A company runs its workloads on Amazon Elastic Container Service (Amazon ECS). The container images that the ECS task definition uses need to be scanned for Common Vulnerabilities and Exposures (CVEs).
New container images that are created also need to be scanned.
Which solution will meet these requirements with the FEWEST changes to the workloads?
A. Use Amazon Elastic Container Registry (Amazon ECR) as a private image repository. Enable scan on push for ECR basic scanning.
B. Store the container images in an Amazon S3 bucket. Use Amazon Macie to scan the images.
C. Migrate the workloads to Amazon EKS. Use ECR enhanced scanning.
D. Store the container images in S3 and trigger Amazon Inspector scans with Lambda.
A. Use Amazon Elastic Container Registry (Amazon ECR) as a private image repository. Enable scan on push for ECR basic scanning.
Explanation
The requirement is to scan container images for CVEs with the fewest changes to existing ECS workloads.
Amazon ECS integrates natively with Amazon Elastic Container Registry (ECR), making ECR the natural place to implement vulnerability scanning without modifying the orchestration platform.
Option A meets the requirement most efficiently. ECR provides built-in vulnerability scanning that can be enabled using scan on push, ensuring that every new image uploaded to the repository is automatically scanned for known CVEs. This capability requires no changes to ECS task definitions beyond referencing ECR images, which is typically already the case. Scan results are maintained by AWS and can be reviewed centrally, providing ongoing security visibility.
Option C introduces a major architectural change by migrating to EKS, which violates the "fewest changes" requirement. Options B and D misuse services: Amazon Macie is designed for sensitive data discovery in S3, not container image vulnerability scanning, and storing images in S3 breaks container-native workflows. Lambda-driven Inspector scans for container images are not required when ECR already provides integrated scanning.
Therefore, A is the optimal solution because it leverages the native ECS-ECR integration, requires minimal operational changes, and provides automated CVE scanning aligned with AWS container security best practices.
Question 632:
A company uses Amazon Redshift to store structured data and Amazon S3 to store unstructured data. The company wants to analyze the stored data and create business intelligence reports. The company needs a data visualization solution that is compatible with Amazon Redshift and Amazon S3.
Which solution will meet these requirements?
A. Use Amazon Redshift query editor v2 to analyze data stored in Amazon Redshift. Use Amazon Athena to analyze data stored in Amazon S3. Use Amazon QuickSight to access Amazon Redshift and Athena, visualize the data analyses, and create business intelligence reports.
B. Use Amazon Redshift Serverless to analyze data stored in Amazon Redshift. Use Amazon S3 Object Lambda to analyze data stored in Amazon S3. Use Amazon Managed Grafana to access Amazon Redshift and Object Lambda, visualize the data analyses, and create business intelligence reports.
C. Use Amazon Redshift Spectrum to analyze data stored in Amazon Redshift. Use Amazon Athena to analyze data stored in Amazon S3. Use Amazon QuickSight to access Amazon Redshift and Athena, visualize the data analyses, and create business intelligence reports.
D. Use Amazon OpenSearch Service to analyze data stored in Amazon Redshift and Amazon S3. Use Amazon Managed Grafana to access OpenSearch Service, visualize the data analyses, and create business intelligence reports.
C. Use Amazon Redshift Spectrum to analyze data stored in Amazon Redshift. Use Amazon Athena to analyze data stored in Amazon S3. Use Amazon QuickSight to access Amazon Redshift and Athena, visualize the data analyses, and create business intelligence reports.
Explanation
Amazon Redshift Spectrum to query S3 data directly from Redshift.
Amazon Athena for ad-hoc analysis of S3 data.
Amazon QuickSight for unified visualization from multiple data sources.
"Redshift Spectrum enables you to run queries against exabytes of data in Amazon S3 without having to load or transform the data."
-- Redshift Spectrum
"QuickSight supports both Amazon Redshift and Amazon Athena as data sources."
-- Amazon QuickSight Supported Data Sources
This architecture allows scalable querying and visualization with minimum ETL overhead, ideal for BI dashboards.
Incorrect Options:
Option A: The query editor is not a BI tool.
Options B, D: Grafana is better for time-series data, not structured analytics or BI reports.
