AWS Certified Solutions Architect – Associate SAA-C02 Exam Questions and Answers – Page 6

The latest AWS Certified Solutions Architect – Associate SAA-C02 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the AWS Certified Solutions Architect – Associate SAA-C02 exam and earn AWS Certified Solutions Architect – Associate SAA-C02 certification.

AWS Certified Solutions Architect - Associate SAA-C02 Exam Questions and Answers

Exam Question 501

A company is developing an eCommerce application that will consist of a load-balanced front end. a container-based application and a relational database A solutions architect needs to create a highly available solution that operates with as little manual intervention as possible

Which solutions meet these requirements? (Select TWO.)

A. Create an Amazon RDS DB instance in Multi-AZ mode
B. Create an Amazon RDS DB instance and one or more replicas in another Availability Zone
C. Create an Amazon EC2 instance-based Docker cluster to handle the dynamic application load
D. Create an Amazon Elastic Container Service (Amazon ECS) cluster with a Fargate launch type to handle the dynamic application load
E. Create an Amazon Elastic Container Service (Amazon ECS) cluster with an Amazon EC2 launch type to handle the dynamic application load

Correct Answer:
A. Create an Amazon RDS DB instance in Multi-AZ mode
D. Create an Amazon Elastic Container Service (Amazon ECS) cluster with a Fargate launch type to handle the dynamic application load

Answer Description:
Relational database: RDS
Container-based applications: ECS
“Amazon ECS enables you to launch and stop your container-based applications by using simple API calls. You can also retrieve the state of your cluster from a centralized service and have access to many familiar Amazon EC2 features.”
Little manual intervention: Fargate
You can run your tasks and services on a serverless infrastructure that is managed by AWS Fargate. Alternatively, for more control over your infrastructure, you can run your tasks and services on a cluster of Amazon EC2 instances that you manage.

References:

Exam Question 502

A company uses Amazon S3 to store its confidential audit documents. The S3 bucket uses bucket policies to restrict access to audit team IAM user credentials according to the principle of least privilege. Company managers are worried about accidental deletion of documents in the S3 bucket and want a more secure solution.

What should a solutions architect do to secure the audit documents?

A. Enable the versioning and MFA Delete features on the S3 bucket
B. Enable multi-factor authentication (MFA) on the IAM user credentials for each audit team IAM user account.
C. Add an S3 Lifecycle policy to the audit team’s IAM user accounts to deny the s3:DeleteObject action during audit dates.
D. Use AWS Key Management Service (AWS KMS> to encrypt the S3 bucket and restrict audit team IAM user accounts from accessing the KMS key.

Correct Answer:
A. Enable the versioning and MFA Delete features on the S3 bucket

Exam Question 503

A solutions architect is creating a new VPC design. There are two public subnet for the load balancer, two private subnets for web servers, and two private subnets for MySQL. The web serves use only HTTPS. The solutions architect has already created a security group for the load Balancer allowing port 443 from 0.0 0.0/0. Company policy requires that each resource has the least access required to still be able to perform its tasks.

Which additional configuration strategy should the solution architect use to meet these requirements?

A. Create a security group for the web servers and allow port 443 from 0.0.0.070. Create a security group for the MySQL serve’s aid allow port 3306 from the web servers security group.
B. Create a network ACL for the web servers and allow port 443 from 0.0.0.0/0. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group
C. Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web sewers security group
D. Create a network ACL for the web servers and allow port 443 from the web balancer. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.

Correct Answer:
C. Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web sewers security group

Exam Question 504

A solutions architect has configured the following IAM policy.
A solutions architect has configured the following IAM policy.
Which action will be allowed by the policy?

A. An AWS Lambda function can be deleted from any network.
B. An AWS Lambda function can be created from any network.
C. An AWS Lambda function can be deleted from the 100.220.0.0/20 network
D. An AWS Lambda function can be deleted from the 220 100.16 0 20 network

Correct Answer:
D. An AWS Lambda function can be deleted from the 220 100.16 0 20 network

Exam Question 505

A company’s legacy application is currently relying on a single-instance Amazon RDS MySQL database without encryption Due to new compliance requirements, all existing and new data in this database must be encrypted

How should this be accomplished?

A. Create an Amazon S3 bucket with server-side encryption enabled Move all the data to Amazon S3 Delete the RDS instance
B. Enable RDS Multi-AZ mode with encryption at rest enabled Perform a failover to the standby instance to delete the original instance
C. Take a snapshot of the RDS instance Create an encrypted copy of the snapshot Restore the RDS instance from the encrypted snapshot
D. Create an RDS read replica with encryption at rest enabled Promote the read replica to master and switch the application over to the new master Delete the old RDS instance.

Correct Answer:
C. Take a snapshot of the RDS instance Create an encrypted copy of the snapshot Restore the RDS instance from the encrypted snapshot

Answer Description:
How do I encrypt Amazon RDS snapshots?
The following steps are applicable to Amazon RDS for MySQL, Oracle, SQL Server, PostgreSQL, or MariaDB.
Important: If you use Amazon Aurora, you can restore an unencrypted Aurora DB cluster snapshot to an encrypted Aurora DB cluster if you specify an AWS Key Management Service (AWS KMS) encryption key when you restore from the unencrypted DB cluster snapshot. For more information, see Limitations of Amazon RDS Encrypted DB Instances.
Open the Amazon RDS console, and then choose Snapshots from the navigation pane.
Select the snapshot that you want to encrypt.
Under Snapshot Actions, choose Copy Snapshot.
Choose your Destination Region, and then enter your New DB Snapshot Identifier.
Change Enable Encryption to Yes.
Select your Master Key from the list, and then choose Copy Snapshot.
After the snapshot status is available, the Encrypted field will be True to indicate that the snapshot is encrypted.
You now have an encrypted snapshot of your DB. You can use this encrypted DB snapshot to restore the DB instance from the DB snapshot.

