Solutions Architect Associate - Practice Test stud

Elastic Beanstalk https://www.udemy.com/course/aws-certified-solutions-architect-associate-saa-c01/learn/lecture/13528230#overview
**A company is planning to launch an application which requires a data warehouse that will be used for their infrequently accessed data. You need to use an EBS Volume that can handle large, sequential I/O operations.
Which of the following is the most cost-effective storage type that you should use to meet the requirement?**
Cold HDD (sc1) volumes provide low-cost magnetic storage that defines performance in terms of throughput rather than IOPS. With a lower throughput limit than Throughput Optimized HDD (st1), they are the ideal fit for large, sequential cold-data workloads. If you require infrequent access to your data and are looking to save costs, Cold HDD provides inexpensive block storage. Take note that bootable Cold HDD volumes are not supported.


**You need to back up your mySQL database hosted on a Reserved EC2 instance. It is using EBS volumes that are configured in a RAID array.
What steps will you take to minimize the time during which the database cannot be written to and to ensure a consistent backup?**
Explanation
Remember that since the instance is using a RAID configuration, the snapshot process is different. You should stop all I/O activity of the volumes before creating a snapshot. Hence, option 2 is correct:
When you take a snapshot of an attached Amazon EBS volume that is in use, the snapshot excludes data cached by applications or the operating system. For a single EBS volume, this is often not a problem. However, when cached data is excluded from snapshots of multiple EBS volumes in a RAID array, restoring the volumes from the snapshots can degrade the integrity of the array.
When creating snapshots of EBS volumes that are configured in a RAID array, it is critical that there is no data I/O to or from the volumes when the snapshots are created. RAID arrays introduce data interdependencies and a level of complexity not present in a single EBS volume configuration.
Option 1 is incorrect as you don't need to detach the volumes in the first place.
Option 3 is incorrect as you don't need to create a new image of the instance.
Option 4 is incorrect because there are missing steps in the process: you have to flush all caches to disk first and ensure that the EC2 instance is no longer writing to the RAID array. In practice that means quiescing the application, flushing and freezing the filesystem on the array (on Linux, sync followed by fsfreeze -f on the mount point), snapshotting every member volume, and only then thawing the filesystem with fsfreeze -u. Snapshotting the member volumes a few seconds apart while writes continue still produces an inconsistent array on restore.
**You are working as a Solutions Architect for a start-up company that has a not-for-profit crowdfunding platform hosted in AWS. Their platform allows people around the globe to raise money for social enterprise projects including challenging circumstances like accidents and illnesses. Since the system handles financial transactions, you have to ensure that your cloud architecture is secure.
Which of the following AWS services encrypts data at rest by default? (Choose 2)**
All data transferred between any type of gateway appliance and AWS storage is encrypted using SSL. By default, all data stored by AWS Storage Gateway in S3 is encrypted server-side with Amazon S3-Managed Encryption Keys (SSE-S3). Also, when using the file gateway, you can optionally configure each file share to have your objects encrypted with AWS KMS-Managed Keys using SSE-KMS. This is the reason why Option 1 is correct.
Data stored in Amazon Glacier is protected by default; only vault owners have access to the Amazon Glacier resources they create. Amazon Glacier encrypts your data at rest by default and supports secure data transit with SSL. This is the reason why Option 4 is correct.
Options 2, 3 and 5 are incorrect because although Amazon RDS, ECS and Lambda all support encryption, you still have to enable and configure them first with tools like AWS KMS to encrypt the data at rest.
**You have a data analytics application that updates a real-time, foreign exchange dashboard and another separate application that archives data to Amazon Redshift. Both applications are configured to consume data from the same stream concurrently and independently by using Amazon Kinesis Data Streams. However, you noticed that there are a lot of occurrences where a shard iterator expires unexpectedly. Upon checking, you found out that the DynamoDB table used by Kinesis does not have enough capacity to store the lease data.
Which of the following is the most suitable solution to rectify this issue?**
A new shard iterator is returned by every GetRecords request (as NextShardIterator), which you then use in the next GetRecords request (as ShardIterator). Typically, this shard iterator does not expire before you use it. However, you may find that shard iterators expire because you have not called GetRecords for more than 5 minutes, or because you've performed a restart of your consumer application.
If the shard iterator expires immediately before you can use it, this might indicate that the DynamoDB table used by Kinesis does not have enough capacity to store the lease data. This situation is more likely to happen if you have a large number of shards. To solve this problem, increase the write capacity assigned to the shard table. Hence, Option 1 is correct.
https://docs.aws.amazon.com/streams/latest/dev/kinesis-record-processor-ddb.html
https://docs.aws.amazon.com/streams/latest/dev/troubleshooting-consumers.html
**You developed a web application and deployed it on a fleet of EC2 instances, which is using Amazon SQS. The requests are saved as messages in the SQS queue which is configured with the maximum message retention period. However, after thirteen days of operation, the web application suddenly crashed and there are 10,000 unprocessed messages that are still waiting in the queue. Since you developed the application, you can easily resolve the issue but you need to send a communication to the users on the issue.
What information will you provide and what will happen to the unprocessed messages?**
Explanation
In this scenario, it is stated that the SQS queue is configured with the maximum message retention period. The maximum message retention period in SQS is 14 days, which is why option 3 is the correct answer: after thirteen days there are no missing messages, and the application will process the 10,000 queued messages once it is back up, as long as it recovers before the 14-day limit is reached.
Options 1 and 2 are incorrect as there are no missing messages in the queue thus, there is no need to resubmit any previous requests.
Option 4 is incorrect as the queue can contain an unlimited number of messages, not just 10,000 messages.
In Amazon SQS, you can configure the message retention period to a value from 1 minute to 14 days. The default is 4 days. Once the message retention limit is reached, your messages are automatically deleted.
A single Amazon SQS message queue can contain an unlimited number of messages. However, there is a 120,000 limit for the number of inflight messages for a standard queue and 20,000 for a FIFO queue. Messages are inflight after they have been received from the queue by a consuming component, but have not yet been deleted from the queue.
https://tutorialsdojo.com/aws-cheat-sheet-amazon-sqs/
You are an AWS Network Engineer working for a utilities provider where you are managing a monolithic application on an EC2 instance using a Windows AMI. You want to implement a cost-effective and highly available architecture for your application where you have an exact replica of the Windows server in a running state. If the primary instance terminates, you can attach the ENI to the standby secondary instance, which allows the traffic flow to resume within a few seconds.
When it comes to attaching an ENI to an EC2 instance, what does 'warm attach' refer to?
Explanation
An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card. You can attach a network interface to an EC2 instance in the following ways:
Hot attach: when the instance is running.
Warm attach: when the instance is stopped.
Cold attach: when the instance is being launched.
Therefore, option 1 (attaching the ENI to a stopped instance) is the correct answer.
Option 2 is incorrect because this describes a "cold attach" scenario.
Option 3 is incorrect because this describes a "hot attach" scenario.
Option 4 is incorrect because there is no specific name for attaching an ENI to an idle EC2 instance.
You are working for a large telecommunications company. They have a requirement to move 83 TB data warehouse to the cloud. It would take 2 months to transfer the data given their current bandwidth allocation.
Which is the most cost-effective service that would allow you to quickly upload their data into AWS?
Explanation
Although an AWS Snowball device costs less than AWS Snowball Edge, a single Snowball cannot hold the 83 TB. Take note that the storage capacity is different from the usable capacity for Snowball and Snowball Edge: an 80 TB Snowball appliance and a 100 TB Snowball Edge appliance have only 72 TB and 83 TB of usable capacity respectively. Hence, using two Snowball devices would be more costly than using just one AWS Snowball Edge device.
The AWS Snowball Edge is a type of Snowball device with on-board storage and compute power for select AWS capabilities. Snowball Edge can undertake local processing and edge-computing workloads in addition to transferring data between your local environment and the AWS Cloud.
Each Snowball Edge device can transport data at speeds faster than the internet. This transport is done by shipping the data in the appliances through a regional carrier. The appliances are rugged shipping containers, complete with E Ink shipping labels. The AWS Snowball Edge device differs from the standard Snowball because it can bring the power of the AWS Cloud to your on-premises location, with local storage and compute functionality.
Snowball Edge devices have three options for device configurations – storage optimized, compute optimized, and with GPU. When this guide refers to Snowball Edge devices, it's referring to all options of the device. Whenever specific information applies only to one or more optional configurations of devices, like how the Snowball Edge with GPU has an on-board GPU, it will be called out.
You work for an Intelligence Agency as its Principal Consultant developing a missile tracking application, which is hosted on both development and production AWS accounts. Alice, the Intelligence agency’s Junior Developer, only has access to the development account. She has received security clearance to access the agency’s production account but the access is only temporary and only write access to EC2 and S3 is allowed.
Which of the following allows you to issue short-lived access tokens that acts as temporary security credentials to allow access to your AWS resources?
Explanation
AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.
The STS documentation illustrates this with a diagram (not reproduced here) in which IAM user Alice in the Dev account (the role-assuming account) needs to access the Prod account (the role-owning account). Here's how it works: an administrator in Prod creates a role whose trust policy names Alice's Dev account (or her user) as the principal allowed to assume it and whose permissions policy grants only the EC2 and S3 write actions she needs; an administrator in Dev gives Alice permission to call sts:AssumeRole on that role; Alice calls AssumeRole and receives a temporary access key ID, secret access key and session token that expire at the end of the session duration; she then uses those temporary credentials to call EC2 and S3 in Prod.
Option 1 is incorrect because the Amazon Cognito service is primarily used for user authentication and not for providing access to your AWS resources. A JSON Web Token (JWT) is meant to be used for user authentication and session management.
Option 3 is incorrect because although the AWS SSO service uses STS, it does not issue short-lived credentials by itself. AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.
Option 4 is incorrect as only STS has the ability to provide temporary security credentials.
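The two policies and the AssumeRole call that the Alice scenario above relies on, as an added example (not from the practice test or the AWS documentation). The account IDs, role and user names, bucket name and the concrete set of "write" actions are assumptions made for illustration; the trust policy additionally requires MFA, which the question does not mention but a production account should.

```python
"""Cross-account access with STS AssumeRole, as in the Alice scenario.

Added example, not from the page or AWS documentation. The account IDs,
role and user names, bucket name and the concrete list of "write" actions
are assumptions made for illustration.
"""
import json

DEV_ACCOUNT = "111111111111"    # assumed: Alice's home (role-assuming) account
PROD_ACCOUNT = "222222222222"   # assumed: role-owning account
ROLE_NAME = "TempEC2S3Writer"   # assumed name of the role created in Prod

# Assumed interpretation of "only write access to EC2 and S3": no Describe,
# List or Get actions, and nothing outside those two services.
ALLOWED_ACTIONS = [
    "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
    "s3:PutObject", "s3:DeleteObject",
]


def trust_policy(dev_account, user_name):
    """Trust policy attached to the Prod role: only this one Dev user may
    assume it, and only from a session that authenticated with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{dev_account}:user/{user_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def permissions_policy(actions, bucket):
    """Permissions policy attached to the Prod role. S3 access is pinned to
    one bucket; the EC2 actions stay on "*" here for brevity and should be
    tightened with resource ARNs or tag conditions in practice."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": [a for a in actions if a.startswith("ec2:")],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": [a for a in actions if a.startswith("s3:")],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def offending_actions(policy, allowed):
    """Every Allow action in the policy that is not on the allow list.
    Wildcards ('iam:*', 's3:*', '*') are always reported."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action or action not in allowed:
                bad.append(action)
    return bad


def assume_role_params(session_name, duration_seconds=3600):
    """Keyword arguments for boto3's sts.assume_role(). STS rejects sessions
    shorter than 900 s, and the role's MaxSessionDuration caps the upper end."""
    if duration_seconds < 900:
        raise ValueError("STS minimum session duration is 900 seconds")
    return {
        "RoleArn": f"arn:aws:iam::{PROD_ACCOUNT}:role/{ROLE_NAME}",
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy(DEV_ACCOUNT, "Alice"), indent=2))
    prod_policy = permissions_policy(ALLOWED_ACTIONS, "prod-telemetry")
    print(json.dumps(prod_policy, indent=2))
    print("policy drift:", offending_actions(prod_policy, ALLOWED_ACTIONS))
    # With boto3 and Alice's Dev credentials configured, the actual call is:
    #   creds = boto3.client("sts").assume_role(**assume_role_params("alice"))["Credentials"]
    # creds holds AccessKeyId, SecretAccessKey, SessionToken and Expiration;
    # the session token is what distinguishes them from long-term keys.
    print(assume_role_params("alice"))
```

The offending_actions check is the review step worth keeping: run it against the role's live policy whenever it changes, so a later "temporary" addition of iam:* or a Describe action is caught before Alice's next session.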
**Using the EC2 API, you requested 40 m5.large On-Demand EC2 instances in a single Availability Zone. Twenty instances were successfully created but the other 20 requests failed.
What is the solution for this issue and what is the root cause?**
Explanation
Amazon EC2 has a soft limit of 20 On-Demand instances per region, which can be easily resolved by completing the Amazon EC2 instance request form, where your use case and the requested increase will be considered. Limit increases are tied to the region they were requested for. (Today this quota is expressed in vCPUs per instance family rather than a flat instance count, but it is still a per-region soft limit raised through Service Quotas.)
Option 2 is incorrect as there is no such limit in the Availability Zone.
Option 3 is incorrect. A network ACL (network access control list) is an optional layer of security for your VPC that acts as a stateless firewall controlling traffic in and out of one or more subnets. It does not affect the creation of new EC2 instances.
Option 4 is incorrect as there is no problem with your API credentials.
Your customer is building an internal application that serves as a repository for images uploaded by a couple of users. Whenever a user uploads an image, it would be sent to Kinesis for processing before it is stored in an S3 bucket. Afterwards, if the upload was successful, the application will return a prompt telling the user that the upload is successful. The entire processing typically takes about 5 minutes to finish.
Which of the following options will allow you to asynchronously process the request to the application in the most cost-effective manner?
Explanation
AWS Lambda supports synchronous and asynchronous invocation of a Lambda function. You can control the invocation type only when you invoke a Lambda function directly through the Invoke API. When you use an AWS service as a trigger, the invocation type is predetermined for each service, and you have no control over the invocation type that these event sources use when they invoke your function. Since the processing only takes about 5 minutes, well within Lambda's maximum execution time, Lambda is also a cost-effective choice.
Option 1 is incorrect because the AWS Step Functions service lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Although this can be a valid solution, it is not cost-effective since the application does not have many components to orchestrate; Lambda functions can meet the requirements in this scenario without Step Functions.
Options 2 and 4 are incorrect as using On-Demand EC2 instances is not cost-effective. It is better to use a Lambda function instead.
Lambda Security
You can use AWS Identity and Access Management (IAM) to manage access to the Lambda API and resources like functions and layers. For users and applications in your account that use Lambda, you manage permissions in a permissions policy that you can apply to IAM users, groups, or roles. To grant permissions to other accounts or AWS services that use your Lambda resources, you use a policy that applies to the resource itself.
A Lambda function also has a policy, called an execution role, that grants it permission to access AWS services and resources. At a minimum, your function needs access to Amazon CloudWatch Logs for log streaming. If you use AWS X-Ray to trace your function, or your function accesses services with the AWS SDK, you grant it permission to call them in the execution role. Lambda also uses the execution role to get permission to read from event sources when you use an event source mapping to trigger your function.
Note
If your function needs network access to a resource like a relational database that isn't accessible through AWS APIs or the internet, configure it to connect to your VPC.
Use resource-based policies to give other accounts and AWS services permission to use your Lambda resources. Lambda resources include functions, versions, aliases, and layer versions. Each of these resources has a permissions policy that applies when the resource is accessed, in addition to any policies that apply to the user. When an AWS service like Amazon S3 calls your Lambda function, the resource-based policy gives it access.
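Both sides of the Lambda permissions model just described, as an added example that is not part of the original notes: an execution role limited to the function's own log group, and a resource-based policy statement that lets Amazon S3 invoke the function only for one specific bucket. The region, account ID, function and bucket names are assumptions.

```python
"""Lambda permissions in both directions: the execution role (what the
function may call) and the resource-based policy (who may invoke it).

Added example, not from the page. Region, account ID, function and bucket
names are assumptions made for illustration.
"""
import json

REGION, ACCOUNT = "us-east-1", "123456789012"   # assumed
FUNCTION = "image-ingest"                        # assumed function name
BUCKET = "uploads-example"                       # assumed trigger bucket


def execution_role_policy(region, account, function):
    """Identity policy for the execution role, limited to what the text
    calls the minimum: writing to the function's own CloudWatch Logs log
    group, not logs:* on every log group in the account."""
    log_group = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:CreateLogGroup",
             "Resource": f"arn:aws:logs:{region}:{account}:*"},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"{log_group}:*"},
        ],
    }


def s3_invoke_statement(region, account, function, bucket, sid="AllowS3Invoke"):
    """Resource-based policy statement of the kind `aws lambda add-permission`
    writes when given --source-arn and --source-account.  Without those two
    conditions any bucket in any account that knows the function ARN could
    trigger it (the confused-deputy problem)."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": f"arn:aws:lambda:{region}:{account}:function:{function}",
        "Condition": {
            "ArnLike": {"AWS:SourceArn": f"arn:aws:s3:::{bucket}"},
            "StringEquals": {"AWS:SourceAccount": account},
        },
    }


def unscoped_service_grants(policy):
    """Sids of Allow statements that grant a *service* principal access
    without pinning the caller through SourceArn or SourceAccount."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        condition_text = json.dumps(stmt.get("Condition", {}))
        if "SourceArn" not in condition_text and "SourceAccount" not in condition_text:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(json.dumps(execution_role_policy(REGION, ACCOUNT, FUNCTION), indent=2))
    policy = {"Version": "2012-10-17",
              "Statement": [s3_invoke_statement(REGION, ACCOUNT, FUNCTION, BUCKET)]}
    print(json.dumps(policy, indent=2))
    print("unscoped grants:", unscoped_service_grants(policy))
    # Equivalent CLI call (assumed names):
    #   aws lambda add-permission --function-name image-ingest --statement-id AllowS3Invoke \
    #     --action lambda:InvokeFunction --principal s3.amazonaws.com \
    #     --source-arn arn:aws:s3:::uploads-example --source-account 123456789012
```

unscoped_service_grants is the check to run over the output of get-policy for every function: a service-principal grant without SourceArn or SourceAccount is the most common way a Lambda resource policy ends up wider than intended.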
You are working for a SaaS (Software as a Service) company as a solutions architect and help design solutions for your company's customers. One of your customer is a bank and has a strong requirement to whitelist up to two public IPs when the bank is accessing external services across the public web. Which architectural choice do you recommend to maintain high availability, scale to up to 10 instances and comply with the bank's requirements?
Explanation Network Load Balancers can be given a static IP per Availability Zone (an Elastic IP you own), so your application can be reached predictably on those addresses while you scale the instances behind the load balancer with an ASG. Deployed in two AZs, that is exactly the two public IPs the bank is willing to whitelist. Application and Classic Load Balancers only expose a fixed DNS name whose underlying IPs change over time. Finally, the ASG has no feature for dynamically attaching Elastic IPs to the instances it launches.
You started a new job as a Solutions Architect in a big company that has both AWS experts and people learning AWS. You would like everyone to be empowered to build and configure great architectures without making manual mistakes. Recently, an intern misconfigured a newly created RDS database by forgetting to tag it, which resulted in a production outage. How can you make sure to pass on the best practices reliably to all your AWS users?
Explanation CloudFormation allows you to keep your infrastructure as code and re-use the best practices around your company for configuration parameters.
Didn't read the answers clearly enough... **You have an S3 bucket that contains files in different sub folders, for example s3://my-bucket/images and s3://my-bucket/thumbnails.
When an image is first uploaded to your application, it is often requested, whereas after 45 days, analytics prove that files are on average rarely requested, but the thumbnails still are. After 180 days, you would like to archive the files and the thumbnails. Overall you would like to remain highly available to prevent disasters happening against a whole AZ.
How can you implement an efficient cost strategy for your S3 bucket?**
Explanation Here prefixes must be used so that only the images (not the thumbnails) are transitioned to Standard-IA after 45 days, whereas after 180 days all objects can be transitioned to Glacier (no prefix needed). Finally, S3 One Zone-IA stores data in a single AZ and would not achieve the necessary availability if that AZ goes down.
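The lifecycle configuration that implements the strategy above, plus a small simulator that shows which storage class each object ends up in on a given day, as an added example that is not part of the original notes. The bucket name comes from the question's example paths; the rule IDs are assumptions, and the 45-day and 180-day thresholds are the ones in the question.

```python
"""S3 lifecycle rules for the images/ and thumbnails/ layout, plus a small
simulator showing which storage class an object lands in after N days.

Added example, not from the page. The rule IDs are assumptions; the bucket
name and the 45-day and 180-day thresholds come from the question.
"""
import json

BUCKET = "my-bucket"   # from the question's example paths

# Cost order used to break ties; lower is warmer/more expensive.
CLASS_RANK = {"STANDARD": 0, "STANDARD_IA": 1, "ONEZONE_IA": 1,
              "GLACIER": 2, "DEEP_ARCHIVE": 3}


def lifecycle_rules():
    """Rules in the shape put_bucket_lifecycle_configuration expects.

    Only images/ cools down to Standard-IA at 45 days: the prefix filter is
    what keeps thumbnails/ in Standard, since they are still read.  A second
    rule with an empty prefix covers the whole bucket and moves everything to
    Glacier at 180 days.  Standard-IA is chosen over One Zone-IA because
    One Zone-IA keeps its copies in a single AZ, which fails the "survive an
    AZ loss" requirement.  45 days also satisfies the 30-day minimum an
    object must spend in Standard before it may move to Standard-IA.
    """
    return [
        {"ID": "images-to-standard-ia", "Status": "Enabled",
         "Filter": {"Prefix": "images/"},
         "Transitions": [{"Days": 45, "StorageClass": "STANDARD_IA"}]},
        {"ID": "everything-to-glacier", "Status": "Enabled",
         "Filter": {"Prefix": ""},
         "Transitions": [{"Days": 180, "StorageClass": "GLACIER"}]},
    ]


def lifecycle_configuration():
    """Full request body for boto3:
    s3.put_bucket_lifecycle_configuration(Bucket=BUCKET,
        LifecycleConfiguration=lifecycle_configuration())"""
    return {"Rules": lifecycle_rules()}


def storage_class_after(key, age_days, rules=None):
    """Storage class an object with this key is in once it is age_days old.

    Every enabled rule whose prefix matches contributes the transitions that
    have already fired; the latest one wins, and on a same-day tie the colder
    class wins (S3 resolves such conflicts toward the lower-cost class).
    """
    rules = lifecycle_rules() if rules is None else rules
    winner_class, winner_day = "STANDARD", -1
    for rule in rules:
        if rule["Status"] != "Enabled":
            continue
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if not key.startswith(prefix):
            continue
        for t in rule.get("Transitions", []):
            if t["Days"] > age_days:
                continue
            candidate = (t["Days"], CLASS_RANK[t["StorageClass"]])
            if candidate > (winner_day, CLASS_RANK[winner_class]):
                winner_class, winner_day = t["StorageClass"], t["Days"]
    return winner_class


if __name__ == "__main__":
    print(json.dumps(lifecycle_configuration(), indent=2))
    for key in ("images/cat.jpg", "thumbnails/cat.jpg"):
        for age in (10, 45, 100, 180):
            print(f"{key:20s} day {age:3d}: {storage_class_after(key, age)}")
```

Running the simulator against the rule set before applying it is a cheap way to confirm that a prefix typo (say "image/" instead of "images/") does not silently leave the images in Standard or drag the thumbnails into Standard-IA.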
You are the systems admin of a web hosting company. The application is deployed behind a network load balancer and an autoscaling group. You have now released a new cost-optimized AMI that should be used to launch instances for the Auto Scaling Group. How can you update the ASG to launch from this new AMI?
Explanation Launch configurations are immutable, meaning they cannot be updated. You have to create a new launch configuration with the new AMI, attach it to the ASG and then terminate old instances / launch new instances (manually or with an instance refresh). Launch templates, the newer alternative, are versioned, so an ASG using one can simply be pointed at a new template version.
You would like to perform a daily big data analysis leveraging a Spark job you have written for that purpose. The big data analysis should read the data from S3 and output it back into S3, to be sent back to your customers. Which technology do you recommend to run the Big Data analysis?
Athena is serverless SQL, Redshift is SQL, Glue is for ETL, not Big Data Analysis. EMR is for launching Hadoop / Spark clusters and is the right answer here
AWS Glue runs your ETL jobs in an Apache Spark serverless environment.
Didn't read the question well enough... Your company has grown from a small startup to now being a leading tech company employing over 1000 people. As part of the scaling of your AWS team, you have observed some strange behavior with S3 buckets settings regularly being changed. How can you figure out what's happening without restricting the rights of your users?
Explanation Implementing an IAM policy to forbid users would be disruptive and wouldn't go unnoticed. S3 server access logs would not provide the necessary information: they only exist for buckets where logging was enabled and are delivered on a best-effort basis, so they cannot answer the question account-wide. Changing the bucket policy to require MFA would not go unnoticed either. Here, and in general, to analyze any API call made within your AWS account, you should use CloudTrail.
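What "use CloudTrail" looks like once the trail is in place, as an added example that is not part of the original notes: filter the records for S3 bucket-configuration writes and attribute them to the calling principal. The events are constructed (account ID, user names, bucket names and IP addresses are made up) and trimmed to the fields the code reads; real records carry many more. Bucket-level calls such as PutBucketPolicy are management events and are logged by default, whereas object-level calls such as PutObject are data events that only appear if data-event logging was enabled on the trail.

```python
"""Spotting S3 bucket-configuration changes in CloudTrail records.

Added example, not from the page. SAMPLE_EVENTS is constructed for
illustration and trimmed to the fields the code reads.
"""
import json
from collections import Counter

# S3 management events that change how a bucket is protected or exposed.
BUCKET_CONFIG_WRITES = {
    "PutBucketPolicy", "DeleteBucketPolicy",
    "PutBucketAcl",
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
    "PutBucketEncryption", "DeleteBucketEncryption",
    "PutBucketVersioning", "PutBucketLifecycle", "PutBucketLogging",
}

ACCOUNT = "123456789012"   # assumed
SAMPLE_EVENTS = [          # constructed records
    {"eventTime": "2020-03-01T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2020-03-01T09:13:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketLocation", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2020-03-01T09:14:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/AppRole/i-0abc"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q1.csv"}},
    {"eventTime": "2020-03-01T09:20:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"bucketName": "hr-records"}},
    {"eventTime": "2020-03-01T23:41:57Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketEncryption", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Admin/ci-runner"},
     "requestParameters": {"bucketName": "finance-reports"}},
]


def load_records(text):
    """CloudTrail delivers (gzipped) JSON files shaped {"Records": [...]}."""
    return json.loads(text)["Records"]


def bucket_config_changes(records):
    """Who changed which bucket's configuration, when, and whether it worked."""
    findings = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        if r.get("eventName") not in BUCKET_CONFIG_WRITES:
            continue
        findings.append({
            "time": r["eventTime"],
            "who": r.get("userIdentity", {}).get("arn", "<unknown>"),
            "from": r.get("sourceIPAddress"),
            "bucket": r.get("requestParameters", {}).get("bucketName"),
            "action": r["eventName"],
            # a non-empty errorCode means the call was refused; still worth knowing
            "denied": bool(r.get("errorCode")),
        })
    return findings


def changes_by_principal(records):
    """Successful configuration changes per caller, to find the repeat offender."""
    return Counter(f["who"] for f in bucket_config_changes(records) if not f["denied"])


if __name__ == "__main__":
    for f in bucket_config_changes(SAMPLE_EVENTS):
        flag = "DENIED " if f["denied"] else ""
        print(f'{f["time"]} {flag}{f["action"]:24s} {f["bucket"]:16s} {f["who"]} from {f["from"]}')
    print(changes_by_principal(SAMPLE_EVENTS))
```

The same filter expressed as a CloudWatch Logs metric filter or an EventBridge rule on the trail turns this from an after-the-fact query into an alert; the denied attempts are kept on purpose, since a principal probing buckets it has no rights to is as interesting as one that succeeded.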
**You are working for a startup as its AWS Chief Architect. You are currently assigned to a project that develops an online registration platform for events, which uses Simple Workflow for complete control of your orchestration logic. A decider ingests the customer name, address, contact number, and email address while the activity workers update the customer on the status of their online application via email. Recently, you were having problems with your online registration platform, which were solved by checking the decision task of your workflow.
In SWF, what is the purpose of a decision task?**
Explanation
Option 2 is correct. The decider can be viewed as a special type of worker. Like workers, it can be written in any language and asks Amazon SWF for tasks. However, it handles special tasks called decision tasks.
Amazon SWF issues decision tasks whenever a workflow execution has transitions such as an activity task completing or timing out. A decision task contains information on the inputs, outputs, and current state of previously initiated activity tasks. Your decider uses this data to decide the next steps, including any new activity tasks, and returns those to Amazon SWF. Amazon SWF in turn enacts these decisions, initiating new activity tasks where appropriate and monitoring them.
By responding to decision tasks in an ongoing manner, the decider controls the order, timing, and concurrency of activity tasks and consequently the execution of processing steps in the application. SWF issues the first decision task when an execution starts. From there on, Amazon SWF enacts the decisions made by your decider to drive your execution. The execution continues until your decider makes a decision to complete it.
Option 1 is incorrect because this is the definition of a workflow in SWF.
Option 3 is incorrect because this is the definition of an activity task.
Option 4 is incorrect because this is the definition of an SWF task.
An Architect is managing a data analytics application which exclusively uses Amazon S3 as its data storage. For the past few weeks, the application worked as expected until a new change was implemented to increase the rate at which the application updates its data. There have been reports that outdated data intermittently appears when the application accesses objects from the S3 bucket. The development team investigated the application logic and didn't find any issues.
Which of the following is the MOST likely cause of this issue?
Explanation
Amazon S3 (at the time this practice test was written) provides read-after-write consistency for PUTS of new objects in your S3 bucket in all regions with one caveat: if you make a HEAD or GET request to the key name (to find if the object exists) before creating the object, Amazon S3 provides eventual consistency for read-after-write. Overwrite PUTS and DELETES are eventually consistent in all regions. Note that since December 2020 Amazon S3 delivers strong read-after-write consistency for all PUT and DELETE operations and for LIST, so the behaviours described below no longer occur on the live service; the reasoning is still the expected answer for this question.
Updates to a single key are atomic. For example, if you PUT to an existing key, a subsequent read might return the old data or the updated data, but it will never return corrupted or partial data. This usually happens if your application is using parallel requests on the same object.
Amazon S3 achieves high availability by replicating data across multiple servers within Amazon's data centers. If a PUT request is successful, your data is safely stored. However, information about the changes must replicate across Amazon S3, which can take some time, and so you might observe the following behaviors:
A process writes a new object to Amazon S3 and immediately lists keys within its bucket. Until the change is fully propagated, the object might not appear in the list.
A process replaces an existing object and immediately attempts to read it. Until the change is fully propagated, Amazon S3 might return the prior data.
A process deletes an existing object and immediately attempts to read it. Until the deletion is fully propagated, Amazon S3 might return the deleted data.
A process deletes an existing object and immediately lists keys within its bucket. Until the deletion is fully propagated, Amazon S3 might list the deleted object.
Amazon S3’s support for parallel requests means you can scale your S3 performance by the factor of your compute cluster, without making any customizations to your application. Amazon S3 does not currently support Object Locking. If two PUT requests are simultaneously made to the same key, the request with the latest timestamp wins. If this is an issue, you will need to build an object-locking mechanism into your application.
Updates are key-based; there is no way to make atomic updates across keys. For example, you cannot make the update of one key dependent on the update of another key unless you design this functionality into your application.
Hence, the correct answer is Option 2.
Option 1 is incorrect because using a Range header is primarily used to retrieve an object in parts and is unlikely the root cause on why the application is intermittently getting old data. Using the Range HTTP header in a GET request, you can retrieve a specific range of bytes in an object stored in Amazon S3. With this, you can resume fetching other parts of the object whenever your application is ready. This resumable download is useful when you need only portions of your object data. It is also useful where network connectivity is poor and you need to react to failures.
Option 3 is incorrect because the update operations are key-based which means that there is no way to make atomic updates across keys. Hence, this is not the root cause of this issue.
Option 4 is incorrect because an object-locking mechanism will actually safeguard the application from the issue of getting obsolete data and not the other way around. Moreover, Amazon S3 does not currently support Object Locking.
**An online stocks trading application that stores financial data in an S3 bucket has a lifecycle policy that moves older data to Glacier every month. There is a strict compliance requirement where a surprise audit can happen at any time and you should be able to retrieve the required data in under 15 minutes under all circumstances. Your manager instructed you to ensure that retrieval capacity is available when you need it and should handle up to 150 MB/s of retrieval throughput.
Which of the following should you do to meet the above requirement? (Choose 2)**
Explanation
Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.
To make an Expedited, Standard, or Bulk retrieval, set the Tier parameter in the Initiate Job (POST jobs) REST API request to the option you want, or the equivalent in the AWS CLI or AWS SDKs. If you have purchased provisioned capacity, then all expedited retrievals are automatically served through your provisioned capacity.
Provisioned capacity ensures that your retrieval capacity for expedited retrievals is available when you need it. Each unit of capacity provides that at least three expedited retrievals can be performed every five minutes and provides up to 150 MB/s of retrieval throughput. You should purchase provisioned retrieval capacity if your workload requires highly reliable and predictable access to a subset of your data in minutes. Without provisioned capacity Expedited retrievals are accepted, except for rare situations of unusually high demand. However, if you require access to Expedited retrievals under all circumstances, you must purchase provisioned retrieval capacity.
Option 1 is incorrect because Amazon Glacier Select is not an archive retrieval option and is primarily used to perform filtering operations using simple Structured Query Language (SQL) statements directly on your data archive in Glacier.
Option 3 is incorrect because Bulk retrievals typically complete within 5–12 hours hence, this does not satisfy the requirement of retrieving the data within 15 minutes. The provisioned capacity option is also not compatible with Bulk retrievals.
Option 4 is incorrect because using ranged archive retrievals is not enough to meet the requirement of retrieving the whole archive in the given timeframe. In addition, it does not provide additional retrieval capacity which is what the provisioned capacity option can offer.
**Your company has recently deployed a new web application which uses a serverless-based architecture in AWS. Your manager instructed you to implement CloudWatch metrics to monitor your systems more effectively. You know that Lambda automatically monitors functions on your behalf and reports metrics through Amazon CloudWatch.
In this scenario, what types of data do these metrics monitor? (Choose 2)**
AWS Lambda automatically monitors functions on your behalf, reporting metrics through Amazon CloudWatch. These metrics include total invocation requests, latency, and error rates. The throttles, Dead Letter Queues errors and Iterator age for stream-based invocations are also monitored.
You can monitor metrics for Lambda and view logs by using the Lambda console, the CloudWatch console, the AWS CLI, or the CloudWatch API.

Option 1 is incorrect because CloudWatch does not monitor Lambda's reserved concurrent executions. You can view it through the Lambda console or via CLI manually.
Options 4 and 5 are incorrect because these two are not Lambda metrics.
You currently have an Augmented Reality (AR) mobile game which has a serverless backend. It is using a DynamoDB table which was created using the AWS CLI to store all the user data and information gathered from the players and a Lambda function to pull the data from DynamoDB. The game is being used by millions of users each day to read and store data.
How would you design the application to improve its overall performance and make it more scalable while keeping the costs low? (Choose 2)
Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second. DAX does all the heavy lifting required to add in-memory acceleration to your DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management.

Amazon API Gateway lets you create an API that acts as a "front door" for applications to access data, business logic, or functionality from your back-end services, such as code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. Amazon API Gateway has no minimum fees or startup costs.
AWS Lambda scales your functions automatically on your behalf. Every time an event notification is received for your function, AWS Lambda quickly locates free capacity within its compute fleet and runs your code. Since your code is stateless, AWS Lambda can start as many copies of your function as needed without lengthy deployment and configuration delays.
Option 2 is incorrect because although CloudFront delivers content faster to your users using edge locations, you still cannot integrate DynamoDB table with CloudFront as these two are incompatible. In addition, DataSync is a data transfer service that automates moving data between on-premises storage and Amazon S3 or Amazon EFS. You should not be caching large amounts of data on a client's mobile, but rather on your side.
Option 3 is incorrect because AWS Single Sign-On (SSO) is a cloud SSO service that just makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. This will not be of much help on the scalability and performance of the application. It is costly to manually set the provisioned read and write capacity to a higher RCU and WCU because this capacity will run round the clock and will still be the same even if the incoming traffic is stable and there is no need to scale.
Option 5 is incorrect because, by default, Auto Scaling is not enabled in a DynamoDB table which is created using the AWS CLI.
**An online job site is using NGINX for its application servers hosted in EC2 instances and MongoDB Atlas for its database-tier. MongoDB Atlas is a fully automated third-party cloud service which is not provided by AWS, but supports VPC peering to connect to your VPC.**
Which of the following items are invalid VPC peering configurations? (Choose 2)
Options 2 and 3 are invalid VPC Peering configurations, while the other options are valid ones.
The following VPC peering connection configurations are not supported.
Overlapping CIDR Blocks
You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.
If the VPCs have multiple IPv4 CIDR blocks, you cannot create a VPC peering connection if any of the CIDR blocks overlap (regardless of whether you intend to use the VPC peering connection for communication between the non-overlapping CIDR blocks only).
This limitation also applies to VPCs that have non-overlapping IPv6 CIDR blocks. Even if you intend to use the VPC peering connection for IPv6 communication only, you cannot create a VPC peering connection if the VPCs have matching or overlapping IPv4 CIDR blocks. Communication over IPv6 is not supported for an inter-region VPC peering connection.
Transitive Peering
You have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc). There is no VPC peering connection between VPC B and VPC C. You cannot route packets directly from VPC B to VPC C through VPC A.
Edge to Edge Routing Through a Gateway or Private Connection
If either VPC in a peering relationship has one of the following connections, you cannot extend the peering relationship to that connection:

For example, if VPC A and VPC B are peered, and VPC A has any of these connections, then instances in VPC B cannot use the connection to access resources on the other side of the connection. Similarly, resources on the other side of a connection cannot use the connection to access VPC B.
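The two unsupported configurations above, as an added example that is not part of the course material: a small Python check that refuses a peering when any IPv4 CIDR pair overlaps and treats a destination as reachable only over a peering that directly joins the two VPCs. All VPC names, CIDR blocks and peerings are constructed.

```python
"""Added check for the two unsupported VPC peering configurations above:
overlapping IPv4 CIDR blocks and transitive (hub-and-spoke) routing.
All VPC names, CIDR blocks and peerings below are constructed."""
import ipaddress
from itertools import product


def cidrs_overlap(cidrs_a, cidrs_b):
    """True if any IPv4 block of one VPC overlaps any IPv4 block of the other.

    AWS rejects the peering if *any* pair overlaps, even when you only intend
    to route between the non-overlapping blocks. Only IPv4 is checked: the
    text above notes the rule applies even to VPCs whose IPv6 blocks differ."""
    nets_a = [ipaddress.ip_network(c) for c in cidrs_a]
    nets_b = [ipaddress.ip_network(c) for c in cidrs_b]
    return any(a.overlaps(b) for a, b in product(nets_a, nets_b))


def can_create_peering(vpcs, a, b):
    """Return (ok, reason) for a proposed peering between VPC a and VPC b."""
    if a == b:
        return False, "a VPC cannot be peered with itself"
    if cidrs_overlap(vpcs[a], vpcs[b]):
        return False, "overlapping IPv4 CIDR blocks"
    return True, "ok"


def reachable_via_peering(peerings, src, dst):
    """Peering is not transitive: src can reach dst only over a connection
    that directly joins the two VPCs, never through a third VPC."""
    return any({src, dst} == set(p) for p in peerings)


# Constructed inventory: VPC name -> IPv4 CIDR blocks.
VPCS = {
    "vpc-a": ["10.0.0.0/16"],                       # application VPC
    "vpc-b": ["192.168.0.0/16"],                    # e.g. the MongoDB Atlas side
    "vpc-c": ["172.16.0.0/16"],
    "vpc-bad": ["172.31.0.0/16", "10.0.128.0/17"],  # second block clashes with vpc-a
}

# Constructed peerings, like pcx-aaaabbbb (A<->B) and pcx-aaaacccc (A<->C).
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-a", "vpc-c")]

if __name__ == "__main__":
    print(can_create_peering(VPCS, "vpc-a", "vpc-b"))        # (True, 'ok')
    print(can_create_peering(VPCS, "vpc-a", "vpc-bad"))      # (False, 'overlapping IPv4 CIDR blocks')
    print(reachable_via_peering(PEERINGS, "vpc-b", "vpc-c"))  # False: no B<->C peering
```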
**A company is using a custom shell script to automate the deployment and management of their EC2 instances. The script is using various AWS CLI commands such as revoke-security-group-ingress, revoke-security-group-egress, run-scheduled-instances and many others.**
In the shell script, what does the revoke-security-group-ingress command do?
Explanation
The revoke-security-group-ingress command removes one or more ingress rules from a security group.
Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not have to specify the description to revoke the rule.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur. This example removes TCP port 22 access for the 203.0.113.0/24 address range from the security group named MySecurityGroup. If the command succeeds, no output is returned.
Command:
aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr 203.0.113.0/24
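As an added illustration (not the company's script or AWS code), the following Python derives one revoke command per ingress rule from `describe-security-groups` output, identifying each rule the way the text above describes: protocol, port range for TCP/UDP, type and code for ICMP, and a CIDR or source group, with the description omitted. The security-group JSON is constructed to look like CLI output and its group IDs are placeholders.

```python
"""Added example: derive `revoke-security-group-ingress` commands from the
IpPermissions that `aws ec2 describe-security-groups` returns, identifying
each rule the way the CLI needs it (protocol, port range or ICMP type/code,
CIDR or source group) and omitting descriptions, which are not needed.
The JSON below is constructed to look like CLI output; the group IDs are
placeholders, not real resources."""
import json
import shlex

CLI = ["aws", "ec2", "revoke-security-group-ingress"]

# Constructed sample of `aws ec2 describe-security-groups --group-names MySecurityGroup`.
DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupName": "MySecurityGroup",
        "GroupId": "sg-0123456789abcdef0",   # placeholder
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8080, "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},  # placeholder
            {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        ],
    }]
})


def revoke_commands(describe_json, group_name, cidr=None):
    """Return one revoke command per (rule, source) in the named group.

    If `cidr` is given, only rules that grant access to that CIDR are
    returned, which is the usual way to strip one stale address range."""
    data = json.loads(describe_json)
    group = next(g for g in data["SecurityGroups"] if g["GroupName"] == group_name)
    commands = []
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "icmp":
            # ICMP rules are identified by type (FromPort) and code (ToPort, -1 = all
            # codes); passing them as an IpPermission structure avoids --port ambiguity.
            for rng in perm.get("IpRanges", []):
                if cidr is not None and rng["CidrIp"] != cidr:
                    continue
                perm_json = json.dumps([{"IpProtocol": "icmp", "FromPort": perm["FromPort"],
                                         "ToPort": perm["ToPort"],
                                         "IpRanges": [{"CidrIp": rng["CidrIp"]}]}],
                                       separators=(",", ":"))
                commands.append(shlex.join(CLI + ["--group-name", group_name,
                                                  "--ip-permissions", perm_json]))
            continue
        base = CLI + ["--group-name", group_name,
                      "--protocol", "all" if proto == "-1" else proto]
        if proto in ("tcp", "udp"):
            # TCP/UDP rules also need the destination port or port range.
            lo, hi = perm["FromPort"], perm["ToPort"]
            base += ["--port", str(lo) if lo == hi else f"{lo}-{hi}"]
        for rng in perm.get("IpRanges", []):
            if cidr is None or rng["CidrIp"] == cidr:
                commands.append(shlex.join(base + ["--cidr", rng["CidrIp"]]))
        if cidr is None:
            for pair in perm.get("UserIdGroupPairs", []):
                commands.append(shlex.join(base + ["--source-group", pair["GroupId"]]))
    return commands


if __name__ == "__main__":
    for cmd in revoke_commands(DESCRIBE_OUTPUT, "MySecurityGroup"):
        print(cmd)
```

The first command produced is exactly the page's own example above; the remaining ones show the source-group, ICMP and all-protocol forms.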
Your web application is relying entirely on slower disk-based databases, causing it to perform slowly. To improve its performance, you integrated an in-memory data store to your web application using ElastiCache. How does Amazon ElastiCache improve database performance?
Explanation
ElastiCache improves the performance of your database through caching query results.
The primary purpose of an in-memory key-value store is to provide ultra-fast (submillisecond latency) and inexpensive access to copies of data. Most data stores have areas of data that are frequently accessed but seldom updated. Additionally, querying a database is always slower and more expensive than locating a key in a key-value pair cache. Some database queries are especially expensive to perform, for example, queries that involve joins across multiple tables or queries with intensive calculations.
By caching such query results, you pay the price of the query once and then are able to quickly retrieve the data multiple times without having to re-execute the query.
Option 1 is incorrect because this option describes what CloudFront does and not ElastiCache.
Option 2 is incorrect because this option describes what Amazon DynamoDB Accelerator (DAX) does and not ElastiCache. Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB. Amazon ElastiCache cannot provide a performance improvement from milliseconds to microseconds, let alone millions of requests per second like DAX can.
Option 4 is incorrect because this option describes what an RDS Read Replica does and not ElastiCache. Amazon RDS Read Replicas enable you to create one or more read-only copies of your database instance within the same AWS Region or in a different AWS Region.
You are trying to convince a team to use Amazon RDS Read Replica for your multi-tier web application. What are two benefits of using read replicas? (Choose 2)
Explanation
Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.
You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL, as well as Amazon Aurora.
Option 2 is incorrect as Read Replicas are primarily used to offload read operations from the primary database instance.
Option 4 is incorrect as this is a benefit of Multi-AZ and not of a Read Replica.
Option 5 is incorrect because Read Replicas do not do anything to upgrade or increase the read throughput of the primary DB instance per se; instead they provide a way for your application to fetch data from replicas. In this way, they improve the overall performance of your entire database-tier (and not just the primary DB instance).
**You are a Solutions Architect working for an aerospace engineering company which recently adopted a hybrid cloud infrastructure with AWS. One of your tasks is to launch a VPC with both public and private subnets for their EC2 instances as well as their database instances respectively.
Which of the following statements are true regarding Amazon VPC subnets? (Choose 2)**
Explanation
A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location.

Below are the important points you have to remember about subnets:
Option 1 is incorrect because EC2 instances in a private subnet can communicate with the Internet not just by having an Elastic IP, but also with a public IP address.
Option 3 is incorrect because the allowed block size in VPC is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses) and not /27 netmask. For you to easily remember this, /27 netmask is equivalent to exactly 27 IP addresses but keep in mind that the limit is until /28 netmask.
Option 5 is incorrect because each subnet must reside entirely within one Availability Zone and cannot span zones.
In Amazon EC2, you can manage your instances from the moment you launch them up to their termination. You can flexibly control your computing costs by changing the EC2 instance state. Which of the following statements is true regarding EC2 billing? (Choose 2)
Explanation
By working with Amazon EC2 to manage your instances from the moment you launch them through their termination, you ensure that your customers have the best possible experience with the applications or sites that you host on your instances. The following illustration represents the transitions between instance states. Notice that you can't stop and start an instance store-backed instance:

Below are the valid EC2 lifecycle instance states:
pending - The instance is preparing to enter the running state. An instance enters the pending state when it launches for the first time, or when it is restarted after being in the stopped state.
running - The instance is running and ready for use.
stopping - The instance is preparing to be stopped. Take note that you will not be billed if it is preparing to stop; however, you will still be billed if it is preparing to hibernate.
stopped - The instance is shut down and cannot be used. The instance can be restarted at any time.
shutting-down - The instance is preparing to be terminated.
terminated - The instance has been permanently deleted and cannot be restarted. Take note that Reserved Instances that applied to terminated instances are still billed until the end of their term according to their payment option.
Option 1 is incorrect because you will not be billed if your instance is in pending state.
Option 2 is incorrect because you will not be billed if your instance is preparing to stop with a stopping state.
Option 3 is correct because when the instance state is stopping, you will not be billed if it is preparing to stop; however, you will still be billed if it is preparing to hibernate.
Option 4 is correct because Reserved Instances that applied to terminated instances are still billed until the end of their term according to their payment option. I actually raised a pull request to the Amazon team about the billing conditions for Reserved Instances, which has been approved and reflected in your official AWS Documentation: https://github.com/awsdocs/amazon-ec2-user-guide/pull/45
Option 5 is incorrect because the statement is not entirely true. You can still be billed if your instance is preparing to hibernate with a stopping state.
Your customer has clients all across the globe that access product files stored in several S3 buckets, which are behind each of their own CloudFront web distributions. They currently want to deliver their content to a specific client, and they need to make sure that only that client can access the data. Currently, all of their clients can access their S3 buckets directly using an S3 URL or through their CloudFront distribution.
Which of the following are possible solutions that you could implement to meet the above requirements?
Explanation
Many companies that distribute content over the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content by using CloudFront, you can do the following:
- Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
- Require that your users access your Amazon S3 content by using CloudFront URLs, not Amazon S3 URLs. Requiring CloudFront URLs isn't necessary, but it is recommended to prevent users from bypassing the restrictions that you specify in signed URLs or signed cookies.

All objects and buckets by default are private. The presigned URLs are useful if you want your user/customer to be able to upload a specific object to your bucket, but you don't require them to have AWS security credentials or permissions. You can generate a presigned URL programmatically using the AWS SDK for Java or the AWS SDK for .NET. If you are using Microsoft Visual Studio, you can also use AWS Explorer to generate a presigned object URL without writing any code. Anyone who receives a valid presigned URL can then programmatically upload an object.
Option 3 is correct because using a presigned URL to your S3 bucket will prevent other users from accessing your private data which is intended only for a certain client.
Option 1 is incorrect because the signed cookies feature is primarily used if you want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of a website. In addition, this solution is not complete since the users can bypass the restrictions by simply using the direct S3 URLs.
Option 2 is incorrect because although this solution is valid, the users can still bypass the restrictions in CloudFront by simply connecting to the direct S3 URLs.
Option 4 is incorrect because an Origin Access Identity (OAI) will require your client to access the files only by using the CloudFront URL and not through a direct S3 URL. This can be a possible solution if it mentions the use of Signed URL or Signed Cookies.
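To make concrete what the SDK does when it generates a presigned URL, here is an added example (not from the course or the AWS SDK) that hand-rolls Signature Version 4 query-string presigning for an S3 GET. It assumes the placeholder access key pair from the AWS documentation and that documentation's worked-example bucket, object and timestamp; in practice you would call the SDK rather than sign by hand.

```python
"""Added example: AWS Signature Version 4 query-string presigning of an S3
GET, hand-rolled to show what the SDK's presigned-URL helpers produce.
The key pair is the placeholder from the AWS documentation (not real
credentials); bucket, key and timestamp are those of the documentation's
worked example. In practice use the SDK, not this code."""
import datetime
import hashlib
import hmac
from urllib.parse import quote

DOC_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DOC_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_EXPIRES = 7 * 24 * 3600  # S3 caps presigned URL lifetime at seven days


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region, service):
    # kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_get(access_key, secret_key, bucket, key, region, when, expires=3600):
    """Return a presigned GET URL for s3://bucket/key, valid `expires` seconds
    from `when` (a naive UTC datetime).

    Whoever holds the URL can fetch the object with the signer's permissions
    until it expires, so keep lifetimes short and sign with a key that can
    read only what the client is meant to see."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.amazonaws.com"
    canonical_uri = quote("/" + key)  # keeps "/", encodes other reserved characters
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query: sorted by name, names and values URI-encoded ("/" -> %2F).
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    # Only the Host header is signed; the payload is unsigned for presigned S3 URLs.
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, amz_date[:8], region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def doc_example_url(expires=86400):
    """The AWS documentation's worked example: GET examplebucket/test.txt,
    signed at 2013-05-24T00:00:00Z in us-east-1."""
    return presign_get(DOC_ACCESS_KEY, DOC_SECRET_KEY, "examplebucket", "test.txt",
                       "us-east-1", datetime.datetime(2013, 5, 24, 0, 0, 0), expires)


if __name__ == "__main__":
    print(doc_example_url())
```

Because the signature covers the expiry and the object path, the URL cannot be extended or pointed at a different object without the secret key; it can, however, be replayed by anyone who obtains it before it expires.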
Configure Cross-Zone Load Balancing for Your Classic Load Balancer
With cross-zone load balancing, each load balancer node for your Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones. If cross-zone load balancing is disabled, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only. For more information, see Cross-Zone Load Balancing in the Elastic Load Balancing User Guide.
Cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled Availability Zone, and improves your application's ability to handle the loss of one or more instances. However, we still recommend that you maintain approximately equivalent numbers of instances in each enabled Availability Zone for higher fault tolerance.
For environments where clients cache DNS lookups, incoming requests might favor one of the Availability Zones. Using cross-zone load balancing, this imbalance in the request load is spread across all available instances in the region, reducing the impact of misbehaving clients.
When you create a Classic Load Balancer, the default for cross-zone load balancing depends on how you create the load balancer. With the API or CLI, cross-zone load balancing is disabled by default. With the AWS Management Console, the option to enable cross-zone load balancing is selected by default. After you create a Classic Load Balancer, you can enable or disable cross-zone load balancing at any time.
EC2 Instances
By default, AWS has a limit of 20 instances per region. This includes all instances set up on your AWS account.
To increase EC2 limits, request a higher limit by providing information about the new limit and regions where it should be applied.
Static IP Addresses
By default, AWS sets a limit of 5 static IP addresses per region. This includes IP addresses unassigned and currently assigned to a server.
To increase the IP address limit, request a higher limit by providing information about the new limit and regions where it should be applied.
Snapshots
The AWS default limit for all snapshots is 10000 snapshots per region.
To increase the number of snapshots allowed, contact AWS Support and request a higher limit.
Today we are introducing Auto Scaling for DynamoDB to help automate capacity management for your tables and global secondary indexes. You simply specify the desired target utilization and provide upper and lower bounds for read and write capacity. DynamoDB will then monitor throughput consumption using Amazon CloudWatch alarms and then will adjust provisioned capacity up or down as needed. Auto Scaling will be on by default for all new tables and indexes, and you can also configure it for existing ones.
Amazon S3 Transfer Acceleration
Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.
When using Transfer Acceleration, additional data transfer charges may apply. For more information about pricing, see Amazon S3 Pricing.
S3 and Glacier Select
Some companies in highly regulated industries like Financial Services, Healthcare, and others, write data directly to Amazon Glacier to satisfy compliance needs like SEC Rule 17a-4 or HIPAA. Many S3 users have lifecycle policies designed to save on storage costs by moving their data into Glacier when they no longer need to access it on a regular basis. Most legacy archival solutions, like on-premises tape libraries, have highly restricted data retrieval throughput and are unsuitable for rapid analytics or processing. If you want to make use of data stored on one of those tapes you might have to wait for weeks to get useful results. In contrast, cold data stored in Glacier can now be easily queried within minutes.
This unlocks a lot of exciting new business value for your archived data. Glacier Select allows you to perform filtering directly against a Glacier object using standard SQL statements.
Glacier Select works just like any other retrieval job except that it has an additional set of parameters you can pass in the initiate job request.
Amazon Simple WorkFlow (Amazon SWF)
AWS Cheat Sheet - Amazon Simple WorkFlow (A... https://tutorialsdojo.com/aws-cheat-sheet-amazon... (2019-12-15, 11:55 a.m.)
A fully-managed state tracker and task coordinator in the Cloud. You create desired workflows with their associated tasks and any conditional logic you wish to apply and store them with SWF.
Features
SWF promotes a separation between the control flow of your background job's stepwise logic and the actual units of work that contain your unique business logic.
SWF manages your workflow execution history and other details of your workflows across 3 availability zones.
SWF lets you write your application components and coordination logic in any programming language and run them in the cloud or on-premises.
SWF is highly scalable. It gives you full control over the number of workers that you run for each activity type and the number of instances that you run for a decider.
SWF also provides the AWS Flow Framework to help developers use asynchronous programming in the development of their applications.
Concepts
Workflow: A set of activities that carry out some objective, together with logic that coordinates the activities. Workflows coordinate and manage the execution of activities that can be run asynchronously across multiple computing devices and that can feature both sequential and parallel processing. Each workflow runs in an AWS resource called a domain, which controls the workflow's scope. An AWS account can have multiple domains, each of which can contain multiple workflows, but workflows in different domains can't interact. When you register an activity to a workflow, you provide information such as a name and version, and some timeout values based on how long you expect the activity to take.
Activity Task: An activity task tells an activity worker to perform its function. SWF stores tasks and assigns them to workers when they are ready, tracks their progress, and maintains their state, including details on their completion. To coordinate tasks, you write a program that gets the latest state of each task from SWF and uses it to initiate subsequent tasks. Activity tasks can run synchronously or asynchronously. They can be distributed across multiple computers, potentially in different geographic regions, or they can all run on the same computer. Activity tasks for a running workflow execution appear on the activity task list, which is provided when you schedule an activity in the workflow. If you don't specify a task list when scheduling an activity task, the task is automatically placed on the default task list.
Lambda Task: Executes a Lambda function instead of a traditional SWF activity.
Decision Task: A decision task tells a decider that the state of the workflow execution has changed so that the decider can determine the next activity that needs to be performed. The decision task contains the current workflow history. SWF assigns each decision task to exactly one decider and allows only one decision task at a time to be active in a workflow execution.
Workflow Starter: Any application that can initiate workflow executions.
Activity Worker: An activity worker is a program that receives activity tasks, performs them, and provides results back. Implement workers to perform tasks. These workers can run either on cloud infrastructure, or on your own premises. Different activity workers can be written in different programming languages and run on different operating systems. Assigning particular tasks to particular activity workers is called task routing. Task routing is optional.
Decider: A software program that contains the coordination logic in a workflow. It schedules activity tasks, provides input data to the activity workers, processes events that arrive while the workflow is in progress, and ultimately ends the workflow when the objective has been completed. Both activity workers and the decider receive their tasks by polling the SWF service.
Workflow Execution History: The workflow execution history is composed of events, where an event represents a significant change in the state of the workflow execution. SWF informs the decider of the state of the workflow by including, with each decision task, a copy of the current workflow execution history.
Polling: Deciders and activity workers communicate with SWF using long polling.
Workflow Execution
Write activity workers that implement the processing steps in your Workflow.
Write a decider to implement the coordination logic of your Workflow.
Register your activities and Workflow with Amazon SWF.
Start your activity workers and decider.
Start one or more executions of your Workflow. Each execution runs independently and you can provide each with its own set of input data. When an execution is started, Amazon SWF schedules the initial decision task. In response, your decider begins generating decisions which initiate activity tasks. Execution continues until your decider makes a decision to close the execution.
Filter and view complete details of running as well as completed executions.
SWF provides service operations that are accessible through HTTP requests.
Endpoints
To reduce latency and to store data in a location that meets your requirements, SWF provides endpoints in different regions. Each endpoint is completely independent. When you register an SWF domain, workflow or activity, it exists only within the region you registered it in.
AWS Flow Framework
An enhanced SDK for writing distributed, asynchronous programs that can run as workflows on SWF. It is available for the Java and Ruby programming languages, and it provides classes that simplify writing complex distributed programs.
split-shard
Description
Splits a shard into two new shards in the Kinesis data stream, to increase the stream's capacity to ingest and transport data. SplitShard is called when there is a need to increase the overall capacity of a stream because of an expected increase in the volume of data records being ingested.
You can also use SplitShard when a shard appears to be approaching its maximum utilization; for example, the producers sending data into the specific shard are suddenly sending more than previously anticipated. You can also call SplitShard to increase stream capacity, so that more Kinesis Data Streams applications can simultaneously read data from the stream for real-time processing.
You must specify the shard to be split and the new hash key, which is the position in the shard where the shard gets split in two. In many cases, the new hash key might be the average of the beginning and ending hash key, but it can be any hash key value in the range being mapped into the shard. For more information, see Split a Shard in the Amazon Kinesis Data Streams Developer Guide .
You can use DescribeStream to determine the shard ID and hash key values for the ShardToSplit and NewStartingHashKey parameters that are specified in the SplitShard request.
You can use DescribeStream to check the status of the stream, which is returned in StreamStatus . If the stream is in the ACTIVE state, you can call SplitShard . If a stream is in CREATING or UPDATING or DELETING states, DescribeStream returns a ResourceInUseException .
If the specified stream does not exist, DescribeStream returns a ResourceNotFoundException . If you try to create more shards than are authorized for your account, you receive a LimitExceededException .
For the default shard limit for an AWS account, see Kinesis Data Streams Limits in the Amazon Kinesis Data Streams Developer Guide . To increase this limit, contact AWS Support .
If you try to operate on too many streams simultaneously using CreateStream , DeleteStream , MergeShards , and/or SplitShard , you receive a LimitExceededException .
See also: AWS API Documentation
See 'aws help' for descriptions of global parameters.
Synopsis
split-shard --stream-name --shard-to-split --new-starting-hash-key [--cli-input-json ] [--generate-cli-skeleton ]
Options
--stream-name (string)
--shard-to-split (string)
--new-starting-hash-key (string)
--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.
--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
AWS Certified Solutions Architect Associate Practice Test 4 - Results (Attempt 1)
Question 1: Incorrect
A data analytics company has been building its new generation big data and analytics platform on their AWS cloud infrastructure. They need a storage service that provides the scale and performance that their big data applications require such as high throughput to compute nodes coupled with read-after-write consistency and low-latency file operations. In addition, their data needs to be stored redundantly across multiple AZs and allows concurrent connections from multiple EC2 instances hosted on multiple AZs.
Which of the following AWS storage services will you use to meet this requirement?
Explanation
In this question, you should take note of the two keywords/phrases: "file operation" and "allows concurrent connections from multiple EC2 instances". There are various AWS storage options that you can choose, but whenever these criteria show up, always consider using EFS instead of EBS Volumes, which are mainly used as "block" storage and can only have one connection to one EC2 instance at a time. Amazon EFS provides the scale and performance required for big data applications that require high throughput to compute nodes coupled with read-after-write consistency and low-latency file operations.
Amazon EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud. With a few clicks in the AWS Management Console, you can create file systems that are accessible to Amazon EC2 instances via a file system interface (using standard operating system file I/O APIs) and that support full file system access semantics (such as strong consistency and file locking).
Amazon EFS file systems can automatically scale from gigabytes to petabytes of data without needing to provision storage. Tens, hundreds, or even thousands of Amazon EC2 instances can access an Amazon EFS file system at the same time, and Amazon EFS provides consistent performance to each Amazon EC2 instance. Amazon EFS is designed to be highly durable and highly available.
Option 2 is incorrect because EBS does not allow concurrent connections from multiple EC2 instances hosted on multiple AZs and it does not store data redundantly across multiple AZs by default, unlike EFS.
Option 3 is incorrect because although S3 can handle concurrent connections from multiple EC2 instances, it does not have the ability to provide low-latency file operations, which is required in this scenario.
Option 4 is incorrect because Glacier is an archiving storage solution and is not applicable in this scenario.
References:
https://docs.aws.amazon.com/efs/latest/ug/performance.html
https://aws.amazon.com/efs/faq/
Check out this Amazon EFS Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-efs/
Check out this Amazon S3 vs EBS vs EFS Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-s3-vs-ebs-vs-efs/
Question 12: Incorrect
A financial company instructed you to automate the recurring tasks in your department such as patch management, infrastructure selection, and data synchronization to improve their current processes. You need to have a service which can coordinate multiple AWS services into serverless workflows.
Which of the following is the most cost-effective service to use in this scenario?
Explanation
AWS Step Functions provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps. As your applications execute, Step Functions maintains application state, tracking exactly which workflow step your application is in, and stores an event log of data that is passed between application components. That means that if networks fail or components hang, your application can pick up right where it left off.
Application development is faster and more intuitive with Step Functions, because you can define and manage the workflow of your application independently from its business logic. Making changes to one does not affect the other. You can easily update and modify workflows in one place, without having to struggle with managing, monitoring and maintaining multiple point-to-point integrations. Step Functions frees your functions and containers from excess code, so your applications are faster to write, more resilient, and easier to maintain.
Option 1 is incorrect because SWF is a fully-managed state tracker and task coordinator service. It does not provide serverless orchestration to multiple AWS resources.
Option 2 is incorrect because although Lambda is used for serverless computing, it does not provide a direct way to coordinate multiple AWS services into serverless workflows.
Option 4 is incorrect because AWS Batch is primarily used to efficiently run hundreds of thousands of batch computing jobs in AWS.
Reference:
https://aws.amazon.com/step-functions/features/
Check out this AWS Step Functions Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-aws-step-functions/
Amazon Simple Workflow (SWF) vs AWS Step Functions vs Amazon SQS:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-simple-workflow-swf-vs-aws-step-functions-vs-amazon-sqs/
Comparison of AWS Services Cheat Sheets:
https://tutorialsdojo.com/comparison-of-aws-services-for-udemy-students/
Question 19: Incorrect
A company is using hundreds of AWS resources in multiple AWS regions. They require a way to uniquely identify all of their AWS resources that will allow them to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
Which of the following is the most suitable option to use in this scenario?
Explanation
Amazon Resource Names (ARNs) uniquely identify AWS resources. An ARN is required when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
Option 1 is incorrect because an AWS Resource ID is primarily used to find your resources in the Amazon EC2 console only and not your entire VPC or AWS account.
Option 2 is incorrect because AWS Service Namespaces only helps you identify an AWS service and not a unique resource. For example, the namespace for Amazon S3 is s3, and the namespace for Amazon EC2 is ec2.
Option 4 is incorrect because although tags enable you to categorize your AWS resources by purpose, owner, or environment, they are still limited because you cannot tag every AWS resource. Take note that you cannot tag an egress-only internet gateway, a VPC flow log, a VPC endpoint, and many others. Amazon Resource Names (ARNs) uniquely identify all of your AWS resources, which makes them the more suitable option for this scenario.
References:
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resource-ids.html
Question 27: Incorrect
A data analytics company, which uses machine learning to collect and analyze consumer data, is using Redshift cluster as their data warehouse. You are instructed to implement a disaster recovery plan for their systems to ensure business continuity even in the event of an AWS region outage.
Which of the following is the best approach to meet this requirement?
Explanation
You can configure Amazon Redshift to copy snapshots for a cluster to another region. To configure cross-region snapshot copy, you need to enable this copy feature for each cluster and configure where to copy snapshots and how long to keep copied automated snapshots in the destination region. When cross-region copy is enabled for a cluster, all new manual and automatic snapshots are copied to the specified region.
Option 1 is incorrect because although this option is possible, this entails a lot of manual work and hence, not the best option. You should configure cross-region snapshot copy instead.
Option 2 is incorrect because although Amazon Redshift is a fully-managed data warehouse, you will still need to configure cross-region snapshot copy to ensure that your data is properly replicated to another region.
Option 3 is incorrect because using automated snapshots is not enough and will not be available in case the entire AWS region is down.
Reference:
https://docs.aws.amazon.com/redshift/latest/mgmt/managing-snapshots-console.html
Check out this Amazon Redshift Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-redshift/
Question 29: Incorrect
You are a Solutions Architect working for a large multinational investment bank. They have a web application that requires a minimum of 4 EC2 instances to run to ensure that it can cater to its users across the globe. You are instructed to ensure fault tolerance of this system.
Which of the following is the best option?
Explanation
Fault Tolerance is the ability of a system to remain in operation even if some of the components used to build the system fail. In AWS, this means that in the event of server faults or system failures, the number of running EC2 instances should not fall below the minimum number of instances the system requires to work properly. So if the application requires a minimum of 4 instances, there should be at least 4 instances running even when there is an outage in one of the Availability Zones or when there are server issues.
One of the differences between Fault Tolerance and High Availability is that the former refers to the minimum number of running instances. For example, you have a system that requires a minimum of 4 running instances and currently has 6 running instances deployed in two Availability Zones. A component failure in one of the Availability Zones knocks out 3 instances. In this case, the system can still be regarded as Highly Available since there are still instances running that can accommodate the requests. However, it is not Fault Tolerant since the required minimum of four instances has not been met.
As such, Option 1 is the correct answer because even if there was an outage in one of the Availability Zones, the system still satisfies the requirement of a minimum of 4 running instances.
Option 2 is incorrect because if one Availability Zone went out, there will only be 2 running instances available out of the required 4 minimum instances. Although the Auto Scaling group can spin up another 2 instances, the fault tolerance of the web application has already been compromised.
Option 3 is incorrect because if the Availability Zone went out, there will be no running instance available to accommodate the request.
Option 4 is incorrect because if one Availability Zone went out, there will only be 3 instances available to accommodate the request.
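As an added illustration of the minimum-instances rule above (example code, not part of the practice test or of AWS documentation), the following assesses constructed fleets the way the explanation does, and generalises it to compute how many instances each AZ needs for a given minimum and number of AZs:

```python
"""Check whether an EC2 fleet stays fault tolerant when one Availability Zone fails.

Added example, not from the practice test. It applies the rule given in the
explanation: the fleet is fault tolerant only if losing any single AZ still
leaves at least the minimum number of instances the application needs, and
highly available if at least one instance survives. Fleets are constructed.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Verdict:
    highly_available: bool  # at least one instance survives the worst AZ loss
    fault_tolerant: bool    # the required minimum survives the worst AZ loss
    worst_case_az: str      # the AZ whose loss removes the most instances
    worst_case_remaining: int


def assess(fleet: Dict[str, int], minimum: int) -> Verdict:
    """Simulate losing each AZ in turn; fleet maps AZ name -> running instances."""
    if minimum < 1:
        raise ValueError("minimum must be at least 1")
    if not fleet or any(n < 0 for n in fleet.values()):
        raise ValueError("fleet needs at least one AZ with a non-negative count")
    total = sum(fleet.values())
    # The worst case is losing the AZ that currently holds the most instances.
    worst_az = max(fleet, key=fleet.get)
    remaining = total - fleet[worst_az]
    return Verdict(
        highly_available=remaining >= 1,
        fault_tolerant=remaining >= minimum,
        worst_case_az=worst_az,
        worst_case_remaining=remaining,
    )


def instances_per_az(minimum: int, az_count: int) -> int:
    """Even per-AZ count needed so that losing any one AZ still leaves `minimum`.

    The surviving az_count - 1 zones must together hold `minimum` instances,
    so each zone needs ceil(minimum / (az_count - 1)).
    """
    if az_count < 2:
        raise ValueError("surviving an AZ loss needs at least two AZs")
    return -(-minimum // (az_count - 1))  # ceiling division


if __name__ == "__main__":
    # Constructed fleets for an application that needs a minimum of 4 instances.
    fleets = {
        "6 instances in 2 AZs (3 + 3)": {"az-a": 3, "az-b": 3},
        "4 instances in 1 AZ": {"az-a": 4},
        "8 instances in 2 AZs (4 + 4)": {"az-a": 4, "az-b": 4},
    }
    for label, fleet in fleets.items():
        v = assess(fleet, minimum=4)
        print(f"{label}: HA={v.highly_available} FT={v.fault_tolerant} "
              f"(lose {v.worst_case_az}: {v.worst_case_remaining} left)")
    print("per-AZ count for minimum 4 over 2 AZs:", instances_per_az(4, 2))  # 4
    print("per-AZ count for minimum 4 over 3 AZs:", instances_per_az(4, 3))  # 2
```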
References:
https://media.amazonwebservices.com/AWS_Building_Fault_Tolerant_Applications.pdf
https://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_ftha_04.pdf
Question 35: Incorrect
You have a web-based order processing system which is currently using a queue in Amazon SQS. The support team noticed that there are a lot of cases where an order was processed twice. This issue has caused a lot of trouble in your processing and made your customers very unhappy. Your IT Manager has asked you to ensure that this issue does not happen again.
What can you do to prevent this from happening again in the future?
Explanation
Amazon SWF provides useful guarantees around task assignment. It ensures that a task is never duplicated and is assigned only once. Thus, even though you may have multiple workers for a particular activity type (or a number of instances of a decider), Amazon SWF will give a specific task to only one worker (or one decider instance). Additionally, Amazon SWF keeps at most one decision task outstanding at a time for a workflow execution. Thus, you can run multiple decider instances without worrying about two instances operating on the same execution simultaneously. These facilities enable you to coordinate your workflow without worrying about duplicate, lost, or conflicting tasks.
The main issue in this scenario is that the order management system produces duplicate orders at times. Since the company is using SQS, there is a possibility that a message can have a duplicate in case an EC2 instance failed to delete the already processed message. To prevent this issue from happening, you have to use Amazon Simple Workflow service instead of SQS. Therefore, the correct answer is Option 3.
Option 1 is incorrect because the message retention period only controls how long Amazon SQS keeps a message in the queue before deleting it; it has no bearing on duplicate delivery.
Option 2 is incorrect because, for standard queues, the visibility timeout isn't a guarantee against receiving a message twice. To avoid duplicate SQS messages, it is better to design your applications to be idempotent (they should not be affected adversely when processing the same message more than once).
Option 4 is incorrect because changing the message size in SQS is not related at all in this scenario.
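An added example (not from the practice test) of the idempotent design the Option 2 note recommends, using a constructed stand-in for standard-queue at-least-once delivery rather than a real SQS client:

```python
"""Idempotent consumer for an at-least-once queue (SQS standard queue semantics).

Added example, not code from the practice test. A constructed queue stand-in
redelivers a message that was not deleted before its visibility timeout expired,
and a producer retry enqueues the same order twice; the consumer keys its work
on the order ID so neither case charges an order a second time.
"""
import json
from typing import Dict, List, Optional, Set, Tuple


class StandardQueue:
    """Received messages stay in flight until deleted; undeleted ones come back."""
    def __init__(self, bodies: List[str]) -> None:
        self.visible, self.inflight, self._n = list(bodies), {}, 0

    def receive(self) -> Optional[Tuple[str, str]]:
        if not self.visible:
            return None
        receipt, self._n = f"receipt-{self._n}", self._n + 1
        self.inflight[receipt] = body = self.visible.pop(0)
        return receipt, body

    def delete(self, receipt: str) -> None:
        self.inflight.pop(receipt)

    def expire_visibility(self) -> None:
        """Visibility timeout elapsed: every undeleted message is visible again."""
        self.visible.extend(self.inflight.values())
        self.inflight.clear()


class OrderProcessor:
    """Consumer that refuses to act twice on the same order ID."""
    def __init__(self) -> None:
        # In production the claim set is a durable store written with a conditional
        # put; an in-memory set is used here so the example runs offline.
        self.claimed: Set[str] = set()
        self.charges: List[Dict] = []

    def handle(self, body: str) -> str:
        order = json.loads(body)
        order_id, amount = order["order_id"], float(order["amount"])
        if order_id in self.claimed:
            return "duplicate"
        self.claimed.add(order_id)  # claim first so a concurrent redelivery sees it
        try:
            self.charges.append({"order_id": order_id, "amount": amount})  # side effect
        except Exception:
            self.claimed.discard(order_id)  # release the claim so a retry can succeed
            raise
        return "processed"


def drain(queue: StandardQueue, proc: OrderProcessor, crash_on: str = "") -> List[str]:
    """Consume until empty; the consumer 'crashes' before delete() on one order."""
    outcomes = []
    while (msg := queue.receive()) is not None:
        receipt, body = msg
        outcomes.append(proc.handle(body))
        if not (crash_on and crash_on in body):
            queue.delete(receipt)
    return outcomes


def simulate() -> Tuple[List[str], List[str], OrderProcessor]:
    orders = ['{"order_id": "ORD-1001", "amount": 25.0}',
              '{"order_id": "ORD-1002", "amount": 80.0}',
              '{"order_id": "ORD-1001", "amount": 25.0}']  # producer retry duplicate
    queue, proc = StandardQueue(orders), OrderProcessor()
    first = drain(queue, proc, crash_on="ORD-1002")  # ORD-1002 is left in flight
    queue.expire_visibility()                        # ... and is redelivered
    second = drain(queue, proc)
    return first, second, proc
```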
References:
https://aws.amazon.com/swf/faqs/
https://aws.amazon.com/swf/
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html
Check out this Amazon SQS Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-sqs/
Amazon Simple Workflow (SWF) vs AWS Step Functions vs Amazon SQS:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-simple-workflow-swf-vs-aws-step-functions-vs-amazon-sqs/
Question 40: Incorrect
You are a Big Data Engineer who is assigned to handle the online enrollment system database of a prestigious university, which is hosted in RDS. You are required to monitor the database metrics in Amazon CloudWatch to ensure the availability of the enrollment system.
Which enhanced monitoring metrics does Amazon CloudWatch gather from Amazon RDS DB instances that provide more accurate information? (Choose 2)
Explanation
Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the console, or consume the Enhanced Monitoring JSON output from CloudWatch Logs in a monitoring system of your choice.
CloudWatch gathers metrics about CPU utilization from the hypervisor for a DB instance, and Enhanced Monitoring gathers its metrics from an agent on the instance. As a result, you might find differences between the measurements, because the hypervisor layer performs a small amount of work. The differences can be greater if your DB instances use smaller instance classes, because then there are likely more virtual machines (VMs) that are managed by the hypervisor layer on a single physical instance. Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.
In RDS, the Enhanced Monitoring metrics shown in the Process List view are organized as follows:
- RDS child processes – Shows a summary of the RDS processes that support the DB instance, for example aurora for Amazon Aurora DB clusters and mysqld for MySQL DB instances. Process threads appear nested beneath the parent process. Process threads show CPU utilization only, as other metrics are the same for all threads of the process. The console displays a maximum of 100 processes and threads. The results are a combination of the top CPU-consuming and memory-consuming processes and threads. If there are more than 50 processes and more than 50 threads, the console displays the top 50 consumers in each category. This display helps you identify which processes are having the greatest impact on performance.
- RDS processes – Shows a summary of the resources used by the RDS management agent, diagnostics monitoring processes, and other AWS processes that are required to support RDS DB instances.
- OS processes – Shows a summary of the kernel and system processes, which generally have minimal impact on performance.
References:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/rds-metricscollected.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html#USER_Monitoring.OS.CloudWatchLogs
Check out this Amazon CloudWatch Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-cloudwatch/
Check out this Amazon RDS Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-relational-database-service-amazon-rds/
Question 43: Incorrect
A web application is hosted in an Auto Scaling group of EC2 instances deployed across multiple Availability Zones in front of an Application Load Balancer. You need to implement an SSL solution for your system to improve its security which is why you requested an SSL/TLS certificate from a third-party certificate authority (CA).
Where can you safely import the SSL/TLS certificate of your application? (Choose 2)
Explanation
If you got your certificate from a third-party CA, import the certificate into ACM or upload it to the IAM certificate store. Hence, Options 1 and 2 are the correct answers.
ACM lets you import third-party certificates from the ACM console, as well as programmatically. If ACM is not available in your region, use AWS CLI to upload your third-party certificate to the IAM certificate store.
Options 3 and 4 are incorrect as S3 is not a suitable service to store the SSL certificate.
Option 5 is incorrect because although you can upload certificates to CloudFront, it doesn't mean that you can import SSL certificates on it. You would not be able to export the certificate that you have loaded in CloudFront nor assign them to your EC2 or ELB instances as it would be tied to a single CloudFront distribution.
Reference:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-uploading-certificates
Check out this Amazon CloudFront Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-cloudfront/
Tutorials Dojo's AWS Certified Solutions Architect Associate Exam Study Guide:
https://tutorialsdojo.com/aws-cheat-sheet-aws-certified-solutions-architect-associate/
Question 47: Incorrect
Your company wants to host a static website on Amazon S3 using a bucket named "tutorialsdojo" in the Asia Pacific (Sydney) region. What website URL will be assigned to the S3 bucket?
Explanation
To host a static website, you configure an Amazon S3 bucket for website hosting, and then upload your website content to the bucket. The website is then available at the AWS Region-specific website endpoint of the bucket, which has the following format (the bucket name, then s3-website-, then the Region code):
bucket-name.s3-website-region.amazonaws.com
Hence, the correct answer is option A:
tutorialsdojo.s3-website-ap-southeast-2.amazonaws.com
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html
Check out this Amazon S3 Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-s3/
Question 48: Incorrect
An application is using a RESTful API hosted in AWS which uses Amazon API Gateway and AWS Lambda. There is a requirement to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services.
Which of the following is the most suitable service to use to meet this requirement?
Explanation
You can use AWS X-Ray to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services. API Gateway supports AWS X-Ray tracing for all API Gateway endpoint types: regional, edge-optimized, and private. You can use AWS X-Ray with Amazon API Gateway in all regions where X-Ray is available.
X-Ray gives you an end-to-end view of an entire request, so you can analyze latencies in your APIs and their backend services. You can use an X-Ray service map to view the latency of an entire request and that of the downstream services that are integrated with X-Ray. And you can configure sampling rules to tell X-Ray which requests to record, at what sampling rates, according to criteria that you specify. If you call an API Gateway API from a service that's already being traced, API Gateway passes the trace through, even if X-Ray tracing is not enabled on the API.
You can enable X-Ray for an API stage by using the API Gateway management console, or by using the API Gateway API or CLI.
Option 1 is incorrect because VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Although it can capture some details about incoming user requests, it is still better to use AWS X-Ray, which provides request tracing to debug and analyze your microservices applications so you can find the root cause of errors and performance issues.
Option 2 is incorrect because CloudWatch is a monitoring and management service. It does not have the capability to trace and analyze user requests as they travel through your Amazon API Gateway APIs.
Option 3 is incorrect because CloudTrail is primarily used for API logging of all of your AWS resources.
Reference:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-xray.html
Check out this AWS X-Ray Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-aws-x-ray/
Instrumenting your Application with AWS X-Ray:
https://tutorialsdojo.com/aws-cheat-sheet-instrumenting-your-application-with-aws-x-ray/
Question 57: Incorrect
You are working for a media company and you need to configure an Amazon S3 bucket to serve static assets for your public-facing web application. Which methods ensure that all of the objects uploaded to the S3 bucket can be read publicly all over the Internet? (Choose 2)
Explanation
By default, all Amazon S3 resources such as buckets, objects, and related subresources are private, which means that only the AWS account holder (resource owner) that created them has access to the resource. The resource owner can optionally grant access permissions to others by writing an access policy. In S3, you can also set an object's permissions during upload to make it public.
Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies.
For example, bucket policies and access control lists (ACLs) are resource-based policies. You can also attach access policies to users in your account. These are called user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources.
Option 2 is incorrect as ACLs are primarily used to grant basic read/write permissions to AWS accounts and are not suitable for providing public access over the Internet.
Option 4 is incorrect. Although with IAM, you can create a user, group, or role that has certain permissions to the S3 bucket, it does not control the individual objects that are hosted in the bucket.
Option 5 is incorrect because by default, all the S3 resources are private, so only the AWS account that created the resources can access them.
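Added example, not from the practice test: a least-privilege public-read bucket policy for the constructed bucket name tutorialsdojo, plus a check that flags public statements granting more than object reads. The ARN layout arn:partition:service:region:account-id:resource is the documented one; the helper names are mine.

```python
"""Build and audit an S3 bucket policy that makes a bucket's objects publicly readable.

Added example, not from the practice test. public_read_policy() produces the
resource-based policy the explanation refers to, limited to s3:GetObject on the
objects; audit_public_access() flags any Allow statement that gives the public
("*") more than object reads or reaches outside the intended bucket.
"""
from typing import Any, Dict, List

ALLOWED_PUBLIC_ACTIONS = {"s3:getobject"}


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into its components; the resource part keeps any later colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def public_read_policy(bucket: str) -> Dict[str, Any]:
    """Least-privilege public read: GetObject on objects, nothing on the bucket itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_public(principal: Any) -> bool:
    """Both Principal "*" and Principal {"AWS": "*"} mean anyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_public_access(policy: Dict[str, Any], bucket: str) -> List[str]:
    """Return findings for Allow statements that expose more than object reads."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        extra = sorted(actions - ALLOWED_PUBLIC_ACTIONS)  # wildcards like s3:* land here
        if extra:
            findings.append(f"{sid}: public principal allowed {extra}")
        for res in _as_list(stmt.get("Resource", [])):
            arn = parse_arn(res)
            if arn["service"] != "s3" or not arn["resource"].startswith(f"{bucket}/"):
                findings.append(f"{sid}: public access outside {bucket}/ objects: {res}")
    return findings


if __name__ == "__main__":
    bucket = "tutorialsdojo"
    print("least-privilege findings:", audit_public_access(public_read_policy(bucket), bucket))
    # Constructed over-broad policy: public write access and a bucket-level resource.
    broad = {"Version": "2012-10-17", "Statement": [{
        "Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::tutorialsdojo/*", "arn:aws:s3:::tutorialsdojo"]}]}
    print("over-broad findings:", *audit_public_access(broad, bucket), sep="\n  ")
```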
References:
http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
Check out this Amazon S3 Cheat Sheet:
https://tutorialsdojo.com/aws-cheat-sheet-amazon-s3/
Additional learning material: How do I configure an S3 bucket policy to Deny all actions unless they meet certain conditions?
Question 62: Incorrect
A tech startup has recently received a Series A round of funding to continue building their mobile forex trading application. You are hired to set up their cloud architecture in AWS and to implement a highly available, fault tolerant system. For their database, they are using DynamoDB and for authentication, they have chosen to use Cognito. Since the mobile application contains confidential financial transactions, there is a requirement to add a second authentication method that doesn't rely solely on user name and password.
How can you implement this in AWS?
Explanation
You can add multi-factor authentication (MFA) to a user pool to protect the identity of your users. MFA adds a second authentication method that doesn't rely solely on user name and password. You can choose to use SMS text messages or time-based one-time passwords (TOTP) as second factors when signing in your users. You can also use adaptive authentication with its risk-based model to predict when you might need another authentication factor. It's part of the user pool advanced security features, which also include protections against compromised credentials.
Reference:
https://docs.aws.amazon.com/cognito/latest/developerguide/managing-security.html