QUESTION 61
A company creates an organization in AWS Organizations. The company creates organizational units (OUs) for production and non-production environments. The company does not want to allow accounts that are in the non-production OU to create GPU-enabled P5 Amazon EC2 instances. However, the company does want to allow accounts in the production OU to use this type of EC2 instance. Which solution will meet these requirements?
A. Create an AI services opt-out policy. Attach the policy to the non-production OU.
B. Create a service control policy (SCP) to deny the use of P5 EC2 instances. Attach the policy to the non-production OU.
C. Create an AI services opt-out policy. Attach the policy to the root of the organization and to the non-production OU.
D. Create a service control policy (SCP) to allow the use of P5 EC2 instances. Attach the policy to the production OU.
Correct Answer: B
QUESTION 62
A company has offices in multiple countries. The company has a separate AWS account for each office. The company uses an organization in AWS Organizations to manage all the accounts. Each office has an allocated budget that is set by company leadership. The company needs a solution to monitor account costs and automatically review service consumption when an account reaches a spending threshold. The solution must not immediately disable resources when an account reaches a spending threshold. The solution must detect budget overruns as soon as possible. Which solution will meet these requirements?
A. Create service control policies (SCPs) that define a budget threshold. Use AWS Budgets to apply the SCPs to all accounts.
B. Use AWS Budgets to set budget thresholds. Use AWS Budgets actions to define a workflow to manually review accounts that overspend.
C. Use AWS Budgets to set budget thresholds. Use AWS Budgets actions to immediately restrict the accounts that overspend
D. Set up AWS Budgets in the organization management account. Create budget reports every day to track individual account spending.
Correct Answer: B
QUESTION 63
A company hosts an application on AWS that stores files that users need to access. The application uses two Amazon EC2 instance. One instance is in Availability Zone A, and the second instance is in Availability Zone B. Both instances use Amazon Elastic Block Store (Amazon EBS) volumes. Users must be able to access the files at any time without delay. Users report that the two instances occasionally contain different versions of the same file. Users occasionally receive HTTP 404 errors when they try to download files. The company must address the customer issues. The company cannot make changes to the application code. Which solution will meet these requirements in the MOST
operationally efficient way?
A. Run the robocopy command on one of the EC2 instances on a schedule to copy files from the Availability Zone A instance to the Availability Zone B instance.
B. Configure the application to store the files on both EBS volumes each time a user writes or updates a file.
C. Mount an Amazon Elastic File System (Amazon EFS) file system to the EC2 instances. Copy the files from the EBS volumes to the EFS file system. Configure the application to store files in the EFS file system.
D. Create an EC2 instance profile that allows the instance in Availability Zone A to access the S3 bucket. Re-associate the instance profile to the instance in Availability Zone B when needed.
Correct Answer: C
QUESTION 64
A company operates an online photo-sharing service and stores data in AWS Account A in a centralized Amazon S3 bucket. The company wants to grant a second AWS account named Account B access to the centralized S3 bucket. The company owns Account B. Which solution will meet this requirement?
A. Enable S3 Transfer Acceleration to provide Account B access to the centralized S3 bucket in Account A.
B. Enable cross-Region replication between Account A and Account B to share the S3 bucket data.
C. Use Amazon CloudFront to distribute the S3 bucket contents. Grant Account B access the bucket contents through a signed URL.
D. Create a bucket policy that grants Account B permission to access the centralized S3 bucket in Account A.
Correct Answer: D
QUESTION 65
A development team at a company is creating an AWS Lambda function that must use a sensitive variable string. The company must ensure that all sensitive data is securely stored within the company’s AWS account. The company must prevent users from viewing the string in plain text. Which solution will meet these requirements?
A. Add the string as a Lambda environment variable. Reference the variable in the function code. Use an IAM policy to control access to the code. Attach the IAM policy to the IAM group that is assigned to the development team.
B. Add the string as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS-Parameters-and-Secrets-Lambda-Extension AWS managed Lambda layer extension to call the variable from the code.
