A new employee has joined a company as a deployment engineer. The deployment engineer will be using AWS CloudFormation templates to create multiple AWS resources. A solutions architect wants the deployment engineer to perform job activities while following the principle of least privilege.
Which combination of actions should the solutions architect take to accomplish this goal? (Choose two.)
A. Have the deployment engineer use AWS account root user credentials for performing AWS CloudFormation stack operations. B. Create a new IAM user for the deployment engineer and add the IAM user to a group that has the PowerUsers IAM policy attached. C. Create a new IAM user for the deployment engineer and add the IAM user to a group that has the AdministratorAccess IAM policy attached. D. Create a new IAM user for the deployment engineer and add the IAM user to a group that has an IAM policy that allows AWS CloudFormation actions only. E. Create an IAM role for the deployment engineer to explicitly define the permissions specific to the AWS CloudFormation stack and launch stacks using that IAM role.
D. Create a new IAM user for the deployment engineer and add the IAM user to a group that has an IAM policy that allows AWS CloudFormation actions only. E. Create an IAM role for the deployment engineer to explicitly define the permissions specific to the AWS CloudFormation stack and launch stacks using that IAM role.
Question 982:
A company runs a Java-based job on an Amazon EC2 instance. The job runs every hour and takes 10 seconds to run. The job runs on a scheduled interval and consumes 1 GB of memory. The CPU utilization of the instance is low except for short surges during which the job uses the maximum CPU available. The company wants to optimize the costs to run the job.
Which solution will meet these requirements?
A. Use AWS App2Container (A2C) to containerize the job. Run the job as an Amazon Elastic Container Service (Amazon ECS) task on AWS Fargate with 0.5 virtual CPU (vCPU) and 1 GB of memory. B. Copy the code into an AWS Lambda function that has 1 GB of memory. Create an Amazon EventBridge scheduled rule to run the code each hour. C. Use AWS App2Container (A2C) to containerize the job. Install the container in the existing Amazon Machine Image (AMI). Ensure that the schedule stops the container when the task finishes. D. Configure the existing schedule to stop the EC2 instance at the completion of the job and restart the EC2 instance when the next job starts.
B. Copy the code into an AWS Lambda function that has 1 GB of memory. Create an Amazon EventBridge scheduled rule to run the code each hour.
Question 983:
A solutions architect needs to design the architecture for an application that a vendor provides as a Docker container image. The container needs 50 GB of storage available for temporary files. The infrastructure must be serverless.
Which solution meets these requirements with the LEAST operational overhead?
A. Create an AWS Lambda function that uses the Docker container image with an Amazon S3 mounted volume that has more than 50 GB of space. B. Create an AWS Lambda function that uses the Docker container image with an Amazon Elastic Block Store (Amazon EBS) volume that has more than 50 GB of space. C. Create an Amazon Elastic Container Service (Amazon ECS) cluster that uses the AWS Fargate launch type. Create a task definition for the container image with an Amazon Elastic File System (Amazon EFS) volume. Create a service with that task definition. D. Create an Amazon Elastic Container Service (Amazon ECS) cluster that uses the Amazon EC2 launch type with an Amazon Elastic Block Store (Amazon EBS) volume that has more than 50 GB of space. Create a task definition for the container image. Create a service with that task definition.
C. Create an Amazon Elastic Container Service (Amazon ECS) cluster that uses the AWS Fargate launch type. Create a task definition for the container image with an Amazon Elastic File System (Amazon EFS) volume. Create a service with that task definition.
Question 984:
A company has an AWS account used for software engineering. The AWS account has access to the company's on-premises data center through a pair of AWS Direct Connect connections. All non-VPC traffic routes to the virtual private gateway. A development team recently created an AWS Lambda function through the console. The development team needs to allow the function to access a database that runs in a private subnet in the company's data center.
Which solution will meet these requirements?
A. Configure the Lambda function to run in the VPC with the appropriate security group. B. Set up a VPN connection from AWS to the data center. Route the traffic from the Lambda function through the VPN. C. Update the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect. D. Create an Elastic IP address. Configure the Lambda function to send traffic through the Elastic IP address without an elastic network interface.
A. Configure the Lambda function to run in the VPC with the appropriate security group.
Question 985:
A company is designing a website that displays stock market prices to users. The company wants to use Amazon ElastiCache (Redis OSS) for the data caching layer. The company needs to ensure that the website's data caching layer can automatically fail over to another node if necessary.
Which solution will meet these requirements?
A. Enable read replicas in ElastiCache (Redis OSS). Promote the read replica when necessary. B. Enable Multi-AZ in ElastiCache (Redis OSS). Fail over to a second node when necessary. C. Export a backup of the ElastiCache (Redis OSS) cache to an Amazon S3 bucket. Restore the cache to a second cluster when necessary. D. Export a backup of the ElastiCache (Redis OSS) cache by using AWS Backup. Restore the cache to a second cluster when necessary.
B. Enable Multi-AZ in ElastiCache (Redis OSS). Fail over to a second node when necessary.
Explanation
For high availability, Amazon ElastiCache for Redis supports Multi-AZ with automatic failover, which provides primary and replica nodes in different Availability Zones. If the primary node fails, Redis automatically promotes a replica to primary.
From AWS Documentation:
"When you enable Multi-AZ with automatic failover, Amazon ElastiCache automatically detects failures and promotes a read replica to primary with minimal downtime." (Source: Amazon ElastiCache for Redis User Guide)
Why B is correct:
Multi-AZ provides automatic failover and data replication.
