AWS Certified Solutions Architect – Professional ( Advanced Architecting on AWS ) Quiz Questions and Answers

Your company is hosting a web application on AWS. According to architectural best practices, the application must be highly available, scalable, cost-effective and high-performance, and should require minimal human intervention. You have deployed the web servers in the public subnet and the database servers in the private subnet of the VPC. While testing the application via a web browser, you notice that the application is not accessible. Which two of the following configuration settings can help you tackle this issue? Choose two options, each of which provides an independent solution to the issue.

Answer :
  • Place all your web servers behind ELB. Configure a Route53 ALIAS-Record to point to the ELB DNS name.
  • Assign EIPs to all web servers. Configure a Route53 A-Record set with all EIPs with health checks and DNS failover.

Explanation :

Option A is incorrect because (a) a NAT instance is used to route traffic from a private subnet to the internet via a public subnet, not to make web servers reachable from the internet, (b) a NAT instance is not managed by AWS and has to be configured and maintained by the user, which adds operational overhead, and (c) if not scaled, it can become a performance bottleneck. A NAT Gateway is preferred over NAT instances in any case. Option B recommends using CloudFront with the distribution's origin pointed at the web server, and a Route 53 CNAME for the CloudFront distribution. Even though CloudFront is highly available and reachable from the internet, the origin should be an ELB rather than a single web server: if that one server goes offline for a period of time, the site becomes unavailable as soon as the content is not cached at the edge location or its TTL expires. So Option B is incorrect as well. Option C is CORRECT because (a) with the web servers behind an ELB the load is distributed across them, so if any web server goes offline or stops responding, traffic is routed to the remaining healthy servers, making the application highly available, and (b) Route 53 can resolve the domain with an ALIAS record pointing to the ELB DNS name (an ALIAS record, unlike a CNAME, can be used at the zone apex and follows the ELB's changing IP addresses). Option D is CORRECT because in Route 53 you can resolve the query either with an ALIAS record pointing to the ELB endpoint or with an A record listing the IP addresses of the application. As EIPs are static and can be re-associated with a replacement web server if one goes offline, they can be used in the A record. Route 53 health checks then detect an unhealthy server, stop returning its record and fail over to the remaining web servers.

You’ve been hired to enhance the overall security posture for a very large e-commerce site. They have a well-architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and a flood of superfluous requests for accessing the resources. You suspect that someone is attempting to gain unauthorized access. Which approach provides cost-effective scalable mitigation to this kind of attack?

Answer :
  • Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group.

Explanation :

In scenarios where you are designing a solution to mitigate a DDoS-style attack (indicated here by the flood of superfluous requests and the questionable log entries), think of a Web Application Firewall (WAF). AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. It gives you control over which traffic to allow or block by defining customizable web security rules: you can create rules that block common attack patterns, such as SQL injection or cross-site scripting, as well as rules designed for your specific application, and new rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Option A is incorrect because, although it could work, the setup is very complex and not cost effective. Option B is incorrect because (a) even though blocking certain IPs in a NACL mitigates the immediate risk, the attacker can change source IP addresses and circumvent the check, and (b) it does nothing against new sources of the attack. Option C is CORRECT because (a) the WAF tier acts as the first line of defense, filtering out known sources of attack and blocking common attack patterns such as SQL injection or cross-site scripting, (b) the application's own ELB is no longer exposed to the attack, and, most importantly, (c) this pattern, known as the "WAF sandwich", places an Auto Scaling group of WAF instances between two ELBs: the internet-facing ELB receives all traffic and passes it to the WAF layer, which drops the malicious requests and forwards the remaining, non-malicious requests to the second ELB in front of the web tier for processing. Restricting the web tier security groups to the WAF tier security group is what stops an attacker from bypassing the WAF by reaching the web tier directly. Option D is incorrect because there is no such thing as an Advanced Protocol Filtering feature for ELB.
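
The last step of the answer, locking the web tier down to the WAF tier's security group, is the one that is easy to get wrong and easy to leave half done. The following check, added here as an example and not part of the original quiz, walks a DescribeSecurityGroups-shaped list and reports every ingress rule on the web tier group whose source is not the WAF tier group. The group IDs and the sample data are constructed; in a real run you would pass in ec2.describe_security_groups()["SecurityGroups"] instead.

```python
"""Check that the web tier admits traffic only from the WAF tier's security
group, as the "WAF sandwich" requires.  Added example, not part of the
original quiz; the group IDs and the DescribeSecurityGroups-shaped data are
constructed for illustration."""

WAF_TIER_SG = "sg-0a1b2c3d4e5f60001"   # hypothetical WAF tier security group
WEB_TIER_SG = "sg-0a1b2c3d4e5f60002"   # hypothetical web tier security group

# Constructed sample in the shape ec2.describe_security_groups() returns.
SAMPLE_GROUPS = [
    {
        "GroupId": WEB_TIER_SG,
        "GroupName": "web-tier",
        "IpPermissions": [
            {   # intended rule: HTTP only from the WAF tier
                "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": WAF_TIER_SG}],
            },
            {   # leftover rule: HTTPS from the whole internet bypasses the WAF
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                "UserIdGroupPairs": [],
            },
            {   # rule sourced from an unrelated group, also a bypass
                "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60003"}],
            },
        ],
    },
    {"GroupId": WAF_TIER_SG, "GroupName": "waf-tier", "IpPermissions": []},
]


def _port_label(perm):
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    return f'{proto}/{perm.get("FromPort")}-{perm.get("ToPort")}'


def audit_web_tier(groups, web_sg, allowed_source_sg):
    """Return findings for every ingress rule on web_sg whose source is
    anything other than allowed_source_sg (CIDRs, prefix lists, other groups).
    An empty list means the web tier is reachable only through the WAF tier."""
    web = next((g for g in groups if g.get("GroupId") == web_sg), None)
    if web is None:
        return [f"security group {web_sg} not found"]
    findings = []
    for perm in web.get("IpPermissions", []):
        label = _port_label(perm)
        for r in perm.get("IpRanges", []):
            findings.append(f"{label} open to {r['CidrIp']} (bypasses WAF tier)")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{label} open to {r['CidrIpv6']} (bypasses WAF tier)")
        for pl in perm.get("PrefixListIds", []):
            findings.append(f"{label} open to prefix list {pl['PrefixListId']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != allowed_source_sg:
                findings.append(f"{label} sourced from {pair.get('GroupId')}, not the WAF tier")
    return findings


if __name__ == "__main__":
    for finding in audit_web_tier(SAMPLE_GROUPS, WEB_TIER_SG, WAF_TIER_SG):
        print("FINDING:", finding)
```

Run against the sample it reports the 0.0.0.0/0 rule and the rule sourced from the unrelated group, and stays silent for the rule sourced from the WAF tier. Remember that a Classic ELB in front of the web tier has its own security group; that group needs the same treatment, otherwise the load balancer is still a front door around the WAF.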

An AWS customer runs a public blogging website. The site users upload two million blog entries a month. The average blog entry size is 200 KB. The access rate to blog entries drops to negligible 6 months after publication and users rarely access a blog entry 1 year after publication. Additionally, blog entries have a high update rate during the first 3 months following publication, this drops to no updates after 6 months. The customer wants to use CloudFront to improve his user’s load times. Which of the following recommendations would you make to the customer?

Answer :
  • Create a CloudFront distribution with S3 access restricted only to the CloudFront identity and partition the blog entry’s location in S3 according to the month it was uploaded to be used with CloudFront behaviors.

Explanation :

The scenario is that (a) blog entries have a high access and update rate in the first 3 months after publication and (b) this rate drops to negligible after 6 months, while the main architectural consideration is improving the users' load time. The question is about making the best use of CloudFront cache behaviors. Two things about CloudFront matter here: (1) CloudFront gives geographically distributed users fast access to content by caching it at multiple edge locations, and (2) with cache behaviors you control, per path pattern, the origin, the time to live (TTL) and, using trusted signers, who may access the content. In this scenario you want to control caching based on when a blog entry was published: entries in their first months, which are read and updated often, get a TTL short enough that updates show up promptly, while older, rarely accessed entries can simply expire from the cache. You also need to make sure the content in S3 is reachable only through CloudFront. Option A is incorrect because maintaining two separate buckets does nothing to improve load time for users. Option B is incorrect because a location-wise distribution is not going to improve load time either. Option C is CORRECT because (a) the bucket is restricted to the CloudFront origin access identity, so the S3 content can only be fetched through CloudFront, and (b) partitioning the objects at the origin by upload month lets you attach a different cache behavior (and TTL) to each month's path pattern, keeping the frequently updated recent content fresh at the edge while everything is served with fast load times. Option D is incorrect because the scenario states that this is a public blogging website, so there is no need to restrict viewer access.
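
"S3 access restricted only to the CloudFront identity" means a bucket policy whose only read grant goes to the distribution's origin access identity (OAI). The following example, added here and not taken from the quiz, builds that policy and audits an existing policy for anything broader, the classic public-read statement included. The bucket name, the OAI id and the sample policies are constructed; the principal ARN format for an OAI is the documented one.

```python
"""Restrict an S3 origin to a single CloudFront origin access identity (OAI)
and audit an existing bucket policy for anything broader.  Added example, not
from the quiz; the bucket name and OAI id are hypothetical and the sample
policies are constructed."""

import fnmatch
import json

BUCKET = "example-blog-entries"                                      # hypothetical
OAI_ARN = ("arn:aws:iam::cloudfront:user/"
           "CloudFront Origin Access Identity E1EXAMPLEOAIID")        # hypothetical id


def oai_only_policy(bucket, oai_arn):
    """Bucket policy that lets only the given OAI read objects; together with
    S3 Block Public Access this makes CloudFront the only way in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": oai_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    # "Principal": "*" and {"AWS": "*"} both mean anonymous access.
    if principal == "*":
        return ["*"]
    out = []
    for v in principal.values():
        out.extend(_as_list(v))
    return out


def _grants_get_object(actions):
    # IAM action matching is case-insensitive and allows * and ? wildcards,
    # so "s3:*", "s3:Get*" and "*" all cover s3:GetObject.
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def audit_origin_policy(policy, oai_arn):
    """Findings for Allow statements that let anyone other than oai_arn read
    objects.  Conditions are deliberately not evaluated: a statement with
    Principal "*" plus a Condition is still reported so a human reviews it."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _grants_get_object(st.get("Action", [])):
            continue
        sid = st.get("Sid", "<no Sid>")
        for p in _principals(st.get("Principal", {})):
            if p != oai_arn:
                findings.append(f"{sid}: GetObject allowed for principal {p}")
    return findings


# Constructed: the "public read" policy that the OAI setup has to replace.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(oai_only_policy(BUCKET, OAI_ARN), indent=2))
    for finding in audit_origin_policy(PUBLIC_READ_POLICY, OAI_ARN):
        print("FINDING:", finding)
```

The audit is intentionally conservative: it reports any read grant whose principal is not the OAI, wildcard actions included, and leaves Condition blocks for a human, because an over-broad principal narrowed by a condition is exactly the kind of statement that deserves a second look.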

A large real-estate brokerage is exploring the option of adding a cost-effective location-based alert to their existing mobile application. The application backend infrastructure currently runs on AWS. Users who opt into this service will receive alerts on their mobile devices regarding real-estate offers in proximity to their location. For the alerts to be relevant, delivery time needs to be in the low minute count. The existing mobile app has 5 million users across the US. Which of the following architectural suggestions would you make to the customer?

Answer :
  • The mobile application will send the device location using SQS. EC2 instances will retrieve the relevant offers from DynamoDB. AWS Mobile Push will be used to send offers to the mobile application.

Explanation :

The scenario has the following architectural considerations: (1) users should get notifications about real estate near their location, (2) only users who opted in should get the notification, (3) delivery should be fast (a low minute count), (4) the architecture should scale to 5 million users, and (5) it should be cost effective. When a question stresses scalability of data storage, think of DynamoDB, as it is the recommended database for handling a huge number of records at scale; for automated notifications, think of SNS. Option A is incorrect because (a) setting up EC2 instances and an ELB to handle 5 million users is not cost effective, and (b) sending the notifications through the mobile carriers or device providers as alerts is neither feasible nor cost effective (certainly not as cost effective as SNS). Option B is incorrect because (a) setting up EC2 instances and an ELB to handle 5 million users is not cost effective, (b) receiving the location via Direct Connect and a carrier connection is not cost effective and does not deal with subscriptions, and (c) sending the notifications via the mobile carriers as alerts is not cost effective (certainly not as cost effective as SNS). Option C is CORRECT because (a) SQS is a highly scalable, cost effective service for buffering work such as the location updates of millions of users, so that the EC2 consumers can process them at their own pace, (b) it uses highly scalable DynamoDB for the offers, and (c) it uses the cost effective SNS Mobile Push service to send push notification messages directly to the app on the devices. Option D is incorrect because SNS Mobile Push is used to send push notifications to mobile devices, not to obtain the location of the devices.

Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high-resolution MP4 format. Your workforce is distributed globally, often on the move and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise, and if required, you may need to pay for a consultant. How would you implement the most cost-efficient architecture without compromising the high availability and quality of video delivery?

Answer :
  • Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. Use S3 to host videos. Use CloudFront to serve HLS transcoded videos from S3.

Explanation :

There are four important design considerations here: (a) no in-house video transcoding expertise, (b) global distribution of the content, (c) a cost-effective solution, and (d) no compromise on the high availability and quality of video delivery. Amazon Elastic Transcoder is a media transcoding service in the cloud, designed to be a highly scalable, easy to use and cost-effective way for developers and businesses to convert ("transcode") media files from their source format into versions that play back on devices such as smartphones, tablets and PCs. Option A is CORRECT because (a) Elastic Transcoder converts the MP4 sources to HLS without any transcoding expertise or a consultant, (b) S3 is the durable, low-cost origin for the videos (and S3 Object Lifecycle Management can further reduce cost by archiving old originals to Glacier), and (c) CloudFront, a highly available service, delivers the video globally without compromising delivery speed or quality. Option B is incorrect because (a) it requires provisioning and operating infrastructure (EC2 instances, Auto Scaling, an SQS queue/pipeline), and (b) using EC2 instances to handle global delivery of content is not cost efficient. Option C is incorrect because using EBS snapshots is not cost effective compared to S3 with Object Lifecycle Management. Option D is incorrect because (a) it requires provisioning and operating infrastructure (EC2 instances, Auto Scaling, an SQS queue/pipeline), (b) using EC2 instances for global delivery of content is not cost efficient, and (c) using EBS snapshots is not cost effective compared to S3 with Object Lifecycle Management.

You have a periodic image analysis application that receives files from an input stream, analyzes them and, for each file, writes some data to several output files. The number of input files per day is high and concentrated in a few hours of the day. Currently you have a single server on EC2 with a large EBS volume that hosts the input data and the results, and it takes almost 20 hours per day to complete the processing. What services could be used to reduce the elaboration time and improve the availability of the solution?

Answer :
  • Use S3 to store I/O files. Use SQS to distribute elaboration commands to a group of hosts working in parallel. Then use Auto scaling to dynamically size the group of hosts depending on the length of the SQS queue.

Explanation :

The scenario is that (a) EC2 instances need to process a high number of input files, (b) the processing currently takes 20 hours a day, which must be reduced, and (c) availability must be improved. Looking at all the options, there are two choices to make: (1) S3 versus EBS with PIOPS, and (2) SQS versus SNS. First, S3 or EBS with PIOPS: all the options use Auto Scaling, i.e. multiple EC2 instances work on the input data in parallel, which is what reduces the overall elaboration time. Since a single EBS volume cannot be attached to multiple instances (EBS Multi-Attach did not exist when this question was written and is limited to specific volume types even now), an EBS volume is an illogical choice for shared input and output, whereas S3 can be read and written by every instance and provides high availability, satisfying the other requirement. Second, SQS is the right fit for distributing autonomous tasks: it queues the work items, retains each one until a worker deletes it, and its queue length is a natural scaling signal. SNS is a pure notification (publish/subscribe) service and does not hold tasks. Hence SQS is the correct choice. Option A is CORRECT because S3 provides high availability and stores the massive amount of data, Auto Scaling of the EC2 instances on the queue length reduces the overall processing time, and SQS distributes the commands/tasks to the group of instances. Option B is incorrect because neither EBS nor SNS is a valid choice in this scenario. Option C is incorrect because SNS is not a valid choice in this scenario. Option D is incorrect because EBS is not a valid choice in this scenario.
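
"Auto Scaling depending on the length of the SQS queue" is usually implemented with the backlog-per-instance rule: decide how many messages one instance can work off within an acceptable delay, and size the fleet so the visible backlog fits. The following example, added here and not part of the quiz, implements that rule and drains a simulated day's backlog through a fixed single host and through a scaled fleet. The queue is an in-memory counter rather than a real SQS queue, and the per-file processing time, window, tick and fleet limits are assumptions chosen so that one host takes exactly the 20 hours from the question.

```python
"""Size a worker fleet from the SQS backlog and simulate the effect on
elaboration time.  Added example, not from the quiz; the queue is an
in-memory counter and the workload numbers are assumptions."""

import math


def desired_capacity(visible_messages, *, min_size, max_size,
                     seconds_per_message, target_seconds):
    """Backlog-per-instance rule: one instance can work off
    target_seconds / seconds_per_message messages within the target, so the
    fleet is sized so that the visible backlog fits, clamped to the group's
    bounds.  In production visible_messages comes from the SQS
    ApproximateNumberOfMessagesVisible CloudWatch metric."""
    per_instance = max(1, target_seconds // seconds_per_message)
    needed = math.ceil(visible_messages / per_instance)
    return max(min_size, min(max_size, needed))


def simulate(total_files, *, seconds_per_message, min_size, max_size,
             target_seconds, tick_seconds=60):
    """Drain total_files through a fleet that is resized every tick.
    Returns (elapsed_seconds, peak_fleet_size)."""
    per_tick = tick_seconds // seconds_per_message
    assert per_tick >= 1, "tick must be long enough to process a message"
    queue, elapsed, peak = total_files, 0, 0
    while queue > 0:
        fleet = desired_capacity(queue, min_size=min_size, max_size=max_size,
                                 seconds_per_message=seconds_per_message,
                                 target_seconds=target_seconds)
        peak = max(peak, fleet)
        queue = max(0, queue - fleet * per_tick)   # workers run in parallel
        elapsed += tick_seconds
    return elapsed, peak


# Assumed workload: 7,200 files a day at 10 s each is exactly the 20 hours
# a single host takes in the question.
FILES_PER_DAY = 7_200
SECONDS_PER_FILE = 10

if __name__ == "__main__":
    single = simulate(FILES_PER_DAY, seconds_per_message=SECONDS_PER_FILE,
                      min_size=1, max_size=1, target_seconds=600)
    scaled = simulate(FILES_PER_DAY, seconds_per_message=SECONDS_PER_FILE,
                      min_size=1, max_size=50, target_seconds=600)
    print(f"single host: {single[0] / 3600:.1f} h, fleet peak {single[1]}")
    print(f"auto scaled: {scaled[0] / 3600:.2f} h, fleet peak {scaled[1]}")
```

With a 10 minute target the full backlog asks for 120 instances and is clamped to the group maximum of 50, and the day's work finishes in under an hour instead of 20. Two things the simulation makes visible that the answer text does not: the rule scales in aggressively as the backlog shrinks, so the last few hundred files take a disproportionate share of the run (a scale-in cooldown or a minimum size above one smooths that), and because every worker only deletes a message after writing its outputs to S3, the SQS visibility timeout has to exceed the per-file processing time or a second worker will pick the same file up.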

You are designing an intrusion detection prevention (IDS/IPS) solution for a customer's web application in a single VPC. You are considering the options for implementing IDS/IPS protection for traffic coming from the Internet. Which of the following options would you consider? Choose 2 options.

Answer :
  • Implement IDS/IPS agents on each instance running in the VPC
  • Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

Explanation :

The main responsibilities of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are to (a) detect attacks against and vulnerabilities in your EC2 instances, (b) protect the instances from those attacks, and (c) respond to an intrusion. An IDS monitors traffic and host activity for malicious behaviour and alerts the administrators when it detects something; an IPS sits inline, analyses incoming and outgoing traffic and blocks malicious requests before they reach the instances in the VPC. The question asks how to deploy IDS/IPS in a VPC, and there are a few well known ways: (a) install IDS/IPS agents on each EC2 instance in the VPC so that the activity of that instance is monitored, (b) run IDS/IPS on a proxy or NAT instance through which the network traffic flows, or (c) set up a security VPC containing IDS/IPS instances, peer it with your VPC and accept traffic only from the security VPC. Option A is CORRECT because it puts IDS/IPS agents on every EC2 instance in the VPC. Option B is incorrect because promiscuous mode (sniffing other instances' traffic from a network interface) is not supported in a VPC; traffic has to be routed through, or mirrored to, the inspection point instead. Option C is incorrect because an ELB with SSL has no intrusion detection or prevention capability. Option D is CORRECT because the reverse proxy layer is the path every inbound request takes to the web servers, so IDS/IPS agents on the proxy servers see, and can block, all of that traffic.

You are implementing a URL whitelisting system for a company that wants to restrict outbound HTTPS connections to specific domains from their EC2-hosted applications. You deploy a single EC2 instance running proxy software and configure it to accept traffic from all subnets and EC2 instances in the VPC. You configure the proxy to only pass through traffic to domains that you define in its whitelist configuration. You have a nightly maintenance window of 10 minutes during which all instances fetch new software updates. Each update is about 200MB in size and there are 500 instances in the VPC that routinely fetch updates. After a few days you notice that some machines are failing to successfully download some, but not all, of their updates within the maintenance window. The download URLs used for these updates are correctly listed in the proxy's whitelist configuration and you can access them manually using a web browser on the instances. What might be happening? Choose 2 answers.

Answer :
  • You are running the proxy on an undersized EC2 instance type so network throughput is not sufficient for all instances to download their updates in time.
  • You are running the proxy on an appropriate-size EC2 instance in a private subnet, and its network throughput is being throttled by a NAT instance running on a t2.micro EC2 instance.

Explanation :

The scenario contains the following main points: (1) there is a single EC2 instance running proxy software, which either performs NAT itself or sits behind a NAT instance; NAT instances are user managed, not AWS managed, so they can become the bottleneck, (2) a whitelist limits the outside access given to the instances in the VPC, (3) the URLs in the whitelist are correct, so the whitelist is not the issue, and (4) only some machines fail to download some updates, i.e. the same updates succeed on other machines. This indicates a capacity problem rather than a configuration problem: 500 instances each fetching about 200 MB within a 10 minute window is roughly 100 GB through the single proxy, well over 1 Gbit/s sustained, and the proxy is not in an Auto Scaling group, so its instance size (and the size of any NAT instance in front of it) is the issue. Option A is CORRECT because, due to the limited size of the proxy instance, its network throughput is not sufficient to serve all the VPC instances (which is why only some of them fail to download their updates). Option B is incorrect because limited storage on the proxy instance would not prevent other instances from downloading their updates. Option C is incorrect because, while the proxy instance would normally be in a public subnet, the allocation of EIPs does not affect the throughput available to other instances in the VPC. Option D is CORRECT because an undersized NAT instance in the proxy's path is itself a bottleneck and starves the instances behind it of network throughput.

A read-only news reporting site with a combined web and application tier and a database tier that receives large and unpredictable traffic demands must be able to respond to these traffic fluctuations automatically. Which AWS services should be used to meet these requirements?

Answer :
  • Stateless instances for the web and application tier that are in an auto-scaling group, synchronized using ElastiCache Memcached and monitored with CloudWatch. RDS configured with read replicas for the backend.

Explanation :

The scenario asks for two things: (1) a solution that scales a read heavy web tier and database tier under unpredictable traffic (hint: look for options that include a caching solution such as ElastiCache, CloudFront or read replicas), and (2) whether to use stateless or stateful instances. Stateful instances are a poor fit for a horizontally scaled tier, because each instance holds session state for its own clients: requests must keep going to the same instance, that instance cannot be replaced freely by Auto Scaling, and the load cannot be spread evenly. Stateless instances keep no per-client state locally (session data lives in a shared store such as ElastiCache), so they can be scaled in and out at will, which is what lets the tier follow the traffic fluctuations automatically. Option A is CORRECT because (a) it uses stateless instances, (b) the web tier uses ElastiCache Memcached for shared data and read caching, (c) CloudWatch monitors the traffic fluctuations and triggers the Auto Scaling group to scale in and out accordingly, and (d) RDS read replicas handle the read heavy database workload. Option B is incorrect because (a) it uses stateful instances, and (b) it has no caching mechanism for the web and application tier. Option C is incorrect because (a) it uses stateful instances, (b) it has no caching mechanism for the web and application tier, and (c) Multi-AZ RDS is for availability and does not improve read performance. Option D is incorrect because Multi-AZ RDS does not improve read performance.

You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution must be resilient. Which of the following options would you consider for configuring the webserver infrastructure? Choose any 2 options from the list given below, each one being an independent solution to the scenario.

Answer :
  • Configure ELB with TCP listeners on TCP/443 and place the Web servers behind it.
  • Configure your web servers with EIPs. Place the web servers in a Route53 Record Set and configure health checks against all web servers.

Explanation :

This scenario requires the web servers to authenticate HTTPS clients with client-side certificates, so the TLS session must terminate on the web server rather than on a load balancer that only holds the server certificate. There are two ways of architecting this, with ELB and without. (a) With ELB: an HTTPS listener terminates TLS at the load balancer, which would have to hold the server certificate and has no way to request or validate the client certificate; so use a TCP listener on port 443 instead, which passes the encrypted bytes straight through to the web servers, where the TLS handshake, including the client certificate check, takes place. With a TCP listener the web servers see the load balancer as the source address, so enable Proxy Protocol on the ELB if the application needs the original client IP. (b) Without ELB: let clients reach the web servers directly by putting their public (Elastic) IP addresses in a Route 53 record set, with health checks so that an unhealthy server is dropped from DNS answers; this provides the resilience the question asks for. Option A is CORRECT because the TCP (443) listener means the client connections do not terminate at the ELB but pass through it and terminate at the web servers. Option B is CORRECT because the Route 53 record set with health checks routes clients directly to the healthy web servers. Option C is incorrect because with an HTTPS listener you must deploy the SSL/TLS certificate on the load balancer, i.e. client certificate authentication at the listener is not supported. Option D is incorrect because that setting is not supported either.