Amazon-Web-Services SAA-C03 Free Practice Questions

NEW QUESTION 1
A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website.
Which actions should the solutions architect take to protect the website from such an attack? (Select TWO.)

• A. Use AWS Shield Advanced to stop the DDoS attack.
• B. Configure Amazon GuardDuty to automatically block the attackers.
• C. Configure the website to use Amazon CloudFront for both static and dynamic content.
• D. Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
• E. Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization

Answer: AC

NEW QUESTION 2
A company is using a SQL database to store movie data that is publicly accessible. The database runs on an Amazon RDS Single-AZ DB instance A script runs queries at random intervals each day to record the number of new movies that have been added to the database. The script must report a final total during business hours The company's development team notices that the database performance is inadequate for development tasks when the script is running. A solutions architect must recommend a solution to resolve this issue. Which solution will meet this requirement with the LEAST operational overhead?

• A. Modify the DB instance to be a Multi-AZ deployment
• B. Create a read replica of the database Configure the script to query only the read replica
• C. Instruct the development team to manually export the entries in the database at the end of each day
• D. Use Amazon ElastiCache to cache the common queries that the script runs against the database

Answer: B

NEW QUESTION 3
A company hosts a containerized web application on a fleet of on-premises servers that process incoming requests. The number of requests is growing quickly. The on-premises servers cannot handle the increased number of requests. The company wants to move the application to AWS with minimum code changes and minimum development effort.
Which solution will meet these requirements with the LEAST operational overhead?

• A. Use AWS Fargate on Amazon Elastic Container Service (Amazon ECS) to run the containerized web application with Service Auto Scalin
• B. Use an Application Load Balancer to distribute the incoming requests.
• C. Use two Amazon EC2 instances to host the containerized web applicatio
• D. Use an Application Load Balancer to distribute the incoming requests
• E. Use AWS Lambda with a new code that uses one of the supported language
• F. Create multiple Lambda functions to support the loa
• G. Use Amazon API Gateway as an entry point to the Lambda functions.
• H. Use a high performance computing (HPC) solution such as AWS ParallelClusterto establish an HPC cluster that can process the incoming requests at the appropriate scale.

Answer: A

NEW QUESTION 4
A company hosts its web application on AWS using seven Amazon EC2 instances. The company requires that the IP addresses of all healthy EC2 instances be returned in response to DNS queries.
Which policy should be used to meet this requirement?

• A. Simple routing policy
• B. Latency routing policy
• C. Multivalue routing policy
• D. Geolocation routing policy

Answer: C

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/multivalue-versus-simple-policies/
"Use a multivalue answer routing policy to help distribute DNS responses across multiple resources. For example, use multivalue answer routing when you want to associate your routing records with a Route 53 health check."
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-multivalue

NEW QUESTION 5
The management account has an Amazon S3 bucket that contains project reports. The company
wants to limit access to this S3 bucket to only users of accounts within the organization in AWS
Organizations.
Which solution meets these requirements with the LEAST amount of operational overhead?

• A. Add the aws:PrincipalOrgID global condition key with a reference to the organization ID to the S3bucket policy.
• B. Create an organizational unit (OU) for each departmen
• C. Add the aws:PrincipalOrgPaths globalcondition key to the S3 bucket policy.
• D. Use AWS CloudTrail to monitor the CreateAccount, InviteAccountToOrganization,LeaveOrganization, and RemoveAccountFromOrganization event
• E. Update the S3 bucket policyaccordingly.
• F. Tag each user that needs access to the S3 bucke
• G. Add the aws:PrincipalTag global condition key tothe S3 bucket policy.

Answer: A

Explanation:
Explanation
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-awsorganization-
of-iam-principals/
The aws:PrincipalOrgID global key provides an alternative to listing all the account IDs for all AWS
accounts in an organization. For example, the following Amazon S3 bucket policy allows members of
any account in the XXX organization to add an object into the examtopics bucket.
{"Version": "2020-09-10",
"Statement": {
"Sid": "AllowPutObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::examtopics/*",
"Condition": {"StringEquals":
{"aws:PrincipalOrgID":["XXX"]}}}}
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

NEW QUESTION 6
A company needs to retain application logs files for a critical application for 10 years. The application team regularly accesses logs from the past month for troubleshooting, but logs older than 1 month are rarely accessed. The application generates more than 10 TB of logs per month.
Which storage option meets these requirements MOST cost-effectively?