C. Add the string as a parameter in the function code. Use an IAM policy to control access to the code. Create a new IAM role that has the new IAM policy attached. Assign the new IAM role to each IAM user that is responsible for maintaining the function.
D. Add the string as a String parameter in AWS Systems Manager Parameter Store. Create a custom Lambda layer extension to call the variable from the code.
Correct Answer: B
QUESTION 66
A financial services company needs to migrate an on-premises MySQL database workload to AWS. The database requires consistent low-latency performance with a baseline of 32,000 IOPS to process transactions. Which solution will meet these requirements?
A. Migrate the database to an Amazon S3 bucket. Enable S3 Transfer Acceleration.
B. Migrate the data to a Provisioned IOPS SSD (io2) Amazon Elastic Block Store (Amazon EBS) Express volume.
C. Migrate the data to an Amazon Elastic File System (Amazon EFS) Standard file system.
D. Migrate the data to a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume.
Correct Answer: B
QUESTION 67
A company wants to migrate hundreds of gigabytes of unstructured data from an on-premises location to an Amazon S3 bucket. The company has a 100-Mbps internet connection on premises. The company needs to encrypt the data in transit to the S3 bucket. The company will store new data directly in Amazon S3. Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Database Migration Service (AWS DMS) to synchronize the on-premises data to a destination S3 bucket.
B. Use AWS DataSync to migrate the data from the on-premises location to an S3 bucket.
C. Use an AWS Snowball Edge device to migrate the data to an S3 bucket. Use an AWS CloudHSM key to encrypt the data on the Snowball Edge device.
D. Set up an AWS Direct Connect connection between the on-premises location and AWS. Use the s3 cp command to move the data directly to an S3 bucket.
Correct Answer: B
QUESTION 68
A company runs a production application on a fleet of Amazon EC2 instances. The application reads messages from an Amazon Simple Queue Service (Amazon SQS) queue and processes the messages in parallel. The message volume is unpredictable and highly variable. The company must ensure that the application continually processes messages without any downtime. Which solution will meet these requirements MOST cost-effectively?
A. Use only Spot Instances to handle the maximum capacity required.
B. Use only Reserved Instances to handle the maximum capacity required.
C. Use Reserved Instances to handle the baseline capacity. Use Spot Instances to provide additional capacity when required.
D. Use Reserved Instances in an EC2 Auto Scaling group to handle the minimum capacity. Configure an auto scaling policy that is based on the SQS queue backlog.
Correct Answer: C
QUESTION 69
A global company runs its workloads on AWS. The company’s application uses Amazon S3 buckets across AWS Regions for sensitive data storage and analysis. The company stores millions of objects in multiple S3 buckets daily. The company wants to identify all S3 buckets that are not versioning-enabled. Which solution will meet these requirements?
A. Set up an AWS CloudTrail event that has a rule to identify all S3 buckets that are not versioning-enabled across Regions.
B. Use Amazon S3 Storage Lens to identify all S3 buckets that are not versioning enabled across Regions.
C. Enable IAM Access Analyzer for S3 to identify all S3 buckets that are not versioning-enabled across Regions.
D. Create an S3 Multi-Region Access Point to identify all S3 buckets that are not versioning-enabled across Regions.
Correct Answer: B
QUESTION 70
A healthcare company needs to encrypt patient data that is stored in an Amazon RDS for PostgreSQL DB instance to comply with regulations. The company must ensure that only specific IAM roles can manage the encryption keys and decrypt the data. Which solution will meet these requirements with the LEAST operational overhead?
A. Enable RDS encryption with AWS managed keys (aws/rds). Update the DB instance to restrict access based on a service-linked role.
B. Enable RDS encryption with a customer-managed AWS KMS key. Configure a key policy that allows only specific IAM roles to use and manage the key.
C. Create a custom encryption method at the application layer. Store the encryption keys in an Amazon S3 bucket. Configure a bucket policy to control access to the keys.