References:
Redshift Spectrum
Amazon QuickSight Integration
Question 633:
A company's application uses Network Load Balancers, Auto Scaling groups, Amazon EC2 instances, and databases that are deployed in an Amazon VPC. The company wants to capture information about traffic to and from the network interfaces in near real time in its Amazon VPC. The company wants to send the information to Amazon OpenSearch Service for analysis.
Which solution will meet these requirements?
A. Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to send the log data to the log group. Use Amazon Kinesis Data Streams to stream the logs from the log group to OpenSearch Service.
B. Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to send the log data to the log group. Use Amazon Kinesis Data Firehose to stream the logs from the log group to OpenSearch Service.
C. Create a trail in AWS CloudTrail. Configure VPC Flow Logs to send the log data to the trail. Use Amazon Kinesis Data Streams to stream the logs from the trail to OpenSearch Service.
D. Create a trail in AWS CloudTrail. Configure VPC Flow Logs to send the log data to the trail. Use Amazon Kinesis Data Firehose to stream the logs from the trail to OpenSearch Service.
B. Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to send the log data to the log group. Use Amazon Kinesis Data Firehose to stream the logs from the log group to OpenSearch Service.
Question 634:
A company needs to create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host a digital media streaming application. The EKS cluster will use a managed node group that is backed by Amazon Elastic Block Store (Amazon EBS) volumes for storage. The company must encrypt all data at rest by using a customer managed key that is stored in AWS Key Management Service (AWS KMS).
Which combination of actions will meet this requirement with the LEAST operational overhead? (Choose two.)
A. Use a Kubernetes plugin that uses the customer managed key to perform data encryption.
B. After creation of the EKS cluster, locate the EBS volumes. Enable encryption by using the customer managed key.
C. Enable EBS encryption by default in the AWS Region where the EKS cluster will be created. Select the customer managed key as the default key.
D. Create the EKS cluster. Create an IAM role that has a policy that grants permission to the customer managed key. Associate the role with the EKS cluster.
E. Store the customer managed key as a Kubernetes secret in the EKS cluster. Use the customer managed key to encrypt the EBS volumes.
C. Enable EBS encryption by default in the AWS Region where the EKS cluster will be created. Select the customer managed key as the default key.
D. Create the EKS cluster. Create an IAM role that has a policy that grants permission to the customer managed key. Associate the role with the EKS cluster.
Question 635:
A company runs multiple applications in multiple AWS accounts within the same organization in AWS Organizations. A content management system (CMS) runs on Amazon EC2 instances in a VPC. The CMS needs to access shared files from an Amazon Elastic File System (Amazon EFS) file system that is deployed in a separate AWS account. The EFS account is in a separate VPC.
Which solution will meet this requirement?
A. Mount the EFS file system on the EC2 instances by using the EFS Elastic IP address.
B. Enable VPC sharing between the two accounts. Use the EFS mount helper to mount the file system on the EC2 instances. Redeploy the EFS file system in a shared subnet.
C. Configure AWS Systems Manager Run Command to mount the EFS file system on the EC2 instances.
D. Install the amazon-efs-utils package on the EC2 instances. Add the mount target in the efs-config file. Mount the EFS file system by using the EFS access point.
D. Install the amazon-efs-utils package on the EC2 instances. Add the mount target in the efs-config file. Mount the EFS file system by using the EFS access point.
Explanation
To access an EFS file system across accounts and VPCs, the EFS must be mounted using VPC peering or AWS Transit Gateway, and the EC2 instances must use the amazon-efs-utils package with the correct mount target or access point.
Using an EFS access point simplifies access management, especially across accounts, by providing a POSIX identity and access policy layer.
VPC sharing doesn't support EFS directly unless the subnet and resources are shared properly, which requires redeployment. Therefore, option D is the most complete and correct.
Question 636:
A company wants to use NAT gateways in its AWS environment. The company's Amazon EC2 instances in private subnets must be able to connect to the public internet through the NAT gateways.
Which solution will meet these requirements?
A. Create public NAT gateways in the same private subnets as the EC2 instances.
B. Create private NAT gateways in the same private subnets as the EC2 instances.
C. Create public NAT gateways in public subnets in the same VPCs as the EC2 instances.
D. Create private NAT gateways in public subnets in the same VPCs as the EC2 instances.
C. Create public NAT gateways in public subnets in the same VPCs as the EC2 instances.
Question 637:
A company uses a Microsoft SQL Server database. The applications currently connect using SQL Server protocols. The company wants to migrate to Amazon Aurora PostgreSQL with minimal changes to application code.
