QUESTION 41
A company has a platform that consists of an on-premises single-node Kubernetes cluster. The cluster uses Windows-based and Linux-based file storage as shared storage. The company wants to migrate its platform to AWS. The cluster has multiple containerized applications that are continuously scanned for operating system vulnerabilities and programming language package vulnerabilities. The company needs a highly available solution that supports monitoring, logging, and multiprotocol shared storage. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)
A. Replace the existing Kubernetes cluster with a single-node Amazon Elastic Kubernetes Service (Amazon EKS) cluster that is managed by AWS. Install Prometheus and Grafana on the EKS cluster by using public Docker images. Store the application Docker images in Amazon Elastic Container Registry (Amazon ECR). Enable ECR enhanced scanning.
B. Replace the existing Kubernetes cluster with a multi-node Amazon Elastic Kubernetes Service (Amazon EKS) cluster that is managed by AWS. Set up Amazon Managed Service for Prometheus and Amazon Managed Grafana for monitoring. Store the application Docker images in Amazon Elastic Container Registry (Amazon ECR). Enable ECR enhanced scanning.
C. Replace the existing Kubernetes cluster with a multi-node Amazon Elastic Kubernetes Service (Amazon EKS) cluster that is managed by AWS. Install open source versions of Prometheus and Grafana on Amazon EC2 instances. Store the application Docker images in Amazon Elastic Container Registry (Amazon ECR). Enable ECR enhanced scanning.
D. Provision an Amazon FSx for Windows File Server file share and an Amazon Elastic File System (Amazon EFS) file system. Mount the file share and the file system on the containers launched on the Amazon Elastic Kubernetes Service (Amazon EKS) cluster as persistent volumes.
E. Provision an Amazon FSx for NetApp ONTAP file system. Mount the file system on the containers launched on the Amazon Elastic Kubemnes Service (Amazon EKS) cluster as a persistent volume.
Correct Answer: BE
QUESTION 42
A company uses Amazon EC2 instances to run business-critical applications. Software that is running on the EC2 instances recently caused Amazon GuardDuty to generate the Pen Test:S3/KaliLinux finding for some of the company’s environments. The company wants to prevent this software from running again. The company is using AWS Organizations to manage its AWS accounts. What should a solutions architect do to meet these requirements?
A. Configure Amazon Inspector to check the EC2 instances for the forbidden software and to send an Amazon Simple Notification Service (Amazon SNS) notification when the software is identified. Create an AWS Lambda function that stops the EC2 instances and notifies the company. Subscribe the Lambda function to the SNS topic.
B. Create a centralized Amazon EventBridge bus to receive GuardDuty events from all accounts. Configure an EventBridge rule to invoke an AWS Lambda function when the GuardDuty event is generated. Configure the Lambda function to stop the EC2 instances and notify the company.
C. Configure an SCP to prevent the software from being installed. Apply the SCP to the root OU for the organization.
D. Create a library of approved EC2 AMIs. Create a catalog in AWS Service Catalog to deploy the AMIs for the organization. Update IAM policies to allow EC2 instances to be created only with Service Catalog AMIs.
Correct Answer: B
QUESTION 43
A company wants to migrate its website to AWS. The website uses containers that are deployed in an on-premises, self-managed Kubernetes cluster. All data for the website is stored in an on-premises PostgreSQL database. The company has decided to migrate the on-premises Kubernetes cluster to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The EKS cluster will use EKS managed node groups with a static number of nodes. The company will also migrate the on-premises database to an Amazon RDS for PostgreSQL database. A solutions architect needs to estimate the total cost of ownership (TCO) for this workload before the migration. Which solution will provide the required TCO information?
A. Request access to Migration Evaluator. Run the Migration Evaluator Collector and import the data. Configure a scenario. Export a Quick Insights report from Migration Evaluator.
B. Launch AWS Database Migration Service (AWS DMS) for the on-premises database. Generate an assessment report. Create an estimate in AWS Pricing Calculator for the costs of the EKS migration.
C. Initialize AWS Application Migration Service. Add the on-premises servers as source servers. Launch a test instance. Output a TCO report from Application Migration Service.
D. Access the AWS Cloud Economics Center webpage to assess the AWS Cloud Value Framework. Create an AWS Cost and Usage report from the Cloud Value Framework.
