Check SAP-C01 free dumps before getting the full version:
NEW QUESTION 1
A company is migrating an application to AWS. It wants to use fully managed services as much as possible during the migration. The company needs to store large, important documents within the application with the following requirements:
The data must be highly durable and available.
The data must always be encrypted at rest and in transit.
The encryption key must be managed by the company and rotated periodically.
Which of the following solutions should the Solutions Architect recommend?
- A. Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.
- B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.
- C. Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.
- D. Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.
Answer: B
Explanation:
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-y
NEW QUESTION 2
A Solutions Architect is designing a network solution for a company that has applications running in a data center in Northern Virginia. The applications in the company’s data center require predictable performance to applications running in a virtual private cloud (VPC) located in us-east-1, and a secondary VPC in us-west-2 within the same account. The company data center is collocated in an AWS Direct Connect facility that serves the us-east-1 region. The company has already ordered an AWS Direct Connect connection and a cross-connect has been established.
Which solution will meet the requirements at the LOWEST cost?
- A. Provision a Direct Connect gateway and attach the virtual private gateway (VGW) for the VPC in us-east-1 and the VGW for the VPC in us-west-2. Create a private VIF on the Direct Connect connection and associate it to the Direct Connect gateway.
- B. Create private VIFs on the Direct Connect connection for each of the company’s VPCs in the us-east-1 and us-west-2 regions. Configure the company’s data center router to connect directly with the VPCs in those regions via the private VIFs.
- C. Deploy a transit VPC solution using Amazon EC2-based router instances in the us-east-1 region. Establish IPsec VPN tunnels between the transit routers and virtual private gateways (VGWs) located in the us-east-1 and us-west-2 regions, which are attached to the company’s VPCs in those regions. Create a public VIF on the Direct Connect connection and establish IPsec VPN tunnels over the public VIF between the transit routers and the company’s data center router.
- D. Order a second Direct Connect connection to a Direct Connect facility with connectivity to the us-west-2 region. Work with a partner to establish a network extension link over dark fiber from the Direct Connect facility to the company’s data center. Establish private VIFs on the Direct Connect connections for each of the company’s VPCs in the respective regions. Configure the company’s data center router to connect directly with the VPCs in those regions via the private VIFs.
Answer: A
Explanation:
https://aws.amazon.com/blogs/aws/new-aws-direct-connect-gateway-inter-region-vpc-access/
NEW QUESTION 3
A company receives clickstream data files in Amazon S3 every five minutes. A Python script runs as a cron job once a day on an Amazon EC2 instance to process each file and load it into a database hosted on Amazon RDS. The cron job takes 15 to 30 minutes to process 24 hours of data. The data consumers ask that the data be available as soon as possible.
Which solution would accomplish the desired outcome?
- A. Increase the size of the instance to speed up processing and update the schedule to run once an hour.
- B. Convert the cron job to an AWS Lambda function and trigger this new function using a cron job on an EC2 instance.
- C. Convert the cron job to an AWS Lambda function and schedule it to run once an hour using Amazon CloudWatch events.
- D. Create an AWS Lambda function that runs when a file is delivered to Amazon S3 using S3 event notifications.
Answer: D
Explanation:
https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html
NEW QUESTION 4
An enterprise runs 103 line-of-business applications on virtual machines in an on-premises data center. Many of the applications are simple PHP, Java, or Ruby web applications, are no longer actively developed, and serve little traffic.
Which approach should be used to migrate these applications to AWS with the LOWEST infrastructure costs?
- A. Deploy the applications to single-instance AWS Elastic Beanstalk environments without a load balancer.
- B. Use AWS SMS to create AMIs for each virtual machine and run them in Amazon EC2.
- C. Convert each application to a Docker image and deploy to a small Amazon ECS cluster behind an Application Load Balancer.
- D. Use VM Import/Export to create AMIs for each virtual machine and run them in single-instance AWS Elastic Beanstalk environments by configuring a custom image.
Answer: A
Explanation:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-types.html
NEW QUESTION 5
A company's data center is connected to the AWS Cloud over a minimally used 10-Gbps AWS Direct Connect connection with a private virtual interface to its virtual private cloud (VPC). The company internet connection is 200 Mbps and the company has a 150-TB dataset that is created each Friday. The data must be transferred and available in Amazon S3 on Monday morning.
