A company wants to use AWS Direct Connect to connect the company's on-premises networks to the AWS Cloud. The company runs several VPCs in a single AWS Region. The company plans to expand its VPC fleet to include hundreds of VPCs.
A solutions architect needs to simplify and scale the company's network infrastructure to accommodate future VPCs.
Which service or resource will meet these requirements?
A. VPC endpoints
B. AWS Transit Gateway
C. Amazon Route 53
D. AWS Secrets Manager
B. AWS Transit Gateway
Explanation
AWS Transit Gateway is purpose-built for large-scale, hub-and-spoke network architectures. It simplifies connectivity between multiple VPCs and on-premises environments, which is ideal for managing hundreds of VPCs.
"AWS Transit Gateway enables you to connect your VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships."
-- Transit Gateway documentation
Features:
Scales to thousands of VPCs.
Integrates with AWS Direct Connect via Direct Connect Gateway.
Centralized routing control.
Incorrect Options:
Option A: VPC endpoints provide private access to AWS services; they do not provide VPC-to-VPC connectivity.
Option C: Route 53 is DNS, not a network transport layer.
Option D: Secrets Manager is for secret storage, not networking.
References:
AWS Transit Gateway Overview
Transit Gateway Scaling
Question 952:
A company wants to use a data lake that is hosted on Amazon S3 to provide analytics services for historical data. The data lake consists of 800 tables but is expected to grow to thousands of tables. More than 50 departments use the tables, and each department has hundreds of users. Different departments need access to specific tables and columns.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an IAM role for each department. Use AWS Lake Formation based access control to grant each IAM role access to specific tables and columns. Use Amazon Athena to analyze the data.
B. Create an Amazon Redshift cluster for each department. Use AWS Glue to ingest into the Redshift cluster only the tables and columns that are relevant to that department. Create Redshift database users. Grant the users access to the relevant department's Redshift cluster. Use Amazon Redshift to analyze the data.
C. Create an IAM role for each department. Use AWS Lake Formation tag-based access control to grant each IAM role access to only the relevant resources. Create LF-tags that are attached to tables and columns. Use Amazon Athena to analyze the data.
D. Create an Amazon EMR cluster for each department. Configure an IAM service role for each EMR cluster to access relevant S3 files. For each department's users, create an IAM role that provides access to the relevant EMR cluster. Use Amazon EMR to analyze the data.
C. Create an IAM role for each department. Use AWS Lake Formation tag-based access control to grant each IAM role access to only the relevant resources. Create LF-tags that are attached to tables and columns. Use Amazon Athena to analyze the data.
Explanation
The requirement is to provide granular, scalable access to thousands of tables and columns in a data lake across many users and departments, with the least operational overhead.
AWS Lake Formation supports tag-based access control (TBAC) using LF-tags (Lake Formation tags), which allows you to assign tags to databases, tables, and columns. You then define permissions as tag expressions rather than managing permissions for individual resources. This approach scales well as the number of tables and columns grows. By associating IAM roles with departments and granting access based on LF-tags, you dramatically reduce the operational burden as new tables or columns are added: you only need to assign the appropriate tags, and the existing grants apply automatically.
Amazon Athena can directly query data in S3 with Lake Formation providing fine-grained access control.
Other options:
Option A: Would require managing explicit permissions for each table and column as the environment grows, increasing operational overhead.
Option B & Option D: Involve significant duplication of resources (clusters) and do not scale as efficiently as a centralized data lake with tag-based access.
References:
AWS Certified Solutions Architect Official Study Guide, chapter on Data Lakes and Access Control.
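The explanation above describes the LF-tag model in words; the following CloudFormation template is an added example (not from the page or the study guide) that shows what one department's grant looks like in practice. The database name `datalake`, table `sales_ledger`, column `customer_ssn`, the tag keys and values, and the role ARN are all assumed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # 1. Define the tags once; a new table then needs only a tag value, never a new grant.
  DepartmentTag:
    Type: AWS::LakeFormation::Tag
    Properties: { TagKey: department, TagValues: [finance, hr, sales] }
  SensitivityTag:
    Type: AWS::LakeFormation::Tag
    Properties: { TagKey: sensitivity, TagValues: [public, confidential] }
  # 2. Tag the table; its columns inherit these values unless overridden.
  LedgerTableTags:
    Type: AWS::LakeFormation::TagAssociation
    DependsOn: [DepartmentTag, SensitivityTag]
    Properties:
      Resource:
        Table: { CatalogId: !Ref "AWS::AccountId", DatabaseName: datalake, Name: sales_ledger }
      LFTags:
        - { CatalogId: !Ref "AWS::AccountId", TagKey: department, TagValues: [finance] }
        - { CatalogId: !Ref "AWS::AccountId", TagKey: sensitivity, TagValues: [public] }
  # 3. Override one column so it falls outside the department grant below.
  LedgerSsnColumnTag:
    Type: AWS::LakeFormation::TagAssociation
    DependsOn: LedgerTableTags
    Properties:
      Resource:
        TableWithColumns:
          CatalogId: !Ref "AWS::AccountId"
          DatabaseName: datalake
          Name: sales_ledger
          ColumnNames: [customer_ssn]
      LFTags:
        - { CatalogId: !Ref "AWS::AccountId", TagKey: sensitivity, TagValues: [confidential] }
  # 4. One grant per department: SELECT wherever department=finance AND sensitivity=public.
  FinanceSelectGrant:
    Type: AWS::LakeFormation::PrincipalPermissions
    DependsOn: LedgerSsnColumnTag
    Properties:
      Principal:
        DataLakePrincipalIdentifier: arn:aws:iam::111122223333:role/FinanceAnalysts  # assumed placeholder
      Resource:
        LFTagPolicy:
          CatalogId: !Ref "AWS::AccountId"
          ResourceType: TABLE
          Expression:
            - { TagKey: department, TagValues: [finance] }
            - { TagKey: sensitivity, TagValues: [public] }
      Permissions: [SELECT]
      PermissionsWithGrantOption: []
```

Because the grant is a tag expression, the Finance role can query `sales_ledger` through Athena but never sees `customer_ssn`, and any future table tagged `department=finance` is readable without touching the grant.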
Question 953:
A company has a multi-tier application deployed on several Amazon EC2 instances in an Auto Scaling group. An Amazon RDS for Oracle instance is the application's data layer that uses Oracle-specific PL/SQL functions. Traffic to the application has been steadily increasing. This is causing the EC2 instances to become overloaded and the RDS instance to run out of storage. The Auto Scaling group does not have any scaling metrics and defines the minimum healthy instance count only. The company predicts that traffic will continue to increase at a steady but unpredictable rate before leveling off.
What should a solutions architect do to ensure the system can automatically scale for the increased traffic? (Choose two.)
A. Configure storage Auto Scaling on the RDS for Oracle instance.
B. Migrate the database to Amazon Aurora to use Auto Scaling storage.
C. Configure an alarm on the RDS for Oracle instance for low free storage space.
D. Configure the Auto Scaling group to use the average CPU as the scaling metric.
E. Configure the Auto Scaling group to use the average free memory as the scaling metric.
A. Configure storage Auto Scaling on the RDS for Oracle instance.
D. Configure the Auto Scaling group to use the average CPU as the scaling metric.
Question 954:
A company is enhancing the security of its AWS environment, where the company stores a significant amount of sensitive customer data. The company needs a solution that automatically identifies and classifies sensitive data that is stored in multiple Amazon S3 buckets. The solution must automatically respond to data breaches and alert the company's security team through email immediately when noncompliant data is found.
Which solution will meet these requirements?
A. Use Amazon GuardDuty. Configure an AWS Lambda function to route alerts to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the SNS topic.
B. Use Amazon GuardDuty. Configure an AWS Lambda function to route alerts to an Amazon Simple Queue Service (Amazon SQS) queue. Configure a second Lambda function to periodically poll the SQS queue and to send emails to the security team by using Amazon Simple Email Service (Amazon SES).
C. Use Amazon Macie. Integrate Amazon EventBridge with Macie, and configure EventBridge to send alerts to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the SNS topic.
D. Use Amazon Macie. Integrate Amazon EventBridge with Macie, and configure EventBridge to route alerts to an Amazon Simple Queue Service (Amazon SQS) queue. Configure an AWS Lambda function to periodically poll the SQS queue and to send alerts to the security team by using Amazon Simple Email Service (Amazon SES).
C. Use Amazon Macie. Integrate Amazon EventBridge with Macie, and configure EventBridge to send alerts to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the SNS topic.
Explanation
Option A & Option B, GuardDuty: Designed for threat detection, not for identifying or classifying sensitive data in S3 buckets.
Option C, Macie with EventBridge + SNS: Automatically identifies sensitive data, triggers alerts, and uses SNS for immediate notification via email.
Option D, Macie with EventBridge + SQS: Introduces latency due to periodic polling and adds unnecessary complexity.
References:
Amazon Macie, Amazon EventBridge
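The Macie to EventBridge to SNS path chosen in Option C, as an added CloudFormation example (not from the page): it matches only Macie sensitive-data findings of Medium or High severity and delivers them to an email-subscribed topic. The topic and rule names and the email address are assumed placeholders; Macie must already be enabled in the account.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Macie sensitive-data findings -> EventBridge -> SNS email (added example)
Parameters:
  SecurityTeamEmail:
    Type: String   # assumed placeholder, e.g. security-team@example.com
Resources:
  MacieAlertsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: macie-sensitive-data-alerts   # assumed name
  SecurityTeamSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref MacieAlertsTopic
      Protocol: email
      Endpoint: !Ref SecurityTeamEmail
  # EventBridge needs an explicit publish grant on the topic; without this
  # resource policy the rule matches but delivery to SNS fails.
  MacieAlertsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref MacieAlertsTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref MacieAlertsTopic
  # Only sensitive-data findings of Medium or High severity reach the team;
  # Macie policy findings (for example a bucket made public) would need a second rule.
  MacieFindingRule:
    Type: AWS::Events::Rule
    Properties:
      Name: macie-sensitive-data-to-sns   # assumed name
      State: ENABLED
      EventPattern:
        source: ["aws.macie"]
        detail-type: ["Macie Finding"]
        detail:
          type: [{ prefix: "SensitiveData:" }]
          severity:
            description: ["Medium", "High"]
      Targets:
        - Id: security-team-topic
          Arn: !Ref MacieAlertsTopic
```

The email subscription must be confirmed by the recipient before the first alert is delivered, so confirm it as part of rollout rather than waiting for a real finding.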
Question 955:
A global company runs its applications in multiple AWS accounts in AWS Organizations. The company's applications use multipart uploads to upload data to multiple Amazon S3 buckets across AWS Regions.
The company wants to report on incomplete multipart uploads for cost compliance purposes.
Which solution will meet these requirements with the LEAST operational overhead?
A. Configure AWS Config with a rule to report the incomplete multipart upload object count.
B. Create a service control policy (SCP) to report the incomplete multipart upload object count.
C. Configure S3 Storage Lens to report the incomplete multipart upload object count.
D. Create an S3 Multi-Region Access Point to report the incomplete multipart upload object count.
C. Configure S3 Storage Lens to report the incomplete multipart upload object count.
Question 956:
A company has an application that ingests incoming messages. Dozens of other applications and microservices then quickly consume these messages. The number of messages varies drastically and sometimes increases suddenly to 100,000 each second. The company wants to decouple the solution and increase scalability.
Which solution meets these requirements?
A. Persist the messages to Amazon Kinesis Data Analytics. Configure the consumer applications to read and process the messages.
B. Deploy the ingestion application on Amazon EC2 instances in an Auto Scaling group to scale the number of EC2 instances based on CPU metrics.
C. Write the messages to Amazon Kinesis Data Streams with a single shard. Use an AWS Lambda function to preprocess messages and store them in Amazon DynamoDB. Configure the consumer applications to read from DynamoDB to process the messages.
D. Publish the messages to an Amazon Simple Notification Service (Amazon SNS) topic with multiple Amazon Simple Queue Service (Amazon SQS) subscriptions. Configure the consumer applications to process the messages from the queues.
D. Publish the messages to an Amazon Simple Notification Service (Amazon SNS) topic with multiple Amazon Simple Queue Service (Amazon SQS) subscriptions. Configure the consumer applications to process the messages from the queues.
Question 957:
A company recently launched a new application for its customers. The application runs on multiple Amazon EC2 instances across two Availability Zones. End users use TCP to communicate with the application.
The application must be highly available and must automatically scale as the number of users increases.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)
A. Add a Network Load Balancer in front of the EC2 instances.
B. Configure an Auto Scaling group for the EC2 instances.
C. Add an Application Load Balancer in front of the EC2 instances.
D. Manually add more EC2 instances for the application.
E. Add a Gateway Load Balancer in front of the EC2 instances.
A. Add a Network Load Balancer in front of the EC2 instances.
B. Configure an Auto Scaling group for the EC2 instances.
Question 958:
A company has an on-premises SFTP file transfer solution. The company is migrating to the AWS Cloud to scale the file transfer solution and to optimize costs by using Amazon S3. The company's employees will use their credentials for the on-premises Microsoft Active Directory (AD) to access the new solution. The company wants to keep the current authentication and file access mechanisms.
Which solution will meet these requirements with the LEAST operational overhead?
A. Configure an S3 File Gateway. Create SMB file shares on the file gateway that use the existing Active Directory to authenticate.
B. Configure an Auto Scaling group with Amazon EC2 instances to run an SFTP solution. Configure the group to scale up at 60% CPU utilization.
C. Create an AWS Transfer Family server with SFTP endpoints. Choose the AWS Directory Service option as the identity provider. Use AD Connector to connect the on-premises Active Directory.
D. Create an AWS Transfer Family SFTP endpoint. Configure the endpoint to use the AWS Directory Service option as the identity provider to connect to the existing Active Directory.
C. Create an AWS Transfer Family server with SFTP endpoints. Choose the AWS Directory Service option as the identity provider. Use AD Connector to connect the on-premises Active Directory.
Question 959:
A company is building new learning management applications on AWS. The company is using Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 to host the applications. The company must ensure that container images are secure. Company administrators must receive notifications of any security vulnerabilities in the images.
Which combination of solutions will meet these requirements? (Choose two.)
A. Modify the ECS cluster properties to use privileged mode. Enable host-based logging.
B. Use the AWS Config conformance pack for Amazon ECS. Use AWS Config to notify administrators if any security vulnerabilities are detected.
C. Configure AWS WAF to invoke an Amazon CloudWatch alarm when a new security vulnerability is detected.
D. Use Amazon Inspector to scan container images in Amazon Elastic Container Registry (Amazon ECR).
E. Use AWS Systems Manager Parameter Store to encrypt container images.
B. Use the AWS Config conformance pack for Amazon ECS. Use AWS Config to notify administrators if any security vulnerabilities are detected.
D. Use Amazon Inspector to scan container images in Amazon Elastic Container Registry (Amazon ECR).
Explanation
To ensure container images are secure and to notify administrators about vulnerabilities, the solution needs (1) a vulnerability scanning capability for container images and (2) a notification mechanism that alerts when findings occur. Amazon Inspector provides automated security assessments and can scan container images stored in Amazon ECR to identify software vulnerabilities and unintended network exposure patterns, producing findings that can be acted upon.
Therefore, Option D addresses the core requirement of detecting vulnerabilities in container images.
To notify administrators with minimal custom work, AWS Config can help by evaluating resources against desired configurations and integrating with notifications through AWS services (for example, via Amazon SNS using Config rules/conformance packs). Using the AWS Config conformance pack for Amazon ECS helps establish a managed set of compliance checks aligned to ECS-related best practices. While Inspector is the system that detects vulnerabilities, Config can be used to enforce and monitor governance controls around the container environment and can trigger notifications when noncompliance is detected.
In exam patterns, pairing an Inspector detection capability with a managed governance/notification framework like Config is a common "two-part" answer.
The other options do not meet the requirement: Option A (privileged mode) can increase risk rather than improve image security; logging does not equal vulnerability detection.
Option C is unrelated because AWS WAF protects web applications at the edge and does not scan container images for CVEs.
Option E is incorrect because Parameter Store stores configuration data and secrets; it does not encrypt container images (ECR encryption at rest is handled by AWS-managed mechanisms and KMS integration, not Parameter Store).
In summary, Option D provides scanning and Option B supports managed compliance/notification controls with low operational overhead.
Question 960:
A company collects 10 GB of telemetry data daily from various machines. The company stores the data in an Amazon S3 bucket in a source data account. The company has hired several consulting agencies to use this data for analysis. Each agency needs read access to the data for its analysts. The company must share the data from the source data account by choosing a solution that maximizes security and operational efficiency.
Which solution will meet these requirements?
A. Configure S3 global tables to replicate data for each agency.
B. Make the S3 bucket public for a limited time. Inform only the agencies.
C. Configure cross-account access for the S3 bucket to the accounts that the agencies own.
D. Set up an IAM user for each analyst in the source data account. Grant each user access to the S3 bucket.
C. Configure cross-account access for the S3 bucket to the accounts that the agencies own.