Correct Answer: A
QUESTION 44
A software as a service (SaaS) company provides a media software solution to customers. The solution is hosted on 50 VPCs across various AWS Regions and AWS accounts. One of the VPCs is designated as a management VPC. The compute resources in the VPCs work independently. The company has developed a new feature that requires all 50 VPCs to be able to communicate with each other. The new feature also requires one-way access from each customer’s VPC to the company’s management VPC. The management VPC hosts a compute resource that validates licenses for the media software solution. The number of VPCs that the company will use to host the solution will continue to increase as the solution grows. Which combination of steps will provide the required VPC connectivity with the LEAST operational overhead? (Select TWO.)
A. Create a transit gateway. Attach all the company’s VPCs and relevant subnets to the transit gateway.
B. Create VPC peering connections between all the company’s VPCs.
C. Create a Network Load Balancer (NLB) that points to the compute resource for license validation. Create an AWS PrivateLink endpoint service that is available to each customer’s VPC. Associate the endpoint service with the NLB.
D. Create a VPN appliance in each customer’s VPC. Connect the company’s management VPC to each customer’s VPC by using AWS Site-to-Site VPN.
E. Create a VPC peering connection between the company’s management VPC and each customer’s VPC.
Correct Answer: AC
QUESTION 45
A global company runs an analytics application on Amazon EC2 for computing. The company uses Amazon Elastic Block Store (Amazon EBS) as primary storage for raw and processed data. Users manually upload raw data daily to Amazon EC2 by using SSH from a local on-premises storage computer. The analytics application processes the data and a user manually uploads the data to Amazon S3 for long-term storage. The company wants to containerize the processing logic and migrate the processing logic to Amazon Elastic Kubernetes Service (Amazon EKS). The company needs an automated solution to upload and move the processed data. The solution must have multiprotocol support and be usable from the EKS cluster. Which solution meets these requirements with the LEAST operational effort?
A. Use AWS DataSync to copy raw data to Amazon Elastic File System (Amazon EFS). Mount Amazon EFS on Amazon EKS as a volume. Use AWS Transfer for SFTP to copy processed data from Amazon EFS to Amazon S3.
B. Use AWS DataSync to copy raw data to Amazon FS for Lustre. Mount FSx for Lustre on Amazon EKS as a volume. Use DataSync to copy processed data from FSx for Lustre to Amazon S3.
C. Use AWS DataSync to copy raw data to Amazon FSx for NetApp ONTAP. Mount FSx for NetApp ONTAP on Amazon EKS as a volume. Use DataSync to copy processed data from FSx for NetApp ONTAP to Amazon S3.
D. Use AWS DataSync to copy raw data to Amazon FSx for NetApp ONTAP. Mount FSx for NetApp ONTAP on Amazon EKS as a volume. Use AWS Transfer for SFTP to copy processed data from FSx for NetApp ONTAP to Amazon S3.
Correct Answer: C
QUESTION 46
A company wants to back up its on-premises intranet application to the AWS Cloud. The company wants to use AWS Elastic Disaster Recovery for the backup solution. The company requires that replication traffic must travel across a private dedicated connection. The application must not be accessible from the public internet. The solution cannot consume more than 75% of the available bandwidth between the on-premises network and AWS. Which combination of steps will meet these requirements? (Select THREE.)
A. Create a VPC that has at least two private subnets, two NAT gateways, and a virtual private gateway.
B. Create a VPC that has at least two public subnets, a virtual private gateway, and an internet gateway.
C. Create an AWS Site-to-Site VPN connection between the on-premises network and the target AWS network. Configure Quality of Service (QoS) to ensure that the backup does not exceed 75% of the available bandwidth.
D. Create an AWS Direct Connect connection and a Direct Connect gateway between the on-premises network and the target AWS network.
E. Configure the replication servers to use private IP addresses for data replication. Configure throttling on the replication instances so that the Elastic Disaster Recovery server bandwidth does not exceed 75% of the available bandwidth.
F. Configure the recovery instance’s private IP address to match the source server’s private IP address. Configure throttling on the recovery instances so that the total bandwidth the recovery instances consume does not exceed 75% of the available bandwidth.
Correct Answer: CDE
QUESTION 47
A company wants to modernize its custom application that runs on AWS. The application uses Docker containers on Amazon EC2 instances. The application also uses a highly transactional MySQL database that requires custom MySQL plugins. The database is hosted in its own container. The new architecture must provide high availability and must minimize redevelopment work on the application. Which solution will meet these requirements?
A. Deploy an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host the application and the database. Set up an Amazon FSx for NetApp ONTAP Multi-AZ file system. Deploy a Container Storage Interface (CSI) driver to connect Amazon EKS to the storage.