• A. Store the Iogs in Amazon S3 Use AWS Backup lo move logs more than 1 month old to S3 Glacier Deep Archive
• B. Store the logs in Amazon S3 Use S3 Lifecycle policies to move logs more than 1 month old to S3 Glacier Deep Archive
• C. Store the logs in Amazon CloudWatch Logs Use AWS Backup to move logs more then 1 month old to S3 Glacier Deep Archive
• D. Store the logs in Amazon CloudWatch Logs Use Amazon S3 Lifecycle policies to move logs more than 1 month old to S3 Glacier Deep Archive

Answer: B

NEW QUESTION 7
A company's web application consists of multiple Amazon EC2 instances that run behind an Application Load Balancer in a VPC. An Amazon ROS for MySQL DB instance contains the data. The company needs the ability to automatically detect and respond to suspicious or unexpected behaviour in its AWS environment the company already has added AWS WAF to its architecture.
What should a solutions architect do next lo protect against threats?

• A. Use Amazon GuardDuty to perform threat detectio
• B. Configure Amazon EventBridge (Amazon CloudWatch Events) to filler for GuardDuty findings and to invoke pin AWS Lambda function to adjust the AWS WAF rules
• C. Use AWS Firewall Manager to perform threat detection Configure Amazon EventBridge (Amazon CloudWatch Events) to filter for Firewall Manager findings and to invoke an AWS Lambda function to adjust the AWS WAF web ACL
• D. Use Amazon Inspector to perform three! detection and to update the AWS WAT rules Create a VPC network ACL to limit access to the web application
• E. Use Amazon Macie to perform throat detection and to update the AWS WAF rules Create a VPC network ACL to limit access to the web application

Answer: A

NEW QUESTION 8
A company recently launched a variety of new workloads on Amazon EC2 instances in its AWS account. The company needs to create a strategy to access and administer the instances remotely and securely. The company needs to implement a repeatable process that works with native AWS services and follows the AWS Well-Architected Framework.
Which solution will meet these requirements with the LEAST operational overhead?

• A. Use the EC2 serial console to directly access the terminal interface of each instance for administration.
• B. Attach the appropriate 1AM role to each existing instance and new instanc
• C. Use AWS Systems Manager Session Manager to establish a remote SSH session.
• D. Create an administrative SSH key pai
• E. Load the public key into each EC2 instanc
• F. Deploy a bastion host in a public subnet to provide a tunnel for administration of each instance.
• G. Establish an AWS Site-to-Site VPN connectio
• H. Instruct administrators to use their local onpremises machines to connect directly to the instances by using SSH keys across the VPN tunnel.

Answer: B

Explanation:
Explanation
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-launch-managedinstance. html

NEW QUESTION 9
A company hosts a marketing website in an on-premises data center. The website consists of static documents and runs on a single server. An administrator updates the website content infrequently and uses an SFTP client to upload new documents.
The company decides to host its website on AWS and to use Amazon CloudFront. The company's solutions architect creates a CloudFront distribution. The solutions architect must design the most cost-effective and resilient architecture for website hosting to serve as the CloudFront origin.
Which solution will meet these requirements?

• A. Create a virtual server by using Amazon Lightsai
• B. Configure the web server in the Lightsail instance.Upload website content by using an SFTP client.
• C. Create an AWS Auto Scaling group for Amazon EC2 instance
• D. Use an Application Load Balancer.Upload website content by using an SFTP client.
• E. Create a private Amazon S3 bucke
• F. Use an S3 bucket policy to allow access from a CloudFront origin access identity (OAI). Upload website content by using theAWSCLI.
• G. Create a public Amazon S3 bucke
• H. Configure AWS Transfer for SFT
• I. Configure the S3 bucket for website hostin
• J. Upload website content by using the SFTP client.

