
AWS Certified Solutions Architect - Professional Questions and Answers (Dumps and Practice Questions)



Question : You have an application running on an EC2 instance which will allow users to download files from a private S3 bucket using a pre-signed URL. Before generating the URL,
the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?
1. Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
2. Create an IAM user for the application with permissions that allow list access to the S3 bucket. Launch the instance as the IAM user and retrieve the IAM user's
credentials from the EC2 instance user data.
3. (option text truncated in source) Instance metadata
4. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary
directory with permissions that allow read access only to the application user.

Correct Answer : (not shown in source)
Explanation: How Do Roles for Amazon EC2 Instances Work?
A developer is running an application on an Amazon EC2 instance that requires access to the Amazon S3 bucket named photos. An administrator creates the Get-pics role. The role
includes policies that grant read permissions for the bucket and that allow the developer to launch the role with an Amazon EC2 instance. When the application runs on the instance,
it can access the photos bucket by using the role's temporary credentials. The administrator doesn't have to grant the developer permission to access the photos bucket, and the
developer never has to share or manage credentials.

The administrator uses IAM to create the Get-pics role. In the role, the administrator uses a policy that specifies that only Amazon EC2 instances can assume the role and that
specifies read-only permissions for the photos bucket. A developer launches an Amazon EC2 instance and assigns the Get-pics role to that instance.

Note : If you use the IAM console, the instance profile is managed for you and is mostly transparent to you. However, if you use the CLI or API to create and manage the role and
instance, then you must create the instance profile and assign the role to it as separate steps. Then, when launching the instance, you must specify the instance profile name instead
of the role name.
When the application runs, it uses the AWS API to retrieve credentials from its Amazon EC2 instance. These are temporary security credentials that represent the role and are valid
for a limited period of time.

With some AWS SDKs, the developer can use a provider that manages the temporary security credentials transparently. (The documentation for individual AWS SDKs describes the features
supported by that SDK for managing credentials.) Alternatively, the application can get the temporary credentials directly from the instance metadata of the Amazon EC2 instance:
credentials and related values are available from the iam/security-credentials/role-name category (in this case, iam/security-credentials/Get-pics) of the metadata. If the
application gets the credentials from the instance metadata, it can cache the credentials. Using the retrieved credentials, the application accesses the photos bucket. Because of the
policy attached to the Get-pics role, the application has read-only permissions.

The temporary security credentials that are available in the instance are automatically rotated before they expire so that a valid set is always available. The application just needs
to make sure that it gets a new set of credentials from the instance metadata before the current ones expire. If the AWS SDK is managing credentials, the application doesn't need to
include additional logic to refresh the credentials. However, if the application gets temporary security credentials from the instance metadata and has cached them, it should get a
refreshed set of credentials every hour, or at least 15 minutes before the current set expires. The expiration time is included in the information that's returned in the
iam/security-credentials/role-name category.
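An added example (not from the original page or from AWS documentation) of the caching and refresh logic the explanation describes: it parses the credential document served under the iam/security-credentials/role-name metadata category and refreshes the cached set every hour, or at least 15 minutes before it expires. The fetch callable, the sample document and the placeholder key values are assumptions; a real application would obtain the document from the instance metadata endpoint (preferably with an IMDSv2 session token) or let the SDK's credential provider do this for it.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the iam/security-credentials/<role-name> document.
SAMPLE_IMDS_DOC = json.dumps({
    "Code": "Success",
    "AccessKeyId": "ASIA-PLACEHOLDER",
    "SecretAccessKey": "secret-placeholder",
    "Token": "session-token-placeholder",
    "Expiration": "2024-01-01T06:00:00Z",
})

REFRESH_MARGIN = timedelta(minutes=15)  # at least 15 min before expiry
MAX_CACHE_AGE = timedelta(hours=1)      # and at least once an hour anyway


class RoleCredentialCache:
    """Caches role credentials from instance metadata; refreshes hourly or 15 min before expiry."""

    def __init__(self, fetch_doc):
        # fetch_doc (assumed): callable returning the raw JSON string for
        # GET .../latest/meta-data/iam/security-credentials/<role-name>
        self._fetch_doc = fetch_doc
        self._creds = None
        self._fetched_at = None

    def _refresh(self, now):
        doc = json.loads(self._fetch_doc())
        if doc.get("Code") != "Success":  # no role attached, or a failed assume
            raise RuntimeError("no credentials from metadata: %s" % doc.get("Code"))
        expiry = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
        self._creds = {
            "access_key": doc["AccessKeyId"],
            "secret_key": doc["SecretAccessKey"],
            "session_token": doc["Token"],
            "expiration": expiry.replace(tzinfo=timezone.utc),
        }
        self._fetched_at = now

    def needs_refresh(self, now):
        if self._creds is None:
            return True
        return (now >= self._creds["expiration"] - REFRESH_MARGIN
                or now - self._fetched_at >= MAX_CACHE_AGE)

    def get(self, now=None):
        # Return a valid credential set, refreshing from metadata if needed.
        now = now or datetime.now(timezone.utc)
        if self.needs_refresh(now):
            self._refresh(now)
        return self._creds
```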









Question : You would like to create a mirror image of your production environment in another region for disaster recovery purposes. Which of the following AWS resources do not
need to be recreated in the second region? (Choose 2 answers)

A. Route 53 Record Sets
B. IAM Roles
C. Elastic IP Addresses (EIP)
D. EC2 Key Pairs
E. Launch configurations
F. Security Groups


1. A,C
2. B,C
3. (option text missing in source)
4. E,F
5. D,F


Correct Answer : (not shown in source)

Explanation: When dealing with a disaster, it's very likely that you will have to modify network settings as you are failing over to another site.
Amazon Route 53: is a highly available and scalable Domain Name System (DNS) web service. It is designed to give
developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications.

Elastic IP Addresses (this is account specific and not region specific): are static IP addresses designed for dynamic cloud computing. Unlike traditional static IP addresses,
however, Elastic IP addresses enable you to mask instance or Availability Zone failures by programmatically remapping
your public IP addresses to instances in your account in a particular region. For DR, you can also pre-allocate some IP
addresses for the most critical systems so that their IP addresses are already known before disaster strikes. This can
simplify the execution of the DR plan. Also, key pair resources cannot be shared between regions. For example, if you import a key pair into the US West (Oregon) region, you won't be
able to see or use the key pair in another region.






Question : Your application is using an ELB in front of an Auto Scaling group of web/application servers deployed across two AZs and a Multi-AZ RDS Instance for data persistence.
The database CPU is often above 80% usage and 90% of I/O operations on the database are reads. To improve performance you recently added a single-node Memcached ElastiCache Cluster
to cache frequent DB query results. In the next weeks the overall workload is expected to grow by 30%. Do you need to change anything in the architecture to maintain the high
availability of the application with the anticipated additional load? Why?


1. Yes. You should deploy two Memcached ElastiCache clusters in different AZs because the RDS instance will not be able to handle the load if the cache node fails.
2. No. If the cache node fails, the automated ElastiCache node recovery feature will prevent any availability impact.
3. (option text missing in source)
4. No. If the cache node fails, you can always get the same data from the DB without having any availability impact.



Correct Answer : (not shown in source) (Please verify once again between option 1 and 3; we have referred to this link: https://d0.awsstatic.com/whitepapers/performance-at-scale-with-amazon-elasticache.pdf)

Explanation: When you launch an ElastiCache cluster, you can choose the Availability Zone(s) that
the cluster lives in. For best performance, you should configure your cluster to use the
same Availability Zones as your application servers. To launch an ElastiCache cluster in
a specific Availability Zone, make sure to specify the Preferred Zone(s) option during
cache cluster creation. The Availability Zones that you specify will be where ElastiCache
will launch your cache nodes. We recommend that you select Spread Nodes Across
Zones, which tells ElastiCache to distribute cache nodes across these zones as evenly
as possible. This distribution will mitigate the impact of an Availability Zone disruption on
your ElastiCache nodes. The trade-off is that some of the requests from your application
to ElastiCache will go to a node in a different Availability Zone, meaning latency will be
slightly higher.

If one of the AZs is down, ElastiCache will still be available in the other AZ, which is needed to handle the 80% + 30% load.









Related Questions


Question : QuickTechie.com is setting up its website on AWS and working on various security measures to be performed on its AWS EC2 instances.
Which of the below-mentioned security mechanisms will not help QuickTechie to avoid future data leaks and identify security weaknesses?
1. Perform a Code Check for any memory leaks.
2. Run penetration testing on AWS with prior approval from Amazon.
3. (option text missing in source)
4. Perform SQL injection for application testing.




Question : QuickTechie.com is planning to host a WordPress blog as well as a Joomla CMS on a single instance launched in a VPC,
and also wants to have separate domains for each application and assign them using Route 53. It may have about ten instances, each with two applications
as mentioned above. While launching the instance, the QuickTechie administrator configured two separate network interfaces (primary + ENI)
and wanted to have two Elastic IPs for that instance.
It was suggested to use a public IP from AWS instead of an Elastic IP, as the number of Elastic IPs is restricted. What action would you recommend?
1. I agree with the suggestion but will prefer that the organization should use separate subnets with each ENI for different public IPs.
2. I agree with the suggestion and it is recommended to use a public IP from AWS since the organization is going to use DNS with Route 53.
3. (option text missing in source)
4. I do not agree as it is required to have only an elastic IP since an instance has more than one ENI and AWS does not assign a public IP to an instance with multiple ENIs.



Question : QuickTechie.com is making software for a company in the USA. The company agreed to host the application on AWS, but in a secure environment.
QuickTechie is thinking of hosting the application in the AWS GovCloud region. Which of the below-mentioned differences
is not correct when the organization is hosting on AWS GovCloud in comparison with an AWS standard region?
1. GovCloud region authentication is isolated from Amazon.com.
2. Physical and logical administrative access only to U.S. persons.
3. (option text missing in source)
4. It is physically isolated and has logical network isolation from all the other regions.



Question : Acmeshell.com has people in its IT operations team who are responsible for managing the AWS infrastructure, and wants to set things up so that each user
has access to launch and manage an instance in a zone which the other users cannot modify.
Which of the below-mentioned options is the best solution to set this up?
1. Create four AWS accounts and give each user access to a separate account.
2. Create four IAM users and four VPCs and allow each IAM user to have access to separate VPCs.
3. (option text missing in source)
4. Create an IAM user and allow them permission to launch instances of different sizes only.





Question : QuickTechie.com has created a multi-tenant Learning Management System (LMS). The application is hosted for five different tenants (clients) in the
VPCs of the tenants' respective AWS accounts. QuickTechie.com wants to set up a centralized server which can connect to the LMS of each tenant to upgrade it if
required. QuickTechie.com also wants to ensure that one tenant's VPC cannot connect to another tenant's VPC, for security reasons.
How can QuickTechie.com set up this scenario?
1. QuickTechie should setup all the VPCs meshed together with VPC peering for all VPCs.
2. QuickTechie should setup VPC peering with all the VPCs peering each other but block the IPs from CIDR of the tenant VPCs to deny them.
3. (option text missing in source)
4. QuickTechie should setup all the VPCs with the same CIDR but have a centralized VPC. This way only the centralized VPC can talk to the other VPCs using VPC peering.




Question : QuickTechie is planning to use NoSQL DB for its scalable data needs. The organization wants to host an application securely in AWS VPC.
What action can be recommended to the organization?
1. QuickTechie should only use a DynamoDB because by default it is always a part of the default subnet provided by AWS.
2. QuickTechie should setup their own NoSQL cluster on the AWS instance and configure route tables and subnets.
3. (option text missing in source)
4. QuickTechie should use a DynamoDB while creating a table within a private subnet.