Amazon's AWS Certified Solutions Architect - Associate SAA-C02 (2021.10.27)

91. A company is seeing access requests by some suspicious IP addresses. The security team discovers the requests are from different IP addresses under the same CIDR range.
What should a solutions architect recommend to the team?

• A. Add a rule in the inbound table of the security to deny the traffic from that CIDR range.
• B. Add a rule in the outbound table of the security group to deny the traffic from that CIDR range.
• C. Add a deny rule in the inbound table of the network ACL with a lower number than other rules.
• D. Add a deny rule in the outbound table of the network ACL with a lower rule number than other rules.

- requests by some suspicious IP addresseess.

=> You can only create deny rules with network ACLs, it is not possible with security groups. Network ACLs process rules in order from the lowest numbered rules to the highest until they reach and allow or deny. The following table describes some of the differences between security groups and network ACLs

 

92. A company recently expanded globally and wants to make its application accessible to users in those geographic locations. The application is deployed on
Amazon EC2 instances behind an Application Load Balancer in an Auto Scaling group. The company needs the ability shift traffic from resources in one region to another.
What should a solutions architect recommend?

• A. Configure an Amazon Route 53 latency routing policy.
• B. Configure an Amazon Route 53 geolocation routing policy.
• C. Configure an Amazon Route 53 geoproximity routing policy.
• D. Configure an Amazon Route 53 multivalue answer routing policy.

- expaneded globally

=> C. Geolocation routing policy – Use when you want to route traffic based on the location of your users. Geoproximity routing policy – Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.

 

93. A company wants to replicate its data to AWS to recover in the event of a disaster. Today, a system administrator has scripts that copy data to a NFS share.
Individual backup files need to be accessed with low latency by application administrators to deal with errors in processing.
What should a solutions architect recommend to meet these requirements?

• A. Modify the script to copy data to an Amazon S3 bucket instead of the on-premises NFS share.
• B. Modify the script to copy data to an Amazon S3 Glacier Archive instead of the on-premises NFS share.
• C. Modify the script to copy data to an Amazon Elastic File System (Amazon EFS) volume instead of the on-premises NFS share.
• D. Modify the script to copy data to an AWS Storage Gateway for File Gateway virtual appliance instead of the on-premises NFS share.

- wants to replicate its data

- NFS share에서 데이터를 카피

- 각각의 백업 파일은 low latency로 접근 가능

=> The file gateway employs a local read/write cache to provide a low-latency access to data for file share clients in the same local area network (LAN) as the file gateway.

94. An application requires a development environment (DEV) and production environment (PROD) for several years. The DEV instances will run for 10 hours each day during normal business hours, while the PROD instances will run 24 hours each day. A solutions architect needs to determine a compute instance purchase strategy to minimize costs.
Which solution is the MOST cost-effective?

• A. DEV with Spot Instances and PROD with On-Demand Instances
• B. DEV with On-Demand Instances and PROD with Spot Instances
• C. DEV with Scheduled Reserved Instances and PROD with Reserved Instances
• D. DEV with On-Demand Instances and PROD with Scheduled Reserved Instances

- DEV 인스턴스 하루에 10시간 

- PROD는 매일 24시간

- 비용 최소화

=> 'C' must be true but as of today (05/03/21) - AWS do not have any capacity for purchasing Scheduled Reserved Instances or any plans to make it available in the future. To reserve capacity, use On-Demand Capacity Reservations instead.

95. A company runs multiple Amazon EC2 Linux instances in a VPC with applications that use a hierarchical directory structure. The applications need to rapidly and concurrently read and write to shared storage.
How can this be achieved?

• A. Create an Amazon Elastic File System (Amazon EFS) file system and mount it from each EC2 instance.
• B. Create an Amazon S3 bucket and permit access from all the EC2 instances in the VPC.
• C. Create a file system on an Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS SSD (io1) volume. Attach the volume to all the EC2 instances.
• D. Create file systems on Amazon Elastic Block Store (Amazon EBS) volumes attached to each EC2 instance. Synchronize the Amazon Elastic Block Store (Amazon EBS) volumes across the different EC2 instances.

