AWS Certified Solutions Architect Associate Exam dumps with Complete Explanation-Part2

Muhammad Hassan Saeed
18 min readSep 4, 2023

Question#9

A company is running an SMB file server in its data center. The file server stores large files that are accessed frequently for the first few days after the files are created. After 7 days the files are rarely accessed.
The total data size is increasing and is close to the company’s total storage capacity. A solutions architect must increase the company’s available storage space without losing low-latency access to the most recently accessed files. The solutions architect must also provide file lifecycle management to avoid future storage issues.
Which solution will meet these requirements?

  • A. Use AWS DataSync to copy data that is older than 7 days from the SMB file server to AWS.
  • B. Create an Amazon S3 File Gateway to extend the company’s storage space. Create an S3 Lifecycle policy to transition the data to S3 Glacier Deep Archive after 7 days.
  • C. Create an Amazon FSx for Windows File Server file system to extend the company’s storage space.
  • D. Install a utility on each user’s computer to access Amazon S3. Create an S3 Lifecycle policy to transition the data to S3 Glacier Flexible Retrieval after 7 days.

Reference/Arguments:

Amazon S3 File Gateway provides a seamless way to extend storage capacity while still allowing low-latency access to frequently accessed files. It allows you to present an S3 bucket as a Network File System (NFS) or Server Message Block (SMB) share, making it compatible with existing file server setups.

Option A (Using AWS DataSync) and Option C (Creating an Amazon FSx for Windows File Server file system) do not address the need to transition data to lower-cost storage tiers after 7 days. They might help with extending storage capacity but do not provide a built-in mechanism for cost optimization.

Option D (Installing a utility on each user’s computer to access Amazon S3) is not practical for managing large volumes of data in a corporate environment. It would require significant user involvement and does not provide centralized management and control over data storage and lifecycle.

Question#10

A company is building an ecommerce web application on AWS. The application sends information about new orders to an Amazon API Gateway REST API to process. The company wants to ensure that orders are processed in the order that they are received.
Which solution will meet these requirements?

  • A. Use an API Gateway integration to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when the application receives an order. Subscribe an AWS Lambda function to the topic to perform processing.
  • B. Use an API Gateway integration to send a message to an Amazon Simple Queue Service (Amazon SQS) FIFO queue when the application receives an order. Configure the SQS FIFO queue to invoke an AWS Lambda function for processing.
  • C. Use an API Gateway authorizer to block any requests while the application processes an order.
  • D. Use an API Gateway integration to send a message to an Amazon Simple Queue Service (Amazon SQS) standard queue when the application receives an order. Configure the SQS standard queue to invoke an AWS Lambda function for processing.

Reference/Arguments:

FIFO (First-In-First-Out) queues have all the capabilities of the standard queues, but are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can’t be tolerated.

Option A (Using Amazon SNS) and Option D (Using Amazon SQS standard queue) could work but do not guarantee strict ordering of messages. Amazon SNS does not guarantee the order of message delivery, and while Amazon SQS standard queues can preserve order to some extent, they don’t provide the same level of ordering guarantees as FIFO queues.

Option C (Using an API Gateway authorizer to block requests) is not a suitable solution for processing orders in a specific order. It focuses on authorization and blocking requests based on user access, which is unrelated to the requirement of processing orders sequentially.

Question#11

A company has an application that runs on Amazon EC2 instances and uses an Amazon Aurora database. The EC2 instances connect to the database by using user names and passwords that are stored locally in a file. The company wants to minimize the operational overhead of credential management.
What should a solutions architect do to accomplish this goal?

  • A. Use AWS Secrets Manager. Turn on automatic rotation.
  • B. Use AWS Systems Manager Parameter Store. Turn on automatic rotation.
  • C. Create an Amazon S3 bucket to store objects that are encrypted with an AWS Key Management Service (AWS KMS) encryption key. Migrate the credential file to the S3 bucket. Point the application to the S3 bucket.
  • D. Create an encrypted Amazon Elastic Block Store (Amazon EBS) volume for each EC2 instance. Attach the new EBS volume to each EC2 instance. Migrate the credential file to the new EBS volume. Point the application to the new EBS volume.

