
AWS Certified Solutions Architect - Professional Questions and Answers (Dumps and Practice Questions)



Question : QuickTechie.com is setting up their website on AWS and working on various security measures to be performed on the AWS EC2 instances.
Which of the below mentioned security mechanisms will not help QuickTechie to avoid future data leaks and identify security weaknesses?
1. Perform a Code Check for any memory leaks.
2. Run penetration testing on AWS with prior approval from Amazon.
4. Perform SQL injection for application testing.




Explanation: AWS security follows the shared security model, where the user is as responsible as Amazon. Since Amazon is a public cloud, it is bound to be targeted by hackers. If an
organization is planning to host their application on AWS EC2, they should perform the below mentioned security checks as a measure to find any security weakness/data leaks:
- Perform penetration testing, as performed by attackers, to find any vulnerability. The organization must obtain approval from AWS before performing penetration testing.
- Perform hardening testing to find if there are any unnecessary ports open.
- Perform SQL injection to find any DB security issues.
The code memory checks are generally useful when the organization wants to improve the application performance.
However, because penetration testing frequently is indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration
tests and vulnerability scans.







Question : QuickTechie.com is planning to host a WordPress blog as well as a Joomla CMS on a single instance launched with VPC,
and also wants to have separate domains for each application and assign them using Route 53. It may have about ten instances, each with two applications
as mentioned above. While launching the instance, the QuickTechie administrator configured two separate network interfaces (primary + ENI)
and wanted to have two elastic IPs for that instance.
It was suggested to use a public IP from AWS instead of an elastic IP, as the number of elastic IPs is restricted. What action will you recommend?
1. I agree with the suggestion but will prefer that the organization should use separate subnets with each ENI for different public IPs.
2. I agree with the suggestion and it is recommended to use a public IP from AWS since the organization is going to use DNS with Route 53.
4. I do not agree as it is required to have only an elastic IP since an instance has more than one ENI and AWS does not assign a public IP to an instance with multiple ENIs.


Explanation: An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. An ENI can include the following attributes:
- a primary private IP address
- one or more secondary private IP addresses
- one Elastic IP address per private IP address
- one public IP address, which can be auto-assigned to the network interface for eth0 when you launch an instance, but only when you create a network interface for eth0 instead of using an existing network interface
- one or more security groups
- a MAC address
- a source/destination check flag
- a description

You can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance. The attributes of a network interface follow the network
interface as it is attached or detached from an instance and reattached to another instance. When you move a network interface from one instance to another, network traffic is
redirected to the new instance.
Each instance in a VPC has a default network interface. The default network interface has a primary private IP address in the IP address range of its VPC. You can create and attach
additional network interfaces. The maximum number of network interfaces that you can use varies by instance type. For more information, see Private IP Addresses Per ENI Per Instance
Type.

Attaching multiple network interfaces to an instance is useful when you want to:

- Create a management network.
- Use network and security appliances in your VPC.
- Create dual-homed instances with workloads/roles on distinct subnets.
- Create a low-budget, high-availability solution.

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined.
An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC.
The user can attach up to two ENIs to a single instance. However, AWS cannot assign a public IP when there are two ENIs attached to a single instance. It is recommended to assign an
elastic IP in this scenario. If the organization wants more than 5 EIPs, they can request AWS to increase the number.





Question : QuickTechie.com is making software for a company in the USA. The company agreed to host the application on AWS, but in a secure environment.
QuickTechie is thinking of hosting the application on the AWS GovCloud region. Which of the below mentioned differences
is not correct when the organization is hosting on the AWS GovCloud in comparison with the AWS standard region?
1. GovCloud region authentication is isolated from Amazon.com.
2. Physical and logical administrative access only to U.S. persons.
4. It is physically isolated and has logical network isolation from all the other regions.


What is AWS GovCloud (US)?

