AWS Certified Solutions Architect – Professional (Advanced Architecting on AWS) Quiz Questions and Answers

You require the ability to analyze a large amount of data, which is stored on Amazon S3, using Amazon Elastic MapReduce (EMR). You are using the cc2.8xlarge instance type, whose CPUs are mostly idle during processing. Which of the below would be the most cost-efficient way to reduce the runtime of the job?

Answer:
  • Use smaller instances that have higher aggregate I/O performance.

Your company has its HQ in Tokyo and branch offices all over the world, and is using logistics software with a multi-regional deployment on AWS in Japan, Europe, and the USA. The logistics software has a 3-tier architecture and currently uses MySQL 5.6 for data persistence. Each region has deployed its database in the HQ region. You run an hourly batch process that reads data from every region to compute cross-regional reports, which are sent by email to all offices. This batch process must be completed as fast as possible to quickly optimize logistics. How do you build the database architecture to meet the requirements?

Answer:
  • For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region.

An AWS customer runs a public blogging website. The site's users upload two million blog entries a month. The average blog entry size is 200 KB. The access rate to blog entries drops to negligible levels 6 months after publication, and users rarely access a blog entry 1 year after publication. Additionally, blog entries have a high update rate during the first 3 months following publication, which drops to no updates after 6 months. The customer wants to use CloudFront to improve its users' load times. Which of the following recommendations would you make to the customer?

Answer:
  • Create a CloudFront distribution with S3 access restricted only to the CloudFront identity and partition the blog entry's location in S3 according to the month it was uploaded to be used with CloudFront behaviors.

You’ve been hired to enhance the overall security posture of a very large e-commerce site. They have a well-architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier, with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and a flood of superfluous requests for access to their resources. You suspect that someone is attempting to gain unauthorized access. Which approach provides cost-effective, scalable mitigation for this kind of attack?

Answer:
  • Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group.

You currently operate a web application in the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM, and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of the solutions below would you recommend?

Answer:
  • Create a new CloudTrail trail with one new S3 bucket to store the logs and with the option that applies the trail to all regions selected. Use IAM roles, S3 bucket policies, and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

An enterprise wants to use a 3rd-party SaaS application hosted in another AWS account. The SaaS application needs to be able to issue several API commands to discover Amazon EC2 resources running within the enterprise’s account. The enterprise has internal security policies that require that any outside access to its environment conform to the principle of least privilege, and that controls be in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following options would meet all of these conditions?

Answer:
  • Create an IAM role for cross-account access that allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.

You are designing a data leak prevention solution for your VPC environment. You want your VPC instances to be able to access software depots and distributions on the Internet for product updates. The depots and distributions are made accessible by the third party via their URLs. You want to explicitly deny any other outbound connections from your VPC instances to hosts on the Internet. Which of the following options would you consider?

Answer:
  • Place all EC2 instances that do not require direct access to the internet in private subnets so their egress traffic can be directed to a web proxy server in the public subnet and enforce URL-based rules for outbound access. Remove default routes.

An administrator is using Amazon CloudFormation to deploy a three-tier web application that consists of a web tier and an application tier that will utilize Amazon DynamoDB for storage. While creating the CloudFormation template, which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials?

Answer:
  • Create an IAM Role that has the required permission to read and write from the required DynamoDB table, add the role to the instance profile and associate the instance profile with the application instance.

An AWS customer is deploying an application that is composed of an auto-scaling group of EC2 instances. The customer's security policy requires that every outbound connection from these instances to any other service within the customer's Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific instance ID. In addition, an X.509 certificate must be signed by the AWS Key Management Service (KMS) to be trusted for authentication. Which of the following configurations will support these requirements?

Answer:
  • Configure the AutoScaling group to send an SNS notification of the launch of a new instance to the AWS Certificate Manager. Create a signed certificate using AWS Certificate Manager (ACM).

Your company has recently extended its data center into a VPC on AWS to add burst computing capacity as needed. Members of your Network Operations Center (NOC) need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don’t want to create new IAM users for each member and make those users sign in again to the AWS Management Console. Which option below will meet the needs of your NOC members?

Answer:
  • Use your on-premises SAML 2.0-compliant identity provider (IDP) to grant the members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.