Reference/Arguments:

Aws Secret Manager meant for RDS Integration

Amazon Aurora integrates with Secrets Manager to manage master user passwords for your DB clusters.Aurora rotates database credentials regularly, without requiring application changes.

Option A, Systems Manager Parameter Store does not include automatic rotation and would need to be customized. Although Advanced Parameters in Parameter Store do allow you to specify an expiration and expiration notification policy, for more information see Assigning parameter policies.

Option C, (Storing credentials in an S3 bucket) is not recommended for storing sensitive credentials, as it doesn’t provide the same level of security and access control as dedicated secret management services like Parameter Store or Secrets Manager.

Option D, (Creating encrypted EBS volumes) is not a recommended solution for storing credentials. While EBS volumes can be encrypted and used for various purposes, they are not designed for managing and rotating sensitive credentials, and this approach doesn’t offer the same level of centralized control and automation as using a dedicated secret management service like Parameter Store.

Console View of Aws Secret Manager

Question#12

A global company hosts its web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The web application has static data and dynamic data. The company stores its static data in an Amazon S3 bucket. The company wants to improve performance and reduce latency for the static data and dynamic data. The company is using its own domain name registered with Amazon Route 53.
What should a solutions architect do to meet these requirements?

  • A. Create an Amazon CloudFront distribution that has the S3 bucket and the ALB as origins. Configure Route 53 to route traffic to the CloudFront distribution.
  • B. Create an Amazon CloudFront distribution that has the ALB as an origin. Create an AWS Global Accelerator standard accelerator that has the S3 bucket as an endpoint Configure Route 53 to route traffic to the CloudFront distribution.
  • C. Create an Amazon CloudFront distribution that has the S3 bucket as an origin. Create an AWS Global Accelerator standard accelerator that has the ALB and the CloudFront distribution as endpoints. Create a custom domain name that points to the accelerator DNS name. Use the custom domain name as an endpoint for the web application.
  • D. Create an Amazon CloudFront distribution that has the ALB as an origin. Create an AWS Global Accelerator standard accelerator that has the S3 bucket as an endpoint. Create two domain names. Point one domain name to the CloudFront DNS name for dynamic content. Point the other domain name to the accelerator DNS name for static content. Use the domain names as endpoints for the web application.

Reference/Arguments:

CloudFront speeds up content delivery by leveraging its global network of data centers, known as edge locations, to reduce delivery time by caching your content close to your end users.CloudFront can be used to deliver your entire website or application, including dynamic, static, streaming, and interactive content.

Other options are related to Global Accelerator which is best for non-http use cases such as Tcp/Udp “ Global Accelerator terminates TCP connections from clients at AWS edge locations and, almost concurrently, establishes a new TCP connection with your endpoints. This gives clients faster response times (lower latency) and increased throughput

Question#13

A company performs monthly maintenance on its AWS infrastructure. During these maintenance activities, the company needs to rotate the credentials for its Amazon RDS for MySQL databases across multiple AWS Regions.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule.
  • B. Store the credentials as secrets in AWS Systems Manager by creating a secure string parameter. Use multi-Region secret replication for the required Regions. Configure Systems Manager to rotate the secrets on a schedule.
  • C. Store the credentials in an Amazon S3 bucket that has server-side encryption (SSE) enabled. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Lambda function to rotate the credentials.
  • D. Encrypt the credentials as secrets by using AWS Key Management Service (AWS KMS) multi-Region customer managed keys. Store the secrets in an Amazon DynamoDB global table. Use an AWS Lambda function to retrieve the secrets from DynamoDB. Use the RDS API to rotate the secrets.