 

96. A solutions architect observes that a nightly batch processing job is automatically scaled up for 1 hour before the desired Amazon EC2 capacity is reached. The peak capacity is the same every night and the batch jobs always start at 1 AM. The solutions architect needs to find a cost-effective solution that will allow for the desired EC2 capacity to be reached quickly and allow the Auto Scaling group to scale down after the batch jobs are complete.
What should the solutions architect do to meet these requirements?

• A. Increase the minimum capacity for the Auto Scaling group.
• B. Increase the maximum capacity for the Auto Scaling group.
• C. Configure scheduled scaling to scale up to the desired compute level.
• D. Change the scaling policy to add more EC2 instances during each scaling operation.

- 항상 새벽 1시에 시작

=> C for sure due to the predictable nature of workload

97. A Solutions Architect must design a web application that will be hosted on AWS, allowing users to purchase access to premium, shared content that is stored in an
S3 bucket. Upon payment, content will be available for download for 14 days before the user is denied access.
Which of the following would be the LEAST complicated implementation?

• A. Use an Amazon CloudFront distribution with an origin access identity (OAI). Configure the distribution with an Amazon S3 origin to provide access to the file through signed URLs. Design a Lambda function to remove data that is older than 14 days.
• B. Use an S3 bucket and provide direct access to the file. Design the application to track purchases in a DynamoDB table. Configure a Lambda function to remove data that is older than 14 days based on a query to Amazon DynamoDB.
• C. Use an Amazon CloudFront distribution with an OAI. Configure the distribution with an Amazon S3 origin to provide access to the file through signed URLs. Design the application to set an expiration of 14 days for the URL.
• D. Use an Amazon CloudFront distribution with an OAI. Configure the distribution with an Amazon S3 origin to provide access to the file through signed URLs. Design the application to set an expiration of 60 minutes for the URL and recreate the URL as necessary.

=> There is no need to remove the data. Just expire the pre-signed url. So answer should be between C and D. However the max expiry time for pre-signed url is 7 days. So option D is the right answer. It seems the restriction on max expiry time is only valid for normal S3 pre-signed URLs. For Cloudfront signed URLs there is no restriction. So changing answer to C.

 

98. A solutions architect is designing a mission-critical web application. It will consist of Amazon EC2 instances behind an Application Load Balancer and a relational database. The database should be highly available and fault tolerant.
Which database implementations will meet these requirements? (Choose two.)

• A. Amazon Redshift
• B. Amazon DynamoDB
• C. Amazon RDS for MySQL
• D. MySQL-compatible Amazon Aurora Multi-AZ
• E. Amazon RDS for SQL Server Standard Edition Multi-AZ

- highly available  and fauly tolerant

- relational database

=> A - Redshift is a cloud data warehouse not a sql database

B - it does not say that global tables is active and it is a NoSQL database

C - It is not multi az

 

99. A company's web application is running on Amazon EC2 instances behind an Application Load Balancer. The company recently changed its policy, which now requires the application to be accessed from one specific country only.
Which configuration will meet this requirement?

• A. Configure the security group for the EC2 instances.
• B. Configure the security group on the Application Load Balancer.
• C. Configure AWS WAF on the Application Load Balancer in a VPC.
• D. Configure the network ACL for the subnet that contains the EC2 instances.

- one specific country only

 

100. A solutions architect has created two IAM policies: Policy1 and Policy2. Both policies are attached to an IAM group.

A cloud engineer is added as an IAM user to the IAM group. Which action will the cloud engineer be able to perform?

• A. Deleting IAM users
• B. Deleting directories
• C. Deleting Amazon EC2 instances
• D. Deleting logs from Amazon CloudWatch Logs

 => There is an explicit DENY on deleting directories in the second policy. So the only thing that can be deleted is EC2 instances as per the permission in the first policy.

=> As per the permission on Policy 1, the Cloud Engineer has full permission for EC2 instances. rest he will have limited permission.

iam - Get & List

kms - List

ec2 - All

ds - All (Directory Service)

logs - Get & Describe

resource - all