Ensures continuous availability and protects against node or AZ failures.
Fully managed with no manual intervention needed.
Why others are incorrect:
Option A: Manual promotion is not automatic.
Option C & Option D: Restoring from backup is slow and meant for disaster recovery, not failover.
References:
Amazon ElastiCache for Redis User Guide?"High Availability with Multi-AZ"
AWS Well-Architected Framework?Reliability Pillar
Question 986:
A company is moving its data and applications to AWS during a multiyear migration project. The company wants to securely access data on Amazon S3 from the company's AWS Region and from the company's on-premises location. The data must not traverse the internet. The company has established an AWS Direct Connect connection between its Region and its on-premises location.
Which solution will meet these requirements?
A. Create gateway endpoints for Amazon S3. Use the gateway endpoints to securely access the data from the Region and the on-premises location. B. Create a gateway in AWS Transit Gateway to access Amazon S3 securely from the Region and the on-premises location. C. Create interface endpoints for Amazon S3. Use the interface endpoints to securely access the data from the Region and the on-premises location. D. Use an AWS Key Management Service (AWS KMS) key to access the data securely from the Region and the on-premises location.
C. Create interface endpoints for Amazon S3. Use the interface endpoints to securely access the data from the Region and the on-premises location.
Question 987:
A retail company runs its application on AWS. The application uses Amazon EC2 for web servers, Amazon RDS for database services, and Amazon CloudFront for global content distribution.
The company needs a solution to mitigate DDoS attacks.
Which solution will meet this requirement?
A. Implement AWS WAF custom rules to limit the length of query requests. Configure CloudFront to work with AWS WAF. B. Enable AWS Shield Advanced. Configure CloudFront to work with Shield Advanced. C. Use Amazon Inspector to scan the EC2 instances. Enable Amazon GuardDuty. D. Enable Amazon Macie. Configure CloudFront Origin Shield.
B. Enable AWS Shield Advanced. Configure CloudFront to work with Shield Advanced.
Explanation
AWS Shield Advanced provides advanced DDoS protection for AWS workloads, including EC2, CloudFront, and RDS. When integrated with CloudFront, Shield Advanced offers comprehensive detection and mitigation against large and sophisticated DDoS attacks, along with 24x7 access to the AWS DDoS Response Team (DRT). AWS WAF provides application-level protection, but for complete DDoS mitigation, Shield Advanced is the recommended solution.
Reference Extract from AWS Documentation /
Study Guide:
" AWS Shield Advanced provides expanded DDoS attack protection for applications running on AWS. It offers always-on detection and automatic inline mitigations that minimize application downtime and latency."
Source: AWS Certified Solutions Architect?Official Study Guide, Security and DDoS Protection section.
Question 988:
A solutions architect is building an Amazon S3 data lake for a company. The company uses Amazon Kinesis Data Firehose to ingest customer personally identifiable information (PII) and transactional data in near real-time to an S3 bucket.
The company needs to mask all PII data before storing thedata in the data lake.
Which solution will meet these requirements?
A. Create an AWS Lambda function to detect and mask PII. Invoke the function from Kinesis Data Firehose. B. Use Amazon Macie to scan the S3 bucket. Configure Macie to detect and mask PII. C. Enable server-side encryption (SSE) on the S3 bucket. D. Create an AWS Lambda function that integrates with AWS CloudHSM. Configure the function to detect and mask PII.
A. Create an AWS Lambda function to detect and mask PII. Invoke the function from Kinesis Data Firehose.
Explanation
Using a Lambda function as part of the Kinesis Data Firehose pipeline allows for real-time detection and masking of PII before data is written to S3. This ensures that PII is never stored in its raw form in the data lake.
Option B:Amazon Macie can scan and classify data but does not provide in-line PII masking for data ingestion.
Option C:Server-side encryption secures data but does not mask PII.
Option D:CloudHSM is unnecessary for PII masking and adds complexity without addressing the requirements.
References:
Using Lambda with Kinesis Data Firehose
Question 989:
A company hosts an internal serverless application on AWS by using Amazon API Gateway and AWS Lambda. The company's employees report issues with high latency when they begin using the application each day. The company wants to reduce latency.
Which solution will meet these requirements?
A. Increase the API Gateway throttling limit. B. Set up a scheduled scaling to increase Lambda provisioned concurrency before employees begin to use the application each day. C. Create an Amazon CloudWatch alarm to initiate a Lambda function as a target for the alarm at the beginning of each day. D. Increase the Lambda function memory.
B. Set up a scheduled scaling to increase Lambda provisioned concurrency before employees begin to use the application each day.
Question 990:
A company has a data ingestion workflow that includes the following components:
An Amazon Simple Notification Service (Amazon SNS) topic that receives notifications about new data deliveries.
An AWS Lambda function that processes and stores the data.
The ingestion workflow occasionally fails because of network connectivity issues.
When failure occurs, the corresponding data is not ingested unless the company manually reruns the job.
What should a solutions architect do to ensure that all notifications are eventually processed?
A. Configure the Lambda function for deployment across multiple Availability Zones. B. Modify the Lambda function's configuration to increase the CPU and memory allocations for the function. C. Configure the SNS topic's retry strategy to increase both the number of retries and the wait time between retries. D. Configure an Amazon Simple Queue Service (Amazon SQS) queue as the on-failure destination. Modify the Lambda function to process messages in the queue.
D. Configure an Amazon Simple Queue Service (Amazon SQS) queue as the on-failure destination. Modify the Lambda function to process messages in the queue.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SAA-C03 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.