Reference/Arguments:

Aws Secret Manager is meant for Rds Integration as we discuss in Question#11 . “If you turn on rotation for your primary secret, Secrets Manager rotates the secret in the primary Region, and the new secret value propagates to all of the associated replica secrets

Arguments about others:

Option B (AWS Systems Manager) could also be a viable choice, but Secrets Manager is better suited for managing secrets like database credentials.

Option C (Amazon S3 and AWS Lambda) would require more custom development to implement and manage credential rotation.

Option D (AWS KMS, DynamoDB, and Lambda) involves more manual configuration and management compared to Secrets Manager, which is purpose-built for secret management and rotation.

Question#14

A company recently migrated to AWS and wants to implement a solution to protect the traffic that flows in and out of the production VPC. The company had an inspection server in its on-premises data center. The inspection server performed specific operations such as traffic flow inspection and traffic filtering. The company wants to have the same functionalities in the AWS Cloud.
Which solution will meet these requirements?

  • A. Use Amazon GuardDuty for traffic inspection and traffic filtering in the production VPC.
  • B. Use Traffic Mirroring to mirror traffic from the production VPC for traffic inspection and filtering.
  • C. Use AWS Network Firewall to create the required rules for traffic inspection and traffic filtering for the production VPC.
  • D. Use AWS Firewall Manager to create the required rules for traffic inspection and traffic filtering for the production VPC.

Reference/Arguments:

An AWS Network Firewall firewall connects a firewall policy, which defines network traffic monitoring and filtering behavior, to the VPC that you want to protect.

Arguments about others:

Option A (Guard Duty) Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts . Not provide filtering on Production Vpc

Option B (Traffic Mirroring) Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of type interface . So Why we need to Copy Network Traffic Instead of Filtering.

Option D (Firewall Manager) Use AWS Firewall Manager to centrally configure and manage Network Firewall resources across your accounts and applications in AWS Organizations. Not work in our Case.

Question#15

A company runs an ecommerce application on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group scales based on CPU utilization metrics. The ecommerce application stores the transaction data in a MySQL 8.0 database that is hosted on a large EC2 instance.
The database’s performance degrades quickly as application load increases. The application handles more read requests than write transactions. The company wants a solution that will automatically scale the database to meet the demand of unpredictable read workloads while maintaining high availability.
Which solution will meet these requirements?

  • A. Use Amazon Redshift with a single node for leader and compute functionality.
  • B. Use Amazon RDS with a Single-AZ deployment Configure Amazon RDS to add reader instances in a different Availability Zone.
  • C. Use Amazon Aurora with a Multi-AZ deployment. Configure Aurora Auto Scaling with Aurora Replicas.
  • D. Use Amazon ElastiCache for Memcached with EC2 Spot Instances.

Reference/Arguments:

Aurora Replicas have two main purposes. You can issue queries to them to scale the read operations for your application.Aurora can spread the load for read-only connections across as many Aurora Replicas as you have in the cluster. Aurora Replicas also help to increase availability

You can Configure Aurora Auto Scaling for unpredictable workload and automatic scalibility.

Console View of Aurora Auto Scaling Configuration

Question#16

A company hosts a data lake on AWS. The data lake consists of data in Amazon S3 and Amazon RDS for PostgreSQL. The company needs a reporting solution that provides data visualization and includes all the data sources within the data lake. Only the company’s management team should have full access to all the visualizations. The rest of the company should have only limited access.
Which solution will meet these requirements?

  • A. Create an analysis in Amazon QuickSight. Connect all the data sources and create new datasets. Publish dashboards to visualize the data. Share the dashboards with the appropriate IAM roles.
  • B. Create an analysis in Amazon QuickSight. Connect all the data sources and create new datasets. Publish dashboards to visualize the data. Share the dashboards with the appropriate users and groups.
  • C. Create an AWS Glue table and crawler for the data in Amazon S3. Create an AWS Glue extract, transform, and load (ETL) job to produce reports. Publish the reports to Amazon S3. Use S3 bucket policies to limit access to the reports.
  • D. Create an AWS Glue table and crawler for the data in Amazon S3. Use Amazon Athena Federated Query to access data within Amazon RDS for PostgreSQL. Generate reports by using Amazon Athena. Publish the reports to Amazon S3. Use S3 bucket policies to limit access to the reports.