AWS GovCloud (US) is an isolated AWS region designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific
regulatory and compliance requirements. The AWS GovCloud (US) region adheres to U.S. International Traffic in Arms Regulations (ITAR) requirements.

You can run workloads that contain all categories of Controlled Unclassified Information (CUI) data and government oriented publicly available data in the AWS GovCloud (US) region.
The AWS GovCloud (US) region supports the management of regulated data by offering the following features:

Restricting physical and logical administrative access to U.S. persons only

Providing FIPS 140-2 validated endpoints

Depending on your requirements, you can also run unclassified workloads in the AWS GovCloud (US) region and use the unique capabilities of this region.

Note

AWS manages physical and logical access controls for the AWS boundary. However, the overall security of your workloads is a shared responsibility, where you are responsible for
controlling user access to content in your AWS GovCloud (US) account.

The AWS GovCloud (US) User Guide provides details on setting up your AWS GovCloud (US) account, identifies the differences between the AWS GovCloud (US) region and other AWS regions,
and defines usage guidelines for processing ITAR-regulated data within the AWS GovCloud (US) region.

The AWS GovCloud (US) Region has added advantages, such as:
- Restricting physical and logical administrative access to U.S. persons only
- Separate AWS GovCloud (US) credentials, such as an access key and secret access key, distinct from those of the standard AWS account
- The user signs in with the IAM user name and password
- The AWS GovCloud (US) Region authentication is completely isolated from Amazon.com
If the organization is planning to host on EC2 in AWS GovCloud, it will be billed to the organization's standard AWS account, since AWS GovCloud billing is linked with the standard
AWS account and is not billed separately.




Related Questions


Question : You are responsible for a legacy web application whose server environment is approaching
end of life. You would like to migrate this application to AWS as quickly as possible, since
the application environment currently has the following limitations:
- The VM's single 10GB VMDK is almost full.
- The virtual network interface still uses the 10Mbps driver, which leaves your
100Mbps WAN connection completely underutilized.
- It is currently running on a highly customized Windows VM within a VMware
environment: you do not have the installation media.
This is a mission critical application with an RTO (Recovery Time Objective) of 8 hours and an
RPO (Recovery Point Objective) of 1 hour. How could you best migrate this application to
AWS while meeting your business continuity requirements?
1. Use the EC2 VM Import Connector for vCenter to import the VM into EC2.
2. Use Import/Export to import the VM as an EBS snapshot and attach to EC2.
4. Use the ec2-bundle-instance API to import an image of the VM into EC2.



Question : You are migrating a legacy client-server application to AWS. The application responds to a
specific DNS domain (e.g. www.example.com) and has a 2-tier architecture, with multiple
application servers and a database server. Remote clients use TCP to connect to the
application servers. The application servers need to know the IP address of the clients in
order to function properly and are currently taking that information from the TCP socket. A
Multi-AZ RDS MySQL instance will be used for the database.
During the migration you can change the application code, but you have to file a change
request.
How would you implement the architecture on AWS in order to maximize scalability and
high availability?
1. File a change request to implement Proxy Protocol support in the application. Use an
ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two application
servers in different AZs.
2. File a change request to implement Cross-Zone support in the application. Use an ELB
with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in
different AZs.
3. […] Use Route 53 with Latency Based Routing enabled to distribute load on two application
servers in different AZs.
4. File a change request to implement Alias Resource support in the application. Use Route
53 Alias Resource Record to distribute load on two application servers in different AZs.



Question : Your department creates regular analytics reports from your company's log files. All log data is collected in Amazon S3 and processed by daily Amazon Elastic MapReduce
(EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse. Your CFO requests that you optimize the cost structure for this
system. Which of the following alternatives will lower costs without compromising average performance of the system or data integrity for the raw data?
1. Use reduced redundancy storage (RRS) for PDF and CSV data in Amazon S3. Add Spot Instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
2. Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot Instances and Reserved Instances for Amazon EMR jobs. Use Reserved Instances for
Amazon Redshift.
4. Use reduced redundancy storage (RRS) for PDF and CSV data in S3. Add Spot Instances to EMR jobs. Use Spot Instances for Amazon Redshift.