Answer: D

NEW QUESTION 10
A company runs an application that receives data from thousands of geographically dispersed remote devices that use UDP The application processes the data immediately and sends a message back to the device if necessary No data is stored.
The company needs a solution that minimizes latency for the data transmission from the devices. The solution also must provide rapid failover to another AWS Region
Which solution will meet these requirements?

• A. Configure an Amazon Route 53 failover routing policy Create a Network Load Balancer (NLB) in each of the two Regions Configure the NLB to invoke an AWS Lambda function to process the data
• B. Use AWS Global Accelerator Create a Network Load Balancer (NLB) in each of the two Regions as an endpoin
• C. Create an Amazon Elastic Container Service (Amazon ECS) cluster with the Fargate launch type Create an ECS service on the cluster Set the ECS service as the target for the NLB Process the data in Amazon ECS.
• D. Use AWS Global Accelerator Create an Application Load Balancer (ALB) in each of the two Regions as an endpoint Create an Amazon Elastic Container Service (Amazon ECS) cluster with the Fargate launch type Create an ECS service on the cluste
• E. Set the ECS service as the target for the ALB Process the data in Amazon ECS
• F. Configure an Amazon Route 53 failover routing policy Create an Application Load Balancer (ALB) in each of the two Regions Create an Amazon Elastic Container Service (Amazon ECS) cluster with the Fargate launch type Create an ECS service on the cluster Set the ECS service as the target for the ALB Process the data in Amazon ECS

Answer: C

NEW QUESTION 11
A company has hired a solutions architect to design a reliable architecture for its application. The application consists of one Amazon RDS DB instance and two manually provisioned Amazon EC2 instances that run web servers. The EC2 instances are located in a single Availability Zone.
What should the solutions architect do to maximize reliability of the application Infrastructure?

• A. Delete one EC2 instance and enable termination protection on the other EC2 instanc
• B. Update the DB instance to De multi-AZ, and enable deletion protection.
• C. Update the DB instance to be Multi-A
• D. and enable deletion protectio
• E. Place the EC2 instances behind an Application Load Balancer, and run them in an EC2 Auto Scaling group across multiple Availability Zones
• F. Create an additional DB instance along with an Amazon API Gateway and an AWS Lambda function.Configure the application to invoke the Lambda function through API Gateway Have the Lambda function write the data to the two DB instances.
• G. Place the EC2 instances in an EC2 Auto Scaling group that has multiple subnets located in multiple Availability Zone
• H. Use Spot Instances instead of On-Demand Instance
• I. Set up Amazon CloudWatch alarms to monitor the health of the instance
• J. Update the DB instance to be Multi-AZ, and enable deletion protection.

Answer: B

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html

NEW QUESTION 12
A company is experiencing sudden increases in demand. The company needs to provision large Amazon EC2 instances from an Amazon Machine image (AMI) The instances will run m an Auto Scaling group. The company needs a solution that provides minimum initialization latency to meet the demand.
Which solution meets these requirements?

• A. Use the aws ec2 register-image command to create an AMI from a snapshot Use AWS Step Functions to replace the AMI in the Auto Scaling group
• B. Enable Amazon Elastic Block Store (Amazon EBS) fast snapshot restore on a snapshot Provision an AMI by using the snapshot Replace the AMI m the Auto Scaling group with the new AMI
• C. Enable AMI creation and define lifecycle rules in Amazon Data Lifecycle Manager (Amazon DLM) Create an AWS Lambda function that modifies the AMI in the Auto Scaling group
• D. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke AWS Backup lifecycle policies that provision AMIs Configure Auto Scaling group capacity limits as an event source in EventBridge (CloudWatch Events)

Answer: B

NEW QUESTION 13
A company has an on-premises application that generates a large amount of time-sensitive data that is backed up to Amazon S3. The application has grown and there are user complaints about internet bandwidth limitations. A solutions architect needs to design a long-term solution that allows for both timely backups to Amazon S3 and with minimal impact on internet connectivity for internal users.
Which solution meets these requirements?

