of UDP applications by providing faster, more reliable data transfers with lower latency and fewer packet losses. By setting up UDP listeners and endpoint groups in each Region, Global Accelerator will route traffic to the nearest Region for faster response times and a better user experience.