B. Deploy an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host the application. Export the MySQL database to Amazon S3 as .csv files. Create an AWS Lambda function behind an Amazon API Gateway API to serve the data from the files.
C. Continue to run the application containers by using Docker on EC2 instances. Migrate the MySQL database from its container to Amazon Aurora MySQL.
D. Deploy an Amazon Elastic Container Service (Amazon ECS) cluster to host the application. Migrate the database to Amazon Redshift.
Correct Answer: C
QUESTION 48
A company has accounts in an organization in AWS Organizations. The organization has all features enabled. The company stores secrets in AWS Secrets Manager in a central AWS account (Account A). The secrets have resource policies that allow read-only access to IAM roles in an account outside the organization (Account B). A few privileged users in accounts in the organization have access to the secrets by using IAM roles. Because of a security incident, the company needs to revoke all access to the secrets in Account A. Which solution will meet these requirements?
A. Create an SCP to explicitly deny the secretsmanager:GetSecretValue action for all resources. Attach the SCP to Account A.
B. Modify the resource policies of the secrets in Account A to explicitly deny the secretsmanager:GetSecretValue action to all principals.
C. Deploy a VPC endpoint for Secrets Manager in Account A. Update the VPC endpoint policy to explicitly deny the secretsmanager:GetSecretValue action to all principals.
D. Modify the IAM role inline policies in Account B to explicitly deny the secretsmanager:GetSecretValue action for all secrets in Account A.
Correct Answer: A
QUESTION 49
A company hosts an application on AWS. The application uses AWS Lambda functions that are invoked by an Amazon API Gateway API. The company has an Amazon CloudFront distribution that uses the API Gateway API as its origin. The CloudFront distribution serves web requests to customers worldwide. During testing, users experienced slow responses from the application APIs. The company discovered that requests from different AS Regions contained inconsistent query parameters with mixed-case letters, which caused increased cache misses and more requests to reach the Lambda functions. The company wants to ensure that the API consistently provides responses with minimal latency. Which solution will meet these requirements?
A. Create a new Lambda function to sort incoming request query parameters alphabetically and convert the parameters to lowercase. Configure the CloudFront distribution to use the Lambda@Edge function type. Configure the Lambda function to invoke on origin request.
B. Create a CloudFront function to sort incoming request query parameters alphabetically and convert the parameters to lowercase. Configure the CloudFront distribution to use the CloudFront Functions function type. Configure the CloudFront function to invoke on viewer request.
C. Configure the API Gateway API to use mapping templates to sort incoming request query parameters alphabetically and convert the parameters to lowercase before Lambda processes the request.
D. Configure the API Gateway API to use a Lambda authorizer to sort incoming request query parameters alphabetically and convert the parameters to lowercase before Lambda processes the request.
Correct Answer: B
QUESTION 50
A company had a third-party audit of its AWS environment. The auditor identified secrets in developer documentation and found secrets that were hardcoded into AWS CloudFormation templates throughout the environment. The auditor also identified security groups that allowed inbound traffic from the internet and outbound traffic to all destinations on the internet. A solutions architect must design a solution that will encrypt all secrets and rotate the secrets every 90 days. Additionally, the solutions architect must configure the security groups to prevent resources from being accessible from the internet. Which solution will meet these requirements?
A. Use AWS Secrets Manager to create, store, and access secrets. Create new secrets in AWS CloudFormation by using the AWS::SecretsManager::Secret resource type. Reference the secrets in other templates by using Secrets Manager dynamic references. Configure automatic rotation in Secrets Manager to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that identifies all security groups that allow inbound or outbound communications for any protocols to 0.0.0.0/0. Whenever the policy flags a security group in violation, remove the noncompliant rule from security groups.
B. Use AWS Systems Manager Parameter Store to create, store, and access secrets. Create new Parameter Store items in AWS CloudFormation by using the AWS::SSM::Parameter resource type. Access these items by using the AWS CLI or AWS APIs. Configure automatic rotation in Parameter Store to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that identifies all security groups that allow inbound or outbound communications for any protocols to 0.0.0.0/0. Whenever the policy flags a security group in violation, remove the noncompliant rule from security groups.
C. Use AWS Secrets Manager to create, store, and access secrets. Create new secrets in AWS CloudFormation by using the AWS::SecretsManager::Secret resource type. Reference the secrets in other templates by using Secrets Manager dynamic references. Configure automatic rotation in Secrets Manager to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that enforces a requirement for all security groups to explicitly deny inbound and outbound communications for all protocols to 0.0.0.0/0.
