대충이라도 하자

Amazon's AWS Certified Solutions Architect - Associate SAA-C02 (2021.10.19)

Sueeeeee

27. A company's website runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The website has a mix of dynamic and static content. Users around the globe are reporting that the website is slow.
Which set of actions will improve website performance for users worldwide?

  • A. Create an Amazon CloudFront distribution and configure the ALB as an origin. Then update the Amazon Route 53 record to point to the CloudFront distribution.
  • B. Create a latency-based Amazon Route 53 record for the ALB. Then launch new EC2 instances with larger instance sizes and register the instances with the ALB.
  • C. Launch new EC2 instances hosting the same web application in different Regions closer to the users. Then register instances with the same ALB using cross-Region VPC peering.
  • D. Host the website in an Amazon S3 bucket in the Regions closest to the users and delete the ALB and EC2 instances. Then update an Amazon Route 53 record to point to the S3 buckets.

=> static -> CloudFront / CloudFront can also be used for dynamic content

=> CloudFront can provide low latency access to both static and dynamic content for global users, and can be integrated with Route 53.

28. A company has been storing analytics data in an Amazon RDS instance for the past few years. The company asked a solutions architect to find a solution that allows users to access this data using an API. The expectation is that the application will experience periods of inactivity but could receive bursts of traffic within seconds.
Which solution should the solutions architect suggest?

  • A. Set up an Amazon API Gateway and use Amazon ECS.
  • B. Set up an Amazon API Gateway and use AWS Elastic Beanstalk.
  • C. Set up an Amazon API Gateway and use AWS Lambda functions.
  • D. Set up an Amazon API Gateway and use Amazon EC2 with Auto Scaling.

- Analytics data has been stored in an Amazon RDS instance

=> "The expectation is that the application will experience periods of inactivity". Lambda is pay-per-use and can scale out.

29. A company must generate sales reports at the beginning of every month. The reporting process launches 20 Amazon EC2 instances on the first of the month. The process runs for 7 days and cannot be interrupted. The company wants to minimize costs.
Which pricing model should the company choose?

  • A. Reserved Instances
  • B. Spot Block Instances
  • C. On-Demand Instances
  • D. Scheduled Reserved Instances

- quite controversial

- Runs for 7 days and must not be interrupted ***minimize cost

=> Scheduled Reserved Instances (Scheduled Instances) enable you to purchase capacity reservations that recur on a daily, weekly, or monthly basis, with a specified start time and duration, for a one-year term. You reserve the capacity in advance, so that you know it is available when you need it. You pay for the time that the instances are scheduled, even if you do not use them. Scheduled Instances are a good choice for workloads that do not run continuously, but do run on a regular schedule. For example, you can use Scheduled Instances for an application that runs during business hours or for batch processing that runs at the end of the week.

30. A gaming company has multiple Amazon EC2 instances in a single Availability Zone for its multiplayer game that communicates with users on Layer 4. The chief technology officer (CTO) wants to make the architecture highly available and cost-effective.
What should a solutions architect do to meet these requirements? (Choose two.)

  • A. Increase the number of EC2 instances.
  • B. Decrease the number of EC2 instances.
  • C. Configure a Network Load Balancer in front of the EC2 instances.
  • D. Configure an Application Load Balancer in front of the EC2 instances.
  • E. Configure an Auto Scaling group to add or remove instances in multiple Availability Zones automatically.

- Multiple Amazon EC2 instances in a single Availability Zone

- Communicates with users on Layer 4

- High availability, cost-effective

=> Layer 4 is the key point -> NLB

=> Auto Scaling, with the ability to scale per demand across multiple AZs and its integration with a Network Load Balancer for Layer 4 handling, would provide an architecture which is highly available and cost-effective.

 

31. A company currently operates a web application backed by an Amazon RDS MySQL database. It has automated backups that are run daily and are not encrypted. A security audit requires future backups to be encrypted and the unencrypted backups to be destroyed. The company will make at least one encrypted backup before destroying the old backups.
What should be done to enable encryption for future backups?

  • A. Enable default encryption for the Amazon S3 bucket where backups are stored.
  • B. Modify the backup section of the database configuration to toggle the Enable encryption check box.
  • C. Create a snapshot of the database. Copy it to an encrypted snapshot. Restore the database from the encrypted snapshot.
  • D. Enable an encrypted read replica on RDS for MySQL. Promote the encrypted read replica to primary. Remove the original database instance.

- The Amazon RDS MySQL database makes a daily backup that is not encrypted

- From now on backups must be encrypted, and the unencrypted ones must be destroyed

- At least one encrypted backup must be made before the old backups are destroyed

=> "Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted."

=> It's true that RDS stores its backup in S3. However, you have no visibility of that bucket (indeed it doesn't ask you where to store the backup). Hence, you can't enable encryption for it (which would only encrypt the backup while inside the bucket. If you'd move it out, it would still be unencrypted).

32. A company is hosting a website behind multiple Application Load Balancers. The company has different distribution rights for its content around the world. A solutions architect needs to ensure that users are served the correct content without violating distribution rights.
Which configuration should the solutions architect choose to meet these requirements?

  • A. Configure Amazon CloudFront with AWS WAF.
  • B. Configure Application Load Balancers with AWS WAF.
  • C. Configure Amazon Route 53 with a geolocation policy.
  • D. Configure Amazon Route 53 with a geoproximity routing policy.

- The website is hosted behind multiple ALBs. Distribution rights differ by region, so the correct content must be served without violating the rules on distribution.

=> When you use geolocation routing, you can localize your content and present some or all of your website in the language of your users. You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. Another possible use is for balancing load across endpoints in a predictable, easy-to-manage way, so that each user location is consistently routed to the same endpoint.

 

33. A solutions architect has created a new AWS account and must secure AWS account root user access.
Which combination of actions will accomplish this? (Choose two.)

  • A. Ensure the root user uses a strong password.
  • B. Enable multi-factor authentication to the root user. - MFA
  • C. Store root user access keys in an encrypted Amazon S3 bucket.
  • D. Add the root user to a group containing administrative permissions.
  • E. Apply the required permissions to the root user with an inline policy document.

=> password + MFA

34. A solutions architect at an ecommerce company wants to back up application log data to Amazon S3. The solutions architect is unsure how frequently the logs will be accessed or which logs will be accessed the most. The company wants to keep costs as low as possible by using the appropriate S3 storage class.
Which S3 storage class should be implemented to meet these requirements?

  • A. S3 Glacier
  • B. S3 Intelligent-Tiering
  • C. S3 Standard-Infrequent Access (S3 Standard-IA)
  • D. S3 One Zone-Infrequent Access (S3 One Zone-IA)

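- Back up application log data to Amazon S3

- Unsure how frequently the logs will be accessed or which logs will be accessed the most

- Wants to keep costs as low as possible by using the appropriate S3 storage class

=> When you are not sure, go for Intelligent-Tiering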

 

35. A company's website is used to sell products to the public. The site runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). There is also an Amazon CloudFront distribution, and AWS WAF is being used to protect against SQL injection attacks. The ALB is the origin for the CloudFront distribution. A recent review of security logs revealed an external malicious IP that needs to be blocked from accessing the website.
What should a solutions architect do to protect the application?

  • A. Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address.
  • B. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.
  • C. Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
  • D. Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.

- Website running on EC2 instances in an Auto Scaling group behind an ALB

- There is an Amazon CloudFront distribution, and AWS WAF is in use to protect against SQL injection attacks

- The ALB is the origin for the CloudFront distribution

- An external malicious IP must be blocked

=> CORRECT: "Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address" is the correct answer.

INCORRECT: "Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address" is incorrect as CloudFront does not sit within a subnet so network ACLs do not apply to it.

INCORRECT: "Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address" is incorrect as the source IP addresses of the data in the EC2 instances’ subnets will be the ELB IP addresses.

INCORRECT: "Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address." is incorrect as you cannot create deny rules with security groups.

 

36. A solutions architect is designing an application for a two-step order process. The first step is synchronous and must return to the user with little latency. The second step takes longer, so it will be implemented in a separate component. Orders must be processed exactly once and in the order in which they are received.
How should the solutions architect integrate these components?

  • A. Use Amazon SQS FIFO queues.
  • B. Use an AWS Lambda function along with Amazon SQS standard queues.
  • C. Create an SNS topic and subscribe an Amazon SQS FIFO queue to that topic.
  • D. Create an SNS topic and subscribe an Amazon SQS Standard queue to that topic.

- Building a 2-step order process

- The first step is synchronous and must return to the user with little latency

- The second step takes longer, so it must be implemented in a separate component

- Both must be processed only once

=> Option C: no. SNS does not guarantee ordering; if it were an SNS FIFO topic then that would've been correct, but a plain SNS topic will not guarantee ordering

 

37. A web application is deployed in the AWS Cloud. It consists of a two-tier architecture that includes a web layer and a database layer. The web server is vulnerable to cross-site scripting (XSS) attacks.
What should a solutions architect do to remediate the vulnerability?

  • A. Create a Classic Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
  • B. Create a Network Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
  • C. Create an Application Load Balancer. Put the web layer behind the load balancer and enable AWS WAF.
  • D. Create an Application Load Balancer. Put the web layer behind the load balancer and use AWS Shield Standard.

- The web app is deployed in the AWS Cloud

- It consists of a web layer and a database layer

- The web server is vulnerable to XSS attacks

- What is the fix?

=> You can deploy AWS WAF on:

- Amazon CloudFront as part of your CDN solution

- The Application Load Balancer that fronts your web servers or origin servers running on EC2

- Amazon API Gateway for your REST APIs

- AWS AppSync for your GraphQL APIs

With AWS WAF, you pay only for what you use and the pricing is based on how many rules you deploy and how many web requests your application receives. AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include:

- IP addresses

- HTTP headers

- HTTP body

- URI strings

- SQL injection

- Cross-site scripting

 

38. A company's website is using an Amazon RDS MySQL Multi-AZ DB instance for its transactional data storage. There are other internal systems that query this DB instance to fetch data for internal batch processing. The RDS DB instance slows down significantly when the internal systems fetch data. This impacts the website's read and write performance, and the users experience slow response times.
Which solution will improve the website's performance?

  • A. Use an RDS PostgreSQL DB instance instead of a MySQL database.
  • B. Use Amazon ElastiCache to cache the query responses for the website.
  • C. Add an additional Availability Zone to the current RDS MySQL Multi-AZ DB instance.
  • D. Add a read replica to the RDS DB instance and configure the internal systems to query the read replica.

=> Every time there's a question on DB slowness, you can bet the answer will be "Read Replica", whether the DB is MySQL, Postgres, Aurora, RDS... READ REPLICA

=> Option A is wrong as changing DB would not help improve performance. Option B is wrong as ElastiCache would only help for caching data from same queries. Option C is wrong as Multi-AZ database spans across 2 AZs and it's a high availability solution.

 

39. An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%.
What should a solutions architect do to maintain the desired performance across all instances in the group?

  • A. Use a simple scaling policy to dynamically scale the Auto Scaling group.
  • B. Use a target tracking policy to dynamically scale the Auto Scaling group.
  • C. Use an AWS Lambda function to update the desired Auto Scaling group capacity.
  • D. Use scheduled scaling actions to scale up and scale down the Auto Scaling group.

=> Anything to do with the CPU utilization will be target tracking. Anything that has some predictable load will be scheduled.

=> is at or near 40% --> target

40. A company runs an internal browser-based application. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group scales up to 20 instances during work hours, but scales down to 2 instances overnight. Staff are complaining that the application is very slow when the day begins, although it runs well by mid-morning.
How should the scaling be changed to address the staff complaints and keep costs to a minimum?

  • A. Implement a scheduled action that sets the desired capacity to 20 shortly before the office opens.
  • B. Implement a step scaling action triggered at a lower CPU threshold, and decrease the cooldown period.
  • C. Implement a target tracking action triggered at a lower CPU threshold, and decrease the cooldown period.
  • D. Implement a scheduled action that sets the minimum and maximum capacity to 20 shortly before the office opens.

=> Answers A & D are incorrect because the question states to keep costs to a minimum. This means NOT running 20 instances from the start. Answers B & C are both better options. The problem in the morning is not that there should have been 20 instances running and that they are not running. The problem is that the auto scaling is not responding fast enough to the increase in demand. That is why decreasing the cooldown period will make the auto scaling more aggressive (and responsive) but will still run fewer than 20 instances from the get-go, and therefore will cost less money.