Which is the LEAST expensive way to meet the requirements while allowing for data transfer growth?
- A. Order two 80-GB AWS Snowball appliances. Offload the data to the appliances and ship them to AWS. AWS will copy the data from the Snowball appliances to Amazon S3.
- B. Create a VPC endpoint for Amazon S3. Copy the data to Amazon S3 by using the VPC endpoint, forcing the transfer to use the Direct Connect connection.
- C. Create a VPC endpoint for Amazon S3. Set up a reverse proxy farm behind a Classic Load Balancer in the VPC. Copy the data to Amazon S3 using the proxy.
- D. Create a public virtual interface on a Direct Connect connection and copy the data to Amazon S3 over the connection.
Answer: D
NEW QUESTION 6
During a security audit of a Service team's application, a Solutions Architect discovers that a username and password for an Amazon RDS database and a set of AWS IAM user credentials can be viewed in the AWS Lambda function code. The Lambda function uses the username and password to run queries on the database, and it uses the IAM credentials to call AWS services in a separate management account.
The Solutions Architect is concerned that the credentials could grant inappropriate access to anyone who can view the Lambda code. The management account and the Service team's account are in separate AWS Organizations organizational units (OUs).
Which combination of changes should the Solutions Architect make to improve the solution's security? (Select TWO)
- A. Configure Lambda to assume a role in the management account with appropriate access to AWS.
- B. Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation.
- C. Create a Lambda function to rotate the credentials every hour by deploying a new Lambda version with the updated credentials.
- D. Use an SCP on the management account's OU to prevent IAM users from accessing resources in the Service team's account.
- E. Enable AWS Shield Advanced on the management account to shield sensitive resources from unauthorized IAM access.
Answer: BD
NEW QUESTION 7
A company’s CISO has asked a Solutions Architect to re-engineer the company’s current CI/CD practices to make sure patch deployments to its applications can happen as quickly as possible with minimal downtime if vulnerabilities are discovered. The company must also be able to quickly roll back a change in case of errors. The web application is deployed in a fleet of Amazon EC2 instances behind an Application Load Balancer. The company is currently using GitHub to host the application source code and has configured an AWS CodeBuild project to build the application. The company also intends to use AWS CodePipeline to trigger builds from GitHub commits using the existing CodeBuild project.
What CI/CD configuration meets all of the requirements?
- A. Configure CodePipeline with a deploy stage using AWS CodeDeploy configured for in-place deployment. Monitor the newly deployed code, and if there are any issues, push another code update.
- B. Configure CodePipeline with a deploy stage using AWS CodeDeploy configured for blue/green deployments. Monitor the newly deployed code, and if there are any issues, trigger a manual rollback using CodeDeploy.
- C. Configure CodePipeline with a deploy stage using AWS CloudFormation to create a pipeline for test and production stacks. Monitor the newly deployed code, and if there are any issues, push another code update.
- D. Configure the CodePipeline with a deploy stage using AWS OpsWorks and in-place deployments. Monitor the newly deployed code, and if there are any issues, push another code update.
Answer: B
NEW QUESTION 8
During an audit, a Security team discovered that a Development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The Security team wants to automatically find and remediate instances of this security vulnerability.
Which solution will ensure that the credentials are appropriately secured automatically?
- A. Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials.
- B. Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
- C. Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
- D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
Answer: C
NEW QUESTION 9
A company wants to replace its call system with a solution built using AWS managed services. The company call center would like the solution to receive calls, create contact flows, and scale to handle growth projections. The call center would also like the solution to use deep learning capabilities to recognize the intent of the callers and handle basic tasks, reducing the need to speak to an agent. The solution should also be able to query business applications and provide relevant information back to callers as requested.
Which services should the Solution Architect use to build this solution? (Choose three.)
- A. Amazon Rekognition to identify who is calling.
- B. Amazon Connect to create a cloud-based contact center.
- C. Amazon Alexa for Business to build conversational interface.