D. Use AWS Systems Manager Parameter Store to create, store, and access secrets. Create new Parameter Store items in AWS CloudFormation by using the AWS::SSM::Parameter resource type. Reference the items in other templates by using Systems Manager dynamic references. Configure automatic rotation in Parameter Store to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that enforces a requirement for all security groups to explicitly deny inbound and outbound communications for all protocols to 0.0.0.0/0.
Correct Answer: A
QUESTION 51
A company has an internal service that is deployed in a VPC in the company’s main AWS account. Other applications are deployed in different VPCs in separate AWS accounts. The applications need to access the internal service by using an API. The internal service cannot be exposed to the public internet. Which solution will meet these requirements?
A. Create an Amazon API Gateway private REST API. Create a network ACL for the applications in the separate AWS accounts. Allow outbound traffic on port 443 to the IP address range that is associated with the VPC in the main AWS account.
B. Create an Amazon API Gateway public REST API. Create a network ACL in the main AWS account VPC. Allow inbound traffic on port 443 from the IP address ranges of the VPCs in the separate AWS accounts.
C. Create an Amazon API Gateway private REST API. Create interface VPC endpoints for API Gateway in each separate AWS account. Add a resource policy to the private REST API to allow access from the VPC endpoints that were created in the separate accounts.
D. Create an Amazon API Gateway public REST API. Create a gateway VPC endpoint for API Gateway in the main AWS account. Attach a resource policy to the public REST API that grants access to the VPC endpoint that was created in the main AWS account.
Correct Answer: C
QUESTION 52
A solutions architect is designing a network for a new cloud deployment. Each account will need autonomy to modify route tables and make changes. Centralized and controlled egress internet connectivity is also needed. The cloud footprint is expected to grow to thousands of AWS accounts. Which architecture will meet these requirements?
A. A centralized transit VPC with a VPN connection to a standalone VPC in each account. Outbound internet traffic will be controlled by firewall appliances.
B. A centralized shared VPC with a subnet for each account. Outbound internet traffic will be controlled through a fleet of proxy servers.
C. A shared services VPC to host central assets to include a fleet of firewalls with a route to the internet. Each spoke VPC will peer to the central VPC.
D. A shared transit gateway to which each VPC will be attached. Outbound internet access will route through a fleet of VPN-attached firewalls.
Correct Answer: D
QUESTION 53
A company has a multi-tenant software as a service (SaaS) solution that uses Amazon EC2, Amazon RDS, and Amazon S3. Each SaaS platform customer has dedicated EC2 instances and RDS instances. Each customer also has a separate S3 bucket. The company wants to use AWS Cost Explorer for visibility into each customer’s monthly and daily costs. Which solution will meet these requirements with the LEAST operational overhead?
A. Enable resource-level data at daily granularity in the Cost Explorer cost management preferences. Create a cost category in AWS Billing and Cost Management for each customer by using the customer’s resource IDs. Use Cost Explorer to graph the costs. Group the costs by the customer cost category.
B. Tag each EC2, RDS, and S3 resource with a customer key and a value equal to the customer identifier. Add customer as a user-defined cost allocation tag. Use Cost Explorer to graph the costs. Group the costs by the customer tag.
C. Create a resource group for each customer by using the customer identifier. Create a cost category in AWS Billing and Cost Management for each customer identifier resource group. Create an AWS Cost and Usage Report for each cost category.
D. Create a pricing configuration for each customer with a pricing rule for Amazon EC2, Amazon RDS, and Amazon S3 in AWS Billing Conductor. Create a billing group for each customer. Associate each billing group with the pricing configuration. Configure an AWS Cost and Usage Report for each billing group.
Correct Answer: B
QUESTION 54
A company runs multiple production workloads on AWS. The company wants to automate the process of collecting evidence of regulations compliance from various data sources. The company also wants to create an assessment report based on the collected evidence. The assessment report must be emailed to the compliance team. The company wants the assessment report to be based on standard frameworks and some custom frameworks defined by the company. Which solution will meet these requirements?
A. Enable AWS Audit Manager. Create an assessment report and deliver the report to an Amazon S3 bucket. Configure the S3 bucket to send event notifications when new assessment reports are uploaded. Create an AWS Lambda function that is invoked by the event notifications to process the new assessment reports. Deliver the report to the compliance team by using Amazon Simple Email Service (Amazon SES).
