Amazon Amazon Certifications SAA-C03 Questions & Answers

• Question 671:

  An ecommerce company runs an application in the AWS Cloud that is integrated with an on-premises warehouse solution. The company uses Amazon Simple Notification Service (Amazon SNS) to send order messages to an on-premises

  HTTPS endpoint so the warehouse application can process the orders. The local data center team has detected that some of the order messages were not received.

  A solutions architect needs to retain messages that are not delivered and analyze the messages for up to 14 days.

  Which solution will meet these requirements with the LEAST development effort?

  A. Configure an Amazon SNS dead letter queue that has an Amazon Kinesis Data Stream target with a retention period of 14 days.

  B. Add an Amazon Simple Queue Service (Amazon SQS) queue with a retention period of 14 days between the application and Amazon SNS.

  C. Configure an Amazon SNS dead letter queue that has an Amazon Simple Queue Service (Amazon SQS) target with a retention period of 14 days.

  D. Configure an Amazon SNS dead letter queue that has an Amazon DynamoDB target with a TTL attribute set for a retention period of 14 days.

  Correct Answer: C

  The message retention period in Amazon SQS can be set between 1 minute and 14 days (the default is 4 days). Therefore, you can configure your SQS DLQ to retain undelivered SNS messages for 14 days. This will enable you to analyze undelivered messages with the least development effort.

• Question 672:

  A 4-year-old media company is using the AWS Organizations all features feature set to organize its AWS accounts. According to the company's finance team, the billing information on the member accounts must not be accessible to anyone, including the root user of the member accounts.

  Which solution will meet these requirements?

  A. Add all finance team users to an IAM group. Attach an AWS managed policy named Billing to the group.

  B. Attach an identity-based policy to deny access to the billing information to all users, including the root user.

  C. Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root organizational unit (OU).

  D. Convert from the Organizations all features feature set to the Organizations consolidated billing feature set.

  Correct Answer: C

  Service Control Policies (SCP): SCPs are an integral part of AWS Organizations and allow you to set fine-grained permissions on the organizational units (OUs) within your AWS Organization. SCPs provide central control over the maximum permissions that can be granted to member accounts, including the root user.

  Denying Access to Billing Information: By creating an SCP and attaching it to the root OU, you can explicitly deny access to billing information for all accounts within the organization. SCPs can be used to restrict access to various AWS services and actions, including billing-related services.

  Granular Control: SCPs enable you to define specific permissions and restrictions at the organizational unit level. By denying access to billing information at the root OU, you can ensure that no member accounts, including root users, have access to the billing information.

• Question 673:

  A company wants to move from many standalone AWS accounts to a consolidated, multi-account architecture. The company plans to create many new AWS accounts for different business units. The company needs to authenticate access to these AWS accounts by using a centralized corporate directory service.

  Which combination of actions should a solutions architect recommend to meet these requirements? (Choose two.)

  A. Create a new organization in AWS Organizations with all features turned on. Create the new AWS accounts in the organization.

  B. Set up an Amazon Cognito identity pool. Configure AWS IAM Identity Center (AWS Single Sign-On) to accept Amazon Cognito authentication.

  C. Configure a service control policy (SCP) to manage the AWS accounts. Add AWS IAM Identity Center (AWS Single Sign-On) to AWS Directory Service.

  D. Create a new organization in AWS Organizations. Configure the organization's authentication mechanism to use AWS Directory Service directly.

  E. Set up AWS IAM Identity Center (AWS Single Sign-On) in the organization. Configure IAM Identity Center, and integrate it with the company's corporate directory service.

  Correct Answer: AE

  A. By creating a new organization in AWS Organizations, you can establish a consolidated multi-account architecture. This allows you to create and manage multiple AWS accounts for different business units under a single organization.

  E. Setting up AWS IAM Identity Center (AWS Single Sign-On) within the organization enables you to integrate it with the company's corporate directory service. This integration allows for centralized authentication, where users can sign in using their corporate credentials and access the AWS accounts within the organization.

  Together, these actions create a centralized, multi-account architecture that leverages AWS Organizations for account management and AWS IAM Identity Center (AWS Single Sign-On) for authentication and access control.

• Question 674:

  A company is looking for a solution that can store video archives in AWS from old news footage. The company needs to minimize costs and will rarely need to restore these files. When the files are needed, they must be available in a maximum of five minutes.

  What is the MOST cost-effective solution?

  A. Store the video archives in Amazon S3 Glacier and use Expedited retrievals.

  B. Store the video archives in Amazon S3 Glacier and use Standard retrievals.

  C. Store the video archives in Amazon S3 Standard-Infrequent Access (S3 Standard-IA).

  D. Store the video archives in Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA).

  Correct Answer: A

  By choosing Expedited retrievals in Amazon S3 Glacier, you can reduce the retrieval time to minutes, making it suitable for scenarios where quick access is required. Expedited retrievals come with a higher cost per retrieval compared to standard retrievals but provide faster access to your archived data.

