The latest AWS Certified Solutions Architect – Associate (SAA-C03) practice exam questions and answers (Q&A) are available free to help you pass the SAA-C03 exam and earn the AWS Certified Solutions Architect – Associate certification.
Question 531
A company fails an AWS security review conducted by a third party.
The review finds that some of the company’s methods to access the Amazon EMR API are not secure.
Developers are using AWS Cloud9, and access keys are connecting to the Amazon EMR API through the public internet.
Which combination of steps should the company take to MOST improve its security? (Select TWO)
A. Set up a VPC peering connection to the Amazon EMR API
* B. Set up VPC endpoints to connect to the Amazon EMR API
C. Set up a NAT gateway to connect to the Amazon EMR API.
* D. Set up IAM roles to be used to connect to the Amazon EMR API
E. Set up each developer with AWS Secrets Manager to store access keys
Question 532
An application launched on Amazon EC2 instances needs to publish personally identifiable information (PII) about customers using Amazon Simple Notification Service (Amazon SNS). The application is launched in private subnets within an Amazon VPC.
What is the MOST secure way to allow the application to access service endpoints in the same AWS Region?
A. Use an internet gateway
* B. Use AWS PrivateLink
C. Use a NAT gateway.
D. Use a proxy instance
Question 533
A company wants to launch a new application using Amazon Route 53, an Application Load Balancer (ALB), and an Amazon EC2 Auto Scaling group. The company is preparing to perform user experience testing and has a limited budget for this phase of the project. Although the company plans to do a load test in the future, it wants to prevent users from load testing at this time because it wants to limit unnecessary EC2 automatic scaling.
What should a solutions architect do to minimize costs of the user experience testing?
A. Configure AWS Shield’s client request threshold to 100 connections per client.
* B. Deploy AWS WAF on the ALB with a rate-based rule configured to limit the number of requests each client can make.
C. Configure the ALB with an advanced request routing policy to throttle the client connections being sent to the Auto Scaling group.
D. Deploy Amazon Simple Queue Service (Amazon SQS) between the ALB and Auto Scaling group to queue client requests and change the Auto Scaling group maximum size to one.
Question 534
53 latency-based routing to route requests to its UDP-based application for users around the world. The application is hosted on redundant servers in the company’s on-premises data centers in the United States, Asia, and Europe. The company’s compliance requirements state that the application must be hosted on-premises. The company wants to improve the performance and availability of the application.
What should a solutions architect do to meet these requirements?
A. Configure three Network Load Balancers (NLBs) in the three AWS Regions to address the on-premises endpoints. Create an accelerator by using AWS Global Accelerator, and register the NLBs as its endpoints. Provide access to the application by using a CNAME that points to the accelerator DNS.
B. Configure three Application Load Balancers (ALBs) in the three AWS Regions to address the on-premises endpoints. Create an accelerator by using AWS Global Accelerator, and register the ALBs as its endpoints. Provide access to the application by using a CNAME that points to the accelerator DNS.
* C. Configure three Network Load Balancers (NLBs) in the three AWS Regions to address the on-premises endpoints. In Route 53, create a latency-based record that points to the three NLBs, and use it as an origin for an Amazon CloudFront distribution. Provide access to the application by using a CNAME that points to the CloudFront DNS.
D. Configure three Application Load Balancers (ALBs) in the three AWS Regions to address the on-premises endpoint. in Route 53.
Question 535
A company has an application running as a service in Amazon Elastic Container Service (Amazon ECS) using the Amazon EC2 launch type.
The application code makes AWS API calls to publish messages to Amazon Simple Queue Service (Amazon SQS).
What is the MOST secure method of giving the application permission to publish messages to Amazon SQS?
A. Use AWS Identity and Access Management (IAM) to grant SQS permissions to the role used by the launch configuration for the Auto Scaling group of the ECS cluster.
* B. Create a new IAM user with SQS permissions. Then update the task definition to declare the access key ID and secret access key as environment variables.
C. Create a new IAM role with SQS permissions. Then update the task definition to use this role for the task role setting.
D. Update the security group used by the ECS cluster to allow access to Amazon SQS
Question 536
A company has an application running on Amazon EC2 On-Demand Instances. The application does not scale, and the instances run in one AWS Region. The company wants the flexibility to change the operating system from Windows to AWS Linux in the future. The company needs to reduce the cost of the instances without creating additional operational overhead or changes to the application.
What should the company purchase to meet these requirements MOST cost-effectively?
A. Dedicated Hosts for the Instance type being used
B. A Compute Savings Plan for the instance type being used
C. An EC2 Instance Savings Plan for the instance type being used
* D. Convertible Reserved Instances for the instance type being used
Question 537
A company wants to run a static website served through Amazon CloudFront.
What is an advantage of storing the website content in an Amazon S3 bucket instead of an Amazon Elastic Block Store (Amazon EBS) volume?
A. S3 buckets are replicated globally, allowing for large scalability. EBS volumes are replicated only within an AWS Region.
* B. S3 is an origin for CloudFront. EBS volumes would need EC2 instances behind an Elastic Load Balancing load balancer to be an origin
C. S3 buckets can be encrypted, allowing for secure storage of the web files. EBS volumes cannot be encrypted.
D. S3 buckets support object-level read throttling, preventing abuse. EBS volumes do not provide object-level throttling.
Question 538
A company expects its user base to increase five times over one year. Its application is hosted in one region and uses an Amazon RDS for MySQL database, an Application Load Balancer, and Amazon Elastic Container Service (Amazon ECS) to host the website and its microservices.
Which design changes should a solutions architect recommend to support the expected growth? (Select TWO.)
* A. Move static files from Amazon ECS to Amazon S3
B. Use an Amazon Route 53 geolocation routing policy.
C. Scale the environment based on real-time AWS CloudTrail logs.
D. Create a dedicated Elastic Load Balancer for each microservice.
* E. Create RDS read replicas and change the application to use these replicas.
Question 539
A solutions architect is designing a new workload in which an AWS Lambda function will access an Amazon DynamoDB table.
What is the MOST secure means of granting the Lambda function access to the DynamoDB table?
* A. Create an IAM role with the necessary permissions to access the DynamoDB table. Assign the role to the Lambda function.
B. Create a DynamoDB user name and password and give them to the developer to use in the Lambda function.
C. Create an IAM user, and create access and secret keys for the user. Give the user the necessary permissions to access the DynamoDB table. Have the developer use these keys to access the resources.
D. Create an IAM role allowing access from AWS Lambda. Assign the role to the DynamoDB table
Question 540
A city has deployed a web application running on Amazon EC2 instances behind an Application Load Balancer (ALB).
The application’s users have reported sporadic performance, which appears to be related to DDoS attacks originating from random IP addresses.
The city needs a solution that requires minimal configuration changes and provides an audit trail for the DDoS source.
Which solution meets these requirements?
A. Enable an AWS WAF web ACL on the ALB and configure rules to block traffic from unknown sources.
B. Subscribe to Amazon Inspector. Engage the AWS DDoS Resource Team (DRT) to integrate mitigating controls into the service.
* C. Subscribe to AWS Shield Advanced. Engage the AWS DDoS Response Team (DRT) to integrate mitigating controls into the service.
D. Create an Amazon CloudFront distribution for the application and set the ALB as the origin. Enable an AWS WAF web ACL on the distribution and configure rules to block traffic from unknown sources.