B. Set up AWS Config to create an event based on collected evidence. Store the event as a message in an Amazon Simple Queue Service (Amazon SQS) queue. Create an AWS Lambda function that runs when a new message is delivered to the SQS queue. Configure the Lambda function to process the message and send a notification to the compliance team by using Amazon Simple Notification Service (Amazon SNS).
C. Enable Amazon GuardDuty. Create an assessment report and deliver the report to an Amazon S3 bucket. Create an AWS Lambda function that runs when a new report is delivered to the S3 bucket. Configure the Lambda function to process the report and send a notification to the compliance team by using Amazon Simple Notification Service (Amazon SNS).
D. Enable AWS Trusted Advisor to create an assessment report based on collected evidence. Store the assessment report in an Amazon S3 bucket. Schedule an AWS Lambda function to check the S3 bucket twice each day and to send the report to the compliance team by using Amazon Simple Email Service (Amazon SES) when the report is available.
Correct Answer: A
QUESTION 55
A company has an application that stores data in a single Amazon S3 bucket. The company must keep all data in the S3 bucket for 1 year. The company’s security team is concerned that an attacker could gain access to the AWS account by using leaked credentials. The attacker could then maliciously delete objects from the S3 bucket. Which solution will meet these requirements?
A. Create a new AWS account for the security team. In the security team account, create an S3 bucket that has S3 Versioning and S3 Object Lock enabled. Set the default retention period to 1 year. Use AWS DataSync to copy all data from the existing S3 bucket to the new S3 bucket.
B. Set up AWS Control Tower mandatory controls for every AWS account. Enable the s3-bucket-versioning-enabled AWS Config managed rule on the existing S3 bucket. Add an S3 Lifecycle rule to delete objects after 1 year.
C. Explicitly deny bucket creation for all IAM users and IAM roles except for an AWS Service Catalog launch constraint role. Create a Service Catalog product for the creation of the S3 bucket. Configure a default retention period of 1 year. Authorize users to launch the product when users need to create an S3 bucket.
D. Enable Amazon GuardDuty with the S3 Protection feature for the account. Enable S3 Versioning on the existing S3 bucket. Add an S3 Lifecycle rule to delete objects after 1 year.
Correct Answer: A
QUESTION 56
A company is transitioning some of its applications to AWS. The company has already set up a central AWS network account in an AWS Region and established an AWS Direct Connect connection. The company expects to have hundreds of AWS workload accounts and VPCs soon. The corporate network must be able to access resources on AWS seamlessly and communicate with all the workload VPCs. The company also wants to route traffic from its workloads to the internet through the company’s on-premises data center. Which combination of steps will meet these requirements? (Select THREE.)
A. In the central network account, set up a Direct Connect gateway. Create a virtual private gateway for each workload account. Create an association proposal between the Direct Connect gateway and each workload account’s virtual private gateway.
B. In the central network account, provision a Direct Connect gateway and a transit gateway. Establish connectivity between the Direct Connect gateway and the transit gateway by associating the transit gateway with the Direct Connect gateway through a transit VIF.
C. In the central network account, create an internet gateway. Configure route table rules to direct internet traffic through the internet gateway.
D. Share the transit gateway with the workload accounts. Attach VPCs to the transit gateway.
E. Establish VPC peering connections between all the workload VPCs and the central network account. Configure route tables in the workload VPCs to route internet traffic to the central network account.
F. Provision private subnets exclusively. Configure route tables on the subnets and gateway to route traffic destined for non AWS resources to the on-premises data center.
Correct Answer: BDF
QUESTION 57
A company runs an ecommerce website on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The container images are stored in Amazon Elastic Container Registry (Amazon ECR). The website stores data in an Amazon Aurora MySQL DB cluster. The ALB uses an HTTPS listener with a public SSL certificate that is saved in AWS Certificate Manager (ACM). The website domain is registered with Amazon Route 53. The company wants to duplicate this setup in a second AWS Region in an active-active configuration. The website can tolerate minor latency for data replication between Regions. The company has already deployed an ECS cluster with an ALB in the secondary Region. The ECS cluster is registered for geolocation routing with Route 53. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)
A. Request a new ACM certificate for the company website in the secondary Region. Configure the ALB in the secondary Region with an HTTPS listener. Set the new ACM certificate as the default certificate.
B. Share the ACM certificate with the secondary Region by using AWS Resource Access Manager (AWS RAM). Configure the ALB in the secondary Region with an HTTPS listener. Set the shared ACM certificate as the default certificate.