• A. Establish AWS VPN connections and proxy all traffic through a VPC gateway endpoint
• B. Establish a new AWS Direct Connect connection and direct backup traffic through this new connection.
• C. Order daily AWS Snowball devices Load the data onto the Snowball devices and return the devices to AWS each day.
• D. Submit a support ticket through the AWS Management Console Request the removal of S3 service limits from the account.

Answer: B

NEW QUESTION 14
A global company hosts its web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The web application has static data and dynamic data. The company stores its static data in an Amazon S3 bucket. The company wants to improve performance and reduce latency for the static data and dynamic data. The company is using its own domain name registered with Amazon Route 53.
What should a solutions architect do to meet these requirements?

• A. Create an Amazon CloudFront distribution that has the S3 bucket and the ALB as origins Configure Route 53 to route traffic to the CloudFront distribution.
• B. Create an Amazon CloudFront distribution that has the ALB as an origin Create an AWS Global Accelerator standard accelerator that has the S3 bucket as an endpoin
• C. Configure Route 53 to route traffic to the CloudFront distribution.
• D. Create an Amazon CloudFront distribution that has the S3 bucket as an origin Create an AWS Global Accelerator standard accelerator that has the ALB and the CloudFront distribution as endpoints Create a custom domain name that points to the accelerator DNS name Use the custom domain name as an endpoint for the web application.
• E. Create an Amazon CloudFront distribution that has the ALB as an origin
• F. Create an AWS Global Accelerator standard accelerator that has the S3 bucket as an endpoint Create two domain name
• G. Point one domain name to the CloudFront DNS name for dynamic content, Point the other domain name to the accelerator DNS name for static content Use the domain names as endpoints for the web application.

Answer: D

NEW QUESTION 15
A company needs to ingested and handle large amounts of streaming data that its application generates. The application runs on Amazon EC2 instances and sends data to Amazon Kinesis Data Streams. which is contained wild default settings. Every other day the application consumes the data and writes the data to an Amazon S3 bucket for business intelligence (BI) processing the company observes that Amazon S3 is not receiving all the data that trio application sends to Kinesis Data Streams.
What should a solutions architect do to resolve this issue?

• A. Update the Kinesis Data Streams default settings by modifying the data retention period.
• B. Update the application to use the Kinesis Producer Library (KPL) lo send the data to Kinesis Data Streams.
• C. Update the number of Kinesis shards lo handle the throughput of me data that is sent to Kinesis Data Streams.
• D. Turn on S3 Versioning within the S3 bucket to preserve every version of every object that is ingested in the S3 bucket.

Answer: A

NEW QUESTION 16
A company uses an Amazon Auroia PostgreSQL DB cluster 10 store its critical data m tne us-east-l Region The company wants to develop a disaster recovery plan to recover the database m the us west 1 Region The company has a recovery time objective (RTO) of S minutes and has a recovery point objective (RPO) of 1 minute
What should a solutions architect do to moot these requirements?

• A. Create a read replica in us-west-1 Set the DB cluster to automaKaliy fail over to the read replica if the primary instance is not responding
• B. Create an Aurora global database Sel us-west-1 as the secondary Region update connections to use the writer and reader endpomis as appropriate
• C. Set up a second Aurora DB cluster in us-west-1 Use logical replication to keep the databases synchronized Create an Amazon EvontBridgc (Amazon CloudWatch Events) rule to change thedatabase endpoint rf the primary DB cluster does not respond.
• D. Use Aurora automated snapshots to store data in an Amazon S3 bucket Enable S3 Verswnm
• E. Configure S3 Cross-Region Replication to us-west-1 Create a second Aurora DB cluster in us-west-1 Create an Amazon EventBndge (Amazon CloudWatch Events) rule to restore the snapshot il the primary D8 cluster does not respond

Answer: B

NEW QUESTION 17
A company hosts an application on multiple Amazon EC2 instances The application processes messages from an Amazon SQS queue writes to an Amazon RDS table and deletes the message from the queue Occasional duplicate records are found in the RDS table. The SQS queue does not contain any duplicate messages.
What should a solutions architect do to ensure messages are being processed once only?