D. Enable RDS encryption at rest with the default AWS KMS key. Control access to the RDS DB instance by using a security group that allows access only for specific IAM roles.
Correct Answer: B
QUESTION 71
A company is migrating a legacy application to AWS. The company wants to deploy the application on Amazon EC2 instances and use an Amazon RDS for SQL Server database as the backend. The application relies on SQL queries and scripts. The company must protect the application from SQL injection attacks. Which solution will meet this requirement?
A. Enable AWS Shield Standard. Include the EC2 instances that host the application as protected resources.
B. Implement AWS WAF. Create rules that filter and block SQL injection attempts.
C. Enable AWS Shield Advanced. Add the EC2 instances that host the application as protected resources.
D. Enforce encryption in transit by using TLS for all SQL queries between clients and AWS services.
Correct Answer: B
QUESTION 72
A company is migrating its order processing system to the AWS Cloud. The order processing system must use exact message ordering, a highly available architecture, and loosely coupled components. Which solution will meet these requirements?
A. Ingest the orders in an Amazon Simple Queue Service (Amazon SQS) standard queue. Use Amazon EC2 Spot Instances to process the orders.
B. Push the orders to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe an AWS Lambda function to the SNS topic to process the orders.
C. Push the orders to a stream in Amazon Kinesis Data Streams. Use Amazon EC2 Spot Instances to process the orders.
D. Ingest the orders in an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Invoke an AWS Lambda function to process the orders.
Correct Answer: D
QUESTION 73
A company provides a three-tier web application to its customers. Each customer has an AWS account in which the application is deployed, and these accounts are members of the company’s organization in AWS Organizations. To protect its customers’ AWS accounts and applications, the company wants to monitor them for unusual and unexpected behavior. The company needs to analyze and monitor customer VPC Flow Logs, AWS CloudTrail logs, and DNS logs. What should a solutions architect do to meet these requirements?
A. Designate an account in the organization as the AWS Shield administrator account. Enable Shield and Shield logs in every account, and invite the accounts to join the Shield administrator account. Analyze Shield findings in the Shield administrator account.
B. Designate an account in the organization as the Amazon GuardDuty administrator account. Enable GuardDuty in every account, and invite the accounts to join the GuardDuty administrator account. Analyze GuardDuty findings in the GuardDuty administrator account.
C. Designate an account in the organization as the AWS WAF administrator account. Enable AWS WAF and AWS WAF logs in every account, and invite the accounts to join the AWS WAF administrator account. Analyze AWS WAF logs in the AWS WAF administrator account.
D. Designate an account in the organization as the AWS Resource Access Manager (AWS RAM) administrator account. Enable AWS RAM in every account, and invite the accounts to join the AWS RAM administrator account. Analyze AWS RAM logs in the AWS RAM administrator account.
Correct Answer: B
QUESTION 74
A company has applications that are deployed in multiple AWS Regions. The applications use an architecture that is based on Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), and Amazon DynamoDB. The company lacks a mechanism for centralized data backup. A solutions architect must
centralize data backup with the least possible operational effort. What should the solutions architect do to meet these requirements?
A. Tag all resources by project. Use AWS Systems Manager to set up snapshots by project and set DynamoDB incremental backups.
B. Tag all resources by project. Create backup plans in AWS Backup to back up the data by tag name according to each project’s needs.
C. Tag all resources by project. Create an AWS Lambda function to run on schedule and take snapshots of each EC2 instance, EBS volume, and EFS file system by project. Configure the function to invoke DynamoDB on-demand backup.
D. Use AWS CloudFormation to create a template for every new project so that all resources can be recreated at any time. Set the template to take daily snapshots of each EC2 instance, EBS volume, and EFS file system. Set the template to use DynamoDB on-demand backup for daily backups.
Correct Answer: B
QUESTION 75
A data science team requires storage for nightly log processing. The size and number of logs is unknown and will persist for 24 hours only. What is the MOST cost-effective solution?