- D. AWS Lambda to integrate with internal systems.
- E. Amazon Lex to recognize the intent of the caller.
- F. Amazon SQS to add incoming callers to a queue.
Answer: BDE
NEW QUESTION 10
A company needs to run a software package that has a license that must be run on the same physical host for the duration of its use. The software package is only going to be used for 90 days. The company requires patching and restarting of all instances every 30 days.
How can these requirements be met using AWS?
- A. Run a dedicated instance with auto-placement disabled.
- B. Run the instance on a dedicated host with Host Affinity set to Host.
- C. Run an On-Demand instance with a Reserved Instance to ensure consistent placement.
- D. Run the instance on a licensed host with termination set for 90 days.
Answer: B
Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/how-dedicated-hosts-work.html
NEW QUESTION 11
A large company has increased its utilization of AWS over time in an unmanaged way. As such, they have a large number of independent AWS accounts across different business units, projects, and environments. The company has created a Cloud Center of Excellence team, which is responsible for managing all aspects of the AWS Cloud, including their AWS accounts.
Which of the following should the Cloud Center of Excellence team do to BEST address their requirements in a centralized way? (Select two.)
- A. Control all AWS account root user credentials. Assign AWS IAM users in the account of each user who needs to access AWS resources. Follow the policy of least privilege in assigning permissions to each user.
- B. Tag all AWS resources with details about the business unit, project, and environment. Send all AWS Cost and Usage reports to a central Amazon S3 bucket, and use tools such as Amazon Athena and Amazon QuickSight to collect billing details by business unit.
- C. Use the AWS Marketplace to choose and deploy a Cost Management tool. Tag all AWS resources with details about the business unit, project, and environment. Send all AWS Cost and Usage reports for the AWS accounts to this tool for analysis.
- D. Set up AWS Organizations. Enable consolidated billing, and link all existing AWS accounts to a master billing account. Tag all AWS resources with details about the business unit, project and environment. Analyze Cost and Usage reports using tools such as Amazon Athena and Amazon QuickSight to collect billing details by business unit.
- E. Using a master AWS account, create IAM users within the master account. Define IAM roles in the other AWS accounts, which cover each of the required functions in the account. Follow the policy of least privilege in assigning permissions to each role, then enable the IAM users to assume the roles that they need to use.
Answer: DE
NEW QUESTION 12
A finance company is running its business-critical application on current-generation Linux EC2 instances. The application includes a self-managed MySQL database performing heavy I/O operations. The application is working fine to handle a moderate amount of traffic during the month. However, it slows down during the final three days of each month due to month-end reporting, even though the company is using Elastic Load Balancers and Auto Scaling within its infrastructure to meet the increased demand.
Which of the following actions would allow the database to handle the month-end load with the LEAST impact on performance?
- A. Pre-warming Elastic Load Balancers, using a bigger instance type, changing all Amazon EBS volumes to GP2 volumes.
- B. Performing a one-time migration of the database cluster to Amazon RDS, and creating several additional read replicas to handle the load during end of month.
- C. Using Amazon CloudWatch with AWS Lambda to change the type, size, or IOPS of Amazon EBS volumes in the cluster based on a specific CloudWatch metric.
- D. Replacing all existing Amazon EBS volumes with new PIOPS volumes that have the maximum available storage size and I/O per second by taking snapshots before the end of the month and reverting back afterwards.
Answer: B
NEW QUESTION 13
A Solution Architect is designing a deployment strategy for an application tier and has the following requirements:
* The application code will need a 500 HB static dataset to be present before application startup.
* The application tier must be able to scale up and down based on demand with as little startup time as possible.
* The development team should be able to update the code multiple times each day.
* Critical operating system (OS) patches must be installed within 48 hours of being released.
Which deployment strategy meets these requirements?
- A. Use AWS Systems Manager to create a new AMI with the updated OS patches. Update the Auto Scaling group to use the patched AMI and replace existing unpatched. Use AWS CodeDeploy to push the application code to the instances. Store the static data in Amazon EFS.
- B. Use AWS Systems Manager to create a new AMI with updated OS patches. Update the Auto Scaling group to use the patched AMI and replace existing unpatches and the application code as a batch job every night. Store the static data in Amazon EFS.