Question : You are the new IT architect in a company that operates a mobile sleep tracking application.
When activated at night, the mobile app is sending collected data points of 1 kilobyte every 5 minutes to your backend.
The backend takes care of authenticating the user and writing the data points into an Amazon DynamoDB table.
Every morning, you scan the table to extract and aggregate last night's data on a per user basis, and store the results in Amazon S3.
Users are notified via Amazon SMS mobile push notifications that new data is available, which is parsed and visualized by the mobile app. Currently you have around 100k users
who are mostly based out of North America. You have been tasked to optimize the architecture of the backend system to lower cost.

What would you recommend? (Choose 2 answers)

A. Create a new Amazon DynamoDB Table each day and drop the one for the previous day after its data is on Amazon S3.
B. Have the mobile app access Amazon DynamoDB directly instead of JSON files stored on Amazon S3.
C. Introduce an Amazon SQS queue to buffer writes to the Amazon DynamoDB table and reduce provisioned write throughput.
D. Introduce Amazon ElastiCache to cache reads from the Amazon DynamoDB table and reduce provisioned read throughput.
E. Write data directly into an Amazon Redshift cluster replacing both Amazon DynamoDB and Amazon S3.


1. A,B
2. B,C
4. A,C



Question : A benefits enrollment company is hosting a -tier web application running in a VPC on
AWS which includes a NAT (Network Address Translation) instance in the public Web tier.
There is enough provisioned capacity for the expected workload for the new fiscal year
benefit enrollment period plus some extra overhead. Enrollment proceeds nicely for two
days and then the web tier becomes unresponsive. Upon investigation using CloudWatch
and other monitoring tools, it is discovered that there is an extremely large and
unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over
port 80 from a country where the benefits company has no customers. The web tier
instances are so overloaded that benefit enrollment administrators cannot even SSH into
them. Which activity would be useful in defending against this attack?
1. Create a custom route table associated with the web tier and block the attacking IP
addresses from the IGW (Internet Gateway).
2. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and
update the Main Route Table with the new EIP.
4. Create an inbound NACL (Network Access Control List) associated with the web tier
subnet with deny rules to block the attacking IP addresses.



Question : You have launched an EC2 instance with four () GB EBS Provisioned IOPS volumes attached. The EC2 instance is EBS-Optimized and supports Mbps throughput between
EC2 and EBS. The two EBS volumes are configured as a single RAID 0 device, and each Provisioned IOPS volume is provisioned with 4.000 IOPS (4.000 16KB reads or writes) for a total
of 16.000 random IOPS on the instance. The EC2 instance initially delivers the expected 16.000 IOPS random read and write performance. Sometime later, in order to increase the total
random I/O performance of the instance, you add an additional two 500 GB EBS Provisioned IOPS volumes to the RAID. Each volume is provisioned to 4.000 IOPS like the original four, for
a total of 24.000 IOPS on the EC2 instance. Monitoring shows that the EC2 instance CPU utilization increased from 50% to 70%, but the total random IOPS measured at the instance level
does not increase at all. What is the problem and a valid solution?
1. Larger storage volumes support higher Provisioned IOPS rates: increase the provisioned volume storage of each of the 6 EBS volumes to 1TB.
2. The EBS-Optimized throughput limits the total IOPS that can be utilized; use an EBS-Optimized instance that provides larger throughput.
4. RAID 0 only scales linearly to about 4 devices; use RAID 0 with 4 EBS Provisioned IOPS volumes, but increase each Provisioned IOPS EBS volume to 6.000 IOPS.
5. The standard EBS instance root volume limits the total IOPS rate; change the instance root volume to also be a 500GB 4.000 Provisioned IOPS volume.