A. Amazon S3 Glacier Deep Archive
B. Amazon S3 Standard
C. Amazon S3 Intelligent-Tiering
D. Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)
Correct Answer: B
QUESTION 76
A company runs Amazon EC2 instances as web servers. Peak traffic load occurs on the web server at two consistent times each day. The web servers are idle for the remainder of the day. A solutions architect needs to manage the web servers and maintain fault tolerance. Which solution will meet these requirements in the MOST cost-effective way?
A. Use an EC2 Auto Scaling group to scale the instances based on demand.
B. Purchase Reserved Instances to ensure peak capacity at all times.
C. Use a cron job to stop the EC2 instances when the traffic demand is low.
D. Use a script to vertically scale the EC2 instances during peak traffic demand
Correct Answer: A
QUESTION 77
A company hosts a two-tier website that runs on Amazon EC2 instances. The website has a database that runs on Amazon RDS for MySQL. All users are required to log in to the website to see their own customized pages. The website typically experiences low traffic. Occasionally, the website experiences sudden increases in traffic and becomes unresponsive. During these increases in traffic, the database experiences a heavy write load. A solutions architect must improve the website’s availability without changing the application code. What should the solutions architect do to meet these requirements?
A. Create an Amazon ElastiCache (Redis OSS) cluster. Configure the application to cache common database queries in the ElastiCache cluster.
B. Create an Auto Scaling group. Configure Amazon CloudWatch alarms to scale the number of EC2 instances based on the percentage of CPU in use during the traffic increases.
C. Create an Amazon CloudFront distribution that points to the EC2 instances as the origin. Enable caching of dynamic content, and configure a write throttle from the EC2 instances to the RDS database.
D. Migrate the database to an Amazon Aurora Serverless cluster. Set the maximum Aurora capacity units (ACUs) to a value high enough to respond to the traffic increases. Configure the EC2 instances to connect to the Aurora database.
Correct Answer: D
QUESTION 78
A company is developing an AI-powered application that uses an Amazon API Gateway REST API and a large language model (LLM). The API uses rate limiting and a custom authorizer. Users report that the application is often unresponsive. The company discovered that the LLM processing can take a long time to finish, which causes the API calls to time out and fail. The company wants to resolve the problem with the fewest changes to the existing architecture. Which solution will meet these requirements?
A. Replace the REST API with an Amazon Simple Queue Service (Amazon SQS) queue.
B. Increase the API Gateway integration timeout quota.
C. Replace the REST API with an Application Load Balancer.
D. Split the LLM response into smaller chunks that finish sooner.
Correct Answer: B
QUESTION 79
A trucking company is deploying an application that will track the GPS coordinates of all the company’s trucks. The company needs a solution that will generate real-time statistics based on metadata lookups with high read throughput and microsecond latency. The database must be fault tolerant and must minimize operational overhead and development effort. Which combination of steps should a solutions architect take to meet these requirements? (Select TWO.)
A. Use Amazon DynamoDB as the database.
B. Use Amazon Aurora MySQL as the database.
C. Use Amazon RDS for MySQL as the database.
D. Use Amazon ElastiCache as the caching layer.
E. Use Amazon DynamoDB Accelerator (DAX) as the caching layer.
Correct Answer: AE
QUESTION 80
A company is building an application. The application is composed of multiple microservices that communicate over HTTP. To comply with disaster recovery requirements, the company must deploy the application across multiple AWS Regions. The application must maintain high availability and automatic fault recovery. Which solution will meet these requirements?
A. Deploy all microservices on a single large Amazon EC2 instance in one Region to simplify communication and reduce latency.
B. Use AWS Fargate to run each microservice in separate containers. Deploy the containers across multiple Availability Zones in a single Region behind an Application Load Balancer.
C. Use Amazon Route 53 with latency-based routing. Deploy the microservices on Amazon EC2 instances in multiple Regions behind Application Load Balancers.
D. Implement each microservice by using AWS Lambda functions. Expose the microservices by using an Amazon API Gateway REST API.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.