1 Maarek Test

- The document describes the results of a practice test for the AWS Certified Solutions Architect Associate certification. - It provides the questions, answers, and explanations for 4 multiple choice questions covering topics like Amazon S3 storage classes and lifecycle transitions, pricing of different AWS storage options, EC2 placement groups, and suitable in-memory data stores. - The summary identifies the key topics covered in the test questions but does not copy or repeat the full questions or explanations.

Uploaded by

Akash Paul

Practice Test #1 - AWS Certified Solutions Architect Associate - Results

Attempt 3
Question 1: Correct
The IT department at a consulting firm is conducting a training workshop for new developers. As part of an evaluation
exercise on Amazon S3, the new developers were asked to identify the invalid storage class lifecycle transitions for
objects stored on S3.
Can you spot the INVALID lifecycle transitions from the options below? (Select two)

S3 Intelligent-Tiering => S3 Standard

(Correct)

S3 One Zone-IA => S3 Standard-IA

(Correct)

S3 Standard-IA => S3 One Zone-IA

S3 Standard => S3 Intelligent-Tiering

S3 Standard-IA => S3 Intelligent-Tiering


Explanation
Correct options:
As the question wants to know about the INVALID lifecycle transitions, the following options are the correct answers -
S3 Intelligent-Tiering => S3 Standard
S3 One Zone-IA => S3 Standard-IA
Following are the unsupported life cycle transitions for S3 storage classes - Any storage class to the S3 Standard storage
class. Any storage class to the Reduced Redundancy storage class. The S3 Intelligent-Tiering storage class to the S3
Standard-IA storage class. The S3 One Zone-IA storage class to the S3 Standard-IA or S3 Intelligent-Tiering storage
classes.
Incorrect options:
S3 Standard => S3 Intelligent-Tiering
S3 Standard-IA => S3 Intelligent-Tiering
S3 Standard-IA => S3 One Zone-IA
Here are the supported life cycle transitions for S3 storage classes - The S3 Standard storage class to any other storage
class. Any storage class to the S3 Glacier or S3 Glacier Deep Archive storage classes. The S3 Standard-IA storage class to
the S3 Intelligent-Tiering or S3 One Zone-IA storage classes. The S3 Intelligent-Tiering storage class to the S3 One Zone-IA
storage class. The S3 Glacier storage class to the S3 Glacier Deep Archive storage class.
Amazon S3 supports a waterfall model for transitioning between storage classes, as shown in the diagram below (via
https://docs.aws.amazon.com/AmazonS3/latest/dev/lifecycle-transition-general-considerations.html).
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/dev/lifecycle-transition-general-considerations.html
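The transition rules above can be encoded once and used to lint a lifecycle configuration before it is applied, which catches an unsupported step (or a misordered one) at review time rather than at PutBucketLifecycleConfiguration time. The following is an added example, not code from the practice test or from AWS; it assumes the S3 API storage-class names, treats Deep Archive to Glacier as an unsupported upward move, and adds a strictly-increasing Days check that the quoted rules do not mention.

```python
"""Validator for S3 lifecycle storage-class transitions (added example).

Encodes the supported and unsupported transitions listed in the explanation
above and lints one lifecycle rule in the shape of the S3 API "Transitions"
list. Assumptions beyond the quoted rules: objects start in STANDARD, the
DEEP_ARCHIVE -> GLACIER upward move is unsupported, and Days must increase.
"""

STANDARD = "STANDARD"
STANDARD_IA = "STANDARD_IA"
ONEZONE_IA = "ONEZONE_IA"
INTELLIGENT_TIERING = "INTELLIGENT_TIERING"
GLACIER = "GLACIER"
DEEP_ARCHIVE = "DEEP_ARCHIVE"
REDUCED_REDUNDANCY = "REDUCED_REDUNDANCY"

ALL_CLASSES = {STANDARD, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING,
               GLACIER, DEEP_ARCHIVE, REDUCED_REDUNDANCY}

# Supported pairs that are not covered by the two general rules
# ("STANDARD -> any other class", "any class -> GLACIER / DEEP_ARCHIVE").
_EXPLICIT_SUPPORTED = {
    (STANDARD_IA, INTELLIGENT_TIERING),
    (STANDARD_IA, ONEZONE_IA),
    (INTELLIGENT_TIERING, ONEZONE_IA),
    (GLACIER, DEEP_ARCHIVE),
}


def is_supported_transition(src, dst):
    """Return True if a lifecycle rule may transition an object src -> dst."""
    if src not in ALL_CLASSES or dst not in ALL_CLASSES:
        raise ValueError(f"unknown storage class in {src!r} -> {dst!r}")
    if src == dst:
        return False                       # a no-op transition is never valid
    # Unsupported: nothing transitions back to STANDARD or into RRS.
    if dst in (STANDARD, REDUCED_REDUNDANCY):
        return False
    # Supported: STANDARD may move to any other class.
    if src == STANDARD:
        return True
    # Supported: any class may be archived to Glacier / Deep Archive,
    # except the upward DEEP_ARCHIVE -> GLACIER move (assumption, see above).
    if dst in (GLACIER, DEEP_ARCHIVE):
        return src != DEEP_ARCHIVE
    return (src, dst) in _EXPLICIT_SUPPORTED


def validate_lifecycle_rule(rule, initial_class=STANDARD):
    """Lint the Transitions of one lifecycle rule (S3 API JSON shape).

    Returns a list of problem strings; an empty list means every step is a
    supported transition and the Days values strictly increase.
    """
    problems = []
    current, last_days = initial_class, -1
    for i, step in enumerate(rule.get("Transitions", [])):
        target, days = step["StorageClass"], step["Days"]
        if days <= last_days:
            problems.append(f"transition {i}: Days {days} is not after {last_days}")
        if not is_supported_transition(current, target):
            problems.append(f"transition {i}: {current} -> {target} is not supported")
        current, last_days = target, days
    return problems


# Constructed sample rules (not from the page) in the S3 lifecycle JSON shape.
GOOD_RULE = {
    "ID": "archive-logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
    "Transitions": [{"Days": 30, "StorageClass": STANDARD_IA},
                    {"Days": 90, "StorageClass": GLACIER},
                    {"Days": 365, "StorageClass": DEEP_ARCHIVE}],
}
BAD_RULE = {
    "ID": "one-zone-then-ia", "Status": "Enabled", "Filter": {"Prefix": "tmp/"},
    "Transitions": [{"Days": 30, "StorageClass": ONEZONE_IA},
                    {"Days": 60, "StorageClass": STANDARD_IA}],   # unsupported step
}

if __name__ == "__main__":
    for rule in (GOOD_RULE, BAD_RULE):
        print(rule["ID"], validate_lifecycle_rule(rule) or "OK")
```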
Question 2: Correct
A technology blogger wants to write a review on the comparative pricing for various storage types available on AWS
Cloud. The blogger has created a test file of size 1GB with some random data. Next, he copies this test file into the S3
Standard storage class, provisions an EBS volume (General Purpose SSD (gp2)) with 100GB of provisioned storage and
copies the test file into the EBS volume, and lastly copies the test file into an EFS Standard Storage filesystem. At the
end of the month, he analyses the bill for costs incurred on the respective storage types for the test file.
What is the correct order of the storage charges incurred for the test file on these three storage types?

Cost of test file storage on S3 Standard < Cost of test file storage on EFS < Cost of test file storage on EBS

(Correct)

Cost of test file storage on EFS < Cost of test file storage on S3 Standard < Cost of test file storage on EBS

Cost of test file storage on EBS < Cost of test file storage on S3 Standard < Cost of test file storage on EFS

Cost of test file storage on S3 Standard < Cost of test file storage on EBS < Cost of test file storage on EFS
Explanation
Correct option:
Cost of test file storage on S3 Standard < Cost of test file storage on EFS < Cost of test file storage on EBS
With Amazon EFS, you pay only for the resources that you use. The EFS Standard Storage pricing is $0.30 per GB per
month. Therefore, the cost for storing the test file on EFS is $0.30 for the month.
For EBS General Purpose SSD (gp2) volumes, the charges are $0.10 per GB-month of provisioned storage. Therefore, for
a provisioned storage of 100GB for this use-case, the monthly cost on EBS is $0.10*100 = $10. This cost is irrespective of
how much storage is actually consumed by the test file.
For S3 Standard storage, the pricing is $0.023 per GB per month. Therefore, the monthly storage cost on S3 for the test
file is $0.023.
Therefore, this is the correct option.
Incorrect options:
Cost of test file storage on S3 Standard < Cost of test file storage on EBS < Cost of test file storage on EFS
Cost of test file storage on EFS < Cost of test file storage on S3 Standard < Cost of test file storage on EBS
Cost of test file storage on EBS < Cost of test file storage on S3 Standard < Cost of test file storage on EFS
Following the computations shown earlier in the explanation, these three options are incorrect.
References:
https://aws.amazon.com/ebs/pricing/
https://aws.amazon.com/s3/pricing/
https://aws.amazon.com/efs/pricing/
Question 3: Correct
A cyber security company is running a mission critical application using a single Spread placement group of EC2
instances. The company needs 15 Amazon EC2 instances for optimal performance.
How many Availability Zones (AZs) will the company need to deploy these EC2 instances per the given use-case?

15

7

14

3

(Correct)

Explanation
Correct option:
3
When you launch a new EC2 instance, the EC2 service attempts to place the instance in such a way that all of your
instances are spread out across underlying hardware to minimize correlated failures. You can use placement groups to
influence the placement of a group of interdependent instances to meet the needs of your workload. Depending on the
type of workload, you can create a placement group using one of the following placement strategies:
Cluster placement group
Partition placement group
Spread placement group.
A Spread placement group is a group of instances that are each placed on distinct racks, with each rack having its own
network and power source.
Spread placement groups are recommended for applications that have a small number of critical instances that should
be kept separate from each other. Launching instances in a spread placement group reduces the risk of simultaneous
failures that might occur when instances share the same racks.
A spread placement group can span multiple Availability Zones in the same Region. You can have a maximum of seven
running instances per Availability Zone per group. Therefore, to deploy 15 EC2 instances in a single Spread placement
group, the company needs to use 3 AZs.

Spread placement group overview: via - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
Incorrect options:
7
14
15
These three options contradict the details provided in the explanation above, so these options are incorrect.
Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
Question 4: Correct
The engineering team at an in-home fitness company is evaluating multiple in-memory data stores with the ability to
power its on-demand, live leaderboard. The company's leaderboard requires high availability, low latency, and real-
time processing to deliver customizable user data for the community of users working out together virtually from the
comfort of their home.
As a solutions architect, which of the following solutions would you recommend? (Select two)

Power the on-demand, live leaderboard using DynamoDB with DynamoDB Accelerator (DAX) as it meets the in-memory,
high availability, low latency requirements

(Correct)

Power the on-demand, live leaderboard using RDS Aurora as it meets the in-memory, high availability, low latency
requirements

Power the on-demand, live leaderboard using DynamoDB as it meets the in-memory, high availability, low latency
requirements

Power the on-demand, live leaderboard using AWS Neptune as it meets the in-memory, high availability, low latency
requirements

Power the on-demand, live leaderboard using ElastiCache Redis as it meets the in-memory, high availability, low latency
requirements

(Correct)

Explanation
Correct options:
Power the on-demand, live leaderboard using ElastiCache Redis as it meets the in-memory, high availability, low
latency requirements
Amazon ElastiCache for Redis is a blazing fast in-memory data store that provides sub-millisecond latency to power
internet-scale real-time applications. Amazon ElastiCache for Redis is a great choice for real-time transactional and
analytical processing use cases such as caching, chat/messaging, gaming leaderboards, geospatial, machine learning,
media streaming, queues, real-time analytics, and session store. ElastiCache for Redis can be used to power the live
leaderboard, so this option is correct.
ElastiCache for Redis overview:

Power the on-demand, live leaderboard using DynamoDB with DynamoDB Accelerator (DAX) as it meets the in-
memory, high availability, low latency requirements
Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any
scale. It's a fully managed, multiregion, multimaster, durable database with built-in security, backup and restore, and in-
memory caching for internet-scale applications. DAX is a DynamoDB-compatible caching service that enables you to
benefit from fast in-memory performance for demanding applications. So DynamoDB with DAX can be used to power
the live leaderboard.
Incorrect options:
Power the on-demand, live leaderboard using AWS Neptune as it meets the in-memory, high availability, low latency
requirements - Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and
run applications that work with highly connected datasets. Neptune is not an in-memory database, so this option is not
correct.
Power the on-demand, live leaderboard using DynamoDB as it meets the in-memory, high availability, low latency
requirements - DynamoDB is not an in-memory database, so this option is not correct.
Power the on-demand, live leaderboard using RDS Aurora as it meets the in-memory, high availability, low latency
requirements - Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud, that
combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness
of open source databases. Amazon Aurora features a distributed, fault-tolerant, self-healing storage system that auto-
scales up to 64TB per database instance. Aurora is not an in-memory database, so this option is not correct.
References:
https://aws.amazon.com/elasticache/
https://aws.amazon.com/elasticache/redis/
https://aws.amazon.com/dynamodb/dax/
Question 5: Incorrect
A cyber forensics company runs its EC2 servers behind an Application Load Balancer along with an Auto Scaling group.
The engineers at the company want to be able to install proprietary forensic tools on each instance and perform a
pre-activation status check of these tools whenever an instance is provisioned because of a scale-out event from an
auto-scaling policy.
Which of the following options can be used to enable this custom action?

Use the EC2 instance metadata to put the instance in a wait state and launch a custom script that installs the
proprietary forensic tools and performs a pre-activation status check

Use the EC2 instance user data to put the instance in a wait state and launch a custom script that installs the proprietary
forensic tools and performs a pre-activation status check

Use the Auto Scaling group lifecycle hook to put the instance in a wait state and launch a custom script that installs the
proprietary forensic tools and performs a pre-activation status check

(Correct)

Use the Auto Scaling group scheduled action to put the instance in a wait state and launch a custom script that installs
the proprietary forensic tools and performs a pre-activation status check

(Incorrect)

Explanation
Correct option:
Use the Auto Scaling group lifecycle hook to put the instance in a wait state and launch a custom script that installs
the proprietary forensic tools and performs a pre-activation status check
An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical grouping for automatic
scaling and management.
Auto Scaling group lifecycle hooks enable you to perform custom actions as the Auto Scaling group launches or
terminates instances. Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling
group launches or terminates them. When an instance is paused, it remains in a wait state either until you complete the
lifecycle action using the complete-lifecycle-action command or the CompleteLifecycleAction operation, or until the
timeout period ends (one hour by default). For example, you could install or configure software on newly launched
instances, or download log files from an instance before it terminates.
How lifecycle hooks work: via - https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html
Incorrect options:
Use the Auto Scaling group scheduled action to put the instance in a wait state and launch a custom script that installs
the proprietary forensic tools and performs a pre-activation status check - To configure your Auto Scaling group to
scale based on a schedule, you create a scheduled action. The scheduled action tells Amazon EC2 Auto Scaling to
perform a scaling action at specified times. You cannot use scheduled action to carry out custom actions when the Auto
Scaling group launches or terminates an instance.
Use the EC2 instance metadata to put the instance in a wait state and launch a custom script that installs the
proprietary forensic tools and performs a pre-activation status check - EC2 instance metadata is data about your
instance that you can use to configure or manage the running instance. You cannot use EC2 instance metadata to put
the instance in wait state.
Use the EC2 instance user data to put the instance in a wait state and launch a custom script that installs the
proprietary forensic tools and performs a pre-activation status check - EC2 instance user data is the data that you
specified in the form of a configuration script while launching your instance. You cannot use EC2 instance user data to
put the instance in wait state.
Reference:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html
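The hook-driven flow described above, as an added example that is not code from the practice test or from AWS: the put_lifecycle_hook parameters with DefaultResult set to ABANDON, and the worker an instance runs while paused in the wait state, which reports CONTINUE only when the tool check passes and ABANDON on any failure, so a half-configured instance never enters service. RecordingClient stands in for boto3's autoscaling client (same method and parameter names) so the module runs offline; the hook name, group name, instance id, installer and status check are assumed placeholders.

```python
"""Pre-activation check driven by an Auto Scaling lifecycle hook (added example).

Not code from the practice test or AWS. A real deployment would pass
boto3.client("autoscaling") as `client`; RecordingClient below records the
same calls so the flow can be exercised offline.
"""
from dataclasses import dataclass, field

HOOK_NAME = "pre-activation-check"      # assumed hook name
ASG_NAME = "forensics-asg"              # assumed Auto Scaling group name


def launch_hook_params(asg_name=ASG_NAME, hook_name=HOOK_NAME, timeout_seconds=600):
    """Keyword arguments for autoscaling put_lifecycle_hook.

    DefaultResult=ABANDON: if the worker crashes or the heartbeat timeout
    expires before the action is completed, the instance is terminated rather
    than entering service without its tools installed and verified.
    """
    return {
        "AutoScalingGroupName": asg_name,
        "LifecycleHookName": hook_name,
        "LifecycleTransition": "autoscaling:EC2_INSTANCE_LAUNCHING",
        "HeartbeatTimeout": timeout_seconds,
        "DefaultResult": "ABANDON",
    }


@dataclass
class RecordingClient:
    """Offline stand-in for boto3's autoscaling client; records every call."""
    calls: list = field(default_factory=list)

    def record_lifecycle_action_heartbeat(self, **kwargs):
        self.calls.append(("heartbeat", kwargs))
        return {}

    def complete_lifecycle_action(self, **kwargs):
        self.calls.append(("complete", kwargs))
        return {}


def run_pre_activation(client, instance_id, install, status_check,
                       asg_name=ASG_NAME, hook_name=HOOK_NAME):
    """Worker run on the paused instance; returns the LifecycleActionResult sent.

    install() installs the proprietary tools, status_check() returns True when
    they are ready. Any exception or a failed check results in ABANDON.
    """
    common = {"LifecycleHookName": hook_name, "AutoScalingGroupName": asg_name,
              "InstanceId": instance_id}
    try:
        # A slow install may exceed HeartbeatTimeout; a heartbeat extends the wait.
        client.record_lifecycle_action_heartbeat(**common)
        install()
        result = "CONTINUE" if status_check() else "ABANDON"
    except Exception:                   # any failure: keep the instance out of service
        result = "ABANDON"
    client.complete_lifecycle_action(LifecycleActionResult=result, **common)
    return result


# Constructed placeholders for the installer and the status check.
def fake_install():
    return None


def failing_install():
    raise RuntimeError("constructed install failure")


def passing_check():
    return True


def failing_check():
    return False


if __name__ == "__main__":
    client = RecordingClient()
    # "i-0123456789abcdef0" is a constructed instance id.
    print(run_pre_activation(client, "i-0123456789abcdef0", fake_install, passing_check))
    print(client.calls)
```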
Question 6: Correct
The DevOps team at an e-commerce company has deployed a fleet of EC2 instances under an Auto Scaling group
(ASG). The instances under the ASG span two Availability Zones (AZ) within the us-east-1 region. All the incoming
requests are handled by an Application Load Balancer (ALB) that routes the requests to the EC2 instances under the
ASG. As part of a test run, two instances (instance 1 and 2, belonging to AZ A) were manually terminated by the
DevOps team causing the Availability Zones to become unbalanced. Later that day, another instance (belonging to AZ
B) was detected as unhealthy by the Application Load Balancer's health check.
Can you identify the correct outcomes for these events? (Select two)

Amazon EC2 Auto Scaling creates a new scaling activity for terminating the unhealthy instance and then terminates it.
Later, another scaling activity launches a new instance to replace the terminated instance

(Correct)

Amazon EC2 Auto Scaling creates a new scaling activity to terminate the unhealthy instance and launch the new instance
simultaneously

As the Availability Zones got unbalanced, Amazon EC2 Auto Scaling will compensate by rebalancing the Availability
Zones. When rebalancing, Amazon EC2 Auto Scaling terminates old instances before launching new instances, so that
rebalancing does not cause extra instances to be launched

As the Availability Zones got unbalanced, Amazon EC2 Auto Scaling will compensate by rebalancing the Availability
Zones. When rebalancing, Amazon EC2 Auto Scaling launches new instances before terminating the old ones, so that
rebalancing does not compromise the performance or availability of your application

(Correct)

Amazon EC2 Auto Scaling creates a new scaling activity for launching a new instance to replace the unhealthy instance.
Later, EC2 Auto Scaling creates a new scaling activity for terminating the unhealthy instance and then terminates it
Explanation
Correct options:
As the Availability Zones got unbalanced, Amazon EC2 Auto Scaling will compensate by rebalancing the Availability
Zones. When rebalancing, Amazon EC2 Auto Scaling launches new instances before terminating the old ones, so that
rebalancing does not compromise the performance or availability of your application
Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to
handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify
the minimum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group
never goes below this size. Actions such as changing the Availability Zones for your group or explicitly terminating or
detaching instances can lead to the Auto Scaling group becoming unbalanced between Availability Zones. Amazon EC2
Auto Scaling compensates by rebalancing the Availability Zones.
When rebalancing, Amazon EC2 Auto Scaling launches new instances before terminating the old ones, so that
rebalancing does not compromise the performance or availability of your application. Therefore, this option is correct.
Availability Zone Rebalancing overview: via - https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-benefits.html
Amazon EC2 Auto Scaling creates a new scaling activity for terminating the unhealthy instance and then terminates it.
Later, another scaling activity launches a new instance to replace the terminated instance
However, the scaling activity of Auto Scaling works in a different sequence compared to the rebalancing activity. Auto
Scaling creates a new scaling activity for terminating the unhealthy instance and then terminates it. Later, another
scaling activity launches a new instance to replace the terminated instance.
Incorrect options:
Amazon EC2 Auto Scaling creates a new scaling activity for launching a new instance to replace the unhealthy
instance. Later, EC2 Auto Scaling creates a new scaling activity for terminating the unhealthy instance and then
terminates it - This option contradicts the correct sequence of events outlined earlier for scaling activity created by EC2
Auto Scaling. Actually, Auto Scaling first terminates the unhealthy instance and then launches a new instance. Hence this
is incorrect.
As the Availability Zones got unbalanced, Amazon EC2 Auto Scaling will compensate by rebalancing the Availability
Zones. When rebalancing, Amazon EC2 Auto Scaling terminates old instances before launching new instances, so that
rebalancing does not cause extra instances to be launched - This option contradicts the correct sequence of events
outlined earlier for rebalancing activity. When rebalancing, Amazon EC2 Auto Scaling launches new instances before
terminating the old ones. Hence this is incorrect.
Amazon EC2 Auto Scaling creates a new scaling activity to terminate the unhealthy instance and launch the new
instance simultaneously - This is a made-up option as both the terminate and launch activities can't happen
simultaneously. This option has been added as a distractor.
References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-benefits.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html
Question 7: Incorrect
A news network uses Amazon S3 to aggregate the raw video footage from its reporting teams across the US. The news
network has recently expanded into new geographies in Europe and Asia. The technical teams at the overseas branch
offices have reported huge delays in uploading large video files to the destination S3 bucket.
Which of the following are the MOST cost-effective options to improve the file upload speed into S3? (Select two)

Create multiple AWS direct connect connections between the AWS Cloud and branch offices in Europe and Asia. Use the
direct connect connections for faster file uploads into S3

Use multipart uploads for faster file uploads into the destination S3 bucket

(Correct)

Use AWS Global Accelerator for faster file uploads into the destination S3 bucket

Use Amazon S3 Transfer Acceleration to enable faster file uploads into the destination S3 bucket

(Correct)

Create multiple site-to-site VPN connections between the AWS Cloud and branch offices in Europe and Asia. Use these
VPN connections for faster file uploads into S3
Explanation
Correct options:
Use Amazon S3 Transfer Acceleration to enable faster file uploads into the destination S3 bucket - Amazon S3 Transfer
Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket.
Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at
an edge location, data is routed to Amazon S3 over an optimized network path.
Use multipart uploads for faster file uploads into the destination S3 bucket - Multipart upload allows you to upload a
single object as a set of parts. Each part is a contiguous portion of the object's data. You can upload these object parts
independently and in any order. If transmission of any part fails, you can retransmit that part without affecting other
parts. After all parts of your object are uploaded, Amazon S3 assembles these parts and creates the object. In general,
when your object size reaches 100 MB, you should consider using multipart uploads instead of uploading the object in a
single operation. Multipart upload provides improved throughput, therefore it facilitates faster file uploads.
Incorrect options:
Create multiple AWS Direct Connect connections between the AWS Cloud and branch offices in Europe and Asia. Use
the Direct Connect connections for faster file uploads into S3 - AWS Direct Connect is a cloud service solution that
makes it easy to establish a dedicated network connection from your premises to AWS. AWS Direct Connect lets you
establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Direct
Connect takes significant time (several months) to provision and is overkill for the given use-case.
Create multiple site-to-site VPN connections between the AWS Cloud and branch offices in Europe and Asia. Use
these VPN connections for faster file uploads into S3 - AWS Site-to-Site VPN enables you to securely connect your on-
premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). You can securely extend
your data center or branch office network to the cloud with an AWS Site-to-Site VPN connection. A VPC VPN Connection
utilizes IPSec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet.
VPN Connections are a good solution if you have low to modest bandwidth requirements and can tolerate the inherent
variability in Internet-based connectivity. Site-to-site VPN will not help in accelerating the file transfer speeds into S3 for
the given use-case.
Use AWS Global Accelerator for faster file uploads into the destination S3 bucket - AWS Global Accelerator is a service
that improves the availability and performance of your applications with local or global users. It provides static IP
addresses that act as a fixed entry point to your application endpoints in a single or multiple AWS Regions, such as your
Application Load Balancers, Network Load Balancers or Amazon EC2 instances. AWS Global Accelerator will not help in
accelerating the file transfer speeds into S3 for the given use-case.
References:
https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
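The part handling that multipart upload relies on, as an added example that is not code from the practice test or from AWS: splitting an object into numbered parts, uploading them independently and out of order with only the failed part retried, reassembling in part-number order, and computing the ETag S3 assigns to a multipart object (MD5 of the concatenated per-part MD5 digests, then "-" and the part count) so the completed object can be verified. FlakyTransport and the sample bytes are constructed stand-ins for the network and the video file.

```python
"""Multipart upload mechanics: split, upload in any order, retry, reassemble.

Added example, not code from the practice test or AWS. The 5 MiB minimum part
size (every part except the last) is the real S3 limit; the demo uses tiny
parts with enforce_min=False so it runs on a few KiB of constructed data.
"""
import hashlib

MIN_PART_SIZE = 5 * 1024 * 1024      # S3 minimum for every part except the last


def split_parts(data, part_size, enforce_min=True):
    """Return [(part_number, bytes)] with part numbers starting at 1."""
    if enforce_min and part_size < MIN_PART_SIZE:
        raise ValueError("part_size is below the S3 minimum of 5 MiB")
    return [(i + 1, data[off:off + part_size])
            for i, off in enumerate(range(0, len(data), part_size))]


def part_etag(part_data):
    """ETag S3 returns for one uploaded part: hex MD5 of that part."""
    return hashlib.md5(part_data).hexdigest()


def multipart_etag(part_etags):
    """ETag of the completed multipart object, given per-part ETags in order."""
    joined = b"".join(bytes.fromhex(e) for e in part_etags)
    return f"{hashlib.md5(joined).hexdigest()}-{len(part_etags)}"


class FlakyTransport:
    """Constructed stand-in for the network: drops one chosen part once."""

    def __init__(self, fail_once_on=None):
        self.fail_once_on = fail_once_on
        self.uploaded = {}               # part_number -> bytes, in arrival order

    def upload_part(self, part_number, data):
        if part_number == self.fail_once_on:
            self.fail_once_on = None     # fail only the first attempt
            raise ConnectionError(f"part {part_number} dropped")
        self.uploaded[part_number] = data
        return part_etag(data)


def upload_object(transport, parts, max_retries=3):
    """Upload parts independently (here deliberately in reverse order).

    Only a failed part is retransmitted; the others are unaffected. Returns
    the (part_number, etag) list that CompleteMultipartUpload needs.
    """
    completed = []
    for number, data in reversed(parts):
        for attempt in range(max_retries):
            try:
                completed.append((number, transport.upload_part(number, data)))
                break
            except ConnectionError:
                if attempt == max_retries - 1:
                    raise
    return sorted(completed)             # S3 assembles by part number, not arrival


def assemble(transport, completed):
    """Join the uploaded parts in part-number order, as S3 does on completion."""
    return b"".join(transport.uploaded[number] for number, _ in completed)


# Constructed sample object: 10240 bytes, i.e. two full 4 KiB parts plus a half.
SAMPLE = bytes(range(256)) * 40

if __name__ == "__main__":
    parts = split_parts(SAMPLE, 4096, enforce_min=False)
    transport = FlakyTransport(fail_once_on=2)
    done = upload_object(transport, parts)
    print("parts:", [n for n, _ in done])
    print("etag:", multipart_etag([e for _, e in done]))
    print("reassembled intact:", assemble(transport, done) == SAMPLE)
```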
Question 8: Correct
The DevOps team at an analytics company has noticed that the performance of its proprietary Machine Learning
workflow has deteriorated ever since a new Auto Scaling group was deployed a few days back. Upon investigation,
the team found out that the Launch Configuration selected for the Auto Scaling group is using the incorrect instance
type that is not optimized to handle the Machine Learning workflow.
As a solutions architect, what would you recommend to provide a long term resolution for this issue?

No need to modify the launch configuration. Just modify the Auto Scaling group to use a larger number of instances of the
existing instance type. More instances may offset the loss of performance

Modify the launch configuration to use the correct instance type and continue to use the existing Auto Scaling group


No need to modify the launch configuration. Just modify the Auto Scaling group to use the correct instance type

Create a new launch configuration to use the correct instance type. Modify the Auto Scaling group to use this new
launch configuration. Delete the old launch configuration as it is no longer needed

(Correct)

Explanation
Correct option:
Create a new launch configuration to use the correct instance type. Modify the Auto Scaling group to use this new
launch configuration. Delete the old launch configuration as it is no longer needed
A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances.
When you create a launch configuration, you specify information for the instances, including the ID of the Amazon
Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping.
It is not possible to modify a launch configuration once it is created. The correct option is to create a new launch
configuration to use the correct instance type. Then modify the Auto Scaling group to use this new launch configuration.
Lastly, to clean up, delete the old launch configuration as it is no longer needed.
Incorrect options:
Modify the launch configuration to use the correct instance type and continue to use the existing Auto Scaling group -
As mentioned earlier, it is not possible to modify a launch configuration once it is created. Hence, this option is incorrect.
No need to modify the launch configuration. Just modify the Auto Scaling group to use the correct instance type - You
cannot use an Auto Scaling group to directly modify the instance type of the underlying instances. Hence, this option is
incorrect.
No need to modify the launch configuration. Just modify the Auto Scaling group to use a larger number of instances of
the existing instance type. More instances may offset the loss of performance - Using the Auto Scaling group to
increase the number of instances to cover up for the performance loss is not recommended as it does not address the
root cause of the problem. The Machine Learning workflow requires a certain instance type that is optimized to handle
Machine Learning computations. Hence, this option is incorrect.
Reference:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchConfiguration.html
Question 9: Correct
The payroll department at a company initiates several computationally intensive workloads on EC2 instances at a
designated hour on the last day of every month. The payroll department has noticed a trend of severe performance
lag during this hour. The engineering team has figured out a solution by using Auto Scaling Group for these EC2
instances and making sure that 10 EC2 instances are available during this peak usage hour. For normal operations only
2 EC2 instances are enough to cater to the workload.
As a solutions architect, which of the following steps would you recommend to implement the solution?

Configure your Auto Scaling group by creating a scheduled action that kicks-off at the designated hour on the last day of
the month. Set the desired capacity of instances to 10. This causes the scale-out to happen before peak traffic kicks in at
the designated hour
(Correct)

Configure your Auto Scaling group by creating a target tracking policy and setting the instance count to 10 at the
designated hour. This causes the scale-out to happen before peak traffic kicks in at the designated hour

Configure your Auto Scaling group by creating a simple tracking policy and setting the instance count to 10 at the
designated hour. This causes the scale-out to happen before peak traffic kicks in at the designated hour

Configure your Auto Scaling group by creating a scheduled action that kicks-off at the designated hour on the last day of
the month. Set the min count as well as the max count of instances to 10. This causes the scale-out to happen before
peak traffic kicks in at the designated hour
Explanation
Correct option:
Configure your Auto Scaling group by creating a scheduled action that kicks-off at the designated hour on the last day
of the month. Set the desired capacity of instances to 10. This causes the scale-out to happen before peak traffic kicks
in at the designated hour
Scheduled scaling allows you to set your own scaling schedule. For example, let's say that every week the traffic to your
web application starts to increase on Wednesday, remains high on Thursday, and starts to decrease on Friday. You can
plan your scaling actions based on the predictable traffic patterns of your web application. Scaling actions are performed
automatically as a function of time and date.
A scheduled action sets the minimum, maximum, and desired sizes to what is specified by the scheduled action at the
time specified by the scheduled action. For the given use case, the correct solution is to set the desired capacity to 10.
When we want to specify a range of instances, then we must use min and max values.
Incorrect options:
Configure your Auto Scaling group by creating a scheduled action that kicks-off at the designated hour on the last day
of the month. Set the min count as well as the max count of instances to 10. This causes the scale-out to happen
before peak traffic kicks in at the designated hour - As mentioned earlier in the explanation, min and max values are
used only when we want to specify a range of instances. Since the given use-case requires exactly 10 instances to be
available during the peak hour, we must set the desired capacity to 10. Hence this option is incorrect.
Configure your Auto Scaling group by creating a target tracking policy and setting the instance count to 10 at the
designated hour. This causes the scale-out to happen before peak traffic kicks in at the designated hour
Configure your Auto Scaling group by creating a simple tracking policy and setting the instance count to 10 at the
designated hour. This causes the scale-out to happen before peak traffic kicks in at the designated hour
Target tracking policy or simple tracking policy cannot be used to effect a scaling action at a certain designated hour.
Both these options have been added as distractors.
Reference:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/schedule_time.html
Question 10: Correct
An IT company has built a custom data warehousing solution for a retail organization by using Amazon Redshift. As
part of the cost optimizations, the company wants to move any historical data (any data older than a year) into S3, as
the daily analytical reports consume data for just the last one year. However the analysts want to retain the ability to
cross-reference this historical data along with the daily reports. The company wants to develop a solution with the
LEAST amount of effort and MINIMUM cost.
As a solutions architect, which option would you recommend to facilitate this use-case?

Use Redshift Spectrum to create Redshift cluster tables pointing to the underlying historical data in S3. The analytics
team can then query this historical data to cross-reference with the daily reports from Redshift

(Correct)

Setup access to the historical data via Athena. The analytics team can run historical data queries on Athena and continue
the daily reporting on Redshift. In case the reports need to be cross-referenced, the analytics team need to export these
in flat files and then do further analysis

Use Glue ETL job to load the S3 based historical data into Redshift. Once the ad-hoc queries are run for the historic data,
it can be removed from Redshift

Use the Redshift COPY command to load the S3 based historical data into Redshift. Once the ad-hoc queries are run for
the historic data, it can be removed from Redshift
Explanation
Correct option:
Use Redshift Spectrum to create Redshift cluster tables pointing to the underlying historical data in S3. The analytics
team can then query this historical data to cross-reference with the daily reports from Redshift
Amazon Redshift is a fully-managed petabyte-scale cloud-based data warehouse product designed for large scale data
set storage and analysis.
Using Amazon Redshift Spectrum, you can efficiently query and retrieve structured and semistructured data from files in
Amazon S3 without having to load the data into Amazon Redshift tables. Amazon Redshift Spectrum resides on
dedicated Amazon Redshift servers that are independent of your cluster. Redshift Spectrum pushes many compute-
intensive tasks, such as predicate filtering and aggregation, down to the Redshift Spectrum layer. Thus, Redshift
Spectrum queries use much less of your cluster's processing capacity than other queries.
Redshift Spectrum Overview (figure): via - https://aws.amazon.com/blogs/big-data/amazon-redshift-spectrum-extends-data-warehousing-out-to-exabytes-no-loading-required/
Incorrect options:
Setup access to the historical data via Athena. The analytics team can run historical data queries on Athena and
continue the daily reporting on Redshift. In case the reports need to be cross-referenced, the analytics team needs to
export these in flat files and then do further analysis - Amazon Athena is an interactive query service that makes it easy
to analyze data directly in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to set up or
manage, and customers pay only for the queries they run. You can use Athena to process logs, perform ad-hoc analysis,
and run interactive queries. Providing access to historical data via Athena would mean that historical data reconciliation
would become difficult as the daily report would still be produced via Redshift. Such a setup is cumbersome to maintain
on a day to day basis. Hence the option to use Athena is ruled out.
Use the Redshift COPY command to load the S3 based historical data into Redshift. Once the ad-hoc queries are run
for the historic data, it can be removed from Redshift
Use Glue ETL job to load the S3 based historical data into Redshift. Once the ad-hoc queries are run for the historic
data, it can be removed from Redshift
Loading historical data into Redshift via the COPY command or a Glue ETL job would be costly for a one-time ad-hoc
process. The same result can be achieved more cost-efficiently by using Redshift Spectrum. Therefore both these options
to load historical data into Redshift are also incorrect for the given use-case.
References:
https://docs.aws.amazon.com/redshift/latest/dg/c-using-spectrum.html#c-spectrum-overview
https://aws.amazon.com/blogs/big-data/
amazon-redshift-spectrum-extends-data-warehousing-out-to-exabytes-no-loading-required/
Question 11: Correct
A silicon valley based startup focused on the advertising technology (ad tech) space uses DynamoDB as a data store
for storing various kinds of marketing data, such as user profiles, user events, clicks, and visited links. Some of these
use-cases require a high request rate (millions of requests per second), low predictable latency, and reliability. The
startup now wants to add a caching layer to support high read volumes.
As a solutions architect, which of the following AWS services would you recommend as a caching layer for this use-
case? (Select two)

DynamoDB Accelerator (DAX)

(Correct)

ElastiCache

(Correct)

Elasticsearch

Redshift

RDS
Explanation
Correct options:
DynamoDB Accelerator (DAX) - Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory
cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at
millions of requests per second. DAX does all the heavy lifting required to add in-memory acceleration to your
DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management.
Therefore, this is a correct option.
DAX Overview (figure): via - https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.concepts.html
ElastiCache - Amazon ElastiCache for Memcached is an ideal front-end for data stores like Amazon RDS or Amazon
DynamoDB, providing a high-performance middle tier for applications with extremely high request rates and/or low
latency requirements. Therefore, this is also a correct option.
Incorrect options:
RDS - Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational
database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration
tasks such as hardware provisioning, database setup, patching, and backups. RDS cannot be used as a caching layer for
DynamoDB.
Elasticsearch - Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-
capable full-text search engine with an HTTP web interface and schema-free JSON documents. It cannot be used as a
caching layer for DynamoDB.
Redshift - Amazon Redshift is a fully-managed petabyte-scale cloud-based data warehouse product designed for large
scale data set storage and analysis. It cannot be used as a caching layer for DynamoDB.
References:
https://aws.amazon.com/dynamodb/dax/
https://aws.amazon.com/elasticache/faqs/
Question 12: Correct
A leading carmaker would like to build a new car-as-a-sensor service by leveraging fully serverless components that
are provisioned and managed automatically by AWS. The development team at the carmaker does not want an
option that requires the capacity to be manually provisioned, as it does not want to respond manually to changing
volumes of sensor data.
Given these constraints, which of the following solutions is the BEST fit to develop this car-as-a-sensor service?


Ingest the sensor data in a Kinesis Data Stream, which is polled by a Lambda function in batches and the data is written
into an auto-scaled DynamoDB table for downstream processing

Ingest the sensor data in an Amazon SQS standard queue, which is polled by a Lambda function in batches and the data
is written into an auto-scaled DynamoDB table for downstream processing

(Correct)

Ingest the sensor data in a Kinesis Data Stream, which is polled by an application running on an EC2 instance and the
data is written into an auto-scaled DynamoDB table for downstream processing

Ingest the sensor data in an Amazon SQS standard queue, which is polled by an application running on an EC2 instance
and the data is written into an auto-scaled DynamoDB table for downstream processing
Explanation
Correct option:
Ingest the sensor data in an Amazon SQS standard queue, which is polled by a Lambda function in batches and the
data is written into an auto-scaled DynamoDB table for downstream processing
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you
consume. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple
and scale microservices, distributed systems, and serverless applications. SQS offers two types of message queues.
Standard queues offer maximum throughput, best-effort ordering, and at-least-once delivery. SQS FIFO queues are
designed to guarantee that messages are processed exactly once, in the exact order that they are sent.
AWS manages all ongoing operations and underlying infrastructure needed to provide a highly available and scalable
message queuing service. With SQS, there is no upfront cost, no need to acquire, install, and configure messaging
software, and no time-consuming build-out and maintenance of supporting infrastructure. SQS queues are dynamically
created and scale automatically so you can build and grow applications quickly and efficiently. As there is no need to
manually provision the capacity, this is the correct option.
Incorrect options:
Ingest the sensor data in a Kinesis Data Stream, which is polled by a Lambda function in batches, and the data is
written into an auto-scaled DynamoDB table for downstream processing - Amazon Kinesis Data Streams (KDS) is a
massively scalable and durable real-time data streaming service. KDS can continuously capture gigabytes of data per
second from hundreds of thousands of sources such as website clickstreams, database event streams, financial
transactions, social media feeds, IT logs, and location-tracking events. However, the user is expected to manually
provision an appropriate number of shards to process the expected volume of the incoming data stream. The
throughput of an Amazon Kinesis data stream is designed to scale without limits by increasing the number of shards
within a data stream. Therefore Kinesis Data Streams is not the right fit for this use-case.
Ingest the sensor data in an Amazon SQS standard queue, which is polled by an application running on an EC2
instance and the data is written into an auto-scaled DynamoDB table for downstream processing
Ingest the sensor data in a Kinesis Data Stream, which is polled by an application running on an EC2 instance and the
data is written into an auto-scaled DynamoDB table for downstream processing
Using an application on an EC2 instance is ruled out as the carmaker wants to use fully serverless components. So both
these options are incorrect.
References:
https://aws.amazon.com/sqs/
https://docs.aws.amazon.com/lambda/latest/dg/with-kinesis.html
https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html
https://aws.amazon.com/kinesis/data-streams/faqs/
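The correct option above is a queue polled by a Lambda function in batches. The handler below is an added example, not code from the practice test or its author, of what that function has to get right: standard queues deliver at least once, so the DynamoDB write is made idempotent with a conditional put, and each message is validated before it is stored, with only the bad messages reported back to Lambda so the rest of the batch is not retried. The table class, message fields (reading_id, vehicle_id, speed_kph) and the sample event are constructed for offline use; the real function would use boto3's Table resource as noted in the comments.

```python
import json
from typing import Any, Dict, List, Optional


class InMemoryTable:
    """Constructed stand-in for the DynamoDB table so the handler runs offline.

    In the deployed function this is boto3.resource("dynamodb").Table(name) and
    put_item_if_absent becomes
        table.put_item(Item=item, ConditionExpression="attribute_not_exists(reading_id)")
    which raises ClientError with code ConditionalCheckFailedException on a
    duplicate (and needs Decimal rather than float for numbers).
    """

    def __init__(self) -> None:
        self.items: Dict[str, dict] = {}

    def put_item_if_absent(self, item: dict) -> bool:
        """Return True if stored, False if a reading with this id already existed."""
        if item["reading_id"] in self.items:
            return False
        self.items[item["reading_id"]] = item
        return True


TABLE = InMemoryTable()
REQUIRED = ("reading_id", "vehicle_id", "speed_kph")


def parse_reading(body: str) -> dict:
    """Validate one sensor message before anything is written.

    Raises ValueError for bad JSON, a missing field or an implausible speed, so
    malformed or hostile payloads never reach downstream processing.
    """
    data = json.loads(body)  # JSONDecodeError is a subclass of ValueError
    if not isinstance(data, dict):
        raise ValueError("message body must be a JSON object")
    missing = [f for f in REQUIRED if f not in data]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    speed = data["speed_kph"]
    if not isinstance(speed, (int, float)) or not 0 <= speed <= 400:
        raise ValueError("speed_kph out of range")
    return {k: data[k] for k in REQUIRED}


def handler(event: Dict[str, Any], context: Any = None,
            table: Optional[InMemoryTable] = None) -> Dict[str, List[dict]]:
    """Lambda entry point for an SQS event source mapping.

    Returns the documented partial-batch response: only the messageIds listed in
    batchItemFailures go back to the queue (the mapping must be created with
    FunctionResponseTypes=["ReportBatchItemFailures"]). Messages that keep
    failing reach the queue's dead-letter queue after maxReceiveCount instead
    of blocking the whole batch.
    """
    table = table if table is not None else TABLE
    failures: List[dict] = []
    for record in event.get("Records", []):
        try:
            reading = parse_reading(record["body"])
        except ValueError:
            failures.append({"itemIdentifier": record["messageId"]})
            continue
        # A redelivered message finds its reading already stored; that is not an error.
        table.put_item_if_absent(reading)
    return {"batchItemFailures": failures}


def _msg(message_id: str, body: Any) -> dict:
    return {"messageId": message_id, "body": body if isinstance(body, str) else json.dumps(body)}


# Constructed sample batch: one good reading, a redelivery of the same reading,
# and a truncated (invalid JSON) message.
SAMPLE_EVENT = {"Records": [
    _msg("msg-1", {"reading_id": "r-100", "vehicle_id": "car-7", "speed_kph": 52}),
    _msg("msg-2", {"reading_id": "r-100", "vehicle_id": "car-7", "speed_kph": 52}),
    _msg("msg-3", '{"vehicle_id": "car-7"'),
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, None, InMemoryTable()))
```

Because the write is conditional on the key, a retry of the whole batch (for example after a timeout) is also safe: the second delivery of msg-1 is simply absorbed, and only msg-3 is ever returned to the queue.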
Question 13: Correct
A social gaming startup has its flagship application hosted on a fleet of EC2 servers running behind an Elastic Load
Balancer. These servers are part of an Auto Scaling Group. 90% of the users start logging into the system at 6 pm
every day and continue till midnight. The engineering team at the startup has observed that there is a significant
performance lag during the initial hour from 6 pm to 7 pm. The application is able to function normally thereafter.
As a solutions architect, which of the following steps would you recommend to address the performance bottleneck
during that initial hour of traffic spike?

Configure your Auto Scaling group by creating a scheduled action that kicks-off before 6 pm. This causes the scale-out to
happen even before peak traffic kicks in at 6 pm

(Correct)

Configure your Auto Scaling group by creating a lifecycle hook that kicks-off before 6 pm. This causes the scale-out to
happen even before peak traffic kicks in at 6 pm

Configure your Auto Scaling group by creating a step scaling policy. This causes the scale-out to happen even before
peak traffic kicks in at 6 pm

Configure your Auto Scaling group by creating a target tracking policy. This causes the scale-out to happen even before
peak traffic kicks in at 6 pm
Explanation
Correct option:
Configure your Auto Scaling group by creating a scheduled action that kicks-off before 6 pm. This causes the scale-out
to happen even before peak traffic kicks in at 6 pm
The scheduled action tells the Amazon EC2 Auto Scaling group to perform a scaling action at specified times. To create a
scheduled scaling action, you specify the start time when the scaling action should take effect, and the new minimum,
maximum, and desired sizes for the scaling action. For the given use-case, the engineering team can create a daily
scheduled action to kick-off before 6 pm which would cause the scale-out to happen even before peak traffic kicks in at
6 pm. Hence this is the correct option.
Incorrect options:
Configure your Auto Scaling group by creating a lifecycle hook that kicks-off before 6 pm. This causes the scale-out to
happen even before peak traffic kicks in at 6 pm - Auto Scaling group lifecycle hooks enable you to perform custom
actions as the Auto Scaling group launches or terminates instances. For example, you could install or configure software
on newly launched instances, or download log files from an instance before it terminates. Therefore, lifecycle hooks
cannot cause a scale-out to happen at a specified time. Hence this option is incorrect.
Configure your Auto Scaling group by creating a target tracking policy. This causes the scale-out to happen even
before peak traffic kicks in at 6 pm - With target tracking scaling policies, you choose a scaling metric and set a target
value. Application Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy and calculates
the scaling adjustment based on the metric and the target value. Target tracking policy cannot cause a scale-out to
happen at a specified time. Hence this option is incorrect.
Configure your Auto Scaling group by creating a step scaling policy. This causes the scale-out to happen even before
peak traffic kicks in at 6 pm - With step scaling, you choose scaling metrics and threshold values for the CloudWatch
alarms that trigger the scaling process as well as define how your scalable target should be scaled when a threshold is in
breach for a specified number of evaluation periods. Step scaling policy cannot cause a scale-out to happen at a
specified time. Hence this option is incorrect.
In addition, both the target tracking as well as step scaling policies entail a lag wherein the instances will be provisioned
only when the underlying CloudWatch alarms go off. Therefore we would still see performance lag during some part of
the initial hour.
References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/schedule_time.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-target-tracking.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-simple-step.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html
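Questions 9 and 13 both turn on what a scheduled action actually does to a group's MinSize, MaxSize and DesiredCapacity. The model below is an added example, not code from the practice test or its author: it applies a scheduled action to a group the way the explanation describes (sizes the action does not set are unchanged, and the desired capacity is adjusted into the new min/max range), then runs Question 9's correct option and its min/max distractor side by side, followed by a later scale-in back to the normal two instances. The group sizes come from Question 9; the start time and the cron recurrence for the daily pre-6 pm action are assumed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GroupSize:
    """The three sizes of an EC2 Auto Scaling group (MinSize, MaxSize, DesiredCapacity)."""
    min_size: int
    max_size: int
    desired_capacity: int


@dataclass(frozen=True)
class ScheduledAction:
    """A scheduled action can set one, two or all three sizes.

    `when` holds either a one-time StartTime or a cron Recurrence, the two forms
    put-scheduled-update-group-action accepts; the values used below are assumed.
    """
    name: str
    when: str
    min_size: Optional[int] = None
    max_size: Optional[int] = None
    desired_capacity: Optional[int] = None


def apply_scheduled_action(group: GroupSize, action: ScheduledAction) -> GroupSize:
    """Sizes the action leaves unset keep their current value; the desired
    capacity is then clamped into [min, max], which is how the service adjusts
    it when a scheduled action moves the bounds past the current desired value."""
    new_min = group.min_size if action.min_size is None else action.min_size
    new_max = group.max_size if action.max_size is None else action.max_size
    if new_min > new_max:
        raise ValueError(f"{action.name}: MinSize {new_min} exceeds MaxSize {new_max}")
    desired = group.desired_capacity if action.desired_capacity is None else action.desired_capacity
    desired = max(new_min, min(new_max, desired))
    return GroupSize(new_min, new_max, desired)


def dynamic_scale_in(group: GroupSize, wanted: int) -> GroupSize:
    """A later scale-in (a dynamic policy, or a second scheduled action that sets
    only DesiredCapacity) can never take the group below its MinSize."""
    return GroupSize(group.min_size, group.max_size, max(group.min_size, wanted))


# Group from Question 9: 2 instances normally, 10 needed during the peak hour.
BASELINE = GroupSize(min_size=2, max_size=10, desired_capacity=2)

# Question 9, correct option: a one-time action that sets only DesiredCapacity.
PEAK_DESIRED_ONLY = ScheduledAction("q9-peak", "2024-01-31T17:00:00Z", desired_capacity=10)
# Question 9, distractor: pin MinSize and MaxSize to 10.
PEAK_PINNED = ScheduledAction("q9-pinned", "2024-01-31T17:00:00Z", min_size=10, max_size=10)
# Question 13: a daily recurrence that fires before the 6 pm spike
# (17:45 in the group's configured time zone, an assumed value).
DAILY_BEFORE_6PM = ScheduledAction("q13-daily", "45 17 * * *", desired_capacity=10)


def compare_peak_strategies(group: GroupSize = BASELINE) -> dict:
    """Run both Question 9 options through the model, then a scale-in back to
    the normal 2 instances, to show what each option leaves behind."""
    desired_only = apply_scheduled_action(group, PEAK_DESIRED_ONLY)
    pinned = apply_scheduled_action(group, PEAK_PINNED)
    return {
        "desired_only_at_peak": desired_only,
        "desired_only_after_scale_in": dynamic_scale_in(desired_only, 2),
        "pinned_at_peak": pinned,
        "pinned_after_scale_in": dynamic_scale_in(pinned, 2),
    }


if __name__ == "__main__":
    for label, size in compare_peak_strategies().items():
        print(f"{label:28s} {size}")
```

The output makes the difference concrete: with the desired-only action the group reaches 10 at peak and can return to 2 afterwards, whereas pinning min and max to 10 also reaches 10 but then cannot scale in until another action moves the bounds again, which is why the explanation reserves min and max for specifying a range.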
Question 14: Correct
A social photo-sharing company uses Amazon S3 to store the images uploaded by the users. These images are kept
encrypted in S3 by using AWS-KMS and the company manages its own Customer Master Key (CMK) for encryption. A
member of the DevOps team accidentally deleted the CMK a day ago, thereby rendering the users' photo data
unrecoverable. You have been contacted by the company to consult them on possible solutions to this crisis.
As a solutions architect, which of the following steps would you recommend to solve this issue?

As the CMK was deleted a day ago, it must be in the 'pending deletion' status and hence you can just cancel the CMK
deletion and recover the key

(Correct)

The CMK can be recovered by the AWS root account user

The company should issue a notification on its web application informing the users about the loss of their data

Contact AWS support to retrieve the CMK from their backup


Explanation
Correct option:
As the CMK was deleted a day ago, it must be in the 'pending deletion' status and hence you can just cancel the CMK
deletion and recover the key
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their
use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses
hardware security modules that have been validated under FIPS 140-2.
Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially
dangerous. Therefore, AWS KMS enforces a waiting period. To delete a CMK in AWS KMS you schedule key deletion. You
can set the waiting period from a minimum of 7 days up to a maximum of 30 days. The default waiting period is 30 days.
During the waiting period, the CMK status and key state is Pending deletion. To recover the CMK, you can cancel key
deletion before the waiting period ends. After the waiting period ends you cannot cancel key deletion, and AWS KMS
deletes the CMK.
How Deleting Customer Master Keys Works (figure): via - https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
Incorrect options:
Contact AWS support to retrieve the CMK from their backup
The CMK can be recovered by the AWS root account user
The AWS root account user cannot recover the CMK and AWS support does not have access to the CMK via any backups.
Both these options just serve as distractors.
The company should issue a notification on its web application informing the users about the loss of their data - This
option is not required as the data can be recovered via the cancel key deletion feature.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
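The recovery in Question 14 hinges on the waiting period described above: a key scheduled for deletion is in PendingDeletion until its DeletionDate, and only until then can the deletion be cancelled. The code below is an added example, not code from the practice test or its author, that models that lifecycle locally so the reasoning can be checked against dates: it validates the 7 to 30 day window, records the DeletionDate the way KeyMetadata reports it, and tells a responder whether cancel-key-deletion is still an option. The key id, timestamps and the KeyMetadata-shaped dictionary are constructed placeholders; against a real account the same decision uses kms.describe_key, kms.cancel_key_deletion and kms.enable_key from boto3.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

# KMS accepts a waiting period of 7 to 30 days; 30 is the default.
MIN_WINDOW_DAYS, MAX_WINDOW_DAYS, DEFAULT_WINDOW_DAYS = 7, 30, 30


def schedule_key_deletion(key: Dict[str, Any], now: datetime,
                          pending_window_in_days: int = DEFAULT_WINDOW_DAYS) -> Dict[str, Any]:
    """Local model of ScheduleKeyDeletion: validate the window and move the key
    to PendingDeletion with the DeletionDate that KeyMetadata would report."""
    if not MIN_WINDOW_DAYS <= pending_window_in_days <= MAX_WINDOW_DAYS:
        raise ValueError("PendingWindowInDays must be between 7 and 30")
    if key["KeyState"] == "PendingDeletion":
        raise ValueError("key deletion is already scheduled")
    return {**key, "KeyState": "PendingDeletion",
            "DeletionDate": now + timedelta(days=pending_window_in_days)}


def cancel_key_deletion(key: Dict[str, Any], now: datetime) -> Dict[str, Any]:
    """Local model of CancelKeyDeletion: only valid while the waiting period runs.
    The recovered key comes back Disabled and must be enabled before use."""
    if key["KeyState"] != "PendingDeletion" or now >= key["DeletionDate"]:
        raise RuntimeError("key is not in a cancellable pending-deletion state")
    recovered = {k: v for k, v in key.items() if k != "DeletionDate"}
    recovered["KeyState"] = "Disabled"
    return recovered


def recovery_advice(key: Dict[str, Any], now: datetime) -> str:
    """What a responder can still do with a key in the state Question 14 describes."""
    if key["KeyState"] == "PendingDeletion" and now < key["DeletionDate"]:
        days_left = (key["DeletionDate"] - now).days
        return f"cancel-key-deletion, then enable-key; {days_left} days of the waiting period remain"
    if key["KeyState"] == "PendingDeletion":
        return "waiting period elapsed; the key is gone and data encrypted under it is unrecoverable"
    return f"key is {key['KeyState']}; there is no deletion to cancel"


# Constructed scenario: deletion scheduled one day ago with the default window.
# The key id is a placeholder, not a real key.
NOW = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_KEY = schedule_key_deletion(
    {"KeyId": "00000000-0000-0000-0000-000000000000", "KeyState": "Enabled"},
    now=NOW - timedelta(days=1))
AFTER_WINDOW = NOW + timedelta(days=31)

if __name__ == "__main__":
    print(recovery_advice(SAMPLE_KEY, NOW))
    print(cancel_key_deletion(SAMPLE_KEY, NOW)["KeyState"])
    print(recovery_advice(SAMPLE_KEY, AFTER_WINDOW))
```

Two operational points follow from the model: the minimum window of 7 days means a key deleted "a day ago" is always still pending, and a cancelled key is Disabled rather than Enabled, so the photo service stays broken until enable-key is also run.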
Question 15: Correct
An e-commerce company wants to explore a hybrid cloud environment with AWS so that it can start leveraging AWS
services for some of its data analytics workflows. The engineering team at the e-commerce company wants to
establish a dedicated, encrypted, low latency, and high throughput connection between its data center and AWS
Cloud. The engineering team has set aside sufficient time to account for the operational overhead of establishing this
connection.
As a solutions architect, which of the following solutions would you recommend to the company?

Use AWS Direct Connect plus VPN to establish a connection between the data center and AWS Cloud

(Correct)

Use AWS Direct Connect to establish a connection between the data center and AWS Cloud

Use site-to-site VPN to establish a connection between the data center and AWS Cloud

Use VPC transit gateway to establish a connection between the data center and AWS Cloud
Explanation
Correct option:
Use AWS Direct Connect plus VPN to establish a connection between the data center and AWS Cloud
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your
premises to AWS. AWS Direct Connect lets you establish a dedicated network connection between your network and
one of the AWS Direct Connect locations.
With AWS Direct Connect plus VPN, you can combine one or more AWS Direct Connect dedicated network connections
with the Amazon VPC VPN. This combination provides an IPsec-encrypted private connection that also reduces network
costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN
connections. This solution combines the AWS managed benefits of the VPN solution with low latency, increased
bandwidth, more consistent benefits of the AWS Direct Connect solution, and an end-to-end, secure IPsec connection.
Therefore, AWS Direct Connect plus VPN is the correct solution for this use-case.
AWS Direct Connect Plus VPN (figure): via - https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-vpn.html
Incorrect options:
Use site-to-site VPN to establish a connection between the data center and AWS Cloud - AWS Site-to-Site VPN enables
you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon
VPC). A VPC VPN Connection utilizes IPSec to establish encrypted network connectivity between your intranet and
Amazon VPC over the Internet. VPN Connections are a good solution if you have an immediate need, have low to
modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity. However,
Site-to-site VPN cannot provide a low latency and high throughput connection, therefore this option is ruled out.
Use VPC transit gateway to establish a connection between the data center and AWS Cloud - A transit gateway is a
network transit hub that you can use to interconnect your virtual private clouds (VPC) and on-premises networks. A
transit gateway by itself cannot establish a low latency and high throughput connection between a data center and AWS
Cloud. Hence this option is incorrect.
Use AWS Direct Connect to establish a connection between the data center and AWS Cloud - AWS Direct Connect by
itself cannot provide an encrypted connection between a data center and AWS Cloud, so this option is ruled out.
References:
https://aws.amazon.com/directconnect/
https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-plus-vpn-network-
to-amazon.html
Question 16: Correct
An IT Company wants to move all the compute components of its AWS Cloud infrastructure into serverless
architecture. Their development stack comprises a mix of backend programming languages and the company would
like to explore the support offered by the AWS Lambda runtime for their programming languages stack.
Can you identify the programming languages supported by the Lambda runtime? (Select two)


C

PHP

C#/.NET

(Correct)

Go

(Correct)

Explanation
Correct options:
C#/.NET
Go
A runtime is a version of a programming language or framework that you can use to write Lambda functions. AWS
Lambda supports runtimes for the following languages:
C#/.NET
Go
Java
Node.js
Python
Ruby
AWS Lambda runtimes (figure): via - https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
Incorrect options:
C
PHP
R
Given the list of supported runtimes above, these three options are incorrect.
Reference:
https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
Question 17: Correct
The engineering team at a leading online real estate marketplace uses Amazon MySQL RDS because it simplifies much
of the time-consuming administrative tasks typically associated with databases. The team uses Multi-Availability Zone
(Multi-AZ) deployment to further automate its database replication and augment data durability and also deploys
read replicas. A new DevOps engineer has joined the team and wants to understand the replication capabilities for
Multi-AZ as well as Read-replicas.
Which of the following correctly summarizes these capabilities for the given database?

Multi-AZ follows asynchronous replication and spans at least two Availability Zones within a single region. Read replicas
follow synchronous replication and can be within an Availability Zone, Cross-AZ, or Cross-Region

Multi-AZ follows asynchronous replication and spans one Availability Zone within a single region. Read replicas follow
synchronous replication and can be within an Availability Zone, Cross-AZ, or Cross-Region

Multi-AZ follows synchronous replication and spans at least two Availability Zones within a single region. Read replicas
follow asynchronous replication and can be within an Availability Zone, Cross-AZ, or Cross-Region

(Correct)

Multi-AZ follows asynchronous replication and spans at least two Availability Zones within a single region. Read replicas
follow asynchronous replication and can be within an Availability Zone, Cross-AZ, or Cross-Region
Explanation
Correct option:
Multi-AZ follows synchronous replication and spans at least two Availability Zones within a single region. Read
replicas follow asynchronous replication and can be within an Availability Zone, Cross-AZ, or Cross-Region
Amazon RDS Multi-AZ deployments provide enhanced availability and durability for RDS database (DB) instances, making
them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS
automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different
Availability Zone (AZ). Multi-AZ spans at least two Availability Zones within a single region.
Amazon RDS Read Replicas provide enhanced performance and durability for RDS database (DB) instances. They make it
easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.
For the MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server database engines, Amazon RDS creates a second DB
instance using a snapshot of the source DB instance. It then uses the engines' native asynchronous replication to update
the read replica whenever there is a change to the source DB instance.
Amazon RDS replicates all databases in the source DB instance. Read replicas can be within an Availability Zone, Cross-
AZ, or Cross-Region.
Exam Alert:
Please review this comparison vis-a-vis Multi-AZ vs Read Replica for RDS (figure): via - https://aws.amazon.com/rds/features/multi-az/
Incorrect Options:
Multi-AZ follows asynchronous replication and spans one Availability Zone within a single region. Read replicas follow
synchronous replication and can be within an Availability Zone, Cross-AZ, or Cross-Region
Multi-AZ follows asynchronous replication and spans at least two Availability Zones within a single region. Read
replicas follow synchronous replication and can be within an Availability Zone, Cross-AZ, or Cross-Region
Multi-AZ follows asynchronous replication and spans at least two Availability Zones within a single region. Read
replicas follow asynchronous replication and can be within an Availability Zone, Cross-AZ, or Cross-Region
These three options contradict the earlier details provided in the explanation. To summarize, Multi-AZ follows
synchronous replication for RDS. Hence these options are incorrect.
References:
https://aws.amazon.com/rds/features/multi-az/
https://aws.amazon.com/rds/features/read-replicas/
Question 18: Correct
A US-based healthcare startup is building an interactive diagnostic tool for COVID-19 related assessments. The users
would be required to capture their personal health records via this tool. As this is sensitive health information, the
backup of the user data must be kept encrypted in S3. The startup does not want to provide its own encryption keys
but still wants to maintain an audit trail of when an encryption key was used and by whom.
Which of the following is the BEST solution for this use-case?

Use SSE-S3 to encrypt the user data on S3

Use SSE-KMS to encrypt the user data on S3

(Correct)

Use SSE-C to encrypt the user data on S3

Use client-side encryption with client provided keys and then upload the encrypted user data to S3
Explanation
Correct option:
Use SSE-KMS to encrypt the user data on S3
AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to
provide a key management system scaled for the cloud. When you use server-side encryption with AWS KMS (SSE-KMS),
you can specify a customer-managed CMK that you have already created. SSE-KMS provides you with an audit trail that
shows when your CMK was used and by whom. Therefore SSE-KMS is the correct solution for this use-case.
Server Side Encryption in S3 (figure): via - https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
Incorrect options:
Use SSE-S3 to encrypt the user data on S3 - When you use Server-Side Encryption with Amazon S3-Managed Keys
(SSE-S3), each object is encrypted with a unique key. However this option does not provide an audit trail of when the
encryption keys were used and by whom.
Use SSE-C to encrypt the user data on S3 - With Server-Side Encryption with Customer-Provided Keys (SSE-C), you
manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption when you
access your objects. However this option does not provide an audit trail of when the encryption keys were used and by whom.
Use client-side encryption with client provided keys and then upload the encrypted user data to S3 - Using client-side
encryption is ruled out as the startup does not want to provide the encryption keys.
References:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
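Choosing SSE-KMS is only half of the answer in practice: the bucket has to refuse uploads that do not use it, and someone has to read the audit trail the explanation promises. The code below is an added example, not code from the practice test or its author, showing both halves: a bucket policy built from S3's documented condition keys that denies PutObject unless the request asks for SSE-KMS with the expected key, and a small reducer over CloudTrail records that answers "who used this CMK, for which object, when". The bucket name, account id, key ARN, principals and the CloudTrail records are constructed placeholders; the record fields follow the CloudTrail record format, in which S3 calls GenerateDataKey on the key when it stores an SSE-KMS object and Decrypt when it serves one, with the object ARN in the encryption context.

```python
import json
from typing import Dict, List


def enforce_sse_kms_policy(bucket: str, key_arn: str) -> dict:
    """Bucket policy that rejects PutObject unless the request asks for SSE-KMS
    with the expected key. The Null statement catches uploads that omit the
    encryption header entirely; the other two catch SSE-S3/SSE-C and other keys."""
    objects = f"arn:aws:s3:::{bucket}/*"

    def deny(sid: str, condition: dict) -> dict:
        return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects, "Condition": condition}

    return {"Version": "2012-10-17", "Statement": [
        deny("DenyUnencryptedUploads", {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        deny("DenyNonKmsUploads", {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        deny("DenyOtherKeys", {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}),
    ]}


def kms_key_usage(events: List[dict], key_arn: str) -> List[Dict[str, str]]:
    """Reduce CloudTrail records to who used this CMK, for which S3 object, and when.
    Events from other services or for other keys are dropped."""
    rows: List[Dict[str, str]] = []
    for e in events:
        if e.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in e.get("resources", [])):
            continue
        ctx = e.get("requestParameters", {}).get("encryptionContext", {})
        rows.append({"time": e["eventTime"], "principal": e["userIdentity"]["arn"],
                     "operation": e["eventName"], "object": ctx.get("aws:s3:arn", "")})
    return rows


# Constructed placeholders for the example; not real resources.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"
OBJECT = "arn:aws:s3:::phr-backups/user-42.json"
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-02T10:00:01Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-writer"},
     "requestParameters": {"keyId": KEY_ARN, "encryptionContext": {"aws:s3:arn": OBJECT}},
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-03-02T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {}, "resources": []},
    {"eventTime": "2024-03-02T10:05:01Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": OBJECT}},
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-03-02T11:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/other"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::unrelated/obj"}},
     "resources": [{"ARN": OTHER_KEY, "type": "AWS::KMS::Key"}]},
]

if __name__ == "__main__":
    print(json.dumps(enforce_sse_kms_policy("phr-backups", KEY_ARN), indent=2))
    for row in kms_key_usage(SAMPLE_EVENTS, KEY_ARN):
        print(row)
```

The reducer is the part SSE-S3 and SSE-C cannot give you: their key operations never appear as KMS events in CloudTrail. Setting the bucket's default encryption to SSE-KMS with the same key is a complementary control to the policy, since it covers clients that send no encryption header at all.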
Question 19: Correct
One of the biggest football leagues in Europe has granted the distribution rights for live streaming its matches in the
US to a silicon valley based streaming services company. As per the terms of distribution, the company must make
sure that only users from the US are able to live stream the matches on their platform. Users from other countries in
the world must be denied access to these live-streamed matches.
Which of the following options would allow the company to enforce these streaming restrictions? (Select two)

Use Route 53 based failover routing policy to restrict distribution of content to only the locations in which you have
distribution rights

Use Route 53 based weighted routing policy to restrict distribution of content to only the locations in which you have
distribution rights

Use Route 53 based latency routing policy to restrict distribution of content to only the locations in which you have
distribution rights

Use Route 53 based geolocation routing policy to restrict distribution of content to only the locations in which you have
distribution rights

(Correct)

Use georestriction to prevent users in specific geographic locations from accessing content that you're distributing
through a CloudFront web distribution

(Correct)

Explanation
Correct options:
Use Route 53 based geolocation routing policy to restrict distribution of content to only the locations in which you
have distribution rights
Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users,
meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be
routed to an ELB load balancer in the Frankfurt region. You can also use geolocation routing to restrict the distribution of
content to only the locations in which you have distribution rights. Note that this is a DNS-level control: Route 53 decides
from where the DNS query appears to come (the resolver, or the EDNS client subnet if the resolver sends it), and you should
create a default record for locations that match no other record.
Use georestriction to prevent users in specific geographic locations from accessing content that you're distributing
through a CloudFront web distribution
You can use georestriction, also known as geo-blocking, to prevent users in specific geographic locations from accessing
content that you're distributing through a CloudFront web distribution. When a user requests your content, CloudFront
typically serves the requested content regardless of where the user is located. If you need to prevent users in specific
countries from accessing your content, you can use the CloudFront geo restriction feature to do one of the following:
Allow your users to access your content only if they're in one of the countries on a whitelist of approved countries.
Prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries.
CloudFront determines the country from the viewer's IP address and returns an HTTP 403 to blocked viewers. So this
option is also correct.
Route 53 Routing Policy Overview: via - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html
Incorrect options:
Use Route 53 based latency routing policy to restrict distribution of content to only the locations in which you have
distribution rights - Use latency based routing when you have resources in multiple AWS Regions and you want to route
traffic to the region that provides the lowest latency. To use latency-based routing, you create latency records for your
resources in multiple AWS Regions. When Route 53 receives a DNS query for your domain or subdomain (example.com
or acme.example.com), it determines which AWS Regions you've created latency records for, determines which region
gives the user the lowest latency, and then selects a latency record for that region. Route 53 responds with the value
from the selected record, such as the IP address for a web server.
Use Route 53 based weighted routing policy to restrict distribution of content to only the locations in which you have
distribution rights - Weighted routing lets you associate multiple resources with a single domain name (example.com) or
subdomain name (acme.example.com) and choose how much traffic is routed to each resource. This can be useful for a
variety of purposes, including load balancing and testing new versions of the software.
Use Route 53 based failover routing policy to restrict distribution of content to only the locations in which you have
distribution rights - Failover routing lets you route traffic to a resource when the resource is healthy or to a different
resource when the first resource is unhealthy. The primary and secondary records can route traffic to anything from an
Amazon S3 bucket that is configured as a website to a complex tree of records.
Weighted routing or failover routing or latency routing cannot be used to restrict the distribution of content to only the
locations in which you have distribution rights. So all three options above are incorrect.
References:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-geo
Question 20: Correct
The solo founder at a tech startup has just created a brand new AWS account. The founder has provisioned an EC2
instance 1A which is running in region A. Later, he takes a snapshot of the instance 1A and then creates a new AMI in
region A from this snapshot. This AMI is then copied into another region B. The founder provisions an instance 1B in
region B using this new AMI in region B.
At this point in time, what entities exist in region B?

1 EC2 instance and 1 AMI exist in region B

1 EC2 instance and 2 AMIs exist in region B

1 EC2 instance, 1 AMI and 1 snapshot exist in region B

(Correct)

1 EC2 instance and 1 snapshot exist in region B


Explanation
Correct option:
1 EC2 instance, 1 AMI and 1 snapshot exist in region B
An Amazon Machine Image (AMI) provides the information required to launch an instance. You must specify an AMI
when you launch an instance. When the new (EBS-backed) AMI is copied from region A into region B, AWS also copies the
underlying EBS snapshot into region B, because an EBS-backed AMI is metadata that points at one or more snapshots.
Further, an instance is created from this AMI in region B. Hence, we have 1 EC2 instance, 1 AMI and 1 snapshot in region B.
AMI Overview: via - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
Incorrect options:
1 EC2 instance and 1 AMI exist in region B
1 EC2 instance and 2 AMIs exist in region B
1 EC2 instance and 1 snapshot exist in region B
As mentioned earlier in the explanation, when the new AMI is copied from region A into region B, it also creates a
snapshot in region B because AMIs are based on the underlying snapshots. In addition, an instance is created from this
AMI in region B. So, we have 1 EC2 instance, 1 AMI and 1 snapshot in region B. Hence all three options are incorrect.
Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
Question 21: Correct
A file hosting startup offers cloud storage and file synchronization services to its end users. The file-hosting service
uses Amazon S3 under the hood to power its storage offerings. Currently all the customer files are uploaded directly
under a single S3 bucket. The engineering team has started seeing scalability issues where customer file uploads have
started failing during the peak access hours in the evening with more than 5000 requests per second.
Which of the following is the MOST resource efficient and cost-optimal way of addressing this issue?

Change the application architecture to use EFS instead of Amazon S3 for storing the customers' uploaded files

Change the application architecture to create customer-specific custom prefixes within the single bucket and then
upload the daily files into those prefixed locations

(Correct)

Change the application architecture to create a new S3 bucket for each customer and then upload each customer's files
directly under the respective buckets

Change the application architecture to create a new S3 bucket for each day's data and then upload the daily files directly
under that day's bucket
Explanation
Correct option:
Change the application architecture to create customer-specific custom prefixes within the single bucket and then
upload the daily files into those prefixed locations
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data
availability, security, and performance. Your applications can easily achieve thousands of transactions per second in
request performance when uploading and retrieving data from Amazon S3. Amazon S3 automatically scales to high
request rates. For example, your application can achieve at least 3,500 PUT/COPY/POST/DELETE or 5,500 GET/HEAD
requests per second per prefix in a bucket.
There are no limits to the number of prefixes in a bucket. You can increase your read or write performance by
parallelizing requests across prefixes. For example, if you create 10 prefixes in an Amazon S3 bucket to parallelize reads,
you could scale your read performance to 55,000 read requests per second. To be clear about what a prefix is: if you
have a file f1 stored at the S3 object path s3://your_bucket_name/folder1/sub_folder_1/f1, then folder1/sub_folder_1/ is
the prefix of f1.

Some data lake applications on Amazon S3 scan millions or billions of objects for queries that run over petabytes of data.
These data lake applications achieve single-instance transfer rates that maximize the network interface used for their
Amazon EC2 instance, which can be up to 100 Gb/s on a single instance. These applications then aggregate throughput
across multiple instances to get multiple terabits per second. Therefore creating customer-specific custom prefixes
within the single bucket and then uploading the daily files into those prefixed locations is the BEST solution for the given
constraints.
Optimizing Amazon S3 Performance: via - https://docs.aws.amazon.com/AmazonS3/latest/dev/optimizing-performance.html
Incorrect options:
Change the application architecture to create a new S3 bucket for each customer and then upload each customer's
files directly under the respective buckets - Creating a new S3 bucket for each new customer is an inefficient way of
handling resource availability: S3 bucket names need to be globally unique and the number of buckets per account is a
service quota, so some customers may use the service sparingly while a bucket name stays reserved for them forever.
Moreover, this is really not required as we can use S3 prefixes to improve the performance.
Change the application architecture to create a new S3 bucket for each day's data and then upload the daily files
directly under that day's bucket - Creating a new S3 bucket for each new day's data is also an inefficient way of handling
resource availability (S3 buckets need to be globally unique) as some of the bucket names may not be available for daily
data processing. Moreover, this is really not required as we can use S3 prefixes to improve the performance.
Change the application architecture to use EFS instead of Amazon S3 for storing the customers' uploaded files - EFS is
a costlier storage option compared to S3, so it is ruled out.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/dev/optimizing-performance.html
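To make the per-prefix guidance concrete, here is an added example (not code from the practice test or from AWS) that measures the peak PUT rate per prefix for the two key layouts the question contrasts: everything at the bucket root versus customer-specific prefixes. The upload events are constructed in code rather than read from real S3 server access logs; the only number taken from the AWS guidance is the 3,500 write requests per second per prefix.

```python
"""Peak write rate per S3 prefix for a flat layout vs customer prefixes (added example)."""
from collections import Counter

PUT_LIMIT_PER_PREFIX = 3500  # documented PUT/COPY/POST/DELETE requests per second per prefix


def prefix_of(key):
    """Everything up to and including the last '/', or '' for keys at the bucket root."""
    return key[:key.rfind("/") + 1] if "/" in key else ""


def peak_puts_per_prefix(events):
    """events: iterable of (epoch_second, object_key) for PUT requests.

    Returns {prefix: highest number of PUTs seen in any single second}.
    """
    per_second = Counter((prefix_of(key), sec) for sec, key in events)
    peak = {}
    for (prefix, _sec), count in per_second.items():
        peak[prefix] = max(peak.get(prefix, 0), count)
    return peak


def over_limit(peak):
    """Prefixes whose peak exceeds the documented per-prefix write rate."""
    return {p: n for p, n in peak.items() if n > PUT_LIMIT_PER_PREFIX}


def flat_layout(customer, filename):
    # Every object directly under the bucket root: a single prefix for all customers.
    return f"{customer}-{filename}"


def customer_layout(customer, filename, day="2024-05-01"):
    # Customer-specific prefix, with the day's uploads beneath it.
    return f"{customer}/{day}/{filename}"


def simulated_peak_hour(layout, customers=10, uploads_each=600, second=1_714_600_000):
    """Constructed worst case: every customer pushes all of its uploads in the same second."""
    return [(second, layout(f"cust{c:03d}", f"file{i}.bin"))
            for c in range(customers) for i in range(uploads_each)]


if __name__ == "__main__":
    for name, layout in [("flat", flat_layout), ("per-customer", customer_layout)]:
        peak = peak_puts_per_prefix(simulated_peak_hour(layout))
        print(f"{name:13} hottest prefix: {max(peak.values())} PUT/s; over limit: {over_limit(peak)}")
```

Two practical notes: S3 needs time to split a hot key range, so a client that sees 503 Slow Down responses should retry with exponential backoff rather than assume the new layout failed, and a single very large customer can still exceed the limit on its own prefix, in which case fan out further (by day or by a hash of the file name) below the customer prefix.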
Question 22: Correct
The engineering team at an e-commerce company wants to set up a custom domain for internal usage such as
internaldomainexample.com. The team wants to use the private hosted zones feature of Route 53 to accomplish this.
Which of the following settings of the VPC need to be enabled? (Select two)

enableVpcHostnames

enableDnsSupport

(Correct)

enableDnsHostnames

(Correct)

enableVpcSupport

enableDnsDomain
Explanation
Correct options:
enableDnsHostnames
enableDnsSupport
A private hosted zone is a container for records for a domain that you host in one or more Amazon virtual private clouds
(VPCs). You create a hosted zone for a domain (such as example.com), and then you create records to tell Amazon Route
53 how you want traffic to be routed for that domain within and among your VPCs.
For each VPC that you want to associate with the Route 53 hosted zone, change the following VPC settings to true:
enableDnsHostnames
enableDnsSupport
Incorrect options:
enableVpcSupport
enableVpcHostnames
enableDnsDomain
The options enableVpcSupport, enableVpcHostnames and enableDnsDomain have been added as distractors.
Reference:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html
Question 23: Correct
A chip design startup is running an Electronic Design Automation (EDA) application, which is a high-performance
workflow used to simulate performance and failures during the design phase of silicon chip production. The
application produces massive volumes of data that can be divided into two categories. The 'hot data' needs to be
both processed and stored quickly in a parallel and distributed fashion. The 'cold data' needs to be kept for reference
with quick access for reads and updates at a low cost.
Which of the following AWS services is BEST suited to accelerate the aforementioned chip design process?

Amazon EMR

Amazon FSx for Lustre

(Correct)

AWS Glue

Amazon FSx for Windows File Server


Explanation
Correct option:
Amazon FSx for Lustre
Amazon FSx for Lustre makes it easy and cost-effective to launch and run the world’s most popular high-performance
file system. It is used for workloads such as machine learning, high-performance computing (HPC), video processing, and
financial modeling. The open-source Lustre file system is designed for applications that require fast storage – where you
want your storage to keep up with your compute. FSx for Lustre integrates with Amazon S3, making it easy to process
data sets with the Lustre file system. When linked to an S3 bucket, an FSx for Lustre file system transparently presents
S3 objects as files and allows you to write changed data back to S3.
FSx for Lustre provides the ability to both process the 'hot data' in a parallel and distributed fashion as well as easily
store the 'cold data' on Amazon S3. Therefore this option is the BEST fit for the given problem statement.
Incorrect options:
Amazon FSx for Windows File Server - Amazon FSx for Windows File Server provides fully managed, highly reliable file
storage that is accessible over the industry-standard Server Message Block (SMB) protocol. It is built on Windows
Server, delivering a wide range of administrative features such as user quotas, end-user file restore, and Microsoft
Active Directory (AD) integration. FSx for Windows does not allow you to present S3 objects as files and does not allow
you to write changed data back to S3. Therefore you cannot reference the "cold data" with quick access for reads and
updates at low cost. Hence this option is not correct.
Amazon EMR - Amazon EMR is the industry-leading cloud big data platform for processing vast amounts of data using
open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto. Amazon
EMR uses Hadoop, an open-source framework, to distribute your data and processing across a resizable cluster of
Amazon EC2 instances. EMR does not offer the same storage and processing speed as FSx for Lustre. So it is not the right
fit for the given high-performance workflow scenario.
AWS Glue - AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to
prepare and load their data for analytics. AWS Glue job is meant to be used for batch ETL data processing. AWS Glue
does not offer the same storage and processing speed as FSx for Lustre. So it is not the right fit for the given high-
performance workflow scenario.
References:
https://aws.amazon.com/fsx/lustre/
https://aws.amazon.com/fsx/windows/faqs/
Question 24: Correct
An IT company wants to review its security best-practices after an incident was reported where a new developer on
the team was assigned full access to DynamoDB. The developer accidentally deleted a couple of tables from the
production environment while building out a new feature.
Which is the MOST effective way to address this issue so that such incidents do not recur?

The CTO should review the permissions for each new developer's IAM user so that such incidents don't recur

Use permissions boundary to control the maximum permissions employees can grant to the IAM principals

(Correct)

Remove full database access for all IAM users in the organization

Only root user should have full database access in the organization
Explanation
Correct option:
Use permissions boundary to control the maximum permissions employees can grant to the IAM principals
A permissions boundary can be used to control the maximum permissions employees can grant to the IAM principals
(that is, users and roles) that they create and manage. As the IAM administrator, you can define one or more
permissions boundaries using managed policies and allow your employee to create a principal with this boundary. The
employee can then attach a permissions policy to this principal. However, the effective permissions of the principal are
the intersection of the permissions boundary and permissions policy. As a result, the new principal cannot exceed the
boundary that you defined. Therefore, using the permissions boundary offers the right solution for this use-case.
Permission Boundary Example: via - https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/
Incorrect options:
Remove full database access for all IAM users in the organization - It is not practical to remove full access for all IAM
users in the organization because a select set of users need this access for database administration. So this option is not
correct.
The CTO should review the permissions for each new developer's IAM user so that such incidents don't recur -
Likewise the CTO is not expected to review the permissions for each new developer's IAM user, as this is best done via
an automated procedure. This option has been added as a distractor.
Only root user should have full database access in the organization - As a best practice, the root user should not access
the AWS account to carry out any administrative procedures. So this option is not correct.
Reference:
https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/
Question 25: Correct
The DevOps team at a major financial services company uses Multi-Availability Zone (Multi-AZ) deployment for its
MySQL RDS database in order to automate its database replication and augment data durability. The DevOps team
has scheduled a maintenance window for a database engine level upgrade for the coming weekend.
Which of the following is the correct outcome during the maintenance window?

Any database engine level upgrade for an RDS DB instance with Multi-AZ deployment triggers the primary DB instance to
be upgraded which is then followed by the upgrade of the standby DB instance. This does not cause any downtime for
the duration of the upgrade


Any database engine level upgrade for an RDS DB instance with Multi-AZ deployment triggers both the primary and
standby DB instances to be upgraded at the same time. However, this does not cause any downtime until the upgrade is
complete

Any database engine level upgrade for an RDS DB instance with Multi-AZ deployment triggers both the primary and
standby DB instances to be upgraded at the same time. This causes downtime until the upgrade is complete

(Correct)

Any database engine level upgrade for an RDS DB instance with Multi-AZ deployment triggers the standby DB instance to
be upgraded which is then followed by the upgrade of the primary DB instance. This does not cause any downtime for
the duration of the upgrade
Explanation
Correct option:
Any database engine level upgrade for an RDS DB instance with Multi-AZ deployment triggers both the primary and
standby DB instances to be upgraded at the same time. This causes downtime until the upgrade is complete
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in
the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such
as hardware provisioning, database setup, patching, and backups.
Upgrades to the database engine level require downtime. Even if your RDS DB instance uses a Multi-AZ deployment,
both the primary and standby DB instances are upgraded at the same time. This causes downtime until the upgrade is
complete, and the duration of the downtime varies based on the size of your DB instance.
RDS DB Engine Maintenance: via - https://aws.amazon.com/premiumsupport/knowledge-center/rds-required-maintenance/
Incorrect options:
Any database engine level upgrade for an RDS DB instance with Multi-AZ deployment triggers both the primary and
standby DB instances to be upgraded at the same time. However, this does not cause any downtime until the upgrade
is complete - For RDS database engine level upgrade, primary and standby DB instances are upgraded at the same time
and it causes downtime until the upgrade is complete, hence this option is incorrect.
Any database engine level upgrade for an RDS DB instance with Multi-AZ deployment triggers the standby DB
instance to be upgraded which is then followed by the upgrade of the primary DB instance. This does not cause any
downtime for the duration of the upgrade - For RDS database engine level upgrade, primary and standby DB instances
are upgraded at the same time and it causes downtime until the upgrade is complete, hence this option is incorrect.
Any database engine level upgrade for an RDS DB instance with Multi-AZ deployment triggers the primary DB instance
to be upgraded which is then followed by the upgrade of the standby DB instance. This does not cause any downtime
for the duration of the upgrade - For RDS database engine level upgrade, primary and standby DB instances are
upgraded at the same time and it causes downtime until the upgrade is complete, hence this option is incorrect.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/rds-required-maintenance/
Question 26: Correct
Which of the following features of an Amazon S3 bucket can only be suspended once they have been enabled?

Versioning

(Correct)

Static Website Hosting

Server Access Logging

Requester Pays
Explanation
Correct option:
Versioning
Once you version-enable a bucket, it can never return to an unversioned state. Versioning can only be suspended once it
has been enabled. Suspending versioning stops the creation of new versions (new objects get a null version ID) but leaves
the existing object versions in place.
Versioning Overview: via - https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Incorrect options:
Server Access Logging
Static Website Hosting
Requester Pays
Server Access Logging, Static Website Hosting and Requester Pays features can be disabled even after they have been
enabled.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Question 27: Correct
A large financial institution operates an on-premises data center with hundreds of PB of data managed on Microsoft’s
Distributed File System (DFS). The CTO wants the organization to transition into a hybrid cloud environment and run
data-intensive analytics workloads that support DFS.
Which of the following AWS services can facilitate the migration of these workloads?

AWS Managed Microsoft AD


Amazon FSx for Windows File Server

(Correct)

Amazon FSx for Lustre

Microsoft SQL Server on Amazon


Explanation
Correct option:
Amazon FSx for Windows File Server
Amazon FSx for Windows File Server provides fully managed, highly reliable file storage that is accessible over the
industry-standard Server Message Block (SMB) protocol. It is built on Windows Server, delivering a wide range of
administrative features such as user quotas, end-user file restore, and Microsoft Active Directory (AD) integration.
Amazon FSx supports the use of Microsoft's Distributed File System (DFS) to organize shares into a single folder
structure up to hundreds of PB in size. So this option is correct.
How FSx for Windows File Server Works: via - https://aws.amazon.com/fsx/windows/
Incorrect options:
Amazon FSx for Lustre
Amazon FSx for Lustre makes it easy and cost-effective to launch and run the world’s most popular high-performance
file system. It is used for workloads such as machine learning, high-performance computing (HPC), video processing, and
financial modeling. Amazon FSx enables you to use Lustre file systems for any workload where storage speed matters.
FSx for Lustre does not support Microsoft’s Distributed File System (DFS), so this option is incorrect.
AWS Managed Microsoft AD
AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your
directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed
Microsoft AD is built on the actual Microsoft Active Directory and does not require you to synchronize or replicate data
from your existing Active Directory to the cloud. AWS Managed Microsoft AD does not support Microsoft’s Distributed
File System (DFS), so this option is incorrect.
Microsoft SQL Server on Amazon
Microsoft SQL Server on AWS offers you the flexibility to run Microsoft SQL Server database on AWS Cloud. Microsoft
SQL Server on AWS does not support Microsoft’s Distributed File System (DFS), so this option is incorrect.
Reference:
https://aws.amazon.com/fsx/windows/
Question 28: Correct
A DevOps engineer at an IT company was recently added to the admin group of the company's AWS account.
The AdministratorAccess managed policy is attached to this group.

Can you identify the AWS tasks that the DevOps engineer CANNOT perform even though he has full Administrator
privileges (Select two)?

Change the password for his own IAM user account

Delete the IAM user for his manager

Delete an S3 bucket from the production environment

Configure an Amazon S3 bucket to enable MFA (Multi Factor Authentication) delete

(Correct)

Close the company's AWS account

(Correct)

Explanation
Correct options:
Configure an Amazon S3 bucket to enable MFA (Multi Factor Authentication) delete
Close the company's AWS account
An IAM user with full administrator access can perform almost all AWS tasks except a few tasks designated only for the
root account user. Some of the AWS tasks that only a root account user can do are as follows: change the account name,
root password or root email address, change the AWS support plan, close the AWS account, enable MFA delete on an S3
bucket, create CloudFront key pairs, register for GovCloud. Even though the DevOps engineer is part of the admin group, he
cannot configure an Amazon S3 bucket to enable MFA delete or close the company's AWS account.
Incorrect Options:
Delete the IAM user for his manager
Delete an S3 bucket from the production environment
Change the password for his own IAM user account
The DevOps engineer is part of the admin group, so he can delete any IAM user, delete the S3 bucket, and change the
password for his own IAM user account.
For the complete list of AWS tasks that require AWS account root user credentials, please review this reference link:
https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
Question 29: Correct
A leading video streaming provider is migrating to AWS Cloud infrastructure for delivering its content to users across
the world. The company wants to make sure that the solution supports at least a million requests per second for its
EC2 server farm.
As a solutions architect, which type of Elastic Load Balancer would you recommend as part of the solution stack?

Infrastructure Load Balancer

Classic Load Balancer

Application Load Balancer

Network Load Balancer

(Correct)

Explanation
Correct option:
Network Load Balancer
Network Load Balancer is best suited for use-cases involving low latency and high throughput workloads that involve
scaling to millions of requests per second. Network Load Balancer operates at the connection level (Layer 4), routing
connections to targets - Amazon EC2 instances, microservices, and containers – within Amazon Virtual Private Cloud
(Amazon VPC) based on IP protocol data.
Incorrect options:
Application Load Balancer - Application Load Balancer operates at the request level (layer 7), routing traffic to targets –
EC2 instances, containers, IP addresses, and Lambda functions based on the content of the request. Ideal for advanced
load balancing of HTTP and HTTPS traffic, Application Load Balancer provides advanced request routing targeted at
delivery of modern application architectures, including microservices and container-based applications. Application Load
Balancer is not a good fit for the low latency and high throughput scenario mentioned in the given use-case.
Classic Load Balancer - Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and
operates at both the request level and connection level. Classic Load Balancer is intended for applications that were
built within the EC2-Classic network. Classic Load Balancer is not a good fit for the low latency and high throughput
scenario mentioned in the given use-case.
Infrastructure Load Balancer - There is no such thing as Infrastructure Load Balancer and this option just acts as a
distractor.
Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
Question 30: Correct
A biotechnology company wants to seamlessly integrate its on-premises data center with AWS cloud-based IT systems
which would be critical to manage as well as scale-up the complex planning and execution of every stage of its drug
development process. As part of a pilot program, the company wants to integrate data files from its analytical
instruments into AWS via an NFS interface.
Which of the following AWS service is the MOST efficient solution for the given use-case?

AWS Storage Gateway - Tape Gateway

AWS Site-to-Site VPN

AWS Storage Gateway - File Gateway

(Correct)

AWS Storage Gateway - Volume Gateway


Explanation
Correct option:
AWS Storage Gateway - File Gateway
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud
storage. The service provides three different types of gateways – Tape Gateway, File Gateway, and Volume Gateway –
that seamlessly connect on-premises applications to cloud storage, caching data locally for low-latency access.
AWS Storage Gateway's file interface, or file gateway, offers you a seamless way to connect to the cloud in order to
store application data files and backup images as durable objects on Amazon S3 cloud storage. File gateway offers SMB
or NFS-based access to data in Amazon S3 with local caching. As the company wants to integrate data files from its
analytical instruments into AWS via an NFS interface, AWS Storage Gateway - File Gateway is the correct answer.
File Gateway Overview: via - https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html
Incorrect options:
AWS Storage Gateway - Volume Gateway - You can configure the AWS Storage Gateway service as a Volume Gateway
to present cloud-based iSCSI block storage volumes to your on-premises applications. Volume Gateway does not support
an NFS interface, so this option is not correct.
AWS Storage Gateway - Tape Gateway - AWS Storage Gateway - Tape Gateway allows moving tape backups to the
cloud. Tape Gateway does not support an NFS interface, so this option is not correct.
AWS Site-to-Site VPN - AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch
office site to your Amazon Virtual Private Cloud (Amazon VPC). You can securely extend your data center or branch
office network to the cloud with an AWS Site-to-Site VPN (Site-to-Site VPN) connection. It uses internet protocol security
(IPSec) communications to create encrypted VPN tunnels between two locations. You cannot use AWS Site-to-Site VPN
to integrate data files via the NFS interface, so this option is not correct.
References:
https://aws.amazon.com/storagegateway/
https://aws.amazon.com/storagegateway/volume/
https://aws.amazon.com/storagegateway/file/
https://aws.amazon.com/storagegateway/vtl/
Question 31: Correct
A Silicon Valley based startup uses a fleet of EC2 servers to manage its CRM application. These EC2 servers are behind
an Elastic Load Balancer (ELB). Which of the following configurations are NOT allowed for the Elastic Load Balancer?

Use the ELB to distribute traffic for four EC2 instances. Two of these instances are deployed in Availability Zone A of us-
east-1 region and the other two instances are deployed in Availability Zone B of us-west-1 region

(Correct)


Use the ELB to distribute traffic for four EC2 instances. All the four instances are deployed in Availability Zone A of us-
east-1 region

Use the ELB to distribute traffic for four EC2 instances. All the four instances are deployed across two Availability Zones
of us-east-1 region

Use the ELB to distribute traffic for four EC2 instances. All the four instances are deployed in Availability Zone B of us-
west-1 region
Explanation
Correct option:
Use the ELB to distribute traffic for four EC2 instances. Two of these instances are deployed in Availability Zone A of
us-east-1 region and the other two instances are deployed in Availability Zone B of us-west-1 region
Elastic Load Balancer automatically distributes incoming traffic across multiple targets – Amazon EC2 instances,
containers, IP addresses, and Lambda functions – in multiple Availability Zones and ensures only healthy targets receive
traffic. ELB cannot distribute incoming traffic for targets deployed in different regions. This configuration is NOT allowed
for the Elastic Load Balancer and therefore this is the correct option.
Incorrect options:
Use the ELB to distribute traffic for four EC2 instances. All the four instances are deployed across two Availability
Zones of us-east-1 region
Use the ELB to distribute traffic for four EC2 instances. All the four instances are deployed in Availability Zone A of us-
east-1 region
Use the ELB to distribute traffic for four EC2 instances. All the four instances are deployed in Availability Zone B of us-
west-1 region
These three options are valid configurations for the ELB to distribute traffic (either within an Availability Zone or
between two Availability Zones).
Reference:
https://aws.amazon.com/elasticloadbalancing/
Question 32: Correct
A junior scientist working with the Deep Space Research Laboratory at NASA is trying to upload a high-resolution
image of a nebula into Amazon S3. The image size is approximately 3GB. The junior scientist is using S3 Transfer
Acceleration (S3TA) for faster image upload. It turns out that S3TA did not result in an accelerated transfer.
Given this scenario, which of the following is correct regarding the charges for this image transfer?

The junior scientist only needs to pay S3TA transfer charges for the image upload

The junior scientist only needs to pay S3 transfer charges for the image upload

The junior scientist needs to pay both S3 transfer charges and S3TA transfer charges for the image upload

The junior scientist does not need to pay any transfer charges for the image upload

(Correct)

Explanation
Correct option:
The junior scientist does not need to pay any transfer charges for the image upload
There are no S3 data transfer charges when data is transferred in from the internet. Also, with S3TA, you pay only for
transfers that are accelerated. Therefore, the junior scientist does not need to pay any transfer charges for the image
upload because S3TA did not result in an accelerated transfer.
S3 Transfer Acceleration (S3TA) Overview: via - https://aws.amazon.com/s3/transfer-acceleration/
Incorrect options:
The junior scientist only needs to pay S3TA transfer charges for the image upload - Since S3TA did not result in an
accelerated transfer, there are no S3TA transfer charges to be paid.
The junior scientist only needs to pay S3 transfer charges for the image upload - There are no S3 data transfer charges
when data is transferred in from the internet. So this option is incorrect.
The junior scientist needs to pay both S3 transfer charges and S3TA transfer charges for the image upload - There are
no S3 data transfer charges when data is transferred in from the internet. Since S3TA did not result in an accelerated
transfer, there are no S3TA transfer charges to be paid.
References:
https://aws.amazon.com/s3/transfer-acceleration/
https://aws.amazon.com/s3/pricing/
Question 33: Correct
A video analytics organization has been acquired by a leading media company. The analytics organization has 10
independent applications with an on-premises data footprint of about 70TB for each application. The media company
has its IT infrastructure on the AWS Cloud. The terms of the acquisition mandate that the on-premises data should be
migrated into AWS Cloud and the two organizations establish connectivity so that collaborative development efforts
can be pursued. The CTO of the media company has set a timeline of one month to carry out this transition.
Which of the following are the MOST cost-effective options for completing the data transfer and then establishing
connectivity? (Select two)

Order 70 Snowball Edge Storage Optimized devices to complete the one-time data transfer

Setup AWS Direct Connect to establish connectivity between the on-premises data center and AWS Cloud

Order 1 Snowmobile to complete the one-time data transfer

Order 10 Snowball Edge Storage Optimized devices to complete the one-time data transfer

(Correct)

Setup Site-to-Site VPN to establish connectivity between the on-premises data center and AWS Cloud

(Correct)

Explanation
Correct options:
Order 10 Snowball Edge Storage Optimized devices to complete the one-time data transfer
Snowball Edge Storage Optimized is the optimal choice if you need to securely and quickly transfer dozens of terabytes
to petabytes of data to AWS. It provides up to 80 TB of usable HDD storage, 40 vCPUs, 1 TB of SATA SSD storage, and up
to 40 Gb network connectivity to address large scale data transfer and pre-processing use cases. As each Snowball Edge
Storage Optimized device can handle 80TB of data, you can order 10 such devices to take care of the data transfer for all
applications.
Exam Alert:
The original Snowball devices were transitioned out of service and Snowball Edge Storage Optimized devices are now the
primary devices used for data transfer. You may still see the Snowball device on the exam; just remember that the
original Snowball device had 80TB of storage space.
Setup Site-to-Site VPN to establish connectivity between the on-premises data center and AWS Cloud
AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon
Virtual Private Cloud (Amazon VPC). You can securely extend your data center or branch office network to the cloud with
an AWS Site-to-Site VPN connection. A VPC VPN Connection utilizes IPSec to establish encrypted network connectivity
between your intranet and Amazon VPC over the Internet. VPN Connections can be configured in minutes and are a
good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the
inherent variability in Internet-based connectivity.
Therefore this option is the right fit for the given use-case as the connectivity can be easily established within the
timeframe of a month.
Incorrect options:
Order 1 Snowmobile to complete the one-time data transfer - Each Snowmobile has a total capacity of up to 100
petabytes. To migrate large datasets of 10PB or more in a single location, you should use Snowmobile. For datasets less
than 10PB or distributed in multiple locations, you should use Snowball. So Snowmobile is not the right fit for this use-
case.
Setup AWS Direct Connect to establish connectivity between the on-premises data center and AWS Cloud - AWS Direct
Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect
locations. Using industry-standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual
interfaces. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections
between your intranet and Amazon VPC. Direct Connect involves significant monetary investment and takes several
months to set up, therefore it's not the correct fit for this use-case.
Order 70 Snowball Edge Storage Optimized devices to complete the one-time data transfer - As the data-transfer can
be completed with just 10 Snowball Edge Storage Optimized devices, there is no need to order 70 devices.
References:
https://aws.amazon.com/snowball/faqs/
https://aws.amazon.com/vpn/
https://aws.amazon.com/snowmobile/faqs/
https://aws.amazon.com/directconnect/
Question 34: Correct
The engineering team at a Spanish professional football club has built a notification system on the web platform using
Amazon SNS notifications which are then handled by a Lambda function for end-user delivery. During the off-season,
the notification system needs to handle about 100 requests per second. During the peak football season, the rate
touches about 5000 requests per second, and a significant number of the notifications are not being delivered to the
end-users on the web platform.
As a solutions architect, which of the following would you suggest as the BEST possible solution to this issue?

The engineering team needs to provision more servers running the Lambda service

The engineering team needs to provision more servers running the SNS service

Amazon SNS has hit a scalability limit, so the team needs to contact AWS support to raise the account limit


Amazon SNS message deliveries to AWS Lambda have crossed the account concurrency quota for Lambda, so the team
needs to contact AWS support to raise the account limit

(Correct)

Explanation
Correct option:
Amazon SNS message deliveries to AWS Lambda have crossed the account concurrency quota for Lambda, so the
team needs to contact AWS support to raise the account limit
Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service
that enables you to decouple microservices, distributed systems, and serverless applications.
How SNS Works: via - https://aws.amazon.com/sns/
With AWS Lambda, you can run code without provisioning or managing servers. You pay only for the compute time that
you consume—there’s no charge when your code isn’t running.
AWS Lambda currently supports 1000 concurrent executions per AWS account per region. If your Amazon SNS message
deliveries to AWS Lambda contribute to crossing these concurrency quotas, your Amazon SNS message deliveries will be
throttled. You need to contact AWS support to raise the account limit. Therefore this option is correct.
Incorrect options:
Amazon SNS has hit a scalability limit, so the team needs to contact AWS support to raise the account limit - Amazon
SNS leverages the proven AWS cloud to dynamically scale with your application. You don't need to contact AWS support,
as SNS is a fully managed service, taking care of the heavy lifting related to capacity planning, provisioning, monitoring,
and patching. Therefore, this option is incorrect.
The engineering team needs to provision more servers running the SNS service
The engineering team needs to provision more servers running the Lambda service
As both Lambda and SNS are serverless and fully managed services, the engineering team cannot provision more
servers. Both of these options are incorrect.
References:
https://aws.amazon.com/sns/
https://aws.amazon.com/sns/faqs/
Question 35: Correct
A streaming solutions company is building a video streaming product by using an Application Load Balancer (ALB) that
routes the requests to the underlying EC2 instances. The engineering team has noticed a peculiar pattern. The ALB
removes an instance whenever it is detected as unhealthy but the Auto Scaling group fails to kick-in and provision the
replacement instance.
What could explain this anomaly?

Both the Auto Scaling group and Application Load Balancer are using ALB based health check

The Auto Scaling group is using ALB based health check and the Application Load Balancer is using EC2 based health
check

Both the Auto Scaling group and Application Load Balancer are using EC2 based health check

The Auto Scaling group is using EC2 based health check and the Application Load Balancer is using ALB based health
check

(Correct)

Explanation
Correct option:
The Auto Scaling group is using EC2 based health check and the Application Load Balancer is using ALB based health
check
An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical grouping for automatic
scaling and management.
Auto Scaling Group Overview: via - https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html
Application Load Balancer automatically distributes incoming application traffic across multiple targets, such as Amazon
EC2 instances, containers, and Lambda functions. It can handle the varying load of your application traffic in a single
Availability Zone or across multiple Availability Zones.
If the Auto Scaling group (ASG) uses EC2 as its health check type and the Application Load Balancer (ALB) uses its
built-in health check, the ALB health check can fail because the health check requests get no response from the
application on the instance, while at the same time the ASG health check comes back as successful because it only
looks at the EC2 status checks. In this scenario, the ALB removes the instance from its inventory, but the ASG never
provides a replacement instance. This leads to the scaling issue described in the problem statement.
Incorrect options:
The Auto Scaling group is using ALB based health check and the Application Load Balancer is using EC2 based health
check - ALB cannot use EC2 based health checks, so this option is incorrect.
Both the Auto Scaling group and Application Load Balancer are using ALB based health check - It is recommended to
use ALB based health checks for both Auto Scaling group and Application Load Balancer. If both the Auto Scaling group
and Application Load Balancer use ALB based health checks, then you will be able to avoid the scenario mentioned in the
question.
Both the Auto Scaling group and Application Load Balancer are using EC2 based health check - ALB cannot use EC2
based health checks, so this option is incorrect.
References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html
Question 36: Correct
A major bank is using SQS to migrate several core banking applications to the cloud to ensure high availability and
cost efficiency while simplifying administrative complexity and overhead. The development team at the bank expects
a peak rate of about 1000 messages per second to be processed via SQS. It is important that the messages are
processed in order.
Which of the following options can be used to implement this system?

Use Amazon SQS FIFO queue in batch mode of 2 messages per operation to process the messages at the peak rate

Use Amazon SQS FIFO queue to process the messages

Use Amazon SQS FIFO queue in batch mode of 4 messages per operation to process the messages at the peak rate

(Correct)

Use Amazon SQS standard queue to process the messages


Explanation
Correct option:
Use Amazon SQS FIFO queue in batch mode of 4 messages per operation to process the messages at the peak rate
Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale
microservices, distributed systems, and serverless applications. SQS offers two types of message queues: standard
queues and FIFO queues.
For FIFO queues, the order in which messages are sent and received is strictly preserved (i.e. First-In-First-Out). On the
other hand, the standard SQS queues offer best-effort ordering. This means that occasionally, messages might be
delivered in an order different from which they were sent.
By default, FIFO queues support up to 300 messages per second (300 send, receive, or delete operations per second).
When you batch 10 messages per operation (maximum), FIFO queues can support up to 3,000 messages per second.
Therefore you need to process 4 messages per operation so that the FIFO queue can support up to 1200 messages per
second, which covers the peak rate of 1000 messages per second.
FIFO Queues Overview: via - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html
Incorrect options:
Use Amazon SQS standard queue to process the messages - As messages need to be processed in order, therefore
standard queues are ruled out.
Use Amazon SQS FIFO queue to process the messages - By default, FIFO queues support up to 300 messages per second
and this is not sufficient to meet the message processing throughput per the given use-case. Hence this option is
incorrect.
Use Amazon SQS FIFO queue in batch mode of 2 messages per operation to process the messages at the peak rate - As
mentioned earlier in the explanation, you need to use FIFO queues in batch mode and process 4 messages per
operation, so that the FIFO queue can support up to 1200 messages per second. With 2 messages per operation, you can
only support up to 600 messages per second.
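The batch-size arithmetic above, carried through to the SendMessageBatch entries a producer would actually build, as an added example that is not part of the practice test or of AWS's own code. It assumes the default FIFO quota quoted in the explanation (300 operations per second, at most 10 messages per batch call); the queue URL, message group id and message payloads are constructed placeholders.

```python
"""Sizing SQS FIFO batches for a target throughput (Question 36).

Added example, not code from the practice test or from AWS. The limits are
the ones the explanation quotes: 300 operations per second per FIFO queue by
default, and at most 10 messages per SendMessageBatch call. The queue URL,
group id and message payloads below are constructed placeholders.
"""
import hashlib
import json
import math
from typing import Iterable, Iterator, List

FIFO_OPS_PER_SECOND = 300  # default FIFO quota (send, receive or delete operations)
MAX_BATCH_SIZE = 10        # SendMessageBatch accepts at most 10 entries


def fifo_batch_size(peak_messages_per_second: int) -> int:
    """Smallest batch size whose throughput (300 ops/s x batch) covers the peak rate.

    1000 msg/s -> 4 (1200 msg/s), 600 -> 2, 300 -> 1, 3000 -> 10.
    """
    if peak_messages_per_second <= 0:
        raise ValueError("peak rate must be positive")
    size = math.ceil(peak_messages_per_second / FIFO_OPS_PER_SECOND)
    if size > MAX_BATCH_SIZE:
        raise ValueError(
            f"{peak_messages_per_second} msg/s exceeds the default FIFO ceiling of "
            f"{FIFO_OPS_PER_SECOND * MAX_BATCH_SIZE} msg/s; shard across queues or "
            "enable FIFO high throughput mode"
        )
    return size


def fifo_throughput(batch_size: int) -> int:
    """Messages per second a default FIFO queue sustains at this batch size."""
    return FIFO_OPS_PER_SECOND * batch_size


def dedup_id(body: str) -> str:
    """Explicit MessageDeduplicationId: FIFO drops a repeat of the same id within 5 minutes."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_batches(messages: Iterable[dict], group_id: str, batch_size: int) -> Iterator[List[dict]]:
    """Yield SendMessageBatch 'Entries' lists of at most batch_size messages.

    Every entry carries the same MessageGroupId, so the queue preserves the
    send order across all of them (ordering is per group, not per queue).
    """
    entries: List[dict] = []
    for seq, msg in enumerate(messages):
        body = json.dumps(msg, sort_keys=True)
        entries.append({
            "Id": str(seq),  # must be unique within one batch call
            "MessageBody": body,
            "MessageGroupId": group_id,
            "MessageDeduplicationId": dedup_id(body),
        })
        if len(entries) == batch_size:
            yield entries
            entries = []
    if entries:
        yield entries


def send_at_peak_rate(queue_url: str, messages: Iterable[dict], group_id: str, peak_rate: int) -> int:
    """Send everything through boto3 in batches sized for peak_rate; returns batches sent."""
    import boto3  # imported here so the sizing helpers above run without boto3 installed

    sqs = boto3.client("sqs")
    batches_sent = 0
    for entries in build_batches(messages, group_id, fifo_batch_size(peak_rate)):
        resp = sqs.send_message_batch(QueueUrl=queue_url, Entries=entries)
        if resp.get("Failed"):
            # a partial failure would leave a gap in the group's order: stop, do not skip
            raise RuntimeError(f"entries rejected: {resp['Failed']}")
        batches_sent += 1
    return batches_sent


if __name__ == "__main__":
    # constructed sample: nine core-banking events for one account
    sample = [{"account": "ACC-0001", "seq": i, "amount": 10 * i} for i in range(9)]
    size = fifo_batch_size(1000)
    print(f"batch size {size} -> {fifo_throughput(size)} msg/s")
    for batch in build_batches(sample, "ACC-0001", size):
        print(len(batch), "entries, first id", batch[0]["Id"])
```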
References:
https://aws.amazon.com/sqs/
https://aws.amazon.com/sqs/features/
Question 37: Correct
Which of the following is true regarding cross-zone load balancing as seen in Application Load Balancer versus
Network Load Balancer?

By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load Balancer

(Correct)

By default, cross-zone load balancing is disabled for both Application Load Balancer and Network Load Balancer

By default, cross-zone load balancing is disabled for Application Load Balancer and enabled for Network Load Balancer

By default, cross-zone load balancing is enabled for both Application Load Balancer and Network Load Balancer
Explanation
Correct option:
By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load
Balancer
By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load Balancer.
When cross-zone load balancing is enabled, each load balancer node distributes traffic across the registered targets in all
the enabled Availability Zones. When cross-zone load balancing is disabled, each load balancer node distributes traffic
only across the registered targets in its Availability Zone.
How cross-zone load balancing works: via - https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html
Incorrect Options:
By default, cross-zone load balancing is disabled for both Application Load Balancer and Network Load Balancer
By default, cross-zone load balancing is enabled for both Application Load Balancer and Network Load Balancer
By default, cross-zone load balancing is disabled for Application Load Balancer and enabled for Network Load
Balancer
Per the default cross-zone load balancing settings described earlier in the explanation, these three options are incorrect.
Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html
Question 38: Incorrect
The DevOps team at an e-commerce company wants to perform some maintenance work on a specific EC2 instance
that is part of an Auto Scaling group using a step scaling policy. The team is facing a maintenance challenge - every
time the team deploys a maintenance patch, the instance health check status shows as out of service for a few
minutes. This causes the Auto Scaling group to provision another replacement instance immediately.
As a solutions architect, which are the MOST time/resource efficient steps that you would recommend so that the
maintenance work can be completed at the earliest? (Select two)

Put the instance into the Standby state and then update the instance by applying the maintenance patch. Once the
instance is ready, you can exit the Standby state and then return the instance to service
(Correct)

Delete the Auto Scaling group and apply the maintenance fix to the given instance. Create a new Auto Scaling group and
add all the instances again using the manual scaling policy

Suspend the ScheduledActions process type for the Auto Scaling group and apply the maintenance patch to the instance.
Once the instance is ready, you can activate the ScheduledActions process type again

Suspend the ReplaceUnhealthy process type for the Auto Scaling group and apply the maintenance patch to the
instance. Once the instance is ready, you can activate the ReplaceUnhealthy process type again

(Correct)

Take a snapshot of the instance, create a new AMI and then launch a new instance using this AMI. Apply the
maintenance patch to this new instance and then add it back to the Auto Scaling Group by using the manual scaling
policy. Terminate the earlier instance that had the maintenance issue

(Incorrect)

Explanation
Correct options:
Put the instance into the Standby state and then update the instance by applying the maintenance patch. Once the
instance is ready, you can exit the Standby state and then return the instance to service - You can put an instance that
is in the InService state into the Standby state, update some software or troubleshoot the instance, and then return the
instance to service. Instances that are on standby are still part of the Auto Scaling group, but they do not actively handle
application traffic.
How Standby State Works: via - https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-enter-exit-standby.html
Suspend the ReplaceUnhealthy process type for the Auto Scaling group and apply the maintenance patch to the
instance. Once the instance is ready, you can activate the ReplaceUnhealthy process type again - The
ReplaceUnhealthy process terminates instances that are marked as unhealthy and then creates new instances to replace
them. While this process is suspended, Amazon EC2 Auto Scaling stops replacing instances that are marked as unhealthy;
instances that fail EC2 or Elastic Load Balancing health checks are still marked as unhealthy. As soon as you resume the
ReplaceUnhealthy process, Amazon EC2 Auto Scaling replaces the instances that were marked unhealthy while the
process was suspended.
Incorrect options:
Take a snapshot of the instance, create a new AMI and then launch a new instance using this AMI. Apply the
maintenance patch to this new instance and then add it back to the Auto Scaling Group by using the manual scaling
policy. Terminate the earlier instance that had the maintenance issue - Taking the snapshot of the existing instance to
create a new AMI and then creating a new instance in order to apply the maintenance patch is not time/resource
optimal, hence this option is ruled out.
Delete the Auto Scaling group and apply the maintenance fix to the given instance. Create a new Auto Scaling group
and add all the instances again using the manual scaling policy - It's not recommended to delete the Auto Scaling group
just to apply a maintenance patch on a specific instance.
Suspend the ScheduledActions process type for the Auto Scaling group and apply the maintenance patch to the
instance. Once the instance is ready, you can activate the ScheduledActions process type again - Amazon EC2 Auto
Scaling does not execute scaling actions that are scheduled to run during the suspension period. This option is not
relevant to the given use-case.
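The two correct options above chained into one maintenance routine, as an added example that is not part of the practice test or of AWS's own code. It uses boto3 against the Auto Scaling API; the group name, instance id and apply_patch callback are constructed placeholders, and the decision helper shows the one caveat the procedure has in practice (Standby cannot decrement desired capacity below MinSize).

```python
"""Patching one instance of an Auto Scaling group without a replacement (Question 38).

Added example, not code from the practice test or from AWS. It chains the two
correct options through boto3: suspend the ReplaceUnhealthy process for the
patch window, move the instance to Standby with desired capacity decremented,
patch, exit Standby, resume the process. The group name, instance id and
apply_patch callback are constructed placeholders.
"""
import time
from typing import Callable, Dict, Set


def standby_plan(desired_capacity: int, min_size: int) -> Dict[str, object]:
    """Whether EnterStandby may decrement desired capacity.

    ShouldDecrementDesiredCapacity=True is rejected when it would take the
    group below MinSize; with False, the group launches a replacement to hold
    desired capacity, which is exactly what the maintenance wants to avoid.
    """
    if desired_capacity - 1 >= min_size:
        return {"decrement": True, "launches_replacement": False}
    return {"decrement": False, "launches_replacement": True}


def suspended_process_names(group: dict) -> Set[str]:
    """Process names currently suspended on a DescribeAutoScalingGroups record."""
    return {p["ProcessName"] for p in group.get("SuspendedProcesses", [])}


def wait_for_lifecycle_state(asg, instance_id: str, state: str, timeout: int = 300) -> None:
    """Poll DescribeAutoScalingInstances until the instance reports the lifecycle state."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        resp = asg.describe_auto_scaling_instances(InstanceIds=[instance_id])
        if any(i["LifecycleState"] == state for i in resp["AutoScalingInstances"]):
            return
        time.sleep(5)
    raise TimeoutError(f"{instance_id} did not reach {state} within {timeout}s")


def patch_instance(asg_name: str, instance_id: str,
                   apply_patch: Callable[[str], None]) -> Dict[str, object]:
    """Standby + suspended ReplaceUnhealthy around a patch; returns the plan and leftovers."""
    import boto3  # imported here so the pure helpers above run without boto3 installed

    asg = boto3.client("autoscaling")
    group = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[asg_name])["AutoScalingGroups"][0]
    plan = standby_plan(group["DesiredCapacity"], group["MinSize"])

    # 1. A flapping health check during the patch must not get the instance terminated.
    asg.suspend_processes(AutoScalingGroupName=asg_name, ScalingProcesses=["ReplaceUnhealthy"])
    try:
        # 2. Standby keeps the instance in the group but out of the traffic path.
        asg.enter_standby(InstanceIds=[instance_id], AutoScalingGroupName=asg_name,
                          ShouldDecrementDesiredCapacity=plan["decrement"])
        wait_for_lifecycle_state(asg, instance_id, "Standby")
        apply_patch(instance_id)  # e.g. an SSM Run Command; left to the caller
        # 3. ExitStandby returns it to InService and restores desired capacity.
        asg.exit_standby(InstanceIds=[instance_id], AutoScalingGroupName=asg_name)
        wait_for_lifecycle_state(asg, instance_id, "InService")
    finally:
        # 4. Always resume, or unhealthy instances pile up unreplaced after the window.
        asg.resume_processes(AutoScalingGroupName=asg_name, ScalingProcesses=["ReplaceUnhealthy"])

    # Report anything still suspended so a forgotten suspension is visible to the operator.
    group = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[asg_name])["AutoScalingGroups"][0]
    plan["still_suspended"] = sorted(suspended_process_names(group))
    return plan
```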
References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-enter-exit-standby.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html
Question 39: Correct
A Silicon Valley based research group is working on a High Performance Computing (HPC) application in the area of
Computational Fluid Dynamics. The application carries out simulations of the external aerodynamics around a car and
needs to be deployed on EC2 instances with a requirement for high levels of inter-node communications and high
network traffic between the instances.
As a solutions architect, which of the following options would you recommend to the engineering team at the
startup? (Select two)

Deploy EC2 instances in a cluster placement group

(Correct)

Deploy EC2 instances in a spread placement group

Deploy EC2 instances with Elastic Fabric Adapter

(Correct)

Deploy EC2 instances in a partition placement group

Deploy EC2 instances behind a Network Load Balancer


Explanation
Correct options:
Deploy EC2 instances with Elastic Fabric Adapter
Elastic Fabric Adapter (EFA) is a network interface for Amazon EC2 instances that enables customers to run applications
requiring high levels of inter-node communications at scale on AWS. Its custom-built operating system (OS) bypass
hardware interface enhances the performance of inter-instance communications, which is critical to scaling these
applications. Therefore this option is correct.
Deploy EC2 instances in a cluster placement group
Cluster placement groups pack instances close together inside an Availability Zone. They are recommended when the
majority of the network traffic is between the instances in the group. These are also recommended for applications that
benefit from low network latency, high network throughput, or both. Therefore this option is one of the correct
answers.
Incorrect options:
Deploy EC2 instances in a spread placement group
A spread placement group is a group of instances that are each placed on distinct racks, with each rack having its own
network and power source. The instances are placed across distinct underlying hardware to reduce correlated failures.
You can have a maximum of seven running instances per Availability Zone per group. Since the spread placement group
can span across multiple Availability Zones in the same Region, it cannot support high levels of inter-node
communications and high network traffic. So this option is incorrect.
Deploy EC2 instances in a partition placement group
A partition placement group spreads your instances across logical partitions such that groups of instances in one
partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically
used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka. A partition placement group
can have a maximum of seven partitions per Availability Zone. Since the partition placement group can have partitions in
multiple Availability Zones in the same Region, it cannot support high levels of inter-node communications and high
network traffic. So this option is incorrect.
Deploy EC2 instances behind a Network Load Balancer
A load balancer serves as the single point of contact for clients. The load balancer distributes incoming traffic across
multiple targets, such as Amazon EC2 instances. A Network Load Balancer functions at the fourth layer of the Open
Systems Interconnection (OSI) model. A Network Load Balancer cannot support high levels of inter-node communication
or high network traffic between EC2 instances, so this option just serves as a distractor.
References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
https://aws.amazon.com/hpc/efa/
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
Question 40: Correct
The planetary research program at an ivy-league university is assisting NASA to find potential landing sites for
exploration vehicles of unmanned missions to our neighboring planets. The program uses High Performance
Computing (HPC) driven application architecture to identify these landing sites.
Which of the following EC2 instance topologies should this application be deployed on?

The EC2 instances should be deployed in a spread placement group so that there are no correlated failures

The EC2 instances should be deployed in a partition placement group so that distributed workloads can be handled
effectively

The EC2 instances should be deployed in a cluster placement group so that the underlying workload can benefit from
low network latency and high network throughput
(Correct)

The EC2 instances should be deployed in an Auto Scaling group so that the application meets high availability requirements
Explanation
Correct option:
The EC2 instances should be deployed in a cluster placement group so that the underlying workload can benefit from
low network latency and high network throughput
The key thing to understand in this question is that HPC workloads need to achieve low-latency network performance
necessary for tightly-coupled node-to-node communication that is typical of HPC applications. Cluster placement groups
pack instances close together inside an Availability Zone. These are recommended for applications that benefit from low
network latency, high network throughput, or both. Therefore this option is the correct answer.
Cluster Placement Group: via - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
Incorrect options:
The EC2 instances should be deployed in a partition placement group so that distributed workloads can be handled
effectively - A partition placement group spreads your instances across logical partitions such that groups of instances in
one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is
typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka. A partition
placement group can have a maximum of seven partitions per Availability Zone. Because a partition placement group can
have partitions in multiple Availability Zones in the same Region, its instances will not have low-latency network
performance. Hence the partition placement group is not the right fit for HPC applications.
Partition Placement Group (figure): via - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
The EC2 instances should be deployed in a spread placement group so that there are no correlated failures - A spread
placement group is a group of instances that are each placed on distinct racks, with each rack having its own network
and power source. The instances are placed across distinct underlying hardware to reduce correlated failures. You can
have a maximum of seven running instances per Availability Zone per group. Because a spread placement group can span
multiple Availability Zones in the same Region, its instances will not have low-latency network performance.
Hence the spread placement group is not the right fit for HPC applications.
Spread Placement Group (figure): via - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
The EC2 instances should be deployed in an Auto Scaling group so that application meets high availability
requirements - An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical
grouping for the purposes of automatic scaling. You do not use Auto Scaling groups per se to meet HPC requirements.
Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
Question 41: Correct
A software engineering intern at an e-commerce company is documenting the process flow to provision EC2 instances
via the Amazon EC2 API. These instances are to be used for an internal application that processes HR payroll data. He
wants to highlight those volume types that cannot be used as a boot volume.
Can you help the intern by identifying those storage volume types that CANNOT be used as boot volumes while
creating the instances? (Select two)

Instance Store

Cold HDD (sc1)

(Correct)

Throughput Optimized HDD (st1)

(Correct)

General Purpose SSD (gp2)

Provisioned IOPS SSD (io1)


Explanation
Correct options:
Throughput Optimized HDD (st1)
Cold HDD (sc1)
The EBS volume types fall into two categories:
SSD-backed volumes optimized for transactional workloads involving frequent read/write operations with small I/O size,
where the dominant performance attribute is IOPS.
HDD-backed volumes optimized for large streaming workloads where throughput (measured in MiB/s) is a better
performance measure than IOPS.
Throughput Optimized HDD (st1) and Cold HDD (sc1) volume types CANNOT be used as a boot volume, so these two
options are correct.
Please see this detailed overview of the EBS volume types (figure): via - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html
Incorrect options:
General Purpose SSD (gp2)
Provisioned IOPS SSD (io1)
Instance Store
General Purpose SSD (gp2), Provisioned IOPS SSD (io1), and Instance Store can be used as a boot volume.
References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html
Question 42: Correct
A company has multiple EC2 instances operating in a private subnet which is part of a custom VPC. These instances
are running an image processing application that needs to access images stored on S3. Once each image is processed,
the status of the corresponding record needs to be marked as completed in a DynamoDB table.
How would you go about providing private access to these AWS resources which are not part of this custom VPC?


Create a gateway endpoint for S3 and add it as a target in the route table of the custom VPC. Create an interface
endpoint for DynamoDB and then connect to the DynamoDB service using the private IP address

Create a gateway endpoint for DynamoDB and add it as a target in the route table of the custom VPC. Create an
interface endpoint for S3 and then connect to the S3 service using the private IP address

Create a separate interface endpoint for S3 and DynamoDB each. Then connect to these services using the private IP
address

Create a separate gateway endpoint for S3 and DynamoDB each. Add two new target entries for these two gateway
endpoints in the route table of the custom VPC

(Correct)

Explanation
Correct option:
Create a separate gateway endpoint for S3 and DynamoDB each. Add two new target entries for these two gateway
endpoints in the route table of the custom VPC
Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. They allow
communication between instances in your VPC and services without imposing availability risks or bandwidth constraints
on your network traffic.
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services
powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct
Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the
service. Traffic between your VPC and the other service does not leave the Amazon network.
There are two types of VPC endpoints: interface endpoints and gateway endpoints. An interface endpoint is an elastic
network interface with a private IP address from the IP address range of your subnet that serves as an entry point for
traffic destined to a supported service.
A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a
supported AWS service. The following AWS services are supported:
Amazon S3
DynamoDB
Incorrect options:
Create a gateway endpoint for S3 and add it as a target in the route table of the custom VPC. Create an interface
endpoint for DynamoDB and then connect to the DynamoDB service using the private IP address
Create a gateway endpoint for DynamoDB and add it as a target in the route table of the custom VPC. Create an
interface endpoint for S3 and then connect to the S3 service using the private IP address
Create a separate interface endpoint for S3 and DynamoDB each. Then connect to these services using the private IP
address
Neither S3 nor DynamoDB supports interface endpoints, so these three options are incorrect.
Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html
Question 43: Correct
The sourcing team at the US headquarters of a global e-commerce company is preparing a spreadsheet of the new
product catalog. The spreadsheet is saved on an EFS file system created in us-east-1 region. The sourcing team
counterparts from other AWS regions such as Asia Pacific and Europe also want to collaborate on this spreadsheet.
As a solutions architect, what is your recommendation to enable this collaboration with the LEAST amount of
operational overhead?

The spreadsheet will have to be copied into EFS file systems of other AWS regions as EFS is a regional service and it does
not allow access from other AWS regions

The spreadsheet on the EFS file system can be accessed from EC2 instances running in other AWS regions by using an
inter-region VPC peering connection

(Correct)

The spreadsheet data will have to be moved into an RDS MySQL database which can then be accessed from any AWS
region

The spreadsheet will have to be copied in Amazon S3 which can then be accessed from any AWS region
Explanation
Correct option:
The spreadsheet on the EFS file system can be accessed from EC2 instances running in other AWS regions by using an
inter-region VPC peering connection
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with
AWS Cloud services and on-premises resources.
Amazon EFS is a regional service storing data within and across multiple Availability Zones (AZs) for high availability and
durability. Amazon EC2 instances can access your file system across AZs, regions, and VPCs, while on-premises servers
can access using AWS Direct Connect or AWS VPN.
You can connect to Amazon EFS file systems from EC2 instances in other AWS regions using an inter-region VPC peering
connection, and from on-premises servers using an AWS VPN connection. So this is the correct option.
Incorrect options:
The spreadsheet will have to be copied in Amazon S3 which can then be accessed from any AWS region
The spreadsheet data will have to be moved into an RDS MySQL database which can then be accessed from any AWS
region
Copying the spreadsheet into S3 or an RDS database is not the correct solution as it involves a lot of operational overhead.
For RDS, one would need to write custom code to replicate the spreadsheet functionality running off of the database. S3
does not allow in-place edits of an object. Additionally, it is also not POSIX compliant. So one would need to develop a
custom application to "simulate in-place edits" to support collaboration as per the use-case. So both these options are
ruled out.
The spreadsheet will have to be copied into EFS file systems of other AWS regions as EFS is a regional service and it
does not allow access from other AWS regions - Creating copies of the spreadsheet into EFS file systems of other AWS
regions would mean no collaboration would be possible between the teams. In this case, each team would work on "its
own file" instead of a single file accessed and updated by all teams. Hence this option is incorrect.
Reference:
https://aws.amazon.com/efs/
Question 44: Correct
A global media company is using Amazon CloudFront to deliver media-rich content to its audience across the world.
The Content Delivery Network (CDN) offers a multi-tier cache by default, with regional edge caches that improve
latency and lower the load on the origin servers when the object is not already cached at the edge. However there are
certain content types that bypass the regional edge cache, and go directly to the origin.
Which of the following content types skip the regional edge cache? (Select two)

Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin

(Correct)

E-commerce assets such as product photos

User-generated videos

Dynamic content, as determined at request time (cache-behavior configured to forward all headers)

(Correct)

Static content such as style sheets, JavaScript files


Explanation
Correct options:
Dynamic content, as determined at request time (cache-behavior configured to forward all headers)
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and
APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.
CloudFront points of presence (POPs) (edge locations) make sure that popular content can be served quickly to your
viewers. CloudFront also has regional edge caches that bring more of your content closer to your viewers, even when
the content is not popular enough to stay at a POP, to help improve performance for that content.
Dynamic content, as determined at request time (cache-behavior configured to forward all headers), does not flow
through regional edge caches, but goes directly to the origin. So this option is correct.
Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin
Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin from the POPs and do not proxy through
the regional edge caches. So this option is also correct.
How CloudFront Delivers Content (figure): via - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowCloudFrontWorks.html
Incorrect Options:
E-commerce assets such as product photos
User-generated videos
Static content such as style sheets, JavaScript files
The following type of content flows through the regional edge caches - user-generated content, such as video, photos,
or artwork; e-commerce assets such as product photos and videos and static content such as style sheets, JavaScript
files. Hence these three options are not correct.
Reference:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowCloudFrontWorks.html
Question 45: Correct
A leading video streaming service delivers billions of hours of content from Amazon S3 to customers around the
world. Amazon S3 also serves as the data lake for its big data analytics solution. The data lake has a staging zone
where intermediary query results are kept only for 24 hours. These results are also heavily referenced by other parts
of the analytics pipeline.
Which of the following is the MOST cost-effective strategy for storing this intermediary query data?

Store the intermediary query results in S3 Intelligent-Tiering storage class

Store the intermediary query results in S3 Standard-Infrequent Access storage class

Store the intermediary query results in S3 One Zone-Infrequent Access storage class

Store the intermediary query results in S3 Standard storage class

(Correct)

Explanation
Correct option:
Store the intermediary query results in S3 Standard storage class
S3 Standard offers high durability, availability, and performance object storage for frequently accessed data. Because it
delivers low latency and high throughput, S3 Standard is appropriate for a wide variety of use cases, including cloud
applications, dynamic websites, content distribution, mobile and gaming applications, and big data analytics. As there is
no minimum storage duration charge and no retrieval fee (remember that intermediary query results are heavily
referenced by other parts of the analytics pipeline), this is the MOST cost-effective storage class amongst the given
options.
Incorrect options:
Store the intermediary query results in S3 Intelligent-Tiering storage class - The S3 Intelligent-Tiering storage class is
designed to optimize costs by automatically moving data to the most cost-effective access tier, without performance
impact or operational overhead. It works by storing objects in two access tiers: one tier that is optimized for frequent
access and another lower-cost tier that is optimized for infrequent access. The minimum storage duration charge is 30
days, so this option is NOT cost-effective because intermediary query results need to be kept only for 24 hours. Hence
this option is not correct.
Store the intermediary query results in S3 Standard-Infrequent Access storage class - S3 Standard-IA is for data that is
accessed less frequently but requires rapid access when needed. S3 Standard-IA offers high durability, high throughput,
and low latency of S3 Standard, with a low per GB storage price and per GB retrieval fee. This combination of low cost
and high performance makes S3 Standard-IA ideal for long-term storage, backups, and as a data store for disaster
recovery files. The minimum storage duration charge is 30 days, so this option is NOT cost-effective because
intermediary query results need to be kept only for 24 hours. Hence this option is not correct.
Store the intermediary query results in S3 One Zone-Infrequent Access storage class - S3 One Zone-IA is for data that is
accessed less frequently but requires rapid access when needed. Unlike other S3 Storage Classes which store data in a
minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in a single AZ and costs 20% less than S3
Standard-IA. The minimum storage duration charge is 30 days, so this option is NOT cost-effective because intermediary
query results need to be kept only for 24 hours. Hence this option is not correct.
To summarize again, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA have a minimum storage duration charge
of 30 days (so instead of 24 hours, you end up paying for 30 days). S3 Standard-IA and S3 One Zone-IA also have retrieval
charges (as the results are heavily referenced by other parts of the analytics pipeline, so the retrieval costs would be
pretty high). Therefore, these 3 storage classes are not cost optimal for the given use-case.
Reference:
https://aws.amazon.com/s3/storage-classes/
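The two rules the explanation above relies on (a 30-day minimum billable duration and a per-GB retrieval fee on the infrequent-access classes) can be turned into a small cost model. This is an added illustration for this practice-test explanation, not AWS pricing data: every unit price in the table is a constructed placeholder kept only in rough proportion to the relationships the explanation states, and the 1000 GB / 24 hour / 50 reads workload is likewise constructed.

```python
"""Cost model for short-lived, frequently read intermediary results in S3.

Added illustration, not AWS pricing data: every unit price below is a
constructed placeholder, kept only in rough proportion to the relationships
the explanation states (IA classes store cheaper but charge a 30-day minimum
and a per-GB retrieval fee; One Zone-IA is 20% below Standard-IA). Look up
the current regional prices before using this for a real decision.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StorageClass:
    name: str
    storage_per_gb_month: float  # USD per GB-month (constructed placeholder)
    retrieval_per_gb: float      # USD per GB read back (constructed placeholder)
    min_duration_days: int       # minimum billable storage duration in days


# Constructed placeholder price table (relative shape only).
CLASSES = [
    StorageClass("STANDARD", 0.023, 0.00, 0),
    StorageClass("INTELLIGENT_TIERING", 0.023, 0.00, 30),
    StorageClass("STANDARD_IA", 0.0125, 0.01, 30),
    StorageClass("ONEZONE_IA", 0.0125 * 0.8, 0.01, 30),
]


def monthly_cost(sc, size_gb, days_kept, reads):
    """Cost of holding size_gb for days_kept days and reading it back `reads` times.

    Storage is billed for at least the class's minimum duration, which is the
    rule that makes a 24-hour object cost a full 30 days in the IA classes.
    """
    billable_days = max(days_kept, sc.min_duration_days)
    storage = size_gb * sc.storage_per_gb_month * billable_days / 30
    retrieval = size_gb * sc.retrieval_per_gb * reads
    return round(storage + retrieval, 4)


def cheapest_class(size_gb, days_kept, reads, classes=CLASSES):
    """Return (name of the cheapest class, cost per class) for an access pattern."""
    costs = {sc.name: monthly_cost(sc, size_gb, days_kept, reads) for sc in classes}
    return min(costs, key=costs.get), costs


if __name__ == "__main__":
    # The question's pattern: results kept 24 hours and read many times.
    best, costs = cheapest_class(size_gb=1000, days_kept=1, reads=50)
    for name, cost in sorted(costs.items(), key=lambda kv: kv[1]):
        print(f"{name:20s} {cost:10.2f}")
    print("cheapest:", best)
    # The opposite pattern (kept 90 days, never read back) favours an IA class.
    print("cold data, 90 days:", cheapest_class(1000, 90, 0)[0])
```

Running the model with the constructed numbers shows why the minimum-duration and retrieval rules dominate for a 24-hour, heavily read object, and that the same model flips in favour of the IA classes once the object is kept for months and rarely read, which is the trade-off the explanation describes.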
Question 46: Correct
A digital media streaming company wants to use AWS Cloudfront to distribute its content only to its service
subscribers. As a solutions architect, which of the following solutions would you suggest in order to deliver restricted
content to the bona fide end users? (Select two)

Require HTTPS for communication between CloudFront and your S3 origin

Use CloudFront signed cookies

(Correct)

Forward HTTPS requests to the origin server by using the ECDSA or RSA ciphers

Use CloudFront signed URLs

(Correct)

Require HTTPS for communication between CloudFront and your custom origin
Explanation
Correct options:
Use CloudFront signed URLs
Many companies that distribute content over the internet want to restrict access to documents, business data, media
streams, or content that is intended for selected users, for example, users who have paid a fee.
To securely serve this private content by using CloudFront, you can do the following:
Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
A signed URL includes additional information, for example, expiration date and time, that gives you more control over
access to your content. So this is a correct option.
Use CloudFront signed cookies
CloudFront signed cookies allow you to control who can access your content when you don't want to change your
current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the
subscribers' area of a website. So this is also a correct option.
Incorrect options:
Require HTTPS for communication between CloudFront and your custom origin
Require HTTPS for communication between CloudFront and your S3 origin
Requiring HTTPS for communication between CloudFront and your custom origin (or S3 origin) only enables secure
access to the underlying content. You cannot use HTTPS to restrict access to your private content. So both these options
are incorrect.
Forward HTTPS requests to the origin server by using the ECDSA or RSA ciphers - This option is just added as a
distractor. You cannot use HTTPS to restrict access to your private content.
Reference:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html
Question 47: Correct
The engineering team at a data analytics company has observed that its flagship application functions at its peak
performance when the underlying EC2 instances have a CPU utilization of about 50%. The application is built on a
fleet of EC2 instances managed under an Auto Scaling group. The workflow requests are handled by an internal
Application Load Balancer that routes the requests to the instances.
As a solutions architect, what would you recommend so that the application runs near its peak performance state?

Configure the Auto Scaling group to use simple scaling policy and set the CPU utilization as the target metric with a
target value of 50%

Configure the Auto Scaling group to use target tracking policy and set the CPU utilization as the target metric with a
target value of 50%

(Correct)

Configure the Auto Scaling group to use step scaling policy and set the CPU utilization as the target metric with a target
value of 50%


Configure the Auto Scaling group to use a CloudWatch alarm triggered on a CPU utilization threshold of 50%
Explanation
Correct option:
Configure the Auto Scaling group to use target tracking policy and set the CPU utilization as the target metric with a
target value of 50%
An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical grouping for the
purposes of automatic scaling and management. An Auto Scaling group also enables you to use Amazon EC2 Auto
Scaling features such as health check replacements and scaling policies.
With target tracking scaling policies, you select a scaling metric and set a target value. Amazon EC2 Auto Scaling creates
and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the
metric and the target value. The scaling policy adds or removes capacity as required to keep the metric at, or close to,
the specified target value.
For example, you can use target tracking scaling to:
Configure a target tracking scaling policy to keep the average aggregate CPU utilization of your Auto Scaling group at 50
percent. This meets the requirements specified in the given use-case and therefore, this is the correct option.
Target Tracking Policy Overview (figure): via - https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-target-tracking.html
Incorrect options:
Configure the Auto Scaling group to use step scaling policy and set the CPU utilization as the target metric with a
target value of 50%
Configure the Auto Scaling group to use simple scaling policy and set the CPU utilization as the target metric with a
target value of 50%
With step scaling and simple scaling, you choose scaling metrics and threshold values for the CloudWatch alarms that
trigger the scaling process. Neither step scaling nor simple scaling can be configured to use a target metric for CPU
utilization, hence both these options are incorrect.
Configure the Auto Scaling group to use a CloudWatch alarm triggered on a CPU utilization threshold of 50% - An Auto
Scaling group cannot directly use a CloudWatch alarm as the source for a scale-in or scale-out event, hence this option is
incorrect.
References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-target-tracking.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-simple-step.html
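The difference between a target tracking policy and a step or simple scaling policy is easiest to see by simulating both against the same load. The following is an added example for this explanation, not code from the practice test or from AWS: it models target tracking as the proportional adjustment desired = ceil(current x observed / target), which assumes per-instance CPU falls in proportion to capacity added (the assumption target tracking itself makes), ignores cooldowns and alarm evaluation periods, and uses a constructed load expressed in units of "one instance at 100% CPU".

```python
"""Simulation of target tracking versus step scaling on CPU utilization.

Added example, not part of the practice test. Simplified model: no scale-in
cooldown, no alarm evaluation periods, and CPU per instance assumed to scale
inversely with capacity (the assumption behind target tracking).
"""
import math


def make_target_tracking(target_cpu):
    """Policy that resizes the group so average CPU returns to target_cpu.

    Model (assumption): desired = ceil(current * observed / target), clamped
    to the group's min and max size.
    """
    def policy(current, observed_cpu, min_size, max_size):
        desired = math.ceil(current * observed_cpu / target_cpu)
        return max(min_size, min(desired, max_size))
    return policy


def make_step_scaling(scale_out_above, scale_out_by, scale_in_below, scale_in_by):
    """Step/simple style policy: fixed adjustments on alarm thresholds.

    There is no target value; the policy only knows "above" and "below".
    """
    def policy(current, observed_cpu, min_size, max_size):
        if observed_cpu > scale_out_above:
            desired = current + scale_out_by
        elif observed_cpu < scale_in_below:
            desired = current - scale_in_by
        else:
            desired = current
        return max(min_size, min(desired, max_size))
    return policy


def simulate(policy, load_units, capacity, min_size, max_size, rounds=4):
    """Run `rounds` scaling decisions against a constant constructed load.

    load_units is total CPU demand in units of one instance at 100%, so the
    observed average CPU is load_units / capacity, capped at 100%. Returns the
    capacity after each round.
    """
    history = []
    for _ in range(rounds):
        observed = min(100.0, load_units / capacity)
        capacity = policy(capacity, observed, min_size, max_size)
        history.append(capacity)
    return history


if __name__ == "__main__":
    tracking = make_target_tracking(target_cpu=50)
    stepping = make_step_scaling(scale_out_above=55, scale_out_by=2,
                                 scale_in_below=45, scale_in_by=1)
    # Constructed load: 320 units on 4 instances means 80% average CPU.
    print("target tracking:", simulate(tracking, 320, 4, min_size=1, max_size=20))
    print("step scaling:   ", simulate(stepping, 320, 4, min_size=1, max_size=20))
    # Scale-in case: 100 units on 4 instances is 25% average CPU.
    print("target tracking, light load:", simulate(tracking, 100, 4, 1, 20))
```

With the constructed load, target tracking jumps straight to the capacity that brings average CPU back near 50% and then holds it, and it scales in just as directly when the load drops. The step policy only moves by its fixed increments when an alarm threshold is crossed and settles wherever that lands it, which is why it cannot be configured to hold a metric at a target value.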
Question 48: Correct
A new DevOps engineer has joined a large financial services company recently. As part of his onboarding, the IT
department is conducting a review of the checklist for tasks related to AWS Identity and Access Management.
As a solutions architect, which best practices would you recommend (Select two)?

Grant maximum privileges to avoid assigning privileges again

Configure AWS CloudTrail to log all IAM actions

(Correct)

Enable MFA for privileged users

(Correct)

Use user credentials to provide access specific permissions for Amazon EC2 instances

Create a minimum number of accounts and share these account credentials among employees
Explanation
Correct options:
Enable MFA for privileged users - As per the AWS best practices, it is better to enable Multi Factor Authentication (MFA)
for privileged users via an MFA-enabled mobile device or hardware MFA token.
Configure AWS CloudTrail to log all IAM actions - AWS recommends turning on CloudTrail to log all IAM actions
for monitoring and audit purposes.
Incorrect options:
Create a minimum number of accounts and share these account credentials among employees - AWS recommends
that user account credentials should not be shared between users. So, this option is incorrect.
Grant maximum privileges to avoid assigning privileges again - AWS recommends granting the least privileges required
to complete a certain job and avoid giving excessive privileges which can be misused. So, this option is incorrect.
Use user credentials to provide access specific permissions for Amazon EC2 instances - It is highly recommended to use
roles to grant access permissions for EC2 instances working on different AWS services. So, this option is incorrect.
References:
https://aws.amazon.com/iam/
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
https://aws.amazon.com/cloudtrail/faqs/
Question 49: Correct
An IT consultant is helping the owner of a medium-sized business set up an AWS account. What are the security
recommendations he must follow while creating the AWS account root user? (Select two)

Create AWS account root user access keys and share those keys only with the business owner

Encrypt the access keys and save them on Amazon S3

Enable Multi Factor Authentication (MFA) for the AWS account root user account

(Correct)

Send an email to the business owner with details of the login username and password for the AWS root user. This will
help the business owner to troubleshoot any login issues in future

Create a strong password for the AWS account root user

(Correct)

Explanation
Correct options:
Create a strong password for the AWS account root user
Enable Multi Factor Authentication (MFA) for the AWS account root user account
Here are some of the best practices while creating an AWS account root user:
1) Use a strong password to help protect account-level access to the AWS Management Console.
2) Never share your AWS account root user password or access keys with anyone.
3) If you do have an access key for your AWS account root user, delete it. If you must keep it, rotate (change) the access key regularly. You should not encrypt the access keys and save them on Amazon S3.
4) If you don't already have an access key for your AWS account root user, don't create one unless you absolutely need to.
5) Enable AWS multi-factor authentication (MFA) on your AWS account root user account.
AWS Root Account Security Best Practices (figure): via - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Incorrect options:
Encrypt the access keys and save them on Amazon S3 - AWS recommends that if you don't already have an access key
for your AWS account root user, don't create one unless you absolutely need to. Even an encrypted access key for the
root user poses a significant security risk. Therefore, this option is incorrect.
Create AWS account root user access keys and share those keys only with the business owner - AWS recommends that
if you don't already have an access key for your AWS account root user, don't create one unless you absolutely need to.
Hence, this option is incorrect.
Send an email to the business owner with details of the login username and password for the AWS root user. This will
help the business owner to troubleshoot any login issues in future - AWS recommends that you should never share
your AWS account root user password or access keys with anyone. Sending an email with AWS account root user
credentials creates a security risk as it can be misused by anyone reading the email. Hence, this option is incorrect.
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
Question 50: Correct
A gaming company uses Amazon Aurora as its primary database service. The company has now deployed 5 multi-AZ
read replicas to increase the read throughput and for use as failover target. The replicas have been assigned the
following failover priority tiers and corresponding sizes are given in parentheses: tier-1 (16TB), tier-1 (32TB), tier-10
(16TB), tier-15 (16TB), tier-15 (32TB).
In the event of a failover, Amazon RDS will promote which of the following read replicas?

Tier-1 (32TB)

(Correct)


Tier-15 (32TB)

Tier-10 (16TB)

Tier-1 (16TB)
Explanation
Correct option:
Tier-1 (32TB)
Amazon Aurora features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 64TB per
database instance. It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time
recovery, continuous backup to Amazon S3, and replication across three Availability Zones (AZs).
For Amazon Aurora, each Read Replica is associated with a priority tier (0-15). In the event of a failover, Amazon Aurora
will promote the Read Replica that has the highest priority (the lowest numbered tier). If two or more Aurora Replicas
share the same priority, then Amazon RDS promotes the replica that is largest in size. If two or more Aurora Replicas
share the same priority and size, then Amazon Aurora promotes an arbitrary replica in the same promotion tier.
Therefore, for this problem statement, the Tier-1 (32TB) replica will be promoted.
Incorrect options:
Tier-15 (32TB)
Tier-1 (16TB)
Tier-10 (16TB)
Given the failover rules discussed earlier in the explanation, these three options are incorrect.
References:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html
https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.FaultTolerance
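The promotion rule in the explanation (lowest tier number first, then largest size, then an arbitrary choice) is worth encoding when planning failover, because the "arbitrary" step means a cluster with two replicas tied on tier and size has no predictable failover target. The block below is an added example, not code from the practice test or from Amazon RDS; the replica names are constructed, and the five (tier, size) pairs are the ones from the question.

```python
"""Which Aurora Replica gets promoted on failover?

Added example, not part of the practice test. Implements the promotion order
the explanation describes: lowest priority tier number, then largest size,
then an arbitrary choice among the remaining ties.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuroraReplica:
    name: str
    priority_tier: int  # 0 (highest priority) .. 15 (lowest priority)
    size_tb: int


def failover_candidates(replicas):
    """Order replicas as RDS would consider them for promotion.

    Lowest tier number first, then largest size. Replicas tied on both keep
    their input order here; Aurora's own choice among them is arbitrary.
    """
    for r in replicas:
        if not 0 <= r.priority_tier <= 15:
            raise ValueError(f"{r.name}: priority tier must be between 0 and 15")
    return sorted(replicas, key=lambda r: (r.priority_tier, -r.size_tb))


def promoted_replica(replicas):
    """The replica RDS promotes, given the ordering rules above."""
    if not replicas:
        raise ValueError("no Aurora Replicas available to promote")
    return failover_candidates(replicas)[0]


def tied_for_promotion(replicas):
    """Replicas sharing the top (tier, size).

    If this returns more than one replica, the failover target is not
    predictable, so runbooks must not assume a specific instance takes over.
    """
    ordered = failover_candidates(replicas)
    top = (ordered[0].priority_tier, ordered[0].size_tb)
    return [r for r in ordered if (r.priority_tier, r.size_tb) == top]


# The five replicas from the question (names are constructed).
QUESTION_REPLICAS = [
    AuroraReplica("replica-a", 1, 16),
    AuroraReplica("replica-b", 1, 32),
    AuroraReplica("replica-c", 10, 16),
    AuroraReplica("replica-d", 15, 16),
    AuroraReplica("replica-e", 15, 32),
]


if __name__ == "__main__":
    for r in failover_candidates(QUESTION_REPLICAS):
        print(f"tier-{r.priority_tier:<2} {r.size_tb:>2} TB  {r.name}")
    print("promoted:", promoted_replica(QUESTION_REPLICAS).name)
    print("ties at the top:", [r.name for r in tied_for_promotion(QUESTION_REPLICAS)])
```

Usage: feed `failover_candidates` the replicas of a cluster (for instance from a describe call on the cluster) to get the full promotion order, and treat a `tied_for_promotion` result longer than one as a configuration smell when a specific failover target matters.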
Question 51: Correct
An organization wants to delegate access to a set of users from the development environment so that they can access
some resources in the production environment which is managed under another AWS account.
As a solutions architect, which of the following steps would you recommend?

Create new IAM user credentials for the production environment and share these credentials with the set of users from
the development environment

Create a new IAM role with the required permissions to access the resources in the production environment. The users
can then assume this IAM role while accessing the resources from the production environment
(Correct)

Both IAM roles and IAM users can be used interchangeably for cross-account access

It is not possible to access cross-account resources


Explanation
Correct option:
Create a new IAM role with the required permissions to access the resources in the production environment. The
users can then assume this IAM role while accessing the resources from the production environment
IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS
resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to
make AWS API calls. Consequently, you don't have to share long-term credentials for access to a resource. Using IAM
roles, it is possible to access cross-account resources.
Incorrect options:
Create new IAM user credentials for the production environment and share these credentials with the set of users
from the development environment - There is no need to create new IAM user credentials for the production
environment, as you can use IAM roles to access cross-account resources.
It is not possible to access cross-account resources - You can use IAM roles to access cross-account resources.
Both IAM roles and IAM users can be used interchangeably for cross-account access - IAM roles and IAM users are
separate IAM entities and should not be mixed. Only IAM roles can be used to access cross-account resources.
Reference:
https://aws.amazon.com/iam/features/manage-roles/
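The delegation pattern from this question, as an added example (it is not code from the practice test or from AWS). It builds the three policy documents the pattern needs, the STS request a developer would send, and a pre-apply review of the trust policy that catches the over-broad principals that turn delegation into an open door. The account IDs, role name and bucket name are placeholders assumed for illustration.

```python
import re

PROD_ACCOUNT_ID = "111111111111"   # assumption: production account
DEV_ACCOUNT_ID = "222222222222"    # assumption: development account
ROLE_NAME = "DevTeamProdReadOnly"  # assumption: role created in the production account
PROD_BUCKET = "prod-reports"       # assumption: the production resource being shared

# Shape of the AWS principals a trust policy may name (account root, a user or a role).
_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def trust_policy(trusted_account_id: str) -> dict:
    """Trust policy on the production role.

    Trusting the development account's root delegates the decision of *which* developers
    may assume the role to that account's own IAM policies; no production credentials
    are ever handed out.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Permissions policy on the same role: only what the developers need in production."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def role_arn(account_id: str, name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{name}"


def assume_role_grant(target_role_arn: str) -> dict:
    """Policy attached to the developers' IAM group in the development account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}],
    }


def assume_role_request(account_id: str, name: str, session_name: str, duration: int = 3600) -> dict:
    """Parameters a developer passes to STS (boto3: sts.assume_role(**assume_role_request(...)))."""
    return {"RoleArn": role_arn(account_id, name), "RoleSessionName": session_name,
            "DurationSeconds": duration}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, allowed_account_ids: set) -> list:
    """Review a trust policy before applying it; returns a list of problems (empty means ok).

    Flags wildcard principals and any principal outside the accounts we intend to trust:
    an over-broad trust policy lets any AWS account assume the role and its permissions.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("wildcard principal: any AWS account could assume this role")
            continue
        for p in _as_list((principal or {}).get("AWS", [])):
            if p == "*":
                findings.append("wildcard AWS principal")
            elif re.fullmatch(r"\d{12}", p):               # bare account id form
                if p not in allowed_account_ids:
                    findings.append(f"unexpected account {p}")
            else:
                match = _PRINCIPAL_ARN.match(p)
                if not match:
                    findings.append(f"unrecognised principal {p}")
                elif match.group(1) not in allowed_account_ids:
                    findings.append(f"unexpected account {match.group(1)} in {p}")
    return findings
```

Run trust_policy_findings against every trust policy before it goes into IAM (or Terraform); trusting the other account's root is the usual choice, but trusting a specific role ARN in that account is tighter when the set of developers is already expressed as a role there.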
Question 52: Correct
A leading social media analytics company is contemplating moving its dockerized application stack into AWS Cloud.
The company is not sure about the pricing for using Elastic Container Service (ECS) with the EC2 launch type compared
to the Elastic Container Service (ECS) with the Fargate launch type.
Which of the following is correct regarding the pricing for these two services?

Both ECS with EC2 launch type and ECS with Fargate launch type are just charged based on Elastic Container Service
used per hour

ECS with EC2 launch type is charged based on EC2 instances and EBS volumes used. ECS with Fargate launch type is
charged based on vCPU and memory resources that the containerized application requests

(Correct)


Both ECS with EC2 launch type and ECS with Fargate launch type are charged based on vCPU and memory resources that
the containerized application requests

Both ECS with EC2 launch type and ECS with Fargate launch type are charged based on EC2 instances and EBS volumes
used
Explanation
Correct option:
ECS with EC2 launch type is charged based on EC2 instances and EBS volumes used. ECS with Fargate launch type is
charged based on vCPU and memory resources that the containerized application requests
Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service. ECS allows you to
easily run, scale, and secure Docker container applications on AWS.
ECS Overview: via - https://aws.amazon.com/ecs/
With the Fargate launch type, you pay for the amount of vCPU and memory resources that your containerized
application requests. vCPU and memory resources are billed from the time your container images are pulled until
the Amazon ECS task terminates, rounded up to the nearest second. With the EC2 launch type, there is no additional
charge for ECS itself; you pay for the AWS resources (e.g. EC2 instances or EBS volumes) you create to store and
run your application.
Incorrect options:
Both ECS with EC2 launch type and ECS with Fargate launch type are charged based on vCPU and memory resources
that the containerized application requests
Both ECS with EC2 launch type and ECS with Fargate launch type are charged based on EC2 instances and EBS volumes
used
As mentioned above - with the Fargate launch type, you pay for the amount of vCPU and memory resources. With EC2
launch type, you pay for AWS resources (e.g. EC2 instances or EBS volumes). Hence both these options are incorrect.
Both ECS with EC2 launch type and ECS with Fargate launch type are just charged based on Elastic Container Service
used per hour
This is a made-up option and has been added as a distractor.
References:
https://aws.amazon.com/ecs/pricing/
Question 53: Incorrect
One of the largest healthcare solutions providers in the world uses Amazon S3 to store and protect a petabyte of
critical medical imaging data for its AWS based Health Cloud service, which connects hundreds of thousands of
imaging machines and other medical devices. The engineering team has observed that while some of the objects in
the imaging data bucket are frequently accessed, others sit idle for a considerable span of time.
As a solutions architect, what is your recommendation to build the MOST cost-effective solution?

Store the objects in the imaging data bucket using the S3 Intelligent-Tiering storage class

(Correct)

Create a data monitoring application on an EC2 instance in the same region as the imaging data bucket. The application
is triggered daily via CloudWatch and it changes the storage class of infrequently accessed objects to S3 One Zone-IA and
the frequently accessed objects are migrated to S3 Standard class

Store the objects in the imaging data bucket using the S3 Standard-IA storage class

(Incorrect)

Create a data monitoring application on an EC2 instance in the same region as the imaging data bucket. The application
is triggered daily via CloudWatch and it changes the storage class of infrequently accessed objects to S3 Standard-IA and
the frequently accessed objects are migrated to S3 Standard class
Explanation
Correct option:
Store the objects in the imaging data bucket using the S3 Intelligent-Tiering storage class
The S3 Intelligent-Tiering storage class is designed to optimize costs by automatically moving data to the most cost-
effective access tier, without performance impact or operational overhead. It works by storing objects in two access
tiers: one tier that is optimized for frequent access and another lower-cost tier that is optimized for infrequent access.
For a small monthly monitoring and automation fee per object, Amazon S3 monitors access patterns of the objects in S3
Intelligent-Tiering and moves the ones that have not been accessed for 30 consecutive days to the infrequent access
tier. If an object in the infrequent access tier is accessed, it is automatically moved back to the frequent access tier.
Therefore using the S3 Intelligent-Tiering storage class is the correct solution for the given problem statement.
Two things to check before switching a bucket over: the monitoring fee is charged per object, and objects smaller than
128 KB are stored but never tiered, so a bucket full of tiny objects gains nothing from the class; and there is no
retrieval fee when an object is promoted back to the frequent tier, which is what makes it safe for an access pattern
that cannot be predicted per object, such as the medical images here.
S3 Storage Classes Overview:
Incorrect options:
Store the objects in the imaging data bucket using the S3 Standard-IA storage class
S3 Standard-IA is for data that is accessed less frequently but requires rapid access when needed. S3 Standard-IA offers
high durability, high throughput, and low latency of S3 Standard, with a low per GB storage price and per GB retrieval
fee. This combination of low cost and high performance makes S3 Standard-IA ideal for long-term storage, backups, and
as a data store for disaster recovery files. The minimum storage duration charge is 30 days. As some of the objects are
frequently accessed, the per GB retrieval fee for S3 Standard-IA can cause the costs to shoot up, hence this option is
incorrect.
Create a data monitoring application on an EC2 instance in the same region as the imaging data bucket. The
application is triggered daily via CloudWatch and it changes the storage class of infrequently accessed objects to S3
One Zone-IA and the frequently accessed objects are migrated to S3 Standard class
Create a data monitoring application on an EC2 instance in the same region as the imaging data bucket. The
application is triggered daily via CloudWatch and it changes the storage class of infrequently accessed objects to S3
Standard-IA and the frequently accessed objects are migrated to S3 Standard class
Creating a data monitoring application on an EC2 instance for managing the desired S3 storage class entails significant
development cost as well as infrastructure maintenance effort. The S3 Intelligent-Tiering storage class does the job in a
cost-effective way. Therefore both these options are incorrect.
Reference:
https://aws.amazon.com/s3/storage-classes/
Question 54: Correct
The engineering team at an online fashion retailer uses AWS Cloud to manage its technology infrastructure. The EC2
server fleet is behind an Application Load Balancer and the fleet strength is managed by an Auto Scaling group. Based
on the historical data, the team is anticipating a huge traffic spike during the upcoming Thanksgiving sale.
As an AWS solutions architect, what feature of the Auto Scaling group would you leverage so that the potential surge
in traffic can be preemptively addressed?

Auto Scaling group lifecycle hook

Auto Scaling group step scaling policy

Auto Scaling group scheduled action

(Correct)

Auto Scaling group target tracking scaling policy


Explanation
Correct option:
Auto Scaling group scheduled action
The engineering team can create a scheduled action for the Auto Scaling group to pre-emptively provision additional
instances for the sale duration. This makes sure that adequate instances are ready before the sale goes live. The
scheduled action tells Amazon EC2 Auto Scaling to perform a scaling action at specified times. To create a scheduled
scaling action, you specify the start time when the scaling action should take effect, and the new minimum, maximum,
and desired sizes for the scaling action. At the specified time, Amazon EC2 Auto Scaling updates the group with the
values for minimum, maximum, and desired size that are specified by the scaling action.
Incorrect options:
Auto Scaling group target tracking scaling policy - With target tracking scaling policies, you choose a scaling metric and
set a target value. Amazon EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy
and calculates the scaling adjustment based on the metric and the target value.
Auto Scaling group step scaling policy - With step scaling, you choose scaling metrics and threshold values for the
CloudWatch alarms that trigger the scaling process as well as define how your scalable target should be scaled when a
threshold is in breach for a specified number of evaluation periods.
Both the target tracking as well as step scaling policies entail a lag wherein the instances will be provisioned only when
the underlying CloudWatch alarms go off. Therefore these two options are not pre-emptive in nature and ruled out for
the given use-case.
Auto Scaling group lifecycle hook - Auto Scaling group lifecycle hooks enable you to perform custom actions as the Auto
Scaling group launches or terminates instances. For example, you could install or configure software on newly launched
instances, or download log files from an instance before it terminates. Lifecycle hooks cannot be used to pre-emptively
provision additional instances for a specific period such as the sale duration.
Reference:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/schedule_time.html
Question 55: Correct
The CTO of an online home rental marketplace wants to re-engineer the caching layer of the current architecture for
its relational database. He wants the caching layer to have replication and archival support built into the architecture.
Which of the following AWS service offers the capabilities required for the re-engineering of the caching layer?

DocumentDB

ElastiCache for Redis

(Correct)

DynamoDB Accelerator (DAX)

ElastiCache for Memcached


Explanation
Correct option:
ElastiCache for Redis
Amazon ElastiCache for Redis is a blazing fast in-memory data store that provides sub-millisecond latency to power
internet-scale real-time applications. Amazon ElastiCache for Redis is a great choice for real-time transactional and
analytical processing use cases such as caching, chat/messaging, gaming leaderboards, geospatial, machine learning,
media streaming, queues, real-time analytics, and session store. ElastiCache for Redis supports replication and archival
snapshots right out of the box. Hence this is the correct option.
Exam Alert: Please review this comparison sheet for Redis vs Memcached features:
via - https://aws.amazon.com/elasticache/redis-vs-memcached/
Incorrect options:
ElastiCache for Memcached - Amazon ElastiCache for Memcached is a Memcached-compatible in-memory key-value
store service that can be used as a cache or a data store. Amazon ElastiCache for Memcached is a great choice for
implementing an in-memory cache to decrease access latency, increase throughput, and ease the load off your
relational or NoSQL database. Session stores are easy to create with Amazon ElastiCache for Memcached. ElastiCache
for Memcached does not support replication and archival snapshots, so this option is ruled out.
DynamoDB Accelerator (DAX) - Amazon DynamoDB is a key-value and document database that delivers single-digit
millisecond performance at any scale. It's a fully managed, multi-region, multi-master, durable database with built-in
security, backup and restore, and in-memory caching for internet-scale applications. DAX is a DynamoDB-compatible
caching service that enables you to benefit from fast in-memory performance for demanding applications. DAX cannot
be used as a caching layer for a relational database.
DocumentDB - Amazon DocumentDB is a fast, scalable, highly available, and fully managed document database service
that supports MongoDB workloads. As a document database, Amazon DocumentDB makes it easy to store, query, and
index JSON data. DocumentDB cannot be used as a caching layer for a relational database.
References:
https://aws.amazon.com/elasticache/redis/
https://aws.amazon.com/elasticache/redis-vs-memcached/
Question 56: Correct
The development team at an e-commerce startup has set up multiple microservices running on EC2 instances under
an Application Load Balancer. The team wants to route traffic to multiple back-end services based on the URL path of
the HTTP header. So it wants requests for https://www.example.com/orders to go to a specific microservice and
requests for https://www.example.com/products to go to another microservice.
Which of the following features of Application Load Balancers can be used for this use-case?

Path-based Routing

(Correct)

Query string parameter-based routing

Host-based Routing

HTTP header-based routing


Explanation
Correct option:
Path-based Routing
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2
instances, containers, IP addresses, and Lambda functions.
If your application is composed of several individual services, an Application Load Balancer can route a request to a
service based on the content of the request. Here are the different types -
Host-based Routing:
You can route a client request based on the Host field of the HTTP header allowing you to route to multiple domains
from the same load balancer.
Path-based Routing:
You can route a client request based on the URL path of the HTTP header.
HTTP header-based routing:
You can route a client request based on the value of any standard or custom HTTP header.
HTTP method-based routing:
You can route a client request based on any standard or custom HTTP method.
Query string parameter-based routing:
You can route a client request based on the query string or query parameters.
Source IP address CIDR-based routing:
You can route a client request based on source IP address CIDR from where the request originates.
Path-based Routing Overview:
You can use path conditions to define rules that route requests based on the URL in the request (also known as path-
based routing). The path pattern is applied only to the path of the URL, not to its query parameters. Patterns are
case-sensitive; * matches zero or more characters and ? matches exactly one, so /orders and /orders/* are two
different rules and a request for /orders-archive matches neither. Rules are evaluated in priority order and the
listener's default action handles whatever matches nothing, so the default should point at something safe rather than
at a privileged back-end.
via - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#path-conditions
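A small model of that matching, added here as an example (not code from the practice test or from AWS): it compiles ALB-style path patterns and walks the rules in priority order against the path only, ignoring host and query string. The rules, target group names and URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Characters an ALB path pattern may contain, plus the two wildcards.
_ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.$/~\"'@:+&*?")

# Constructed sample listener rules: (priority, path pattern, target group). Lowest priority number wins.
RULES = [
    (10, "/orders", "orders-tg"),
    (11, "/orders/*", "orders-tg"),
    (20, "/products", "products-tg"),
    (21, "/products/*", "products-tg"),
]
DEFAULT_TARGET = "frontend-tg"   # the listener's default action


def pattern_to_regex(pattern: str):
    """Compile an ALB path pattern: '*' matches zero or more characters, '?' exactly one.

    Patterns are case-sensitive, at most 128 characters long, and must start with '/'.
    """
    if not pattern.startswith("/") or len(pattern) > 128:
        raise ValueError(f"invalid path pattern: {pattern!r}")
    bad = set(pattern) - _ALLOWED
    if bad:
        raise ValueError(f"disallowed characters {sorted(bad)} in {pattern!r}")
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def route(url: str, rules=RULES, default=DEFAULT_TARGET) -> str:
    """Return the target group an ALB would forward this request to.

    Only the path takes part in matching; the host and the query string are ignored here,
    as they are by a path condition (host and query-string conditions are separate rule types).
    """
    path = urlsplit(url).path or "/"
    for _priority, pattern, target in sorted(rules):
        if pattern_to_regex(pattern).fullmatch(path):
            return target
    return default
```

Note that a request for /orders?next=/products/1 still goes to orders-tg and /Products/1 falls through to the default: the query string never participates and the comparison is case-sensitive, both of which matter when a rule is meant to fence off an admin or internal path.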
Incorrect options:
Query string parameter-based routing
HTTP header-based routing
Host-based Routing
As mentioned earlier in the explanation, none of these three types of routing support requests based on the URL path of
the HTTP header. Hence these three are incorrect.
Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html
Question 57: Correct
A social media analytics company uses a fleet of EC2 servers to manage its analytics workflow. These EC2 servers
operate under an Auto Scaling group. The engineers at the company want to be able to download log files whenever
an instance terminates because of a scale-in event from an auto-scaling policy.
Which of the following features can be used to enable this custom action?

Auto Scaling group lifecycle hook


(Correct)

EC2 instance meta data

EC2 instance user data

Auto Scaling group scheduled action


Explanation
Correct option:
Auto Scaling group lifecycle hook
An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical grouping for automatic
scaling and management.
Auto Scaling group lifecycle hooks enable you to perform custom actions as the Auto Scaling group launches or
terminates instances. Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling
group launches or terminates them. For example, you could install or configure software on newly launched instances,
or download log files from an instance before it terminates.
How lifecycle hooks work:
via - https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html
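The "download log files before it terminates" case worked through, as an added example (not code from the practice test or from AWS): a Lambda function invoked by an EventBridge rule on the terminate lifecycle action event uses SSM Run Command to copy the instance's logs to S3, waits for the command, and then completes the hook so the instance can be terminated. The bucket, log directories and sample event values are assumptions, and the two fake client classes stand in for boto3 so the module runs offline.

```python
import time

LOG_BUCKET = "asg-instance-logs"               # assumption: destination bucket
LOG_DIRS = ["/var/log/app", "/var/log/nginx"]  # assumption: directories worth keeping
TERMINAL_STATUSES = {"Success", "Failed", "TimedOut", "Cancelled"}


def parse_lifecycle_event(event: dict) -> dict:
    """Pick the needed fields out of the 'EC2 Instance-terminate Lifecycle Action' EventBridge event."""
    detail = event["detail"]
    if detail.get("LifecycleTransition") != "autoscaling:EC2_INSTANCE_TERMINATING":
        raise ValueError(f"unexpected transition {detail.get('LifecycleTransition')!r}")
    return {"instance_id": detail["EC2InstanceId"], "asg_name": detail["AutoScalingGroupName"],
            "hook_name": detail["LifecycleHookName"], "token": detail["LifecycleActionToken"]}


def log_sync_commands(instance_id: str, bucket: str, dirs: list) -> list:
    """Shell run on the instance via SSM; its instance profile needs s3:PutObject on the prefix."""
    return [f"aws s3 sync {d} s3://{bucket}/{instance_id}{d}/" for d in dirs]


def drain_and_continue(event: dict, ssm, autoscaling, sleep=time.sleep, max_polls=100) -> str:
    """Copy the logs, wait for the command to finish, then release the instance. Returns the SSM status."""
    info = parse_lifecycle_event(event)
    status = "NotStarted"
    try:
        sent = ssm.send_command(InstanceIds=[info["instance_id"]], DocumentName="AWS-RunShellScript",
                                Parameters={"commands": log_sync_commands(info["instance_id"], LOG_BUCKET, LOG_DIRS)})
        command_id = sent["Command"]["CommandId"]
        for _ in range(max_polls):
            status = ssm.get_command_invocation(CommandId=command_id, InstanceId=info["instance_id"])["Status"]
            if status in TERMINAL_STATUSES:
                break
            sleep(5)
    finally:
        # Always complete the hook, even on failure: otherwise the instance sits in Terminating:Wait until
        # the hook's heartbeat timeout expires. For a terminate hook CONTINUE and ABANDON both end in
        # termination; the result only changes behaviour for launch hooks.
        autoscaling.complete_lifecycle_action(LifecycleHookName=info["hook_name"],
                                              AutoScalingGroupName=info["asg_name"],
                                              LifecycleActionToken=info["token"],
                                              InstanceId=info["instance_id"],
                                              LifecycleActionResult="CONTINUE")
    return status


def lambda_handler(event, context):
    import boto3  # imported here so the rest of the module runs offline against the fakes below
    return drain_and_continue(event, boto3.client("ssm"), boto3.client("autoscaling"))


# Constructed sample event and offline stand-ins for the two boto3 clients (demonstration only).
SAMPLE_EVENT = {
    "source": "aws.autoscaling", "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "detail": {"LifecycleActionToken": "87654321-4321-4321-4321-210987654321",
               "AutoScalingGroupName": "analytics-workers", "LifecycleHookName": "copy-logs-before-terminate",
               "EC2InstanceId": "i-0123456789abcdef0",
               "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING"},
}


class FakeSSM:
    """Records the command and reports InProgress twice before Success."""
    def __init__(self):
        self.sent, self.polls = None, 0

    def send_command(self, **kwargs):
        self.sent = kwargs
        return {"Command": {"CommandId": "cmd-0001"}}

    def get_command_invocation(self, **kwargs):
        self.polls += 1
        return {"Status": "InProgress" if self.polls < 3 else "Success"}


class FakeAutoScaling:
    def __init__(self):
        self.completed = None

    def complete_lifecycle_action(self, **kwargs):
        self.completed = kwargs


def demo() -> dict:
    """Run the handler against the fakes; returns the status and what each client was called with."""
    ssm, asg = FakeSSM(), FakeAutoScaling()
    status = drain_and_continue(SAMPLE_EVENT, ssm, asg, sleep=lambda _s: None)
    return {"status": status, "commands": ssm.sent["Parameters"]["commands"], "completed": asg.completed}
```

The Lambda's role needs ssm:SendCommand, ssm:GetCommandInvocation and autoscaling:CompleteLifecycleAction, and the hook's heartbeat timeout must be longer than the copy can take; if the copy can exceed the Lambda's own limit, call RecordLifecycleActionHeartbeat from the loop rather than relying on the default timeout.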
Incorrect options:
EC2 instance meta data - EC2 instance metadata is data about your instance that you can use to configure or manage
the running instance. You cannot use EC2 instance metadata to download log files whenever an instance terminates
because of a scale-in event from an auto-scaling policy.
EC2 instance user data - EC2 instance user data is the data that you specified in the form of a configuration script while
launching your instance. You cannot use EC2 instance user data to download log files whenever an instance terminates
because of a scale-in event from an auto-scaling policy.
Auto Scaling group scheduled action - To configure your Auto Scaling group to scale based on a schedule, you create a
scheduled action. The scheduled action tells Amazon EC2 Auto Scaling to perform a scaling action at specified times. You
cannot use scheduled action to download log files whenever an instance terminates because of a scale-in event from an
auto-scaling policy.
Reference:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html
Question 58: Correct
A research group at an ivy-league university needs a fleet of EC2 instances operating in a fault-tolerant architecture
for a specialized task that must deliver high random I/O performance. Each instance in the fleet would have access to
a dataset that is replicated across the instances. Because of the resilient architecture, the specialized task would
continue to be processed even if any of the instances goes down as the underlying application architecture would
ensure the replacement instance has access to the required dataset.
Which of the following options is the MOST cost-optimal and resource-efficient solution to build this fleet of EC2
instances?

Use Instance Store based EC2 instances

(Correct)

Use EC2 instances with EFS mount points

Use EBS based EC2 instances

Use EC2 instances with access to S3 based storage


Explanation
Correct option:
Use Instance Store based EC2 instances
An instance store provides temporary block-level storage for your instance. This storage is located on disks that are
physically attached to the host computer. Instance store is ideal for the temporary storage of information that changes
frequently such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet
of instances, such as a load-balanced pool of web servers. Instance store volumes are included as part of the instance's
usage cost.
As Instance Store based volumes provide high random I/O performance at low cost (as the storage is part of the
instance's usage cost) and the fault-tolerant architecture can adjust for the loss of any instance, therefore you should
use Instance Store based EC2 instances for this use-case.
EC2 Instance Store Overview:
via - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html
Incorrect options:
Use EBS based EC2 instances - EBS based volumes would need to use Provisioned IOPS (io1) as the storage type and that
would incur additional costs. As we are looking for the most cost-optimal solution, this option is ruled out.
Use EC2 instances with EFS mount points - Using EFS implies that extra resources would have to be provisioned. As we
are looking for the most resource-efficient solution, this option is also ruled out.
Use EC2 instances with access to S3 based storage - Using EC2 instances with access to S3 based storage does not
deliver high random I/O performance, this option is just added as a distractor.
Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html
Question 59: Correct
A geological research agency maintains the seismological data for the last 100 years. The data has a velocity of 1GB
per minute. You would like to store the data with only the most relevant attributes to build a predictive model for
earthquakes.
What AWS services would you use to build the most cost-effective solution with the LEAST amount of infrastructure
maintenance?

Ingest the data in Kinesis Data Analytics and use SQL queries to filter and transform the data before writing to S3

Ingest the data in Kinesis Data Firehose and use a Lambda function to filter and transform the incoming stream before
the output is dumped on S3

(Correct)

Ingest the data in a Spark Streaming Cluster on EMR and use Spark Streaming transformations before writing to S3

Ingest the data in AWS Glue job and use Spark transformations before writing to S3
Explanation
Correct option:
Ingest the data in Kinesis Data Firehose and use a Lambda function to filter and transform the incoming stream before
the output is dumped on S3
Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can
capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and
Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you’re already using
today. It is a fully managed service that automatically scales to match the throughput of your data and requires no
ongoing administration. It can also batch, compress, and encrypt the data before loading it, minimizing the amount of
storage used at the destination and increasing security.
Kinesis Data Firehose Overview:
via - https://aws.amazon.com/kinesis/data-firehose/
The correct choice is to ingest the data in Kinesis Data Firehose and use a Lambda function to filter and transform the
incoming data before the output is dumped on S3. This way you only store a sliced version of the data with only the
relevant data attributes required for your model. Also it should be noted that this solution is entirely serverless and
requires no infrastructure maintenance.
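The transformation function itself, as an added example (not code from the practice test or from AWS): it follows the contract Firehose imposes on a transformation Lambda, a batch of base64 records in, the same recordIds back in the same order, each marked Ok, Dropped or ProcessingFailed, and keeps only the attributes the model needs. The seismic record schema, the field names and the sample batch are assumptions made for illustration.

```python
import base64
import json

KEEP = ("station_id", "ts", "magnitude", "depth_km", "lat", "lon")   # assumption: model features
REQUIRED = ("station_id", "ts", "magnitude")                          # assumption: unusable without these


def transform(raw: bytes):
    """Return (result, data) following Firehose's contract: Ok / Dropped / ProcessingFailed."""
    try:
        rec = json.loads(raw)
    except ValueError:
        return "ProcessingFailed", raw          # Firehose writes these to the bucket's error prefix
    if not isinstance(rec, dict) or any(k not in rec for k in REQUIRED):
        return "Dropped", raw                   # discarded silently, so count these in a metric
    slim = {k: rec[k] for k in KEEP if k in rec}
    # Newline-delimited JSON so the S3 objects Firehose builds can be queried line by line.
    return "Ok", (json.dumps(slim, separators=(",", ":")) + "\n").encode()


def lambda_handler(event, context=None):
    """Firehose invokes this with a batch; the reply must echo every recordId in the same order."""
    out = []
    for r in event["records"]:
        result, data = transform(base64.b64decode(r["data"]))
        out.append({"recordId": r["recordId"], "result": result,
                    "data": base64.b64encode(data).decode("ascii")})
    return {"records": out}


def decode_record(record: dict):
    """Inspection helper: decode an output record's payload back to a JSON object (or raw text)."""
    raw = base64.b64decode(record["data"])
    try:
        return json.loads(raw)
    except ValueError:
        return raw.decode("utf-8", "replace")


def _encode(obj) -> str:
    payload = obj if isinstance(obj, bytes) else json.dumps(obj).encode()
    return base64.b64encode(payload).decode("ascii")


# Constructed sample batch: one good record, one missing its magnitude, one that is not JSON.
SAMPLE_EVENT = {
    "records": [
        {"recordId": "1", "data": _encode({"station_id": "ANMO", "ts": "2020-03-01T00:00:01Z",
                                            "magnitude": 4.2, "depth_km": 10.5, "lat": 34.9, "lon": -106.5,
                                            "waveform": [0.01] * 50, "firmware": "v7.1"})},
        {"recordId": "2", "data": _encode({"station_id": "ANMO", "ts": "2020-03-01T00:00:02Z",
                                            "waveform": [0.0] * 50})},
        {"recordId": "3", "data": _encode(b"{station_id: ANMO")},
    ]
}
```

Dropping the bulky waveform and telemetry fields is what keeps the S3 footprint small; the ProcessingFailed path is what keeps corrupt input from being lost, since Firehose lands those records under the error output prefix instead of the data prefix.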
Incorrect options:
Ingest the data in Kinesis Data Analytics and use SQL queries to filter and transform the data before writing to S3 -
Amazon Kinesis Data Analytics is the easiest way to analyze streaming data in real-time. Kinesis Data Analytics enables
you to easily and quickly build queries and sophisticated streaming applications in three simple steps: setup your
streaming data sources, write your queries or streaming applications, and set up your destination for processed data.
Kinesis Data Analytics cannot directly ingest data from the source as it ingests data either from Kinesis Data Streams or
Kinesis Data Firehose, so this option is ruled out.
Ingest the data in AWS Glue job and use Spark transformations before writing to S3 - AWS Glue is a fully managed
extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.
AWS Glue job is meant to be used for batch ETL data processing and it's not the right fit for a near real-time data
processing use-case.
Ingest the data in a Spark Streaming Cluster on EMR and use Spark Streaming transformations before writing to S3 -
Amazon EMR is the industry-leading cloud big data platform for processing vast amounts of data using open source tools
such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto. Amazon EMR uses Hadoop,
an open-source framework, to distribute your data and processing across a resizable cluster of Amazon EC2 instances.
Using an EMR cluster would imply managing the underlying infrastructure so it’s ruled out because the correct solution
for the given use-case should require the least amount of infrastructure maintenance.
Reference:
https://aws.amazon.com/kinesis/data-firehose/
Question 60: Correct
A US-based non-profit organization develops learning methods for primary and secondary vocational education,
delivered through digital learning platforms, which are hosted on AWS under a hybrid cloud setup. After experiencing
stability issues with their cluster of self-managed RabbitMQ message brokers, the organization wants to explore an
alternate solution on AWS.
As a solutions architect, which of the following AWS services would you recommend that can provide support for
quick and easy migration from RabbitMQ?

Amazon Simple Notification Service (Amazon SNS)

Amazon MQ

(Correct)

Amazon SQS Standard

Amazon SQS FIFO (First-In-First-Out)


Explanation
Correct option:
Amazon MQ
Amazon MQ is a managed message broker service that makes it easy to set up and operate message brokers in the cloud.
It offers the Apache ActiveMQ engine and, since late 2020, a RabbitMQ engine as well, so an existing RabbitMQ
deployment can move over with its client code and AMQP connection settings largely unchanged. Message brokers allow
different software systems, often using different programming languages and running on different platforms, to
communicate and exchange information. If an organization is using messaging with existing applications and wants to
move the messaging service to the cloud quickly and easily, AWS recommends Amazon MQ for such a use case. So this is
the correct option.
Incorrect options:
Amazon Simple Notification Service (Amazon SNS) - Amazon Simple Notification Service (SNS) is a highly available,
durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed
systems, and serverless applications. Amazon SNS provides topics for high-throughput, push-based, many-to-many
messaging. SNS does not provide support for migration from RabbitMQ as it is a fully managed pub/sub messaging
service with its own API rather than a broker speaking AMQP or MQTT. Hence this option is incorrect.
Amazon SQS Standard - Amazon SQS Standard offers a reliable, highly scalable hosted queue for storing messages as
they travel between computers. Amazon SQS lets you easily move data between distributed application components
and helps you build applications in which messages are processed independently (with message-level ack/fail
semantics), such as automated workflows. SQS Standard does not provide support for migration from RabbitMQ. Hence
this option is incorrect.
Amazon SQS FIFO (First-In-First-Out) - Amazon SQS FIFO (First-In-First-Out) has all the capabilities of the standard
queue. They are used when the order of operations and events is critical, or where duplicates can't be tolerated. SQS
FIFO does not provide support for migration from RabbitMQ. Hence this option is incorrect.
References:
https://aws.amazon.com/amazon-mq/
https://aws.amazon.com/blogs/compute/migrating-from-rabbitmq-to-amazon-mq/
Question 61: Correct
The data engineering team at an e-commerce company has set up a workflow to ingest the clickstream data into the
raw zone of the S3 data lake. The team wants to run some SQL based data sanity checks on the raw zone of the data
lake.
What AWS services would you recommend for this use-case such that the solution is cost-effective and easy to
maintain?

Load the incremental raw zone data into RDS on an hourly basis and run the SQL based sanity checks

Load the incremental raw zone data into an EMR based Spark Cluster on an hourly basis and use SparkSQL to run the
SQL based sanity checks

Load the incremental raw zone data into Redshift on an hourly basis and run the SQL based sanity checks

Use Athena to run SQL based analytics against S3 data

(Correct)
Explanation
Correct option:
Use Athena to run SQL based analytics against S3 data
Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon S3 using standard
SQL. Athena is serverless, so there is no infrastructure to set up or manage, and customers pay only for the queries they
run. You can use Athena to process logs, perform ad-hoc analysis, and run interactive queries.
AWS Athena Benefits:
via - https://aws.amazon.com/athena/
Incorrect options:
Load the incremental raw zone data into Redshift on an hourly basis and run the SQL based sanity checks - Amazon
Redshift is a fully-managed petabyte-scale cloud-based data warehouse product designed for large scale data set
storage and analysis. As the development team would have to maintain and monitor the Redshift cluster size and would
require significant development time to set up the processes to consume the data periodically, so this option is ruled
out.
Load the incremental raw zone data into an EMR based Spark Cluster on an hourly basis and use SparkSQL to run the
SQL based sanity checks - Amazon EMR is the industry-leading cloud big data platform for processing vast amounts of
data using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto.
Amazon EMR uses Hadoop, an open-source framework, to distribute your data and processing across a resizable cluster
of Amazon EC2 instances. Using an EMR cluster would imply managing the underlying infrastructure so it’s ruled out
because the correct solution for the given use-case should require the least amount of development effort and ongoing
maintenance.
Load the incremental raw zone data into RDS on an hourly basis and run the SQL based sanity checks - Loading the
incremental data into RDS implies data migration jobs will have to be written via a Lambda function or an EC2 based
process. This goes against the requirement that the solution should involve the least amount of development effort and
ongoing maintenance. Hence this option is not correct.
Reference:
https://aws.amazon.com/athena/
Question 62: Correct
A silicon valley based startup wants to be the global collaboration platform for API development. The product team at
the startup has figured out a market need to support both stateful and stateless client-server communications via the
APIs developed using its platform. You have been hired by the startup as an AWS solutions architect to build a Proof-
of-Concept to fulfill this market need using AWS API Gateway.
Which of the following would you recommend to the startup?

API Gateway creates RESTful APIs that enable stateful client-server communication and API Gateway also creates
WebSocket APIs that adhere to the WebSocket protocol, which enables stateless, full-duplex communication between
client and server

API Gateway creates RESTful APIs that enable stateless client-server communication and API Gateway also creates
WebSocket APIs that adhere to the WebSocket protocol, which enables stateless, full-duplex communication between
client and server

API Gateway creates RESTful APIs that enable stateful client-server communication and API Gateway also creates
WebSocket APIs that adhere to the WebSocket protocol, which enables stateful, full-duplex communication between
client and server

API Gateway creates RESTful APIs that enable stateless client-server communication and API Gateway also creates
WebSocket APIs that adhere to the WebSocket protocol, which enables stateful, full-duplex communication between
client and server

(Correct)

Explanation
Correct option:
API Gateway creates RESTful APIs that enable stateless client-server communication and API Gateway also creates
WebSocket APIs that adhere to the WebSocket protocol, which enables stateful, full-duplex communication between
client and server
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor,
and secure APIs at any scale. APIs act as the front door for applications to access data, business logic, or functionality
from your backend services. Using API Gateway, you can create RESTful APIs and WebSocket APIs that enable real-time
two-way communication applications.
How API Gateway Works: via - https://aws.amazon.com/api-gateway/
API Gateway creates RESTful APIs that:
Are HTTP-based.
Enable stateless client-server communication.
Implement standard HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
API Gateway creates WebSocket APIs that:
Adhere to the WebSocket protocol, which enables stateful, full-duplex communication between client and server.
Route incoming messages based on message content.
So API Gateway supports stateless RESTful APIs as well as stateful WebSocket APIs. Therefore this option is correct.
Incorrect options:
API Gateway creates RESTful APIs that enable stateful client-server communication and API Gateway also creates
WebSocket APIs that adhere to the WebSocket protocol, which enables stateful, full-duplex communication between
client and server
API Gateway creates RESTful APIs that enable stateless client-server communication and API Gateway also creates
WebSocket APIs that adhere to the WebSocket protocol, which enables stateless, full-duplex communication between
client and server
API Gateway creates RESTful APIs that enable stateful client-server communication and API Gateway also creates
WebSocket APIs that adhere to the WebSocket protocol, which enables stateless, full-duplex communication between
client and server
These three options contradict the earlier details provided in the explanation. To summarize, API Gateway supports
stateless RESTful APIs and stateful WebSocket APIs. Hence these options are incorrect.
Reference:
https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html
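To make the stateless/stateful distinction in the explanation concrete, here is an added Python model (not code from the practice test, and not API Gateway's own implementation). The REST handler answers each request from the request alone; the WebSocket backend has to keep a table of open connections and their subscriptions, and it picks a route from message content the way API Gateway's default route selection expression `$request.body.action` does. The handler names, the `token` query parameter, the topic names and the events are all constructed for the example.

```python
from __future__ import annotations
import json

# API Gateway's default WebSocket route selection expression is
# $request.body.action; this key mirrors it.
ROUTE_SELECTION_KEY = "action"


def handle_rest(request: dict) -> dict:
    """Stateless REST handler: every input it needs is in this one request and
    nothing is remembered between calls, so any replica can serve the next one."""
    method = request.get("httpMethod")
    params = request.get("queryStringParameters") or {}
    if method == "GET":
        return {"statusCode": 200, "body": json.dumps({"item": params.get("id")})}
    if method == "POST":
        try:
            body = json.loads(request.get("body") or "")
        except json.JSONDecodeError:
            return {"statusCode": 400, "body": "malformed JSON"}
        return {"statusCode": 201, "body": json.dumps({"created": body.get("name")})}
    return {"statusCode": 405, "body": "method not allowed"}


def select_route(body: str) -> str:
    """Pick a WebSocket route from message content; unparseable or unknown
    messages fall through to $default, as they do in API Gateway."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return "$default"
    action = msg.get(ROUTE_SELECTION_KEY) if isinstance(msg, dict) else None
    return action if isinstance(action, str) else "$default"


class WebSocketBackend:
    """Stateful WebSocket backend: it must remember which connections are open
    and what each subscribed to, because later frames carry no identity beyond
    the connectionId. Authorization happens once, on $connect (the only route an
    authorizer can run on), so that table is security-relevant state."""

    def __init__(self, valid_tokens: set[str]):
        self.valid_tokens = valid_tokens          # constructed stand-in for an authorizer
        self.subscriptions: dict[str, set[str]] = {}  # connectionId -> topics

    def handle(self, event: dict) -> int:
        ctx = event["requestContext"]
        conn, route = ctx["connectionId"], ctx["routeKey"]
        if route == "$connect":
            token = (event.get("queryStringParameters") or {}).get("token")
            if token not in self.valid_tokens:
                return 401  # rejected before any state exists for it
            self.subscriptions[conn] = set()
            return 200
        if conn not in self.subscriptions:
            return 403  # frame on a connection that never passed $connect
        if route == "$disconnect":
            del self.subscriptions[conn]
            return 200
        try:
            body = json.loads(event.get("body") or "")
        except json.JSONDecodeError:
            return 400
        topic = body.get("topic") if isinstance(body, dict) else None
        if not isinstance(topic, str):
            return 400
        if route == "subscribe":
            self.subscriptions[conn].add(topic)
            return 200
        if route == "unsubscribe":
            self.subscriptions[conn].discard(topic)
            return 200
        return 404  # $default: action not mapped to a route


def demo() -> dict:
    """Constructed events (not captured API Gateway traffic)."""
    ws = WebSocketBackend(valid_tokens={"good-token"})

    def ws_event(conn, route, body=None, token=None):
        return {"requestContext": {"connectionId": conn, "routeKey": route},
                "queryStringParameters": {"token": token} if token else None,
                "body": body}

    msg = '{"action": "subscribe", "topic": "alerts"}'
    return {
        "rest_status": handle_rest({"httpMethod": "GET",
                                    "queryStringParameters": {"id": "42"}})["statusCode"],
        "route_subscribe": select_route(msg),
        "route_garbage": select_route("not json"),
        "connect_bad": ws.handle(ws_event("c1", "$connect", token="bad")),
        "connect_ok": ws.handle(ws_event("c1", "$connect", token="good-token")),
        "subscribe": ws.handle(ws_event("c1", select_route(msg), body=msg)),
        "topics": sorted(ws.subscriptions["c1"]),
        "stray": ws.handle(ws_event("c9", "subscribe", body=msg)),
    }
```

The point to take from `WebSocketBackend.handle` is that a frame arriving on a connectionId the backend never admitted is refused outright: with WebSocket APIs the connect-time check is the only place credentials are seen, so the connection table is what later messages are trusted against.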
Question 63: Correct
A media company wants to get out of the business of owning and maintaining its own IT infrastructure. As part of this
digital transformation, the media company wants to archive about 5PB of data in its on-premises data center to
durable long term storage.
As a solutions architect, what is your recommendation to migrate this data in the MOST cost-optimal way?

Set up AWS Direct Connect between the on-premises data center and AWS Cloud. Use this connection to transfer the
data into AWS Glacier

Set up a Site-to-Site VPN connection between the on-premises data center and AWS Cloud. Use this connection to transfer
the data into AWS Glacier

Transfer the on-premises data into multiple Snowball Edge Storage Optimized devices. Copy the Snowball Edge data into
Amazon S3 and create a lifecycle policy to transition the data into AWS Glacier

(Correct)

Transfer the on-premises data into multiple Snowball Edge Storage Optimized devices. Copy the Snowball Edge data into
AWS Glacier
Explanation
Correct option:
Transfer the on-premises data into multiple Snowball Edge Storage Optimized devices. Copy the Snowball Edge data
into Amazon S3 and create a lifecycle policy to transition the data into AWS Glacier
Snowball Edge Storage Optimized is the optimal choice if you need to securely and quickly transfer dozens of terabytes
to petabytes of data to AWS. It provides up to 80 TB of usable HDD storage, 40 vCPUs, 1 TB of SATA SSD storage, and up
to 40 Gb network connectivity to address large scale data transfer and pre-processing use cases. The data stored on the
Snowball Edge device can be copied into the S3 bucket and later transitioned into AWS Glacier via a lifecycle policy. You
can't directly copy data from Snowball Edge devices into AWS Glacier.
Incorrect options:
Transfer the on-premises data into multiple Snowball Edge Storage Optimized devices. Copy the Snowball Edge data
into AWS Glacier - As mentioned earlier, you can't directly copy data from Snowball Edge devices into AWS Glacier.
Hence, this option is incorrect.
Set up AWS Direct Connect between the on-premises data center and AWS Cloud. Use this connection to transfer the
data into AWS Glacier - AWS Direct Connect lets you establish a dedicated network connection between your network
and one of the AWS Direct Connect locations. Using industry-standard 802.1q VLANs, this dedicated connection can be
partitioned into multiple virtual interfaces. Direct Connect involves significant monetary investment and takes more
than a month to set up, therefore it's not the correct fit for this use-case where just a one-time data transfer has to be
done.
Set up a Site-to-Site VPN connection between the on-premises data center and AWS Cloud. Use this connection to
transfer the data into AWS Glacier - AWS Site-to-Site VPN enables you to securely connect your on-premises network or
branch office site to your Amazon Virtual Private Cloud (Amazon VPC). VPN connections are a good solution if you have
an immediate need and have low to modest bandwidth requirements. Because of the high data volume for the given
use-case, Site-to-Site VPN is not the correct choice.
Reference:
https://aws.amazon.com/snowball/
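The explanation's last step, a lifecycle policy that moves the imported data from the S3 bucket into Glacier, looks like this in practice. The following is an added Python example (not from the practice test or from AWS's own code): it builds the LifecycleConfiguration document that `put_bucket_lifecycle_configuration` accepts, pre-checks a rule for mistakes S3 would reject, and evaluates which storage class an object of a given key and age ends up in, so you can confirm the archive really left Standard pricing before the Snowball job is closed out. The `archive/` prefix, the inventory rows and their sizes are constructed sample data.

```python
from __future__ import annotations

# Storage class names as used in S3 lifecycle transitions.
STANDARD = "STANDARD"
GLACIER = "GLACIER"


def archive_lifecycle_configuration(prefix: str, days_to_glacier: int) -> dict:
    """Build the LifecycleConfiguration document that
    s3.put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...)
    accepts: one enabled rule that moves objects under `prefix` to Glacier
    once they are `days_to_glacier` days old (0 is valid for Glacier)."""
    if days_to_glacier < 0:
        raise ValueError("transition days must be non-negative")
    return {
        "Rules": [
            {
                "ID": f"archive-{prefix.strip('/') or 'all'}-to-glacier",
                "Filter": {"Prefix": prefix},
                "Status": "Enabled",
                "Transitions": [{"Days": days_to_glacier, "StorageClass": GLACIER}],
                # Previous versions of overwritten objects (on a versioned bucket)
                # follow the same schedule instead of lingering at Standard prices.
                "NoncurrentVersionTransitions": [
                    {"NoncurrentDays": days_to_glacier, "StorageClass": GLACIER}
                ],
            }
        ]
    }


def validate_rule(rule: dict) -> None:
    """Reject rules S3 would refuse anyway: an unknown Status, or transitions
    whose Days are not strictly increasing."""
    if rule.get("Status") not in ("Enabled", "Disabled"):
        raise ValueError("Status must be Enabled or Disabled")
    days = [t["Days"] for t in rule.get("Transitions", [])]
    if any(later <= earlier for earlier, later in zip(days, days[1:])):
        raise ValueError("transition Days must be strictly increasing")


def effective_storage_class(config: dict, key: str, age_days: int,
                            initial: str = STANDARD) -> str:
    """Storage class an object with this key and age is in after lifecycle runs.

    Data copied in from Snowball Edge starts in `initial` (Standard unless the
    copy said otherwise); every enabled rule whose prefix matches the key then
    applies its latest elapsed transition."""
    current, best_days = initial, -1
    for rule in config["Rules"]:
        validate_rule(rule)
        if rule["Status"] != "Enabled":
            continue
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if not key.startswith(prefix):
            continue
        for t in rule.get("Transitions", []):
            if t["Days"] <= age_days and t["Days"] > best_days:
                best_days, current = t["Days"], t["StorageClass"]
    return current


def bytes_by_class(config: dict, inventory: list[tuple[str, int, int]]) -> dict[str, int]:
    """Sum object sizes per storage class over (key, size_bytes, age_days) rows,
    to see how much of the archive has actually left Standard."""
    totals: dict[str, int] = {}
    for key, size, age in inventory:
        cls = effective_storage_class(config, key, age)
        totals[cls] = totals.get(cls, 0) + size
    return totals


# Constructed sample inventory (not real data): three archive objects copied
# in from Snowball Edge and one hot file outside the archived prefix.
SAMPLE_INVENTORY = [
    ("archive/2018/q1.tar", 5 * 10**9, 3),
    ("archive/2018/q2.tar", 5 * 10**9, 0),
    ("archive/2019/q1.tar", 7 * 10**9, 1),
    ("hot/dashboard.db", 10**9, 400),
]

if __name__ == "__main__":
    cfg = archive_lifecycle_configuration("archive/", 0)
    print(bytes_by_class(cfg, SAMPLE_INVENTORY))
```

Note that a prefix filter scopes the rule: the hot file outside `archive/` stays in Standard no matter how old it gets, which is the behaviour you want when the same bucket also serves live data.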
Question 64: Incorrect
The audit department at one of the leading consultancy firms generates and accesses the audit reports only during
the last month of a financial year. The department uses AWS Step Functions to orchestrate the report creation
process with failover and retry scenarios built into the solution, and the data should be available with millisecond
latency. The underlying data to create these audit reports is stored on S3 and runs into hundreds of terabytes.
As a solutions architect, which is the MOST cost-effective storage class that you would recommend to be used for this
use-case?

Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering)

(Incorrect)

Amazon S3 Standard-Infrequent Access (S3 Standard-IA)

(Correct)

Amazon S3 Glacier (S3 Glacier)

Amazon S3 Standard
Explanation
Correct option:
Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
Since the data is accessed only for a month in a year but needs rapid access when required, the most cost-effective
storage class for this use-case is S3 Standard-IA. S3 Standard-IA storage class is for data that is accessed less frequently
but requires rapid access when needed. S3 Standard-IA matches the high durability, high throughput, and low latency of
S3 Standard, with a low per GB storage price and per GB retrieval fee. Standard-IA is designed for 99.9% availability
compared to 99.99% availability of S3 Standard. However, the report creation process has failover and retry scenarios
built into the workflow, so in case the data is not available owing to the 99.9% availability of S3 Standard-IA, the job will
be automatically re-invoked until the data is successfully retrieved. Therefore this is the correct option.
S3 Storage Classes Overview: via - https://aws.amazon.com/s3/storage-classes/
Incorrect options:
Amazon S3 Standard - S3 Standard offers high durability, availability, and performance object storage for frequently
accessed data. As described above, S3 Standard-IA storage is a better fit than S3 Standard, hence using S3 standard is
ruled out for the given use-case.
Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering) - The S3 Intelligent-Tiering storage class is designed to optimize
costs by automatically moving data to the most cost-effective access tier, without performance impact or operational
overhead. S3 Standard-IA matches the high durability, high throughput, and low latency of S3 Intelligent-Tiering, with a
low per GB storage price and per GB retrieval fee. Moreover, Standard-IA has the same availability as that of S3
Intelligent-Tiering. So, it's cost-efficient to use S3 Standard-IA instead of S3 Intelligent-Tiering.
Amazon S3 Glacier (S3 Glacier) - S3 Glacier on the other hand, is a secure, durable, and low-cost storage class for data
archiving. S3 Glacier cannot support millisecond latency, so this option is ruled out.
For more details on durability, availability, cost and access latency, please review this reference link: https://aws.amazon.com/s3/storage-classes
Question 65: Correct
A healthcare startup needs to enforce compliance and regulatory guidelines for objects stored in Amazon S3. One of
the key requirements is to provide adequate protection against accidental deletion of objects.
As a solutions architect, what are your recommendations to address these guidelines? (Select two)

Change the configuration on AWS S3 console so that the user needs to provide additional confirmation while deleting
any S3 object

Create an event trigger on deleting any S3 object. The event invokes an SNS notification via email to the IT manager

Establish a process to get managerial approval for deleting S3 objects

Enable versioning on the bucket

(Correct)

Enable MFA delete on the bucket

(Correct)

Explanation
Correct options:
Enable versioning on the bucket - Versioning is a means of keeping multiple variants of an object in the same bucket.
You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket.
Versioning-enabled buckets enable you to recover objects from accidental deletion or overwrite.
For example:
If you overwrite an object, it results in a new object version in the bucket. You can always restore the previous version. If
you delete an object, instead of removing it permanently, Amazon S3 inserts a delete marker, which becomes the
current object version. You can always restore the previous version. Hence, this is the correct option.
Versioning Overview: via - https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Enable MFA delete on the bucket - To provide additional protection, multi-factor authentication (MFA) delete can be
enabled. MFA delete requires secondary authentication to take place before objects can be permanently deleted from
an Amazon S3 bucket. Hence, this is the correct option.
Incorrect options:
Create an event trigger on deleting any S3 object. The event invokes an SNS notification via email to the IT manager -
Sending an event trigger after object deletion does not meet the objective of preventing object deletion by mistake
because the object has already been deleted. So, this option is incorrect.
Establish a process to get managerial approval for deleting S3 objects - This option for getting managerial approval is
just a distractor.
Change the configuration on AWS S3 console so that the user needs to provide additional confirmation while deleting
any S3 object - There is no provision to set up S3 configuration to ask for additional confirmation before deleting an
object. This option is incorrect.
References:
https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
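The two correct options combine as follows. This is an added Python example (not from the practice test and not the S3 service itself): `versioning_configuration` produces the VersioningConfiguration document that `put_bucket_versioning` takes, and `VersionedBucket` is a small simulation of the versioning semantics the explanation describes, so you can see why an overwrite or a plain delete loses nothing, how a delete marker is undone, and where MFA delete gates a permanent deletion. The object key, the account id in the MFA serial and the MFA shape check are constructed placeholders; the real code is verified by S3, not by this script.

```python
from __future__ import annotations
import itertools
from dataclasses import dataclass
from typing import Optional


def versioning_configuration(mfa_delete: bool) -> dict:
    """VersioningConfiguration for s3.put_bucket_versioning(Bucket=...,
    VersioningConfiguration=..., MFA="<serial> <code>"). Turning MFADelete on
    also needs that MFA value and must be done by the bucket owner's root
    credentials."""
    cfg = {"Status": "Enabled"}
    if mfa_delete:
        cfg["MFADelete"] = "Enabled"
    return cfg


@dataclass
class Version:
    version_id: str
    data: Optional[bytes]  # None marks a delete marker


class NoSuchKey(Exception):
    pass


class MfaRequired(Exception):
    pass


def _looks_like_mfa(value: Optional[str]) -> bool:
    """Shape check only ("<device serial> <6 digits>"); S3 verifies the code."""
    parts = (value or "").split()
    return len(parts) == 2 and parts[1].isdigit() and len(parts[1]) == 6


class VersionedBucket:
    """Simulation of a versioning-enabled bucket with optional MFA delete."""

    def __init__(self, mfa_delete: bool = False):
        self.mfa_delete = mfa_delete
        self.versions: dict[str, list[Version]] = {}  # key -> oldest..newest
        self._ids = itertools.count(1)

    def put(self, key: str, data: bytes) -> str:
        """An overwrite discards nothing; it appends a new current version."""
        vid = f"v{next(self._ids)}"
        self.versions.setdefault(key, []).append(Version(vid, data))
        return vid

    def get(self, key: str, version_id: Optional[str] = None) -> bytes:
        hist = self.versions.get(key, [])
        if version_id is None:
            v = hist[-1] if hist else None
        else:
            v = next((x for x in hist if x.version_id == version_id), None)
        if v is None or v.data is None:  # a current delete marker reads as 404
            raise NoSuchKey(key)
        return v.data

    def delete(self, key: str, version_id: Optional[str] = None,
               mfa: Optional[str] = None) -> str:
        """DELETE without a versionId only inserts a delete marker (recoverable).
        DELETE of a specific versionId is permanent and, with MFA delete on, is
        refused unless an MFA value accompanies it."""
        hist = self.versions.setdefault(key, [])
        if version_id is None:
            vid = f"v{next(self._ids)}"
            hist.append(Version(vid, None))
            return vid
        if self.mfa_delete and not _looks_like_mfa(mfa):
            raise MfaRequired(f"{key}@{version_id}")
        self.versions[key] = [x for x in hist if x.version_id != version_id]
        return version_id

    def restore_latest(self, key: str, mfa: Optional[str] = None) -> None:
        """Undo an accidental delete by removing the delete marker. That is a
        versioned delete, so MFA delete applies to it as well."""
        hist = self.versions.get(key, [])
        if hist and hist[-1].data is None:
            self.delete(key, hist[-1].version_id, mfa=mfa)


def demo() -> dict:
    """Walk one object through overwrite, accidental delete, restore and the
    MFA gate. Key and MFA serial are constructed placeholders."""
    b = VersionedBucket(mfa_delete=True)
    key = "records/patient-0001.json"
    v1 = b.put(key, b'{"rev": 1}')
    b.put(key, b'{"rev": 2}')
    out = {"after_overwrite": b.get(key)}
    b.delete(key)  # accidental delete: delete marker becomes current
    try:
        b.get(key)
        out["readable_after_delete"] = True
    except NoSuchKey:
        out["readable_after_delete"] = False
    out["old_version_intact"] = b.get(key, version_id=v1)
    try:
        b.restore_latest(key)
        out["restore_without_mfa"] = "allowed"
    except MfaRequired:
        out["restore_without_mfa"] = "refused"
    b.restore_latest(key, mfa="arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456")
    out["after_restore"] = b.get(key)
    out["versions"] = [v.version_id for v in b.versions[key]]
    return out
```

One caveat the walk-through surfaces: with MFA delete enabled, removing the delete marker to restore an object is itself a versioned delete and needs the MFA value, so the restore procedure has to be in the hands of whoever holds the root account's MFA device.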