Which combination of steps will meet these requirements? (Choose two.)
A. Use AWS SCT to rewrite SQL queries in the applications.
B. Enable Babelfish on Aurora PostgreSQL to run SQL Server queries.
C. Migrate the database schema and data using AWS SCT and AWS DMS.
D. Use Amazon RDS Proxy to connect the applications to Aurora PostgreSQL.
E. Use AWS DMS to rewrite SQL queries in the applications.
B. Enable Babelfish on Aurora PostgreSQL to run SQL Server queries.
C. Migrate the database schema and data using AWS SCT and AWS DMS.
Explanation
Amazon Aurora PostgreSQL with Babelfish allows Aurora to understand SQL Server T-SQL and the SQL Server wire protocol. This enables applications to continue using SQL Server drivers, minimizing code changes (Option B). Migration of schema and data is performed using AWS Schema Conversion Tool (SCT) and AWS Database Migration Service (DMS) (Option C), which is the AWS-recommended migration pattern for heterogeneous database migrations. AWS DMS (Option E) does not rewrite application SQL.
RDS Proxy (Option D) does not translate SQL Server protocols. Option A requires rewriting application queries, which contradicts the "minimal changes" requirement.
Question 638:
A finance company has a web application that generates credit reports for customers. The company hosts the frontend of the web application on a fleet of Amazon EC2 instances that is associated with an Application Load Balancer (ALB).
The application generates reports by running queries on an Amazon RDS for SQL Server database.
The company recently discovered that malicious traffic from around the world is abusing the application by submitting unnecessary requests. The malicious traffic is consuming significant compute resources. The company needs to address the malicious traffic.
Which solution will meet this requirement?
A. Use AWS WAF to create a web ACL. Associate the web ACL with the ALB. Update the web ACL to block IP addresses that are associated with malicious traffic.
B. Use AWS WAF to create a web ACL. Associate the web ACL with the ALB. Use the AWS WAF Bot Control managed rule feature.
C. Set up AWS Shield to protect the ALB and the database.
D. Use AWS WAF to create a web ACL. Associate the web ACL with the ALB. Configure the AWS WAF IP reputation rule.
B. Use AWS WAF to create a web ACL. Associate the web ACL with the ALB. Use the AWS WAF Bot Control managed rule feature.
Explanation
The AWS WAF Bot Control managed rule is designed to automatically detect and mitigate bot traffic. This feature is particularly useful for addressing malicious traffic and conserving compute resources by filtering unnecessary requests at the ALB level.
Option A: Blocking IP addresses manually introduces significant operational overhead and is not scalable against dynamic, worldwide malicious traffic.
Option C: AWS Shield provides DDoS protection, but the scenario does not describe a DDoS attack. WAF is better suited for managing application-layer threats like bot traffic.
Option D: The AWS WAF IP reputation rule helps block traffic from known bad IPs but may not address bot traffic effectively.
References:
AWS WAF Bot Control
AWS WAF Managed Rules
Question 639:
A company runs a three-tier web application in a VPC across multiple Availability Zones. Amazon EC2 instances run in an Auto Scaling group for the application tier.
The company needs to make an automated scaling plan that will analyze each resource's daily and weekly historical workload trends. The configuration must scale resources appropriately according to both the forecast and live changes in utilization.
Which scaling strategy should a solutions architect recommend to meet these requirements?
A. Implement dynamic scaling with step scaling based on average CPU utilization from the EC2 instances.
B. Enable predictive scaling to forecast and scale. Configure dynamic scaling with target tracking.
C. Create an automated scheduled scaling action based on the traffic patterns of the web application.
D. Set up a simple scaling policy. Increase the cooldown period based on the EC2 instance startup time.
B. Enable predictive scaling to forecast and scale. Configure dynamic scaling with target tracking.
Question 640:
An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%.
What should a solutions architect do to maintain the desired performance across all instances in the group?
A. Use a simple scaling policy to dynamically scale the Auto Scaling group.
B. Use a target tracking policy to dynamically scale the Auto Scaling group.
C. Use an AWS Lambda function to update the desired Auto Scaling group capacity.
D. Use scheduled scaling actions to scale up and scale down the Auto Scaling group.
B. Use a target tracking policy to dynamically scale the Auto Scaling group.