- C. Use an Amazon-provided AMI for the OS. Configure an Auto Scaling group set to a static instance count. Configure an Amazon EC2 data script to download the data from Amazon S3. Install OS patches with AWS Systems Manager when they are released. Use CodeDeploy to push the application code to the instances.
- D. Use an Amazon-provided AMI for the OS. Configure an Auto Scaling group. Configure an Amazon EC2 user data script to download the data from Amazon S3. Replace existing instances after each Amazon-provided AMI release. Use AWS CodeDeploy to push the application code to the instances.
Answer: C
NEW QUESTION 14
A Solutions Architect must establish a patching plan for a large mixed fleet of Windows and Linux servers. The patching plan must be implemented securely, be audit ready, and comply with the company’s business requirements.
Which option will meet these requirements with MINIMAL effort?
- A. Install and use an OS-native patching service to manage the update frequency and release approval for all instances. Use AWS Config to verify the OS state on each instance and report on any patch compliance issues.
- B. Use AWS Systems Manager on all instances to manage patching. Test patches outside of production and then deploy during a maintenance window with the appropriate approval.
- C. Use AWS OpsWorks for Chef Automate to run a set of scripts that will iterate through all instances of a given type. Issue the appropriate OS command to get and install updates on each instance, including any required restarts during the maintenance window.
- D. Migrate all applications to AWS OpsWorks and use OpsWorks automatic patching support to keep the OS up-to-date following the initial installation. Use AWS Config to provide audit and compliance reporting.
Answer: B
Explanation:
Only Systems Manager can patch both operating systems effectively on AWS and on premises.
NEW QUESTION 15
A company with multiple accounts is currently using a configuration that does not meet the following security governance policies:
• Prevent ingress from port 22 to any Amazon EC2 instance
• Require billing and application tags for resources
• Encrypt all Amazon EBS volumes
A Solutions Architect wants to provide preventive and detective controls including notifications about a specific resource, if there are policy deviations.
Which solution should the Solutions Architect implement?
- A. Create an AWS CodeCommit repository containing policy-compliant AWS CloudFormation templates. Create an AWS Service Catalog portfolio. Import the CloudFormation templates by attaching the CodeCommit repository to the portfolio. Restrict users across all accounts to items from the AWS Service Catalog portfolio. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule for deviations, and associate a CloudWatch alarm to send notifications when the TriggeredRules metric is greater than zero.
- B. Use AWS Service Catalog to build a portfolio with products that are in compliance with the governance policies in a central account. Restrict users across all accounts to AWS Service Catalog products. Share a compliant portfolio to other accounts. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule to send a notification when a deviation occurs.
- C. Implement policy-compliant AWS CloudFormation templates for each account and ensure that all provisioning is completed by CloudFormation. Configure Amazon Inspector to perform regular checks against resources. Perform policy validation and write the assessment output to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to increment a metric when a deviation occurs. Configure a CloudWatch alarm to send notifications when the configured metric is greater than zero.
- D. Restrict users and enforce least privilege access using AWS IAM. Consolidate all AWS CloudTrail logs into a single account. Send the CloudTrail logs to Amazon Elasticsearch Service (Amazon ES). Implement monitoring, alerting, and reporting using the Kibana dashboard in Amazon ES and with Amazon SNS.
Answer: C
NEW QUESTION 16
What combination of steps could a Solutions Architect take to protect a web workload running on Amazon EC2 from DDoS and application layer attacks? (Select two.)
- A. Put the EC2 instances behind a Network Load Balancer and configure AWS WAF on it.
- B. Migrate the DNS to Amazon Route 53 and use AWS Shield.
- C. Put the EC2 instances in an Auto Scaling group and configure AWS WAF on it.
- D. Create and use an Amazon CloudFront distribution and configure AWS WAF on it.
- E. Create and use an internet gateway in the VPC and use AWS Shield.
