A company runs a web application on Amazon EC2 instances in an Auto Scaling group that has a target group. The company designed the application to work with session affinity (sticky sessions) for a better user experience.
The application must be available publicly over the internet as an endpoint. A WAF must be applied to the endpoint for additional security. Session affinity (sticky sessions) must be configured on the endpoint.
Which combination of steps will meet these requirements? (Choose two.)
A. Create a public Network Load Balancer. Specify the application target group.
B. Create a Gateway Load Balancer. Specify the application target group.
C. Create a public Application Load Balancer. Specify the application target group.
D. Create a second target group. Add Elastic IP addresses to the EC2 instances.
E. Create a web ACL in AWS WAF. Associate the web ACL with the endpoint.
C. Create a public Application Load Balancer. Specify the application target group.
E. Create a web ACL in AWS WAF. Associate the web ACL with the endpoint.
Question 702:
A company that has multiple AWS accounts maintains an on-premises Microsoft Active Directory. The company needs a solution to implement Single Sign-On for its employees. The company wants to use AWS IAM Identity Center. The solution must meet the following requirements: Allow users to access AWS accounts and third-party applications by using existing Active Directory credentials. Enforce multi-factor authentication (MFA) to access AWS accounts. Centrally manage permissions to access AWS accounts and applications.
Which solution will meet these requirements?
A. Create an IAM identity provider for Active Directory in each AWS account. Ensure that Active Directory users and groups access AWS accounts directly through IAM roles. Use IAM Identity Center to enforce MFA in each account for all users.
B. Use AWS Directory Service to create a new AWS Managed Microsoft AD Active Directory. Configure IAM Identity Center in each account to use the new AWS Managed Microsoft AD Active Directory as the identity source. Use IAM Identity Center to enforce MFA for all users.
C. Use IAM Identity Center with the existing Active Directory as the identity source. Enforce MFA for all users. Use AWS Organizations and Active Directory groups to manage access permissions for AWS accounts and application access.
D. Use AWS Lambda functions to periodically synchronize Active Directory users and groups with IAM users and groups in each AWS account. Use IAM roles and policies to manage application access. Create a second Lambda function to enforce MFA.
C. Use IAM Identity Center with the existing Active Directory as the identity source. Enforce MFA for all users. Use AWS Organizations and Active Directory groups to manage access permissions for AWS accounts and application access.
Explanation
Option A: IAM identity provider per account: does not give centralized management across multiple accounts, and IAM Identity Center is not configured per account.
Option B: AWS Managed Microsoft AD: unnecessary when an on-premises Active Directory already exists and can be connected directly.
Option C: IAM Identity Center + existing AD: the best approach, integrating the existing Active Directory for SSO with MFA enforcement and centralized permission management.
Option D: Lambda synchronization: adds complexity, creates long-lived IAM users, and does not use IAM Identity Center capabilities.
References:
AWS IAM Identity Center
Question 703:
A company wants to migrate a visual search application from an on-premises environment to AWS. The application uses NFS storage to cache images. The image cache is currently a few terabytes in size. The company needs to migrate to a cost-effective cloud alternative.
Which solution will meet these requirements in the MOST cost-effective way?
A. Use an Amazon ElastiCache (Memcached) cluster as the image cache. Set the cache TTL according to the required image lifetime in the cache.
B. Use compute-optimized Amazon EC2 instances with instance store volumes as the image cache. Recycle EC2 instances for cache invalidation.
C. Use an Amazon EFS One Zone file system as the image cache. Configure the application to use the EFS mount target.
D. Use Amazon S3 Express One Zone to store the images. Store the S3 object URLs in an Amazon DynamoDB table. Use DynamoDB TTL to invalidate image cache entries.
C. Use an Amazon EFS One Zone file system as the image cache. Configure the application to use the EFS mount target.
Explanation
The correct answer is C because the existing application uses NFS storage for an image cache that is a few terabytes in size, and the company wants the most cost-effective cloud alternative. Amazon EFS One Zone is a managed file storage service that supports the NFS protocol, which allows the application to continue using a familiar file-based interface with minimal architectural change. Because this is a cache, not primary durable data, storing it in a One Zone file system is a cost-optimized choice compared with a Regional EFS deployment.
Amazon EFS is designed for shared file storage and can scale to multiple terabytes automatically. It avoids the operational overhead of managing EC2 instances and local disks for cache storage. It is also better aligned than object storage for workloads that already expect direct NFS semantics. The application can mount the EFS file system and use it as the cache backend without redesigning around object APIs or in-memory caching models.
Option A is incorrect because ElastiCache Memcached is an in-memory cache and is typically much more expensive for multi-terabyte cache data than file storage.
Option B is incorrect because using EC2 instance store volumes creates significant management overhead and the cache would be lost whenever instances are terminated or replaced.
Option D is incorrect because Amazon S3 Express One Zone is object storage, not NFS storage, and would require application redesign and additional metadata management in DynamoDB.
AWS storage guidance recommends matching file-based workloads to managed file services. For a large NFS-based cache, Amazon EFS One Zone is the most cost-effective and operationally simple solution.
Question 704:
A company wants to create a long-term storage solution that will allow users to upload terabytes of images and videos. The company will use the images and videos to train machine learning (ML) models. The storage solution must be scalable and cost-optimized.
Which solution will meet these requirements?
A. Provision an Amazon S3 bucket for users to upload images and videos. Copy the data from the S3 bucket to an Amazon FSx for Lustre file system to make the data available for ML model training.
B. Provision an Amazon S3 bucket for users to upload images and videos. Configure the S3 bucket to make the data available to Amazon SageMaker AI training. Store the data in the S3 Intelligent-Tiering storage class.
C. Configure an Amazon SageMaker AI notebook instance with 16 GB of storage. Create a custom application to allow users to upload images and videos directly to the notebook instance.
D. Provision an Amazon S3 bucket for users to upload images and videos. Copy the data from the S3 bucket to an Amazon Elastic File System (Amazon EFS) file system to make the data available for ML model training.
B. Provision an Amazon S3 bucket for users to upload images and videos. Configure the S3 bucket to make the data available to Amazon SageMaker AI training. Store the data in the S3 Intelligent-Tiering storage class.
Explanation
Amazon S3 is the most scalable and cost-optimized object storage for large amounts of data. It integrates natively with Amazon SageMaker, which allows direct access to S3 data for machine learning training jobs without the need to copy data elsewhere. The S3 Intelligent-Tiering storage class further optimizes storage costs for data with unknown or changing access patterns, while maintaining immediate availability for ML training.
Copying to FSx for Lustre or EFS adds unnecessary complexity and cost unless ultra-high throughput POSIX file access is specifically required, which is not mentioned here.
Option A, Option D: FSx for Lustre or EFS may be used in specialized cases but are not cost-optimized for general large-scale ML data storage.
Option C: SageMaker notebook instance storage is not designed for large-scale data ingestion or long-term storage.
References:
AWS Certified Solutions Architect Official Study Guide, S3 for ML Data Storage.
Question 705:
A company has primary and secondary data centers that are 500 miles (804.7 km) apart and interconnected with high-speed fiber-optic cable. The company needs a highly available and secure network connection between its data centers and a VPC on AWS for a mission-critical workload. A solutions architect must choose a connection solution that provides maximum resiliency.
Which solution meets these requirements?
A. Two AWS Direct Connect connections from the primary data center terminating at two Direct Connect locations on two separate devices
B. A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on the same device
C. Two AWS Direct Connect connections from each of the primary and secondary data centers terminating at two Direct Connect locations on two separate devices
D. A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on two separate devices
C. Two AWS Direct Connect connections from each of the primary and secondary data centers terminating at two Direct Connect locations on two separate devices
Question 706:
A company hosts a database that runs on an Amazon RDS instance that is deployed to multiple Availability Zones. The company periodically runs a script against the database to report new entries that are added to the database. The script that runs against the database negatively affects the performance of a critical application. The company needs to improve application performance with minimal costs.
Which solution will meet these requirements with the LEAST operational overhead?
A. Add functionality to the script to identify the instance that has the fewest active connections. Configure the script to read from that instance to report the total new entries.
B. Create a read replica of the database. Configure the script to query only the read replica to report the total new entries.
C. Instruct the development team to manually export the new entries for the day in the database at the end of each day.
D. Use Amazon ElastiCache to cache the common queries that the script runs against the database.
B. Create a read replica of the database. Configure the script to query only the read replica to report the total new entries.
Question 707:
A company maintains a searchable repository of items on its website. The data is stored in an Amazon RDS for MySQL database table that contains more than 10 million rows. The database has 2 TB of General Purpose SSD storage. There are millions of updates against this data every day through the company's website. The company has noticed that some insert operations are taking 10 seconds or longer. The company has determined that the database storage performance is the problem.
Which solution addresses this performance issue?
A. Change the storage type to Provisioned IOPS SSD.
B. Change the DB instance to a memory optimized instance class.
C. Change the DB instance to a burstable performance instance class.
D. Enable Multi-AZ RDS read replicas with MySQL native asynchronous replication.
A. Change the storage type to Provisioned IOPS SSD.
Question 708:
A solutions architect is designing a disaster recovery (DR) strategy to provide Amazon EC2 capacity in a failover AWS Region. Business requirements state that the DR strategy must guarantee that the required EC2 capacity is available in the failover Region.
Which solution will meet these requirements?
A. Purchase On-Demand Instances in the failover Region.
B. Purchase an EC2 Savings Plan in the failover Region.
C. Purchase regional Reserved Instances in the failover Region.
D. Purchase a Capacity Reservation in the failover Region.
D. Purchase a Capacity Reservation in the failover Region.
Question 709:
A hospital needs to store patient records in an Amazon S3 bucket. The hospital's compliance team must ensure that all protected health information (PHI) is encrypted in transit and at rest. The compliance team must administer the encryption key for data at rest.
Which solution will meet these requirements?
A. Create a public SSL/TLS certificate in AWS Certificate Manager (ACM). Associate the certificate with Amazon S3. Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
B. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with S3 managed encryption keys (SSE-S3). Assign the compliance team to manage the SSE-S3 keys.
C. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
D. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Use Amazon Macie to protect the sensitive data that is stored in Amazon S3. Assign the compliance team to manage Macie.
C. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
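The controls that answer C relies on, written out as a bucket policy, with a small evaluator that shows which requests the policy rejects. This is an added example, not code from the original page or from AWS; the bucket name and KMS key ARN are placeholders, and the evaluator models only the Deny statements and the three condition operators the policy uses (Bool, StringNotEquals, Null). A context key that is absent from the request never satisfies a StringNotEquals condition, which is why a separate Null statement is needed to reject uploads that omit the encryption header entirely.

```python
"""Added example (not from the original page): the bucket policy behind answer C,
plus a minimal evaluator to check which requests it rejects. Bucket name, account
ID and KMS key ARN are placeholders."""
import fnmatch
import json
from typing import Dict, Optional

BUCKET = "example-phi-records"  # assumed bucket name
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")  # assumed compliance-team key


def build_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy: TLS only, SSE-KMS only, and only the compliance team's key."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # encryption in transit: every request must arrive over HTTPS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # encryption at rest: an upload that names an SSE mode must name SSE-KMS
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # an upload that names no SSE mode at all is rejected as well
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # the key must be the one the compliance team administers
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def _condition_matches(operator: str, key: str, want: str, ctx: Dict[str, str]) -> bool:
    """Evaluate one condition key against the request context (subset of IAM semantics)."""
    have = ctx.get(key)
    if operator == "Null":                      # "true" matches when the key is absent
        return (have is None) == (want == "true")
    if have is None:                            # absent key never matches other operators
        return False
    if operator == "Bool":
        return have.lower() == want.lower()
    if operator == "StringEquals":
        return have == want
    if operator == "StringNotEquals":
        return have != want
    raise ValueError(f"unsupported operator {operator}")


def _statement_applies(stmt: dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in resources):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            if not _condition_matches(operator, key, want, ctx):
                return False
    return True


def is_denied(policy: dict, action: str, resource: str, ctx: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the first matching Deny statement, or None if no explicit deny applies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, resource, ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/patient/123.pdf"
    print(is_denied(policy, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
```

Pair the policy with bucket default encryption set to the same KMS key, so a client that sends `aws:kms` without naming a key still lands on the compliance team's key, and give the compliance team control of that key through its KMS key policy rather than through S3 permissions. Note that the Null statement rejects clients that rely on default encryption and omit the header altogether; that is intended here, because the compliance requirement is that nothing reaches the bucket unencrypted by the team's key.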
Question 710:
A company is performing a security review of its Amazon EMR API usage. The company's developers use an integrated development environment (IDE) that is hosted on Amazon EC2 instances. The IDE is configured to authenticate users to AWS by using access keys. Traffic between the company's EC2 instances and EMR cluster uses public IP addresses. A solutions architect needs to improve the company's overall security posture. The solutions architect needs to reduce the company's use of long-term credentials and to limit the amount of communication that uses public IP addresses.
Which combination of steps will MOST improve the security of the company's architecture? (Choose two.)
A. Set up a gateway endpoint to the EMR cluster.
B. Set up interface VPC endpoints to connect to the EMR cluster.
C. Set up a private NAT gateway to connect to the EMR cluster.
D. Set up IAM roles for the developers to use to connect to the Amazon EMR API.
E. Set up AWS Systems Manager Parameter Store to store access keys for each developer.
B. Set up interface VPC endpoints to connect to the EMR cluster.
D. Set up IAM roles for the developers to use to connect to the Amazon EMR API.
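A check a reviewer would run on the developers' EC2-hosted IDE to find the long-term credentials that answer D says to replace with IAM roles. This is an added example, not code from the original page or from AWS. It reads AWS profile definitions in the shared credentials-file format and classifies each profile by how it obtains credentials; the profiles, key IDs and ARNs in the sample are constructed placeholders. The classification uses the documented key-ID prefixes: `AKIA` marks an IAM user's long-term access key, `ASIA` marks temporary STS credentials.

```python
"""Added example (not from the original page): classify AWS profiles so that
long-term IAM user access keys (the AKIA... kind) stand out from role, SSO and
temporary-credential profiles. Sample profiles below are constructed placeholders."""
import configparser
from typing import Dict, List

# Constructed sample in ~/.aws/credentials format. Profiles that normally live in
# ~/.aws/config ("[profile name]" sections) are shown here without the "profile "
# prefix for brevity; strip that prefix before classifying a real config file.
SAMPLE_PROFILES = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-session]
aws_access_key_id = ASIAEXAMPLE123456789
aws_secret_access_key = exampleSecretKey
aws_session_token = exampleSessionToken

[emr-dev]
role_arn = arn:aws:iam::111122223333:role/EmrDeveloper
credential_source = Ec2InstanceMetadata

[sso-dev]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111122223333
sso_role_name = EmrDeveloper
"""

LONG_TERM_PREFIX = "AKIA"   # IAM user access key: lives until someone deletes it
TEMPORARY_PREFIX = "ASIA"   # STS temporary key: expires on its own


def classify_profile(section: configparser.SectionProxy) -> str:
    """Return how a profile obtains its credentials."""
    if "role_arn" in section:
        return "role"                    # assumes a role; credentials are short-lived STS
    if "sso_start_url" in section or "sso_session" in section:
        return "sso"                     # IAM Identity Center; short-lived as well
    key_id = section.get("aws_access_key_id", "")
    if key_id.startswith(TEMPORARY_PREFIX) and "aws_session_token" in section:
        return "temporary-key"
    if key_id:
        return "long-term-key"           # the credential type the review wants gone
    return "no-static-credentials"       # SDK falls through to the instance profile


def audit_profiles(text: str) -> Dict[str, str]:
    """Map each profile name to its credential type."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: classify_profile(parser[name]) for name in parser.sections()}


def long_term_key_profiles(text: str) -> List[str]:
    """Profiles to flag: they embed an IAM user access key on the instance."""
    return [name for name, kind in audit_profiles(text).items() if kind == "long-term-key"]


if __name__ == "__main__":
    for name, kind in audit_profiles(SAMPLE_PROFILES).items():
        print(f"{name:12s} {kind}")
    print("flagged:", long_term_key_profiles(SAMPLE_PROFILES))
```

On an EC2-hosted IDE the target state is a profile like `emr-dev` or no static credentials at all: the instance profile supplies the role's temporary credentials through the instance metadata service, so nothing long-lived is written to disk. The `default` profile above is the finding the review is looking for. The endpoint half of the answer is not visible in a credentials file; it is the `com.amazonaws.<region>.elasticmapreduce` interface endpoint in the VPC, which keeps the EMR API calls on private IP addresses.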