
AWS Certified Solutions Architect - Professional Questions and Answers (Dumps and Practice Questions)



Question : You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet as well as from
an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link.
How would you design routing to meet the above requirements?
1. Configure a single routing table with a default route via the Internet gateway. Propagate a default route via BGP on the AWS Direct Connect customer router. Associate
the routing table with all VPC subnets.
2. Configure a single routing table with a default route via the internet gateway. Propagate specific routes for the on-premises networks via BGP on the AWS Direct
Connect customer router. Associate the routing table with all VPC subnets.
3. … this routing table across all subnets in your VPC.
4. Configure two routing tables, one that has a default route via the Internet gateway and another that has a default route via the VPN gateway. Associate both routing
tables with each VPC subnet.


Explanation:

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you
can associate multiple subnets with the same route table. (Hence, option 4 is not at all valid).

AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS
and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network
experience than Internet-based connections.

AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. (We don't see any use of a VPN with
Direct Connect.) Hence option 3 should be out.

VPC uses the most specific route in your route table that matches the traffic to determine how to route it (longest prefix match). For example, the following route table has a
route for Internet traffic (0.0.0.0/0) that points to an Internet gateway, and a route for 172.31.0.0/16 traffic that points to a peering connection (pcx-1a2b3c4d). Any traffic from
the subnet that's destined for the 172.31.0.0/16 IP address range uses the peering connection, because this route is more specific than the route to the Internet gateway. Any traffic
destined for an address within the VPC (10.0.0.0/16) is covered by the local route, and is therefore routed within the VPC. All other traffic from the subnet uses the Internet gateway.

Destination     Target
10.0.0.0/16     Local
172.31.0.0/16   pcx-1a2b1a2b
0.0.0.0/0       igw-11aa22bb
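The longest-prefix-match rule above is easy to check mechanically. The following is an added example (not code from the page or from AWS) that models the route table shown above plus the routes BGP propagation would install from a Direct Connect customer router; the on-premises prefix 192.168.0.0/16 and the target name vgw-example are assumptions made for the illustration. It shows why advertising specific on-premises prefixes (option 2) makes them win over the Internet gateway route, while advertising a default route (option 1) only produces a second 0.0.0.0/0 entry that ties with the static one and is not more specific than anything.

```python
import ipaddress

# Route table from the explanation above (destination -> target), copied from
# the page's values. "Local" is the implicit VPC-internal route.
ROUTE_TABLE = [
    ("10.0.0.0/16", "Local"),
    ("172.31.0.0/16", "pcx-1a2b1a2b"),
    ("0.0.0.0/0", "igw-11aa22bb"),
]

# Constructed example: specific on-premises prefixes advertised over BGP and
# installed by route propagation via a virtual private gateway (hypothetical
# target name "vgw-example").
PROPAGATED_SPECIFIC = [("192.168.0.0/16", "vgw-example")]

# Constructed example: the on-premises router advertises only a default route.
PROPAGATED_DEFAULT = [("0.0.0.0/0", "vgw-example")]


def build_table(static_routes, propagated_routes=()):
    """Parse CIDR strings once; returns a list of (ip_network, target)."""
    table = []
    for cidr, target in list(static_routes) + list(propagated_routes):
        table.append((ipaddress.ip_network(cidr, strict=True), target))
    return table


def matching_routes(table, dst):
    """All routes that cover dst, most specific (longest prefix) first.

    The sort is stable, so routes with equal prefix length keep table order;
    AWS applies its own precedence rules for such ties, which are not modelled.
    """
    addr = ipaddress.ip_address(dst)
    hits = [(net, target) for net, target in table if addr in net]
    hits.sort(key=lambda hit: hit[0].prefixlen, reverse=True)
    return hits


def lookup(table, dst):
    """Target of the longest-prefix-match route for dst, or None if no route."""
    hits = matching_routes(table, dst)
    return hits[0][1] if hits else None


def is_ambiguous(table, dst):
    """True when two or more routes tie on the longest matching prefix."""
    hits = matching_routes(table, dst)
    return len(hits) > 1 and hits[0][0].prefixlen == hits[1][0].prefixlen


if __name__ == "__main__":
    specific = build_table(ROUTE_TABLE, PROPAGATED_SPECIFIC)
    default = build_table(ROUTE_TABLE, PROPAGATED_DEFAULT)
    for dst in ("10.0.1.5", "172.31.4.9", "192.168.10.1", "8.8.8.8"):
        print(f"{dst:>14} specific-prefixes -> {lookup(specific, dst)}"
              f" | default-only -> {lookup(default, dst)}"
              f" (ambiguous={is_ambiguous(default, dst)})")
```

With the specific prefixes propagated, 192.168.10.1 goes to the virtual private gateway and everything else keeps its original target; with only a default route propagated, on-premises destinations still fall into a 0.0.0.0/0 tie with the Internet gateway route, which is exactly the situation option 2 avoids.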





Question : A customer has established an AWS Direct Connect connection to AWS. The link is up and routes are being advertised from the customer's end, however the customer is
unable to connect from EC2 instances inside its VPC to servers residing in its datacenter. Which of the following options provide a viable solution to remedy this situation?

(Choose 2 answers)
A. Add a route to the route table with an IPsec VPN connection as the target.
B. Enable route propagation to the virtual private gateway (VGW).
C. Enable route propagation to the customer gateway (CGW).
D. Modify the route table of all instances using the 'route' command.
E. Modify the instances' VPC subnet route table by adding a route back to the customer's on-premises environment.
1. A,B
2. B,C
3. …
4. A,E
5. B,E



Explanation: The Virtual Interface (VIF) is created on the AWS Direct Connect Router, not on the Virtual Private Gateway (VGW). You associate the private VIF with a
specific VGW, which allows the Direct Connect Router to route traffic to your VPC via that VGW. The concept of VGW here is similar to the VPN connections.

The correct traffic flow would be:
Customer Router <== 802.1q VLAN ===> Direct Connect Router (VIF) === VGW === VPC Router === VPC Subnets

With Direct Connect you can create multiple private virtual interfaces and associate each Direct Connect virtual interface with a VGW so that you can access your VPC.
Direct Connect requires BGP and 802.1q (dot1q) support for VLAN tagging. When creating your Direct Connect virtual interfaces you specify unused VLAN IDs to use on these interfaces and
which VGW to connect to. Your device then needs to be configured for the same VLAN and connected to the created virtual interface. This way you can segment the networks
using VLAN IDs.








Question : You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution must be
resilient. Which of the following options would you consider for configuring the web server infrastructure? (Choose 2 answers)

A. Configure ELB with TCP listeners on TCP/443. And place the Web servers behind it.
B. Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health checks against all Web servers.
C. Configure ELB with HTTPS listeners, and place the Web servers behind it.
D. Configure your web servers as the origins for a CloudFront distribution. Use custom SSL certificates on your CloudFront distribution.


1. A,B
2. B,C
3. …
4. B,D
5. A,B



Explanation: Amazon CloudFront gives you three options for accelerating your entire website while delivering your content securely over HTTPS from all of CloudFront's
edge locations. In addition to delivering securely from the edge, you can also configure CloudFront to use HTTPS connections for origin fetches so that your data is encrypted
end-to-end from your origin to your end users.

By default, you can deliver your content to viewers over HTTPS by using your CloudFront distribution domain name in your URLs, for example, https://dxxxxx.cloudfront.net/image.jpg.
If you want to deliver your content over HTTPS using your own domain name and your own SSL certificate, you can use one of our Custom SSL certificate support features.

If you use HTTPS or SSL for your front-end listener, you must install an SSL certificate on your load balancer. The load balancer uses the certificate to terminate the connection and
then decrypt requests from clients before sending them to the back-end instances.

The SSL protocol uses an X.509 certificate (SSL server certificate) to authenticate both the client and the back-end application. An X.509 certificate is a digital form of
identification issued by a certificate authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the
issuer.

If you have a load balancer, you can add a new listener that accepts HTTPS requests on port 443 for both the front-end and back-end connections. TCP has port 80



Related Questions


Question : An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances. The customer's security policy requires that every outbound
connection from these instances to any other service within the customer's Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific
instance-id. In addition, the X.509 certificates must be signed by the customer's key management service in order to be trusted for authentication.
Which of the following configurations will support these requirements?

1. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this
role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
2. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signature request with
the instance's assigned instance-id to the Key management service for signature.
3. … generate a signed certificate and send it directly to the newly launched instance.
4. Configure the launched instances to generate a new certificate upon first boot. Have the Key management service poll the AutoScaling group for associated instances and
send new instances a certificate signature that contains the specific instance-id.


Question : You are designing a photo-sharing mobile app; the application will store all pictures in a single Amazon S3 bucket. Users will upload pictures from their mobile device
directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3. You want to configure security to handle potentially millions of users in the
most secure manner possible. What should your server-side application do when a new user registers on the photo-sharing mobile application?
1. Create a set of long-term credentials using AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app and use them to access
Amazon S3.
2. Record the user's Information in Amazon RDS and create a role in IAM with appropriate permissions. When the user uses their mobile app create temporary credentials
using the AWS Security Token Service 'AssumeRole' function Store these credentials in the mobile app's memory and use them to access Amazon S3. Generate new credentials the next time
the user runs the mobile app.
3. … permissions. Store these credentials in the mobile app's memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
4. Create IAM user. Assign appropriate permissions to the IAM user. Generate an access key and secret key for the IAM user, store them in the mobile app and use these
credentials to access Amazon S3.
5. Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user Generate an access Key and secret Key for the IAM user, store them In the
mobile app and use these credentials to access Amazon S3.



Question : A web startup runs its very successful social news application on Amazon EC2 with an Elastic Load Balancer, an Auto Scaling group of Java/Tomcat application servers,
and DynamoDB as data store. The main web application runs best on m2.xlarge instances since it is highly memory-bound. Each new deployment requires semi-automated creation
and testing of a new AMI for the application servers, which takes quite a while and is therefore only done once per week. Recently, a new chat feature has been implemented in Node.js
and needs to be integrated into the architecture. First tests show that the new component is CPU-bound. Because the company has some experience with using Chef, they decided to
streamline the deployment process and use AWS OpsWorks as an application life cycle tool to simplify management of the application and reduce the deployment cycles.
What configuration in AWS OpsWorks is necessary to integrate the new chat module in the most cost-efficient and flexible way?

1. Create one AWS OpsWorks stack, create one AWS OpsWorks layer, create one custom recipe
2. Create one AWS OpsWorks stack, create two AWS OpsWorks layers, create one custom recipe
3. …
4. Create two AWS OpsWorks stacks, create two AWS OpsWorks layers, create two custom recipes



Question : You are tasked with moving a legacy application from a virtual machine running inside your datacenter to an Amazon VPC. Unfortunately this app requires access to a
number of on-premises services, and no one who configured the app still works for your company. Even worse, there's no documentation for it. What will allow the application running
inside the VPC to reach back and access its internal dependencies without being reconfigured?

(Choose 3 answers)
A. An AWS Direct Connect link between the VPC and the network housing the internal services.
B. An Internet Gateway to allow a VPN connection.
C. An Elastic IP address on the VPC instance
D. An IP address space that does not conflict with the one on-premises
E. Entries in Amazon Route 53 that allow the instance to resolve its dependencies' IP addresses
F. A VM Import of the current virtual machine


1. A,B,C
2. C,D,E
3. …
4. A,D,F


Question : Your system recently experienced downtime during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2
instances. Which of the following strategies will help prevent a similar situation in the future?
The administrator still must be able to:
- launch, start, stop, and terminate development resources.
- launch and start production instances.
1. Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection.
2. Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources.
3. …
4. Create an IAM user and apply an IAM role which prevents users from terminating production EC2 instances.


Question : Your fortune company has undertaken a TCO (total cost of ownership) analysis evaluating the use of Amazon S3 versus acquiring more hardware. The outcome was that
all employees would be granted access to use Amazon S3 for storage of their personal documents. Which of the following will you need to consider so you can set up a solution that