Answer: BD
Explanation:
References: https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/
NEW QUESTION 17
A large company experienced a drastic increase in its monthly AWS spend. This is after Developers accidentally launched Amazon EC2 instances in unexpected regions. The company has established practices around least privileges for Developers and controls access to on-premises resources using Active Directory groups. The company now wants to control costs by restricting the level of access that Developers have to the AWS Management Console without impacting their productivity. The company would also like to allow Developers to launch Amazon EC2 in only one region, without limiting access to other services in any region.
How can this company achieve these new security requirements while minimizing the administrative burden on the Operations team?
- A. Set up SAML-based authentication tied to an IAM role that has an AdministrativeAccess managed policy attached to it. Attach a customer managed policy that denies access to Amazon EC2 in each region except for the one required.
- B. Create an IAM user for each Developer and add them to the developer IAM group that has the PowerUserAccess managed policy attached to it. Attach a customer managed policy that allows the Developers access to Amazon EC2 only in the required region.
- C. Set up SAML-based authentication tied to an IAM role that has a PowerUserAccess managed policy and a customer managed policy that deny all the Developers access to any AWS services except AWS Service Catalog. Within AWS Service Catalog, create a product containing only the EC2 resources in the approved region.
- D. Set up SAML-based authentication tied to an IAM role that has the PowerUserAccess managed policy attached to it. Attach a customer managed policy that denies access to Amazon EC2 in each region except for the one required.
Answer: D
Explanation:
The tricks here are SAML for AD federation and authentication, and PowerUserAccess vs. AdministrativeAccess. PowerUser has less privilege, which is the required one for developers; Admin has more rights. The description of "PowerUser access" given by AWS is “Provides full access to AWS services and resources, but does not allow management of Users and groups.”
NEW QUESTION 18
A company manages more than 200 separate internet-facing web applications. All of the applications are deployed to AWS in a single AWS Region. The fully qualified domain names (FQDNs) of all of the applications are made available through HTTPS using Application Load Balancers (ALBs). The ALBs are configured to use public SSL/TLS certificates.
A Solutions Architect needs to migrate the web applications to a multi-region architecture. All HTTPS services should continue to work without interruption.
Which approach meets these requirements?
- A. Request a certificate for each FQDN using AWS KMS. Associate the certificates with the ALBs in the primary AWS Region. Enable cross-region availability in AWS KMS for the certificates and associate the certificates with the ALBs in the secondary AWS Region.
- B. Generate the key pairs and certificate requests for each FQDN using AWS KMS. Associate the certificates with the ALBs in both the primary and secondary AWS Regions.
- C. Request a certificate for each FQDN using AWS Certificate Manager. Associate the certificates with the ALBs in both the primary and secondary AWS Regions.
- D. Request certificates for each FQDN in both the primary and secondary AWS Regions using AWS Certificate Manager. Associate the certificates with the corresponding ALBs in each AWS Region.
Answer: D
Explanation:
https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
Certificates in ACM are regional resources. To use a certificate with Elastic Load Balancing for the same fully qualified domain name (FQDN) or set of FQDNs in more than one AWS region, you must request or import a certificate for each region. For certificates provided by ACM, this means you must revalidate each domain name in the certificate for each region. You cannot copy a certificate between regions.
NEW QUESTION 19
An enterprise company is using a multi-account AWS strategy. There are separate accounts for development, staging, and production workloads. To control costs and improve governance, the following requirements have been defined:
• The company must be able to calculate the AWS costs for each project
• The company must be able to calculate the AWS costs for each environment: development, staging, and production
• Commonly deployed IT services must be centrally managed
• Business units can deploy pre-approved IT services only
• Usage of AWS resources in the development account must be limited
Which combination of actions should be taken to meet these requirements? (Select THREE )
- A. Apply environment, cost center, and application name tags to all taggable resources
- B. Configure custom budgets and define thresholds using Cost Explorer
- C. Configure AWS Trusted Advisor to obtain weekly emails with cost-saving estimates
- D. Create a portfolio for each business unit and add products to the portfolios using AWS CloudFormation in AWS Service Catalog
- E. Configure a billing alarm in Amazon CloudWatch.