Exam Question 506

A solutions architect must analyze and update a company’s existing 1AM policies prior to deploying a new workload.
The solutions architect created the following policy:
A solutions architect must analyze and update a company’s existing 1AM policies prior to deploying a new workload.
What is the net effect of this policy?

A. Users will be allowed all actions except s3 PutObject if multi-factor authentication (MFA) is enabled
B. Users win be allowed all actions except s3 PutObject if multi-factor authentication (MFA) is not enabled
C. Users will be denied all actions except s3;PutObject if multi-factor authentication (MFA) is enabled.
D. Users win be denied all actions except s3:PutObject if multi-factor authentication (MFA) is not enabled.

Correct Answer:
C. Users will be denied all actions except s3;PutObject if multi-factor authentication (MFA) is enabled.

Exam Question 507

A company wants to move its on-premises network, attached storage (NAS) to AWS. The company wants to make the data available to any Linux instances within its VPC and ensure changes are automatically synchronized across all instances accessing the data store. The majority of the data is accessed very rarely, and some files are accessed by multiple users at the same time.
Which solution meets these requirements and is MOST cost-effective?

A. Create an Amazon Elastic Block Store (Amazon EBS) snapshot containing the data. Share it with users within the VP
B. Create an Amazon S3 bucket that has a lifecycle policy set to transition the data to S3 Standard-Infrequent Access (S3 Standard-IA) after the appropriate number of days.
C. Create an Amazon Elastic File System (Amazon EFS) file system within the VP
D. Set the throughput mode to Provisioned and to the required amount of IOPS to support concurrent usage.
E. Create an Amazon Elastic File System (Amazon EFS) file system within the VP
F. Set the lifecycle policy to transition the data to £FS Infrequent Access (EFS IA) after the appropriate number of days.

Correct Answer:
C. Create an Amazon Elastic File System (Amazon EFS) file system within the VP

Exam Question 508

A company’s dynamic website is hosted using on-premises servers in the United States. The company is launching its product in Europe and it wants to optimize site loading times for new European users. The site’s backend must remain in the United States.

The product is being launched in a few days, and an immediate solution is needed

What should the solutions architect recommend?

A. Launch an Amazon EC2 instance in us-east-1 and migrate the site to it
B. Move the website to Amazon S3 Use cross-Region replication between Regions.
C. Use Amazon CloudFront with a custom origin pointing to the on-premises servers
D. Use an Amazon Route 53 geoproximity routing policy pointing to on-premises servers

Correct Answer:
C. Use Amazon CloudFront with a custom origin pointing to the on-premises servers

Exam Question 509

The financial application at a company stores monthly reports in an Amazon S3 bucket. The vice president of finance has mandated that all access to these reports be logged and that any modifications to the log files be detected.

Which actions can a solutions architect take to meet these requirements?

A. Use S3 server access logging on the bucket that houses the reports with the read and write data events and log file validation options enabled.
B. Use S3 server access logging on the bucket that houses the reports with the read and write management events and log file validation options enabled
C. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write data events on the S3 bucket that houses the reports Log these events to a new bucket, and enable log file validation
D. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write management events on the S3 bucket that houses the reports. Log these events to a new bucket, and enable log file validation.

Correct Answer:
C. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write data events on the S3 bucket that houses the reports Log these events to a new bucket, and enable log file validation

References:

Amazon Simple Storage Service > User Guide > Enabling CloudTrail event logging for S3 buckets and objects

Exam Question 510

A company runs an online marketplace web application on AWS. The application serves hundreds of thousands of users during peak hours. The company needs a scalable, near-real-time solution to share the details of millions of financial transactions with several other internal applications. Transactions also need to be processed to remove sensitive data before being stored in a document database for low-latency retrieval.

What should a solutions architect recommend to meet these requirements?

A. Store the batched transactions data in Amazon S3 as files. Use AWS Lambda to process every file and remove sensitive data before updating the files in Amazon S3. The Lambda function then stores the data in Amazon DynamoDB. Other applications can consume transaction files stored in Amazon S3.
B. Store the transactions data into Amazon DynamoDB. Set up a rule in DynamoDB to remove sensitive data from every transaction upon write. Use DynamoDB Streams to share the transactions data with other applications.
C. Stream the transactions data into Amazon Kinesis Data Streams. Use AWS Lambda integration to remove sensitive data from every transaction and then store the transactions data in Amazon DynamoDB. Other applications can consume the transactions data off the Kinesis data stream.
D. Stream the transactions data into Amazon Kinesis Data Firehose to store data in Amazon DynamoDB and Amazon S3. Use AWS Lambda integration with Kinesis Data Firehose to remove sensitive data. Other applications can consume the data stored in Amazon S3.

Correct Answer:
C. Stream the transactions data into Amazon Kinesis Data Streams. Use AWS Lambda integration to remove sensitive data from every transaction and then store the transactions data in Amazon DynamoDB. Other applications can consume the transactions data off the Kinesis data stream.