• Question 675:

  A company is designing a containerized application that will use Amazon Elastic Container Service (Amazon ECS). The application needs to access a shared file system that is highly durable and can recover data to another AWS Region with

  a recovery point objective (RPO) of 8 hours. The file system needs to provide a mount target m each Availability Zone within a Region.

  A solutions architect wants to use AWS Backup to manage the replication to another Region.

  Which solution will meet these requirements?

  A. Amazon FSx for Windows File Server with a Multi-AZ deployment

  B. Amazon FSx for NetApp ONTAP with a Multi-AZ deployment

  C. Amazon Elastic File System (Amazon EFS) with the Standard storage class

  D. Amazon FSx for OpenZFS

  Correct Answer: C

  AWS Backup can manage replication of EFS to another region as mentioned below https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html

  EFS Replication can replicate your file system data to another Region or within the same Region without requiring additional infrastructure or a custom process. Amazon EFS Replication automatically and transparently replicates your data to a second file system in a Region or AZ of your choice. You can use the Amazon EFS console, AWS CLI, and APIs to activate replication on an existing file system. EFS Replication is continual and provides a recovery point objective (RPO) and a recovery time objective (RTO) of minutes, helping you meet your compliance and business continuity goals.

• Question 676:

  A company is expecting rapid growth in the near future. A solutions architect needs to configure existing users and grant permissions to new users on AWS. The solutions architect has decided to create IAM groups. The solutions architect will add the new users to IAM groups based on department.

  Which additional action is the MOST secure way to grant permissions to the new users?

  A. Apply service control policies (SCPs) to manage access permissions

  B. Create IAM roles that have least privilege permission. Attach the roles to the IAM groups

  C. Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups

  D. Create IAM roles. Associate the roles with a permissions boundary that defines the maximum permissions

  Correct Answer: C

  https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html Attaching a policy to an IAM user group

• Question 677:

  A group requires permissions to list an Amazon S3 bucket and delete objects from that bucket. An administrator has created the following IAM policy to provide access to the bucket and applied that policy to the group. The group is not able to delete objects in the bucket. The company follows least-privilege access rules.

  

  Which statement should a solutions architect add to the policy to correct bucket access?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: D

• Question 678:

  A law firm needs to share information with the public. The information includes hundreds of files that must be publicly readable. Modifications or deletions of the files by anyone before a designated future date are prohibited. Which solution will meet these requirements in the MOST secure way?

  A. Upload all files to an Amazon S3 bucket that is configured for static website hosting. Grant read-only IAM permissions to any AWS principals that access the S3 bucket until the designated date.

  B. Create a new Amazon S3 bucket with S3 Versioning enabled. Use S3 Object Lock with a retention period in accordance with the designated date. Configure the S3 bucket for static website hosting. Set an S3 bucket policy to allow read-only access to the objects.

  C. Create a new Amazon S3 bucket with S3 Versioning enabled. Configure an event trigger to run an AWS Lambda function in case of object modification or deletion. Configure the Lambda function to replace the objects with the original versions from a private S3 bucket.

  D. Upload all files to an Amazon S3 bucket that is configured for static website hosting. Select the folder that contains the files. Use S3 Object Lock with a retention period in accordance with the designated date. Grant read-only IAM permissions to any AWS principals that access the S3 bucket.

  Correct Answer: B

  https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

• Question 679:

  A company is making a prototype of the infrastructure for its new website by manually provisioning the necessary infrastructure. This infrastructure includes an Auto Scaling group, an Application Load Balancer and an Amazon RDS database. After the configuration has been thoroughly validated, the company wants the capability to immediately deploy the infrastructure for development and production use in two Availability Zones in an automated fashion.

  What should a solutions architect recommend to meet these requirements?

  A. Use AWS Systems Manager to replicate and provision the prototype infrastructure in two Availability Zones

  B. Define the infrastructure as a template by using the prototype infrastructure as a guide. Deploy the infrastructure with AWS CloudFormation.

  C. Use AWS Config to record the inventory of resources that are used in the prototype infrastructure. Use AWS Config to deploy the prototype infrastructure into two Availability Zones.

  D. Use AWS Elastic Beanstalk and configure it to use an automated reference to the prototype infrastructure to automatically deploy new environments in two Availability Zones.

  Correct Answer: B

• Question 680:

  A business application is hosted on Amazon EC2 and uses Amazon S3 for encrypted object storage. The chief information security officer has directed that no application traffic between the two services should traverse the public internet. Which capability should the solutions architect use to meet the compliance requirements?

  A. AWS Key Management Service (AWS KMS)

  B. VPC endpoint

  C. Private subnet

  D. Virtual private gateway

  Correct Answer: B

  A VPC endpoint enables you to privately access AWS services without requiring internet gateways, NAT gateways, VPN connections, or AWS Direct Connect connections. It allows you to connect your VPC directly to supported AWS services, such as Amazon S3, over a private connection within the AWS network.

  By creating a VPC endpoint for Amazon S3, the traffic between your EC2 instances and S3 will stay within the AWS network and won't traverse the public internet. This provides a more secure and compliant solution, as the data transfer remains within the private network boundaries.