- F. Configure SCPs in AWS Organizations to allow services available using AWS
Answer: CEF
NEW QUESTION 20
A company runs a video processing platform. Files are uploaded by users who connect to a web server, which stores them on an Amazon EFS share. This web server is running on a single Amazon EC2 instance. A different group of instances, running in an Auto Scaling group, scans the EFS share directory structure for new files to process and generates new videos (thumbnails, different resolution, compression, etc.) according to the instructions file, which is uploaded along with the video files. A different application running on a group of instances managed by an Auto Scaling group processes the video files and then deletes them from the EFS share. The results are stored in an S3 bucket. Links to the processed video files are emailed to the customer.
The company has recently discovered that as they add more instances to the Auto Scaling Group, many files are processed twice, so image processing speed is not improved. The maximum size of these video files is 2GB.
What should the Solutions Architect do to improve reliability and reduce the redundant processing of video files?
- A. Modify the web application to upload the video files directly to Amazon S3. Use Amazon CloudWatch Events to trigger an AWS Lambda function every time a file is uploaded, and have this Lambda function put a message into an Amazon SQS queue. Modify the video processing application to read from SQS queue for new files and use the queue depth metric to scale instances in the video processing Auto Scaling group.
- B. Set up a cron job on the web server instance to synchronize the contents of the EFS share into Amazon S3. Trigger an AWS Lambda function every time a file is uploaded to process the video file and store the results in Amazon S3. Using Amazon CloudWatch Events trigger an Amazon SES job to send an email to the customer containing the link to the processed file.
- C. Rewrite the web application to run directly from Amazon S3 and use Amazon API Gateway to upload the video files to an S3 bucket. Use an S3 trigger to run an AWS Lambda function each time a file is uploaded to process and store new video files in a different bucket. Using CloudWatch Events, trigger an SES job to send an email to the customer containing the link to the processed file.
- D. Rewrite the web application to run from Amazon S3 and upload the video files to an S3 bucket. Each time a new file is uploaded, trigger an AWS Lambda function to put a message in an SQS queue containing the link and the instructions. Modify the video processing application to read from the SQS queue and the S3 bucket. Use the queue depth metric to adjust the size of the Auto Scaling group for video processing instances.
Answer: A
NEW QUESTION 21
A company has an application that uses Amazon EC2 instances in an Auto Scaling group. The Quality Assurance (QA) department needs to launch a large number of short-lived environments to test the application. The application environments are currently launched by the Manager of the department using an AWS CloudFormation template. To launch the stack, the Manager uses a role with permission to use CloudFormation, EC2 and Auto Scaling APIs. The Manager wants to allow testers to launch their own environments, but does not want to grant broad permission to each user.
Which set up would achieve these goals?
- A. Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to assume the Manager’s role and add a policy that restricts the permissions to the template and the resources it creates. Train users to launch the template from the CloudFormation console.
- B. Create an AWS Service Catalog product from the environment template. Add a launch constraint to the product with the existing role. Give users in the QA department permission to use AWS Service Catalog APIs only. Train users to launch the templates from the AWS Service Catalog console.
- C. Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to use CloudFormation and S3 APIs, with conditions that restrict the permission to the template and the resources it creates. Train users to launch the template from the CloudFormation console.
- D. Create an AWS Elastic Beanstalk application from the environment template. Give users in the QA department permission to use Elastic Beanstalk permissions only. Train users to launch Elastic Beanstalk environments with the Elastic Beanstalk CLI, passing the existing role to the environment as a service role.
Answer: B
Explanation:
https://aws.amazon.com/blogs/mt/how-to-launch-secure-and-governed-aws-resources-with-aws-cloudformation-
NEW QUESTION 22
A company is designing a new highly available web application on AWS. The application requires consistent and reliable connectivity from the application servers in AWS to a backend REST API hosted in the company’s on-premises environment. The backend connection between AWS and on-premises will be routed over an AWS Direct Connect connection through a private virtual interface. Amazon Route 53 will be used to manage private DNS records for the application to resolve the IP address on the backend REST API.
Which design would provide a reliable connection to the backend API?
- A. Implement at least two backend endpoints for the backend REST API, and use Route 53 health checks to monitor the availability of each backend endpoint and perform DNS-level failover.