• A. Use the CreateQueue API call to create a new queue
• B. Use the Add Permission API call to add appropriate permissions
• C. Use the ReceiveMessage API call to set an appropriate wail time
• D. Use the ChangeMessageVisibility APi call to increase the visibility timeout

Answer: D

Explanation:
Explanation
The visibility timeout begins when Amazon SQS returns a message. During this time, the consumer processes and deletes the message. However, if the consumer fails before deleting the message and your system doesn't call the DeleteMessage action for that message before the visibility timeout expires, the message becomes visible to other consumers and the message is received again. If a message must be received only once, your consumer should delete it within the duration of the visibility timeout. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html
Keyword: SQS queue writes to an Amazon RDS From this, Option D best suite & other Options ruled out [Option A - You can't intruduce one more Queue in the existing one; Option B - only Permission & Option C - Only Retrieves Messages] FIF O queues are designed to never introduce duplicate messages. However, your message producer might introduce duplicates in certain scenarios: for example, if the producer sends a message, does not receive a response, and then resends the same message. Amazon SQS APIs provide deduplication functionality that prevents your message producer from sending duplicates. Any duplicates introduced by the message producer are removed within a 5-minute deduplication interval. For standard queues, you might occasionally receive a duplicate copy of a message (at-least- once delivery). If you use a standard queue, you must design your applications to be idempotent (that is, they must not be affected adversely when processing the same message more than once).

NEW QUESTION 18
A company is running a publicly accessible serverless application that uses Amazon API Gateway and AWS Lambda. The application’s traffic recently spiked due to fraudulent requests from botnets.
Which steps should a solutions architect take to block requests from unauthorized users? (Select TWO.)

• A. Create a usage plan with an API key that it shared with genuine users only.
• B. Integrate logic within the Lambda function to ignore the requests lion- fraudulent IP addresses
• C. Implement an AWS WAF rule to target malicious requests and trigger actions to filler them out
• D. Convert the existing public API to a private API Update the DNS records to redirect users to the new API endpoint
• E. Create an IAM role tor each user attempting to access the API A user will assume the role when making the API call

Answer: CD

NEW QUESTION 19
A rapidly growing ecommerce company is running its workloads in a single AWS Region. A solutions architect must create a disaster recovery (DR) strategy that includes a different AWS Region. The company wants its database to be up to date in the DR Region with the least possible latency. The remaining infrastructure in the DR Region needs to run at reduced capacity and must be able to scale up if necessary.
Which solution will meet these requirements with the LOWEST recovery time objective (RTO)?

• A. Use an Amazon Aurora global database with a pilot light deployment.
• B. Use an Amazon Aurora global database with a warm standby deployment.
• C. Use an Amazon RDS Multi-AZ DB instance with a pilot light deployment.
• D. Use an Amazon RDS Multi-AZ DB instance with a warm standby deployment.

Answer: B

NEW QUESTION 20
A company has an application with a REST-based interface that allows data to be received in near-real time from a third-party vendor Once received the application processes and stores the data for further analysis. The application is running on Amazon EC2 instances.
The third-party vendor has received many 503 Service Unavailable Errors when sending data to the application When the data volume spikes, the compute capacity reaches its maximum limit and the application is unable to process all requests.
Which design should a solutions architect recommend to provide a more scalable solution?

• A. Use Amazon Kinesis Data Streams to ingest the data Process the data using AWS Lambda function.
• B. Use Amazon API Gateway on top of the existing applicatio
• C. Create a usage plan with a quota limit for the third-party vendor
• D. Use Amazon Simple Notification Service (Amazon SNS) to ingest the data Put the EC2 instances in an Auto Scaling group behind an Application Load Balancer
• E. Repackage the application as a container Deploy the application using Amazon Elastic Container Service (Amazon ECS) using the EC2 launch type with an Auto Scaling group

Answer: A

NEW QUESTION 21
......