Reference/Arguments:

With Amazon QuickSight, you can quickly embed interactive dashboards and visualizations into your applications without needing to build your own analytics capabilities

Credit to Aws team for Pic

You can share it with users & Groups

https://docs.aws.amazon.com/quicksight/latest/user/share-a-dashboard-grant-access-users.html

Arguments about others:

Option A increase complexity with sharing dashboards with specific roles while Option B is to just add users and groups to quicksight

Option C and option D involve using AWS Glue and Athena, which are more focused on data processing and querying rather than providing visualizations and dashboards. These options don’t provide an out-of-the-box solution for creating and sharing visualizations with the desired access control.

Question#17

A company is implementing a new business application. The application runs on two Amazon EC2 instances and uses an Amazon S3 bucket for document storage. A solutions architect needs to ensure that the EC2 instances can access the S3 bucket.
What should the solutions architect do to meet this requirement?

  • A. Create an IAM role that grants access to the S3 bucket. Attach the role to the EC2 instances.
  • B. Create an IAM policy that grants access to the S3 bucket. Attach the policy to the EC2 instances.
  • C. Create an IAM group that grants access to the S3 bucket. Attach the group to the EC2 instances.
  • D. Create an IAM user that grants access to the S3 bucket. Attach the user account to the EC2 instances.

Reference/Arguments:

An IAM role is an AWS resource that allows you to delegate access to AWS resources and services. You can create an IAM role that grants access to the S3 bucket and then attach the role to the EC2 instances. This will allow the EC2 instances to access the S3 bucket and the documents stored within it.

Arguments about others:

Option B is incorrect because an IAM policy is used to define permissions for an IAM user or group, not for an EC2 instance.

Option C is incorrect because an IAM group is used to group together IAM users and policies, not to grant access to resources.

Option D is incorrect because an IAM user is used to represent a person or service that interacts with AWS resources, not to grant access to resources

Question#18

An application development team is designing a microservice that will convert large images to smaller, compressed images. When a user uploads an image through the web interface, the microservice should store the image in an Amazon S3 bucket, process and compress the image with an AWS Lambda function, and store the image in its compressed form in a different S3 bucket.
A solutions architect needs to design a solution that uses durable, stateless components to process the images automatically.
Which combination of actions will meet these requirements? (Choose two.)

  • A. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the S3 bucket to send a notification to the SQS queue when an image is uploaded to the S3 bucket.
  • B. Configure the Lambda function to use the Amazon Simple Queue Service (Amazon SQS) queue as the invocation source. When the SQS message is successfully processed, delete the message in the queue.
  • C. Configure the Lambda function to monitor the S3 bucket for new uploads. When an uploaded image is detected, write the file name to a text file in memory and use the text file to keep track of the images that were processed.
  • D. Launch an Amazon EC2 instance to monitor an Amazon Simple Queue Service (Amazon SQS) queue. When items are added to the queue, log the file name in a text file on the EC2 instance and invoke the Lambda function.
  • E. Configure an Amazon EventBridge (Amazon CloudWatch Events) event to monitor the S3 bucket. When an image is uploaded, send an alert to an Amazon ample Notification Service (Amazon SNS) topic with the application owner’s email address for further processing

Reference/Arguments:

By configuring an SQS queue and setting up S3 bucket notifications to send messages to the SQS queue when an image is uploaded, you decouple the image processing workflow.

Lambda event source mappings support standard queues and first-in, first-out (FIFO) queues. With Amazon SQS, you can offload tasks from one component of your application by sending them to a queue and processing them asynchronously.

Arguments about Others:

Option C is not a recommended approach because using an in-memory text file to keep track of processed images is not a durable and scalable solution, and it doesn’t fit the requirement of stateless processing.