- B. Install a second Direct Connect connection from a different network carrier and attach it to the same virtual private gateway as the first Direct Connect connection.
- C. Install a second cross connect for the same Direct Connect connection from the same network carrier, and join both connections to the same link aggregation group (LAG) on the same private virtual interface.
- D. Create an IPSec VPN connection routed over the public internet from the on-premises data center to AWS and attach it to the same virtual private gateway as the Direct Connect connection.
Answer: A
NEW QUESTION 23
A company uses an Amazon EMR cluster to process data once a day. The raw data comes from Amazon S3, and the resulting processed data is also stored in Amazon S3. The processing must complete within 4 hours; currently, it only takes 3 hours. However, the processing time is taking 5 to 10 minutes longer each week due to an increasing volume of raw data.
The team is also concerned about rising costs as the compute capacity increases. The EMR cluster is currently running on three m3.xlarge instances (one master and two core nodes).
Which of the following solutions will reduce costs related to the increasing compute needs?
- A. Add additional task nodes, but have the team purchase an all-upfront convertible Reserved Instance for each additional node to offset the costs.
- B. Add additional task nodes, but use instance fleets with the master node in On-Demand mode and a mix of On-Demand and Spot Instances for the core and task nodes. Purchase a scheduled Reserved Instance for the master node.
- C. Add additional task nodes, but use instance fleets with the master node in Spot mode and a mix of On-Demand and Spot Instances for the core and task nodes. Purchase enough scheduled Reserved Instances to offset the cost of running any On-Demand instances.
- D. Add additional task nodes, but use instance fleets with the master node in On-Demand mode and a mix of On-Demand and Spot Instances for the core and task nodes. Purchase a standard all-upfront Reserved Instance for the master node.
Answer: B
NEW QUESTION 24
A company has a requirement that only allows specially hardened AMIs to be launched into public subnets in a VPC, and for the AMIs to be associated with a specific security group. Allowing non-compliant instances to launch into the public subnet could present a significant security risk if they are allowed to operate.
A mapping of approved AMIs to subnets to security groups exists in an Amazon DynamoDB table in the same AWS account. The company created an AWS Lambda function that, when invoked, will terminate a given Amazon EC2 instance if the combination of AMI, subnet, and security group are not approved in the DynamoDB table.
What should the Solutions Architect do to MOST quickly mitigate the risk of compliance deviations?
- A. Create an Amazon CloudWatch Events rule that matches each time an EC2 instance is launched using one of the allowed AMIs, and associate it with the Lambda function as the target.
- B. For the Amazon S3 bucket receiving the AWS CloudTrail logs, create an S3 event notification configuration with a filter to match when logs contain the ec2:RunInstances action, and associate it with the Lambda function as the target.
- C. Enable AWS CloudTrail and configure it to stream to an Amazon CloudWatch Logs group. Create a metric filter in CloudWatch to match when the ec2:RunInstances action occurs, and trigger the Lambda function when the metric is greater than 0.
- D. Create an Amazon CloudWatch Events rule that matches each time an EC2 instance is launched, and associate it with the Lambda function as the target.
Answer: C
Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html
NEW QUESTION 25
A company wants to migrate its website from an on-premises data center onto AWS. At the same time, it wants to migrate the website to a containerized microservice-based architecture to improve the availability and cost efficiency. The company’s security policy states that privileges and network permissions must be configured according to best practice, using least privilege.
A Solutions Architect must create a containerized architecture that meets the security requirements and has deployed the application to an Amazon ECS cluster.
What steps are required after the deployment to meet the requirements? (Choose two.)
- A. Create tasks using the bridge network mode.
- B. Create tasks using the awsvpc network mode.
- C. Apply security groups to Amazon EC2 instances, and use IAM roles for EC2 instances to access other resources.
- D. Apply security groups to the tasks, and pass IAM credentials into the container at launch time to access other resources.
- E. Apply security groups to the tasks, and use IAM roles for tasks to access other resources.
Answer: BE
Explanation:
https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-ecs-introduces-awsvpc-networking-mode-for-c
https://amazonaws-china.com/blogs/compute/introducing-cloud-native-networking-for-ecs-containers/
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html