C. Create a VPC endpoint for Amazon ECR in the secondary Region. Configure Amazon EC2 instances to download container images from the primary Region.
D. Enable Cross-Region Replication for ECR repositories to the secondary Region. Re-push the existing images to ECR repositories with a new tag.
E. Configure an Aurora global database in the primary Region. Enable write forwarding to the secondary Region.
F. Use an Aurora DB cluster that has multiple writer instances in the primary Region. Create a secondary Aurora DB instance in the secondary Region. Enable cross-Region writes between the DB clusters.
Correct Answer: ADE
QUESTION 58
A company hosts a multi-tier data processing application that consists of a static web application fronted and APIs that are hosted on multiple Amazon EC2 instances. The application stores search data on a single-node Amazon OpenSearch Service cluster that runs on an EC2 instance. The application stores additional data in a PostgreSQL database that runs on another EC2 instance. An NGINX server that is hosted on an EC2 instance serves the web application. The company has experienced some support issues with the application and wants to modernize the application. Which solution meets these requirements with the LEAST operational overhead?
A. Create an Amazon Elastic Container Service (Amazon ECS) cluster that runs on AWS Fargate. Configure the ECS cluster to pull images from the Amazon Elastic Container Registry (Amazon ECR) public repositories for OpenSearch Service, PostgreSQL, and NGINX and from a private repository for the APIs.
B. Host the web application on Amazon CloudFront by using an Amazon S3 origin. Use OpenSearch Service to store the search data and migrate the PostgreSQL database to an Amazon Aurora PostgreSQL cluster. Run the APIs on AWS App Runner.
C. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that has a managed node group. Configure the EKS cluster to pull images from the Amazon Elastic Container Registry (Amazon ECR) public repositories for OpenSearch Service, PostgreSQL, and NGINX and from a private repository for the APIs.
D. Configure AWS App Runner to pull images from the Amazon Elastic Container Registry (Amazon ECR) public repositories for OpenSearch Service, PostgreSQL, and NGINX and from a private repository for the APIs. Deploy the images to App Runner.
Correct Answer: B
QUESTION 59
A company is developing a serverless application that runs in a VPC. The VPC has public and private IPv4 subnets across multiple Availability Zones. The application connects to the internet through multiple public NAT gateways and an internet gateway. The company must integrate the application with a new service from an external provider by using an AWS Lambda function. The external provider accepts requests from only public IPv4 addresses that are on an approved list. The company must provide connectivity details to the external provider before the application can start using the new service. Which solution will give the application the ability to access the new service?
A. Attach the Lambda function to the VPC by using the private subnets. Provide the Elastic IP addresses of the NAT gateways.
B. Deploy an egress-only internet gateway. Configure the Lambda function to use the internet gateway. Provide the Elastic IP address of the internet gateway.
C. Associate an Elastic IP address with the internet gateway. Configure the Lambda function to access the public subnets of the VPC. Provide the Elastic IP address of the internet gateway.
D. Configure the Lambda function with an Elastic Network Adapter (ENA). Create a Lambda layer to use the ENA driver. Provide the IP address of the ENA interface.
Correct Answer: A
QUESTION 60
A research company conducts mathematical simulations in the AWS Cloud. The simulations run on several hundred Amazon EC2 Linux instances. If a simulation encounters an issue, an engineer establishes an SSH connection to the affected EC2 instance. Company policy requires that each EC2 instance session is established with a unique SSH key and that all SSH connections are logged in AWS CloudTrail. Cloud Trail is enabled for the company’s account and the AWS Regions that the company uses. Which solution will meet these requirements?
A. Launch new EC2 instances. Generate an individual SSH key for each new EC2 instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy. Attach the IAM policy to the engineers’ IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to retrieve the SSH key from Secrets Manager when the engineers connect through any SSH client.
B. Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy. Attach the IAM policy to the engineers* IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.
C. Launch new EC2 instances without setting up any SSH key for the new EC2 instances. Set up EC2 Instance Connect on each new EC2 instance. Create a new IAM policy. Attach the IAM policy to the engineers’ IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the EC2 instances by using Instance Connect from the AWS CLI.
D. Set up AWS Secrets Manager to store the EC2 SSH key. Create an AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function to automatically rotate the SSH key once daily. Instruct the engineers to retrieve the SSH key from Secrets Manager when the engineers connect through any SSH client.
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.