Option D suggests using an EC2 instance to monitor the SQS queue, which introduces additional complexity and operational overhead. AWS Lambda is a serverless compute service designed for such use cases, making it a more efficient choice.

Option E involves using Amazon EventBridge (CloudWatch Events) and Amazon SNS for monitoring and alerting but doesn’t provide the automatic image processing and compression required for the use case.

Question#19

A company has a three-tier web application that is deployed on AWS. The web servers are deployed in a public subnet in a VPC. The application servers and database servers are deployed in private subnets in the same VPC. The company has deployed a third-party virtual firewall appliance from AWS Marketplace in an inspection VPC. The appliance is configured with an IP interface that can accept IP packets.
A solutions architect needs to integrate the web application with the appliance to inspect all traffic to the application before the traffic reaches the web server.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create a Network Load Balancer in the public subnet of the application’s VPC to route the traffic to the appliance for packet inspection.
  • B. Create an Application Load Balancer in the public subnet of the application’s VPC to route the traffic to the appliance for packet inspection.
  • C. Deploy a transit gateway in the inspection VPConfigure route tables to route the incoming packets through the transit gateway.
  • D. Deploy a Gateway Load Balancer in the inspection VPC. Create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance.

Reference/Arguments:

Gateway Load Balancer and virtual appliances are deployed into a centralized appliance VPC. Gateway Load Balancer endpoints are configured in spoke VPCs originating or receiving traffic from the Internet. This architecture allows you to perform inline inspection of traffic from multiple spoke VPCs in a simplified and scalable fashion while still centralizing your virtual appliances.

Arguments about others:

Option A (Network Load Balancer) and option B (Application Load Balancer) are not typically used for packet inspection or forwarding traffic to a third-party appliance. They are more suitable for load balancing traffic to application instances.

Option C (deploying a transit gateway) introduces additional complexity and overhead, which might not be necessary for a simple traffic inspection scenario.

Question#20

A company wants to improve its ability to clone large amounts of production data into a test environment in the same AWS Region. The data is stored in Amazon EC2 instances on Amazon Elastic Block Store (Amazon EBS) volumes. Modifications to the cloned data must not affect the production environment. The software that accesses this data requires consistently high I/O performance.
A solutions architect needs to minimize the time that is required to clone the production data into the test environment.
Which solution will meet these requirements?

  • A. Take EBS snapshots of the production EBS volumes. Restore the snapshots onto EC2 instance store volumes in the test environment.
  • B. Configure the production EBS volumes to use the EBS Multi-Attach feature. Take EBS snapshots of the production EBS volumes. Attach the production EBS volumes to the EC2 instances in the test environment.
  • C. Take EBS snapshots of the production EBS volumes. Create and initialize new EBS volumes. Attach the new EBS volumes to EC2 instances in the test environment before restoring the volumes from the production EBS snapshots.
  • D. Take EBS snapshots of the production EBS volumes. Turn on the EBS fast snapshot restore feature on the EBS snapshots. Restore the snapshots into new EBS volumes. Attach the new EBS volumes to EC2 instances in the test environment.

Reference/Arguments:

Amazon EBS fast snapshot restore (FSR) enables you to create a volume from a snapshot that is fully initialized at creation. This eliminates the latency of I/O operations on a block when it is accessed for the first time. Volumes that are created using fast snapshot restore instantly deliver all of their provisioned performance

Arguments about Others:

Option A (restoring snapshots onto EC2 instance store volumes) would not be ideal because instance store volumes are ephemeral, and any data stored on them would be lost when the instance is stopped or terminated.

Option B (using EBS Multi-Attach) can provide shared access to an EBS volume but might not be the most efficient way to clone data for a test environment.

Option C (creating and initializing new EBS volumes) adds unnecessary steps to the process and may not be as efficient as using fast snapshot restore.

Thanks for Reading !!

For Previous Part Follow link above:

--

--

Muhammad Hassan Saeed

Greetings! I'm a passionate AWS DevOps Engineer with hands-on Experience on Majority Devops Tools