
AWS Certified Solutions Architect - Professional Questions and Answers (Dumps and Practice Questions)



Question : You are designing a connectivity solution between on-premises infrastructure and Amazon
VPC. Your on-premises servers will communicate with your VPC instances. You will
establish IPsec tunnels over the internet, using VPN gateways and
terminating the IPsec tunnels on AWS-supported customer gateways.
Which of the following objectives would you achieve by implementing an IPsec tunnel as
outlined above? (Choose 4 answers)

A. End-to-end protection of data in transit
B. End-to-end Identity authentication
C. Data encryption across the Internet
D. Protection of data in transit over the Internet
E. Peer identity authentication between VPN gateway and customer gateway
F. Data integrity protection across the Internet


1. A,B,C,D
2. B,C,D,E
3.
4. D,E,F,A
5. E,F,A,B


Answer: 3
Explanation: Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a
communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used
during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security
gateway and a host (network-to-host).

Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer
authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite, while some other Internet security systems in widespread use, such as Transport
Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers at the Application layer. Hence, only IPsec protects all application traffic over an IP network. Applications
can be automatically secured by IPsec at the IP layer.
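The guarantees the explanation lists (peer/origin authentication, data integrity, confidentiality and replay protection) are applied to every packet of the session. The block below is an added example written for this page, not AWS or IPsec code: a constructed, standard-library-only model of ESP-style packet protection in which the SPI, the keys, the anti-replay window size and the sample packets are all assumed. Real IPsec derives its keys through IKE and encrypts with ciphers such as AES-GCM; here an HMAC-derived keystream stands in for the cipher so the example runs without extra libraries, and the point is the order of checks on the receiving side.

```python
import hashlib
import hmac
import struct

# Constructed toy modelled on ESP's packet layout (SPI | sequence | ciphertext | ICV).
# NOT real IPsec: the keystream is HMAC-derived so the example needs only the stdlib.

ICV_LEN = 16  # truncated HMAC-SHA256, like ESP's 128-bit integrity check value


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream, unique per sequence number so it never repeats within an SA."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EspSender:
    """Encrypts, then authenticates, each packet under one security association."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0  # strictly increasing; never reused for this SA

    def protect(self, plaintext: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">II", self.spi, self.seq)
        body = _xor(plaintext, _keystream(self.enc_key, self.seq, len(plaintext)))
        icv = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        return header + body + icv


class EspReceiver:
    """Checks replay window, then origin/integrity, and only then decrypts."""

    WINDOW = 64  # anti-replay window (assumed size; RFC 4303 requires at least 32)

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.highest, self.seen = 0, set()

    def unprotect(self, packet: bytes) -> bytes:
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("truncated packet")
        spi, seq = struct.unpack(">II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # 1. cheap anti-replay check first: duplicates, or older than the window
        if seq in self.seen or seq <= self.highest - self.WINDOW:
            raise ValueError("replayed packet")
        # 2. origin authentication + integrity over header and ciphertext, constant-time compare
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        # 3. only an authenticated packet may advance the replay window
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.WINDOW}
        return _xor(body, _keystream(self.enc_key, seq, len(body)))


def demo() -> dict:
    """Push one tunnel through the four properties; returns which checks held."""
    enc_key, auth_key = b"k" * 32, b"a" * 32  # constructed fixed keys (IKE would derive them)
    sender = EspSender(0x1001, enc_key, auth_key)
    receiver = EspReceiver(0x1001, enc_key, auth_key)
    plaintext = b"GET /orders HTTP/1.1"
    wire = sender.protect(plaintext)

    results = {"confidential": plaintext not in wire}
    results["decrypts"] = receiver.unprotect(wire) == plaintext
    try:                                   # same packet delivered twice
        receiver.unprotect(wire)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True

    fresh = sender.protect(b"POST /orders HTTP/1.1")
    tampered = fresh[:10] + bytes([fresh[10] ^ 0x01]) + fresh[11:]  # one flipped ciphertext bit
    try:
        receiver.unprotect(tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    # the genuine copy still arrives after the tampered one was dropped
    results["genuine_after_tamper"] = receiver.unprotect(fresh) == b"POST /orders HTTP/1.1"
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver checks the sequence number before doing any cryptographic work, verifies the ICV before decrypting, and updates the replay window only for authenticated packets; that ordering is what keeps a forged or replayed packet from consuming window state or CPU.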






Question : You are designing an intrusion detection/prevention (IDS/IPS) solution for a customer web
application in a single VPC. You are considering the options for implementing IDS/IPS
protection for traffic coming from the Internet.
Which of the following options would you consider? (Choose 2 answers)

A. Implement IDS/IPS agents on each instance running in the VPC
B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.
C. Implement Elastic Load Balancing with SSL listeners in front of the web applications
D. Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.



1. A,B
2. B,C
3.
4. A,D



Answer: 4
Explanation: Many AWS customers install host-based IDS software, such as the open source product OSSEC, that includes file integrity checking and rootkit detection software. Use
these products to analyze important system files and folders and calculate checksums that reflect their trusted state, then regularly check whether these files have been
modified and alert the system administrator if so. IDS/IPS systems can use statistical/behavioral or signature-based algorithms to detect and contain network attacks and Trojans.

Intrusion is a set of actions aimed at compromising the security goals, namely the integrity, confidentiality or availability of a computing and networking resource. Intrusion detection
is the process of monitoring the events occurring in a computer system or network, analyzing them for signs of possible incidents, logging information about them and reporting to
security administrators. Intrusion detection systems are designed to detect malicious behaviors that could compromise the security and trust of a computer system. Intrusion prevention
is the process of performing intrusion detection and attempting to stop detected incidents in real time. Just like intrusion detection, information about the incidents is logged and
reported to the security administrator.

The main difference between intrusion detection and intrusion prevention is that intrusion detection only monitors incidents (passive monitoring), whereas intrusion prevention attempts
to stop them (reactive monitoring). Promiscuous mode is not supported in AWS, hence option B is out.

In-flight data encryption: incoming traffic goes through the AWS ELB (Elastic Load Balancer), which is used as an HTTPS terminator; it proxies traffic to the backend IDS instances
as HTTP. The Snort servers analyze each packet and then decide to accept or reject it. Once transmitted, outgoing data must be encrypted using SSL. Using Snort, the system
examines the outbound packet and logs the results; only then does SSL encryption take place and the data is sent.

Intrusion prevention systems can be classified into four different types:
Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
Wireless intrusion prevention system (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.
Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
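A minimal version of the checksum-based file integrity check the explanation describes (the technique OSSEC-style host IDS agents use), added here as an example; it is not OSSEC, Snort or AWS code. The directory layout, file names and the changes made between the two scans are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added file-integrity-monitor example: baseline trusted files by checksum,
# rescan later, and report exactly what changed. Constructed for this page.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record the trusted state: digest, size and permission bits of every regular file."""
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            state[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return state


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the trusted baseline and a fresh scan."""
    report = {"modified": [], "added": [], "removed": []}
    for name, rec in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif rec["sha256"] != baseline[name]["sha256"] or rec["mode"] != baseline[name]["mode"]:
            report["modified"].append(name)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def alerts(report: dict) -> list:
    """One line per changed file, in the form an administrator would be paged with."""
    return [f"FIM ALERT: {kind} {name}"
            for kind in ("modified", "added", "removed")
            for name in report[kind]]


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, change it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication no\n")
        (root / "etc" / "cron.allow").write_text("root\n")
        baseline = take_baseline(root)

        # simulated drift between the two scans (constructed, not real events)
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication yes\n")
        (root / "etc" / "rc.local").write_text("#!/bin/sh\n")
        (root / "etc" / "cron.allow").unlink()
        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for line in alerts(demo()):
        print(line)
```

In production the baseline itself must be stored where the monitored host cannot rewrite it (a separate log server or an object store with versioning), otherwise whoever modifies the file can also modify the expected checksum.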






Question : A customer has a GB AWS Direct Connect connection to an AWS region where they
have a web application hosted on Amazon Elastic Compute Cloud (EC2). The application
has dependencies on an on-premises mainframe database that uses a BASE (Basically
Available, Soft state, Eventual consistency) rather than an ACID (Atomicity, Consistency,
Isolation, Durability) consistency model. The application is exhibiting undesirable behavior
because the database is not able to handle the volume of writes. How can you reduce the
load on your on-premises database resources in the most cost-effective way?

1. Use an Amazon Elastic Map Reduce (EMR) S3DistCp as a synchronization mechanism
between the on-premises database and a Hadoop cluster on AWS.
2. Modify the application to write to an Amazon SQS queue and develop a worker process
to flush the queue to the on-premises database.
3.
function to write to the on-premises database.
4. Provision an RDS read-replica database on AWS to handle the writes and synchronize
the two databases using Data Pipeline.


Answer: 2. You can use SQS to buffer heavy writes to the database, because SQS is durable: whatever messages are in SQS will remain in SQS until they are consumed.
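The write-buffering pattern behind answer 2, as an added example written for this page (not AWS code, and not the real SQS API): DurableQueue is an in-memory stand-in that mirrors the SQS receive/delete semantics, OnPremDatabase is an SQLite stand-in for the mainframe with an assumed write capacity, and the worker deletes a message only after its write has committed, so an overloaded database causes a retry rather than data loss.

```python
import json
import sqlite3
import uuid
from collections import deque

# Added example of queue-buffered writes. Constructed stand-ins, not AWS code.


class DurableQueue:
    """SQS-like: a received message is in flight and is removed only when deleted."""

    def __init__(self):
        self._ready = deque()
        self._inflight = {}

    def send(self, body: str) -> None:
        self._ready.append((str(uuid.uuid4()), body))

    def receive(self, max_messages: int) -> list:
        batch = []
        while self._ready and len(batch) < max_messages:
            handle, body = self._ready.popleft()
            self._inflight[handle] = body
            batch.append((handle, body))
        return batch

    def delete(self, handle: str) -> None:
        del self._inflight[handle]

    def release(self, handle: str) -> None:
        """What the visibility timeout does when a consumer never deletes the message."""
        self._ready.appendleft((handle, self._inflight.pop(handle)))

    def __len__(self) -> int:
        return len(self._ready) + len(self._inflight)


class OnPremDatabase:
    """Stand-in for the mainframe: rejects any batch above its write capacity (assumed)."""

    def __init__(self, max_batch: int):
        self.max_batch = max_batch
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, payload TEXT)")

    def write_batch(self, rows: list) -> None:
        if len(rows) > self.max_batch:
            raise RuntimeError("database overloaded")
        # queues deliver at least once: a redelivered message must not create a duplicate row
        self.conn.executemany("INSERT OR IGNORE INTO orders VALUES (?, ?)", rows)
        self.conn.commit()

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def flush_queue(q: DurableQueue, db: OnPremDatabase, batch_size: int) -> dict:
    """Worker loop: receive, write, delete on success; back off and retry on failure."""
    stats = {"batches": 0, "failures": 0}
    while len(q):
        batch = q.receive(batch_size)
        rows = [(json.loads(body)["order_id"], body) for _, body in batch]
        try:
            db.write_batch(rows)
        except RuntimeError:
            stats["failures"] += 1
            for handle, _ in batch:
                q.release(handle)                 # nothing is lost: messages go back
            batch_size = max(1, batch_size // 2)  # shrink to what the DB can absorb
            continue
        for handle, _ in batch:
            q.delete(handle)                      # acknowledge only after the commit
        stats["batches"] += 1
    return stats


def demo() -> dict:
    """Constructed burst of 40 writes against a database that takes at most 5 per batch."""
    q, db = DurableQueue(), OnPremDatabase(max_batch=5)
    for i in range(40):
        q.send(json.dumps({"order_id": i, "sku": f"SKU-{i:03d}"}))
    stats = flush_queue(q, db, batch_size=20)
    stats.update(written=db.count(), remaining=len(q))
    return stats


if __name__ == "__main__":
    print(demo())
```

Two details carry over to the real service: the worker must be idempotent because SQS standard queues deliver at least once, and the delete must come after the database commit, never before, or a crash between the two loses the write.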



Related Questions


Question : You've been hired to enhance the overall security posture for a very large e-commerce site. They have a well-architected multi-tier application running in a VPC that
uses ELBs in front of both the web and the app tier, with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then
archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized
access. Which approach provides a cost-effective, scalable mitigation to this kind of attack?
1. Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC. They would then establish Internet
connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection into their application
running in their VPC.
2. Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet.
3.
ELB. The WAF tier would pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group
4. Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF (Web Application Firewall) functionality.



Question : Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed. Members of your Network Operations Center need to be
able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don't want to create new IAM users for each NOC member and make those users sign in
again to the AWS Management Console. Which option below will meet the needs for your NOC members?
1. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.
2. Use web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.
3.
4. Use your on-premises SAML 2.0-compliant identity provider (IdP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.


Question : Your company previously configured a heavily used, dynamically routed VPN connection between your on-premises data center and AWS. You recently provisioned a
DirectConnect connection and would like to start using the new connection. After configuring DirectConnect settings in the AWS Console, which of the following options will
provide the most seamless transition for your users?
1. Delete your existing VPN connection to avoid routing loops, configure your DirectConnect router with the appropriate settings and verify network traffic is leveraging
DirectConnect.
2. Configure your DirectConnect router with a higher BGP priority than your VPN router, verify network traffic is leveraging Directconnect and then delete your existing
VPN connection.
3.
leveraging DirectConnect and then delete the VPN connection.
4. Configure your DirectConnect router, update your VPC route tables to point to the DirectConnect connection, configure your VPN connection with a higher BGP priority, and
verify network traffic is leveraging the DirectConnect connection.


Question : A web company is looking to implement an external payment service into their highly
available application deployed in a VPC. Their application EC2 instances are behind a
public facing ELB. Auto scaling is used to add additional instances as traffic increases. Under
normal load the application runs 2 instances in the Auto Scaling group but at peak it can
scale 3x in size. The application instances need to communicate with the payment service
over the Internet which requires whitelisting of all public IP addresses used to communicate
with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added
through an API.
How should they architect their solution?

1. Route payment requests through two NAT instances set up for high availability and
whitelist the Elastic IP addresses attached to the NAT instances.
2. Whitelist the VPC Internet Gateway Public IP and route payment requests through the
Internet Gateway.
3.
through the ELB.
4. Automatically assign public IP addresses to the application instances in the Auto Scaling
group and run a script on boot that adds each instance's public IP address to the payment
validation whitelist API.




Question : You are running a news website in the eu-west- region that updates every minutes.
The website has a world-wide audience; it uses an Auto Scaling group behind an Elastic
Load Balancer and an Amazon RDS database. Static content resides on Amazon S3 and is
distributed through Amazon CloudFront. Your Auto Scaling group is set to trigger a scale-up
event at 60% CPU utilization; you use an Amazon RDS extra large DB instance with
10,000 Provisioned IOPS, and its CPU utilization is around 80%, while freeable memory is in
the 2 GB range.
Web analytics reports show that the average load time of your web pages is around 1.5 to
2 seconds, but your SEO consultant wants to bring down the average load time to under
0.5 seconds.
How would you improve page load times for your users? (Choose 3 answers)

A. Lower the scale up trigger of your Auto Scaling group to 30% so it scales more aggressively.
B. Add an Amazon ElastiCache caching layer to your application for storing sessions and frequent DB queries
C. Configure Amazon CloudFront dynamic content support to enable caching of re-usable content from your site
D. Switch Amazon RDS database to the high memory extra large Instance type
E. Set up a second installation in another region, and use the Amazon Route 53 latency based routing feature to select the right region.

1. A,B,C
2. B,C,D
3.
4. B,D,E
5. C,D,E


Question : Your team has a Tomcat-based Java application you need to deploy into development, test
and production environments. After some research, you opt to use Elastic Beanstalk due to
its tight integration with your developer tools and RDS due to its ease of management.
Your QA team lead points out that you need to roll a sanitized set of production data into
your environment on a nightly basis. Similarly, other software teams in your org want
access to that same restored data via their EC2 instances in your VPC. The optimal setup
for persistence and security that meets the above requirements would be the following.

1. Create your RDS instance as part of your Elastic Beanstalk definition and alter its
security group to allow access to it from hosts in your application subnets.
2. Create your RDS instance separately and add its IP address to your application's DB
connection strings in your code. Alter its security group to allow access to it from hosts
within your VPC's IP address block.
3.
connection string as an environment variable. Create a security group for client machines
and add it as a valid source for DB traffic to the security group of the RDS instance itself.
4. Create your RDS instance separately and pass its DNS name to your application's DB connection
string as an environment variable. Alter its security group to allow access to it from hosts in
your application subnets.